packet
As I've been saying for years now, IDS functions and firewall functions are going to start merging. Well, IPS shows IDS moving towards firewall functionality and Deep Packet Inspection (DPI) shows firewalls moving towards IDS functionality. So the real question here is, should you go with an IPS system or a firewall with DPI?

Well, the answer to that (today) is that it depends on what functions you need. Typically firewalls also provide for NAT, VPN, and general filtering so they actually provide many more services. Today IPS systems just watch for bad packets and stop them when they match a rule or look bad to the heuristics system. So it would seem that for most smaller companies going with an integrated solution like a DPI firewall would be the way to go.

For larger companies, or companies with a larger security need, going with both a firewall and an IPS system seems like the best solution for security, as firewalls provide a necessary function but don't (yet) rival the IPS systems for packet analysis. But that will certainly change as DPI systems become smarter and smarter and the firewall vendors move more and more IDS knowledge into the firewall.

Keep an eye on Netscreen in this area; they purchased OneSecure, which made one of the first really good IPS devices. While Netscreen says that they are moving only part of the technology into their firewall, I can see a day when they are forced to fully combine the two by market pressure. For the time being they are much more content to just sell two different products to make twice the money, which seems to be the general trend.

Of course there is no reason that IPS creators couldn't add firewall capabilities to their product as well. Considering that they are already doing deep packet analysis, they could easily add rules that mimic stateful packet inspection (only if this destination IP and destination port are good, do further inspection of the packet; else drop it) and NAT. Adding VPN is a bit more work, but VPN has always been a fairly separate module of a firewall and not really integrated into the packet inspection process. So for most of the IPS vendors out there it would just mean taking one of their other products, or in Sourcefire's case grabbing another open-source product like FreeS/WAN, and integrating it into their IPS.

In the future I don't really see these two different product lines looking much different; in fact I'm going to call this device a Total Protection System (TPS). There will probably always be debate on whether the TPS systems that came from the original IPS vendors are better or if the ones that came from the firewall vendors are better, but the smart admins will probably always rely on more than one technology to provide complete protection and will still practice defense in depth.
Matt Foster
One of the big problems with any security device is how you can easily test that it is doing what you believe. With security technologies converging this will become an even cloudier area.

I would be really keen to get feedback from anyone who has an interest in this area on a couple of products Blade Software have developed, www.blade-software.com

We have just released a new version of IDS Informer which allows real attack traffic to be safely replayed between two network cards. This allows any inline device or IPS to be tested to see exactly at which point attacks are blocked, etc. We are working with many of the leading security vendors and I am interested in getting feedback from any Gov users of inline devices to see thoughts, etc.

Matt
packet
I agree with you completely; for now people pay me to test their configurations and I like that :) but certainly network consultants could use a better tool for analysis of firewall and IDS configurations with more real-world traffic. Your tool does seem to fit that description.

But what about not only replaying bad traffic but instead replaying good traffic? Sounds crazy, but I've also been saying for years that perhaps we should go from a deny perspective to a permit perspective (on IPS systems). So instead of denying lots of bad things by signatures, statistical analysis, and protocol analysis, why don't we record all of the normal traffic to a web site and say permit all traffic that conforms to these parameters (that we recorded from looking at the good traffic) and deny everything else?

It's more of the firewall type mentality, but it would require an IPS generation script that would record only good traffic and then automatically generate a ruleset.

--P>G>>
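The two ideas packet raises, an IPS that first does a cheap stateful-style destination check before deep inspection (first post) and a "permit only what we recorded, deny everything else" ruleset generated from captured good traffic (post above), fit naturally into one small prototype. The following is an added example written for this thread; it is not code from any poster or vendor. It assumes a capture tool has already summarised each HTTP request into a small record (source, destination, port, method, path, body size); the "recorded good traffic" below is constructed for illustration, and the `slack` factor on body size is an assumed tuning knob, not a documented product setting.

```python
"""Allow-list IPS prototype: learn a profile from recorded normal traffic,
emit a permit ruleset with a final deny-all, and judge new requests against it."""
from collections import namedtuple
from dataclasses import dataclass, field

# A simplified HTTP request record, as a capture tool might summarise it.
Request = namedtuple("Request", "src_ip dst_ip dst_port method path body_len")

# Constructed sample of "good" traffic recorded during a learning window
# (illustrative values only; not taken from the thread).
RECORDED_GOOD = [
    Request("192.0.2.10", "10.0.0.5", 80, "GET", "/index.html", 0),
    Request("192.0.2.11", "10.0.0.5", 80, "GET", "/images/logo.png", 0),
    Request("192.0.2.12", "10.0.0.5", 80, "HEAD", "/index.html", 0),
    Request("192.0.2.10", "10.0.0.5", 80, "GET", "/products/list", 0),
    Request("192.0.2.13", "10.0.0.5", 443, "GET", "/login", 0),
    Request("192.0.2.13", "10.0.0.5", 443, "POST", "/login", 84),
]


def _prefix(path):
    """First path segment, e.g. '/images/logo.png' -> '/images'."""
    return "/" + path.lstrip("/").split("/")[0]


@dataclass
class Profile:
    """Parameters learned from good traffic; anything outside them is denied."""
    services: set = field(default_factory=set)        # (dst_ip, dst_port) pairs
    methods: dict = field(default_factory=dict)       # service -> allowed methods
    path_prefixes: dict = field(default_factory=dict) # service -> allowed prefixes
    max_body: dict = field(default_factory=dict)      # service -> largest body allowed


def learn_profile(requests, slack=1.5):
    """Build the permit profile. `slack` (assumed knob) widens the body-size
    bound so ordinary variation in legitimate traffic does not trip the rule."""
    p = Profile()
    for r in requests:
        svc = (r.dst_ip, r.dst_port)
        p.services.add(svc)
        p.methods.setdefault(svc, set()).add(r.method)
        p.path_prefixes.setdefault(svc, set()).add(_prefix(r.path))
        p.max_body[svc] = max(p.max_body.get(svc, 0), int(r.body_len * slack))
    return p


def generate_ruleset(profile):
    """Render the profile as ordered permit rules plus a final deny-all:
    the firewall-shaped ruleset the post argues an IPS could generate."""
    rules = []
    for ip, port in sorted(profile.services):
        svc = (ip, port)
        rules.append({
            "action": "permit",
            "dst": f"{ip}:{port}",
            "methods": sorted(profile.methods[svc]),
            "path_prefixes": sorted(profile.path_prefixes[svc]),
            "max_body": profile.max_body[svc],
        })
    rules.append({"action": "deny", "dst": "any"})
    return rules


def inspect(request, profile):
    """Two-stage decision: a cheap stateful-style destination check first,
    then deep inspection against the learned parameters. Returns (verdict, reason)."""
    svc = (request.dst_ip, request.dst_port)
    if svc not in profile.services:  # stage 1: destination never seen, drop early
        return "deny", "destination not in permitted services"
    # stage 2: deep inspection of the request itself
    if request.method not in profile.methods[svc]:
        return "deny", f"method {request.method} never seen for this service"
    prefix = _prefix(request.path)
    if prefix not in profile.path_prefixes[svc]:
        return "deny", f"path prefix {prefix} not in recorded traffic"
    if request.body_len > profile.max_body[svc]:
        return "deny", "body larger than anything recorded"
    return "permit", "matches learned profile"


if __name__ == "__main__":
    prof = learn_profile(RECORDED_GOOD)
    for rule in generate_ruleset(prof):
        print(rule)
    probe = Request("203.0.113.7", "10.0.0.5", 80, "POST", "/index.html", 512)
    print(inspect(probe, prof))
```

The usual caveat with this approach is the learning window: whatever was on the wire while the profile was recorded becomes "permitted", so the recording must be taken from a period you have some confidence in, and a new legitimate feature (a new URL tree, a larger upload form) means re-learning rather than editing a signature. The ordered permit-then-deny shape also makes the generated ruleset easy to review by hand before it is enforced.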
SgtRush
Good idea, Packet. I audit network security installations for a living as well (among other things), and if you're looking for feedback on your product give me a shout sometime. I am a little busy now, but this business is very cyclical. (word? spelling?)

@Packet.....Have you seen ISS's Proventia series? It is being billed as the silver bullet (groan). Checkpoint's VPN Edge1 (might be off on the name, I only half paid attention to the webcast) is blurring the firewall/IDS/IPS line too. Man, I miss the days when there was a product for every place and every product had its place. Clearly the world went to heck when switches started routing (layer 3 switching) and it's gotten worse ever since.
packet
Well, I'm a big proponent of the IPS type of solution. I believe that firewalls (which IPS systems are basically becoming) should get that deep packet inspection as it's dumb to just say "gee, port 80 no worries, go right ahead sir".

But these "all in one" boxes do start to become too much. And silver bullet - no such thing in security.

BUT - I must say that I love layer 3 routing on switches, at least for VLAN to VLAN traffic. I don't think they should be your area 0 OSPF router or do BGP, but damn if I want traffic to leave the switch if it's just going to another VLAN. KnowwhatImeanvern?

Cisco has taken the switch way (way) too far with their "it can do VoIP, it can do routing, it can do firewalling, it can do IDS, it can slice, it can dice, it can even cut this can!" I think it makes their switch worse off in the end and is the reason that I go with Foundry or Extreme for big backend switches.

--P>G>>