Forrester's Take on the Changing Landscape of IPS

Last week Forrester released their 2011 Market Overview for IPS solutions (read it here), and in it they had some pretty interesting things to say not only about the ongoing consolidation of stand-alone IPS, but also about the changing requirements for IPS as a whole. Before we delve into some of the more interesting bits, a little self-promotion is probably in order. We are happy to say that Palo Alto Networks showed very well in this report, being one of the only vendors to deliver all of the IPS features in Forrester’s feature matrix, with the analysis specifically noting that the “unparalleled success of Palo Alto Networks is pushing the entire vendor community toward further innovation.”

However, while we always appreciate recognition from the industry, I think the really interesting part was to see Forrester’s take on how the requirements for IPS are evolving. In particular, Forrester’s analysis called out firewalling features, directory integration and the ability to inspect encrypted traffic as requirements for a modern IPS. While these features are certainly not new to Palo Alto Networks customers, they are very new to the IPS market in general. These inclusions highlight that the consolidation of IPS is about far more than the convenience of collapsing two boxes into one: new next-generation capabilities are required in order for an IPS to do its job.

The requirement to inspect SSL stands out in particular simply because it acknowledges that any threat prevention solution is only as good as its ability to actually see the traffic. This position should not be too much of a surprise given that the author of the report, John Kindervag, is the driving force behind the concept of the Zero-Trust Network, whose founding premise is that all enterprise traffic, whether internal or external, should be inspected and controlled.

This is philosophically very similar to what we refer to as “The Rule of All” at Palo Alto Networks. Put simply, The Rule of All means that the full power of the next-generation firewall must be applied to all traffic, on all ports, all of the time, regardless of encryption or evasive tactic. The industry has slowly come around to the notion that SSL traffic (making up 1/3 of enterprise bandwidth) is a serious exposure to the enterprise, and as such we are seeing vendors rushing to add SSL inspection to their solutions. However, no one other than Palo Alto Networks has addressed the even more fundamental challenge of stopping threats that leverage evasive applications and run over non-standard ports. Given that over 60% of applications on enterprise networks have the ability to use commonly open ports or any available port, this is a very real-world problem for networks today.

This gets to the heart of what a next-generation firewall really is and why it is truly a requirement for both firewalling and threat prevention. Again, your security will only be as good as its ability to see the traffic, and if your firewall and IPS don’t meet the standard of The Rule of All, then large chunks of your enterprise traffic are going to fly right by your security. The point is that now that traffic is no longer controlled by port, neither the firewall nor the IPS can afford to be built on a port-based architecture. If you would like to learn more about the Zero Trust Architecture from John Kindervag, the author of the Forrester report, you can check out a recent interview here.
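To make the port-versus-content argument of the last two paragraphs concrete, here is a small added example (written for this post, not Palo Alto Networks' own classification logic or anything from the Forrester report). It classifies a handful of constructed client-to-server flows two ways: once by destination port, the way a port-based firewall or IPS would, and once by looking at the first bytes the client actually sent (SSH banner, TLS ClientHello, HTTP request line). The audit function then reports every flow where the two disagree, which is exactly the traffic that "flies right by" a port-based architecture. The flows, addresses and payload bytes are all made up for illustration.

```python
"""Port-based vs. content-based application identification on constructed flows.

Added illustration for this post; the sample flows below are constructed, and the
signature checks are deliberately minimal (not a production classifier).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client on this connection


# Legacy model: the destination port *is* the application.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "ssl"}


def classify_by_port(flow: Flow) -> str:
    """Port-based classification: trusts the port number and nothing else."""
    return PORT_TABLE.get(flow.dport, "unknown")


# Content model: identify the application from what the client actually sent.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_content(flow: Flow) -> str:
    """Content-based classification using well-known protocol preambles."""
    p = flow.payload
    # SSH (RFC 4253): the connection opens with an identification string "SSH-".
    if p.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01:
        return "ssl"
    # HTTP/1.x: request line begins with a method token and a space.
    if p.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def audit(flows):
    """Return (flow, port_label, content_label) for every flow where the two models
    disagree and the content model actually identified something. These are the
    evasive / non-standard-port flows a port-based device mislabels or misses."""
    findings = []
    for f in flows:
        by_port = classify_by_port(f)
        by_content = classify_by_content(f)
        if by_content != "unknown" and by_port != by_content:
            findings.append((f, by_port, by_content))
    return findings


def coverage(flows):
    """How many flows each model can name at all; 'unknown' is a blind spot."""
    return {
        "port_based": sum(classify_by_port(f) != "unknown" for f in flows),
        "content_based": sum(classify_by_content(f) != "unknown" for f in flows),
    }


# Constructed sample flows (addresses from documentation ranges, payloads hand-built).
SAMPLE_FLOWS = [
    # 1. Genuine TLS on 443: both models agree.
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),
    # 2. SSH tunnelled over 443: port says "ssl", content says "ssh".
    Flow("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # 3. TLS on port 80: an encrypted channel hiding on the "web" port.
    Flow("10.0.0.9", "203.0.113.30", 80, b"\x16\x03\x01\x00\x9a\x01\x00\x00\x96\x03\x03"),
    # 4. Plain HTTP on 8443: port-based model has no label at all.
    Flow("10.0.0.11", "203.0.113.40", 8443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # 5. Genuine HTTP on 80: both models agree.
    Flow("10.0.0.13", "203.0.113.50", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


if __name__ == "__main__":
    print("coverage:", coverage(SAMPLE_FLOWS))
    for flow, by_port, by_content in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  port says {by_port!r}, "
              f"content says {by_content!r}")
```

On the constructed sample, the port-based model labels four of the five flows but gets two of those labels wrong, and it has nothing to say about the fifth; the content-based model names all five. A real device would of course need far richer signatures, and for the TLS case it would still need SSL decryption to see what runs inside the tunnel, which is the point the SSL inspection requirement above is making.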