By Leslie T. O'Neill on May 29th, 2007
IDS and IPS together make up a $1.6 billion market, according to Infonetics Research, a market research firm in Campbell, Calif., that specializes in data networking and telecommunications.
Interestingly, pure IDS is a declining market while IPS is a growing one. IDS, an essentially passive technology that sends a steady stream of alerts, demands a lot of time, expertise, and expense to manage and maintain; after all, it is up to the network administrator receiving the alarms to decide how to respond to them. IPS, by contrast, reacts on its own, automatically blocking traffic it recognizes as dangerous.
More and more, the two technologies are being combined into single devices, as well as integrated into other, lower-cost security boxes, such as firewalls and VPNs. With employees dispersed around the world, working from branch offices and from home, networks no longer have a single perimeter, the traditional location for IPS. Also, network administrators don't want to install several IDS devices in their branch offices because they're too expensive to manage separately. But IDS/IPS becomes much more affordable when it's part of an all-in-one box. A box that does both IDS and IPS can be split almost like a virtual device, with IDS enabled on one part of the network, usually internal segments, and IPS on another, usually the network perimeter.
Despite the quiet phasing out of IDS, in 2006, the worldwide revenue of IDS/IPS products grew 19 percent, per a March report from Infonetics.
Sanjay Beri, senior director of product management at Juniper Networks, outlined additional "micro trends" happening in the market today. Juniper Networks, based in Sunnyvale, Calif., offers intrusion detection and prevention (IDP) products aimed at small to large enterprises as well as carrier and data center networks.
The second trend is a direct result of the Web 2.0 evolution: Employees are saturating WAN pipes with non-business-related traffic, such as personal instant messaging and video downloads à la YouTube. Although companies don't want to ban these uses of the Internet outright, they do want to guarantee a certain level of quality of service for business processes, and they're looking to IPS to do this through rate limiting, capping non-business traffic at perhaps ten percent of the WAN pipe.
“No other device can do that,” says Beri. “Be a proactive business policy-setting device.”
In addition, IPS is becoming more proactive and more intelligent to keep up with the increasing sophistication of threats. Traditionally, IPSes "used to only look at bits on the wire, looking for a pattern. It's a coarse method of matching a threat, the dirty secret of IPS," says Beri. "The Layer 4 IPSes don't understand applications well, and it creates tons of false positives." But new Layer 7 stateful IPS devices can understand applications well enough to search for threats more intelligently.
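To make the Layer 4 versus Layer 7 distinction concrete, here is an added example that is not from the article or from Juniper's products. It contrasts a "bits on the wire" matcher, which flags any payload carrying a signature byte string, with an HTTP-aware matcher that parses the request line, percent-decodes the request path, and flags the traversal only where it can actually do harm. The signature, the three sample payloads, and the function names are all constructed for illustration; it also shows why the same engine can only alert in IDS mode but can drop in inline IPS mode, as the article discusses elsewhere.

```python
"""Layer 4 pattern matching vs Layer 7 (HTTP-aware) inspection.

Added example, not code from the article or from any vendor. The
signature and the sample packets below are constructed for illustration.
"""
from typing import Callable, Optional
from urllib.parse import unquote

# Constructed signature: a classic path-traversal probe as raw bytes.
SIGNATURE = b"../../etc/passwd"

# Constructed sample TCP payloads (no real capture).
PACKETS = {
    # Real attack: the traversal sits in the HTTP request path.
    "attack": (b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n"),
    # Benign: a web page *about* traversal carries the same bytes in a response body.
    "benign_body": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<p>Never let user input reach paths like ../../etc/passwd</p>"),
    # Evasion: same attack with percent-encoded dots; the raw signature bytes never appear.
    "evasion": (b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n"),
}


def layer4_match(payload: bytes) -> bool:
    """'Bits on the wire': flag any payload that contains the signature bytes.

    Fires on the benign response body (false positive) and misses the
    percent-encoded request (false negative), because it knows nothing
    about HTTP.
    """
    return SIGNATURE in payload


def parse_http_request_path(payload: bytes) -> Optional[str]:
    """Return the percent-decoded request-target of an HTTP request.

    Returns None for anything that is not an HTTP request (responses,
    other protocols), so those payloads are never scored as requests.
    """
    request_line, _, _ = payload.partition(b"\r\n")
    parts = request_line.split(b" ", 2)
    if len(parts) != 3:
        return None
    method, target, version = parts
    if method not in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE") or not version.startswith(b"HTTP/"):
        return None
    # Decode once; the comparison is made on the decoded form, so %2e%2e
    # and .. are treated alike. (Double encoding would need a second pass.)
    return unquote(target.decode("latin-1"))


def layer7_match(payload: bytes) -> bool:
    """Application-aware: flag a traversal only in the path of an HTTP request."""
    path = parse_http_request_path(payload)
    if path is None:
        return False
    segments = path.split("?", 1)[0].split("/")
    return ".." in segments and "etc/passwd" in path


def verdict(payload: bytes, engine: Callable[[bytes], bool], inline: bool) -> str:
    """An out-of-band IDS can only alert; an inline IPS can drop the packet."""
    if not engine(payload):
        return "pass"
    return "drop" if inline else "alert"


def compare_engines() -> dict:
    """Run both engines over every sample and return the verdict table."""
    return {
        name: {"layer4": layer4_match(pkt), "layer7": layer7_match(pkt)}
        for name, pkt in PACKETS.items()
    }


if __name__ == "__main__":
    for name, result in compare_engines().items():
        print(f"{name:12s} layer4={result['layer4']!s:5s} layer7={result['layer7']!s:5s}")
    print("IDS mode:", verdict(PACKETS["attack"], layer7_match, inline=False))
    print("IPS mode:", verdict(PACKETS["attack"], layer7_match, inline=True))
```

Run stand-alone, the table shows the Layer 4 matcher flagging the benign page and missing the encoded probe, while the HTTP-aware matcher gets all three right. A real engine would also reassemble TCP streams and normalize far more than percent-encoding, but the structural lesson is the same: the fewer protocol semantics the engine understands, the more of its verdicts are noise.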
Lastly, IPS boxes are as much about network capabilities, such as high availability and scalability, as they are about security features. Unlike an IDS, which only observes traffic, an IPS sits inline in the traffic path. Although IPSes were once little more than "PC boxes," they must now be reliable networking gear.
“Now the hardware is more critical. You’re in the network, and if you fail or don’t fail properly, you could take down the network,” explains Beri.