Intrusion Prevention Endgame

All good things must come to an end.  In the late '90s I was fortunate to be involved with the development of one of the first intrusion prevention systems (BlackICE).  It was a defining job for me, since I learned so much working with the NetworkICE people, notably Robert Graham, Clinton Lum, and the late Janice Befu.

Intrusion detection and prevention (IDS/IPS) technologies over the past decade have become a “must-have” for organizations of all sizes.  The good news is that IDS/IPS technology is not going away.  What is disappearing is the dedicated IPS appliance, and the culprit is a repeat offender in the realm of market share plundering.

The genesis for this demise is the same as hundreds of other technologies before it: commoditization.  Ten years ago, IPS/IDS was an emerging market.  IPS engines were immature, detection rates were inconsistent, and high-performance solutions had steep price tags.

Fast forward to 2012, and the picture is very different.  High-quality IDS/IPS engines are commonplace, present in virtually all security appliances.  The detection rates are all fairly close, meaning the quality of IDS/IPS engines has stabilized.  Furthermore, inexpensive commodity hardware with purpose-built chipsets and an integrated switching fabric can deliver high-performance, in-line protection at affordable prices.

The driving force behind this commoditization is the ubiquitous UTM/NGFW.  It seems UTM/NGFW is everywhere these days.  (Incidentally, I just recently wrote how these two technologies are largely identical: UTM v NGFW – A Single Shade of Gray.)

Along with consuming the firewall market, UTM/NGFW has also gobbled up the IPS market.  Nowhere is this more apparent than in the latest NSS report on IPS performance.  This report costs money to get, but many of the UTM/NGFW providers offer abridged versions that you can read.  Fortinet, Sourcefire, and Palo Alto Networks all have links to the report on their sites.

The report is very enlightening and says a lot about the shift in the IPS market.

The top-performing IPS was, unsurprisingly, Sourcefire, with block rates of 98% or so.  Check Point, Fortinet, and SonicWall were all in the 95-97% range.  McAfee's IPS and Stonesoft (not exactly a name you hear a lot in the IPS industry) were also very good at around 97%.  Palo Alto Networks also did very well, coming in around 94%.  What was interesting is that all of the UTM-style products beat two stalwarts of the IPS industry: HP TippingPoint and IBM (the old ISS BlackICE engine).  Juniper's IDP was also on the list, but it fared poorly as well.

ISS and TippingPoint used to be the leaders in IPS.  ISS's BlackICE engine was the leading engine for years.  TippingPoint came along in the mid-2000s to deliver high-performance IPS coupled with ease of use, which gave it impressive growth and market share.  Now both are falling into the dustbin of the IPS market.  Admittedly, both products are also victims of their new owners.  IBM bought ISS and left it to rust on the side of the road like an old Plymouth Volare.  TippingPoint got bounced around from 3Com, through the fingers of Bain Capital, until HP reluctantly acquired it.  HP promptly ignored TippingPoint, opting to focus on new and creative ways to aggravate customers, lose market share, and depress its stock value.

So the question is, why would anybody buy a dedicated IPS appliance these days?  Aside from the general benefit of isolating this capability on a single platform, there really is no reason.  UTM/NGFW products have proven they can step in and take over as an IPS.  Moreover, why buy a dedicated appliance that only does one thing (IDS/IPS) when you can get a UTM appliance that does many things?  Even if you do not use all the other features, at least they are there and available for you to use at some other time.

Furthermore, as if to underline this point, UTMs are significantly less expensive.  A quick survey of the price lists from TippingPoint, Sourcefire, McAfee, Fortinet, SonicWall and Palo Alto Networks shows that dedicated IPSs generally cost 30% more than a comparably equipped UTM.  UTM is a classic case of "does more, costs less."

The only pure-play IPS vendor that seems to have some hope here is Sourcefire.  Not only are they widely respected in the IDS/IPS space, but they are likely to be the last man standing in this market: partly because they have a really good product, but mostly because they fill the only remaining niche for dedicated IPS.  There will always be a small segment of the IPS market that wants and demands a full-featured IPS with a highly customizable engine.  In that sense, Sourcefire really is the best fit.  Also, Sourcefire remains the only pure IPS-focused company.  The biggest concern with Sourcefire is what is going on inside the company.  Their CEO, John Burris, just resigned citing health issues.  Martin Roesch was named "interim CEO."  Marty is a brilliant guy and a legend in the IPS world.  But he is a technical guy, and technical guys generally are not the best CEOs.

Sourcefire is doing well financially, so as long as Roesch can hold it together, they may be okay.  Sourcefire has also recently entered the UTM/NGFW market, which is a good move, but they have a lot of competition and no name recognition in that space.

Smart IPS buyers need to throw off their inhibitions about UTM/NGFW.  The data is clear, the trends are obvious, the game is over.  Unless you are one of those places that really wants to fine-tune your IPS, the era of dedicated IPS is over.  If you have a bunch of dedicated IPS products in your network, it is probably time to start planning their removal.  Not only are those products decreasing in usefulness, there is a good chance their manufacturers simply will not support them much longer.

Anitian – Intelligent Information Security.