Comparing the best intrusion prevention systems

Expert contributor Karen Scarfone examines the best intrusion prevention systems to help you determine which IPS products may be best for your organization.

Network intrusion prevention systems (IPSes) are enterprise security technologies dedicated to monitoring and analyzing network traffic for suspicious activity. Unlike a firewall, which is generally based on a ruleset that specifies network traffic flow restrictions, an intrusion prevention system examines the headers and contents of network traffic for activity that is deemed too risky, and then stops the current communications containing such activity. They may directly force suspicious activity to terminate, or may trigger reconfigurations in other enterprise security controls to accomplish this.

Most technologies for detecting attacks and other malicious and unwanted behavior concentrate on one type of malicious activity, such as antivirus software targeting malware. What makes intrusion prevention systems unique is they have the ability to detect many different types of activity at all levels of the network stack, including malicious behavior by or within thousands of application protocols.

Today's network intrusion prevention systems are available in three main forms:

  • Dedicated -- either hardware-based appliances or virtual appliances dedicated to IPS functions only;
  • Integrated -- generally a module enabled on another enterprise security control, especially a next-generation firewall (NGFW); and
  • Cloud-based -- available as a service from a cloud-based IPS provider.

This article examines the best intrusion prevention systems on the market today. It is difficult to compare them across these three forms because each form is best suited to certain cases and conditions, as explained in the first article in this series. For the purposes of simplifying and focusing the comparison, this article looks at dedicated IPS products only. Although hardware-based appliances and virtual appliances have some inherent differences because of their forms, in most cases, their functionality is nearly identical.

The best intrusion prevention systems available today, according to the IPS products studied for this article, are:

These products were evaluated using public sources of information, such as product websites, white papers and product manuals. IPS criteria used for the evaluation are as follows:

  • Criterion 1: How broad and comprehensive the IPS's detection capabilities are
  • Criterion 2: How well the IPS can incorporate an understanding of context to improve its functioning
  • Criterion 3: How effectively the IPS can use threat intelligence feeds

These three criteria are meant to be only a small part of a much larger IPS evaluation process. Every organization has a unique environment, unique security requirements, and unique risk tolerance characteristics. Consider the rest of this article as input for an evaluation that should be considered, along with many other inputs. If an evaluation includes integrated and/or cloud-based forms of IPS, as well as dedicated technologies, these criteria may be helpful, but consider that additional criteria will be needed to compare across IPS forms.

Criterion 1: The four IPS detection capabilities

It is incredibly difficult and time-consuming to do your own comprehensive comparison of attack detection capabilities across intrusion prevention system products. Fortunately, there are third-party testing efforts that are performing hands-on evaluations focused on detection accuracy. These organizations publish the results of their evaluations, but they often charge fees to access any details.

No IPS technology is inherently

Organizations considering the acquisition of dedicated IPS technologies should carefully weigh the costs and benefits of purchasing third-party evaluation results, as well as the credibility and neutrality of the organization performing the evaluations. Another important factor is the age of the results; products can change a great deal in a year or two, for better or worse, so older results may be misleading.

No matter what source an organization uses for its information gathering on IPS detection, certain high-level characteristics should be considered particularly important for most organizations, such as:

Uses a wide range of techniques to detect attacks

Examples of common techniques include signature- or anomaly-based detection, network flow or behavior analysis, denial-of-service detection, and deep-packet inspection. All major IPSes use multiple techniques, because each technique detects a somewhat different set of attacks, but some IPSes use several techniques to provide the broadest attack detection possible. The products that claim the largest range of detection techniques are IBM Security Network Intrusion Prevention System, Intel Security McAfee NSP and Radware DefensePro. This doesn't necessarily mean other products have a narrow range, only that those products do not specifically claim a wide range.

Detects zero-day attacks and other attacks that have never been seen

An IPS's ability to understand the security implications of completely new attacks has become a key component to its detecting and stopping attacks that most other security controls cannot recognize. All the IPS products studied for this article have this ability to some extent because they can detect aberrations in expected behavior. Ideally an IPS also performs extensive protocol analysis to find potential exploitation attempts of both known and unknown vulnerabilities in those protocols. Both the HP TippingPoint NGIPS and the IBM Security Network Intrusion Prevention System specify their support for this capability.

Detects attacks within application communications

So many attacks today are application-based that it's become imperative for an IPS to understand application communications as much as possible. Other than Radware DefensePro, all the studied products claim analysis capabilities for a wide range of applications -- in the case of Intel Security McAfee NSP, over 1500; and for Cisco FirePOWER, over 3000. The sheer number of supported applications is largely irrelevant, however; what's important is that the IPS supports the applications that pose the highest risk to your organization. Check with the IPS vendors during an evaluation for a list of the applications they currently support.

Uses simulation and/or emulation capabilities to identify malware

This is a relatively new capability for IPS technologies. It allows an IPS to use techniques such as Web browser and JavaScript emulation to analyze the behavior of client-side Web activity. Similarly, some IPSes can also analyze the contents of individual files to look for potential malicious content within them. This goes a step farther than application communication analysis, and it is a direction all IPS technologies are likely to pursue. At this time, the Intel Security McAfee NSP claims the greatest range of simulation and emulation techniques for malware detection. Check with the vendors of all IPS products being considered for the latest information on their plans to adopt simulation and emulation capabilities.

To summarize, no product excels in all four of these detection characteristics, but the product with the highest overall support for the characteristics is Intel Security McAfee NSP. All other products were ranked at the top for at least one of the characteristics, so each product offers some strong detection capabilities.

Criterion 2: IPS context understanding

Over the years, intrusion prevention system technologies have evolved to better incorporate the context around the activity they observe. A common example is an IPS having basic information on the role of each of the organization's hosts. This allows the IPS to give higher priority to an attack against an enterprise database server than a similar attack against a user workstation. It also allows the IPS to differentiate those attacks that may succeed from those that have no chance of working -- say, an attack against a vulnerability in a product that the targeted host is not running.

An IPS can gain some understanding of context by observing benign activity and noting significant characteristics of the hosts involved in these communications. Some IPSes are more advanced and can receive data from IT asset management systems and other similar sources that provide a more authoritative and richer source of contextual information.

Of the products studied for this article, Cisco FirePOWER has the most robust understanding of context. It can know a great deal about each host, including its operating system type and version, services, applications and application versions, and known vulnerabilities in the operating system, services and applications. In addition, it also has knowledge of host processes and files, as well as the expected network behavior for each host. The only other reviewed IPS with major contextual understanding is Intel Security McAfee NSP, which focuses on the elements that are generally the most important: hosts, users and applications.

Criterion 3: IPS threat intelligence use

Intrusion prevention system technologies are in the early stages of adopting threat intelligence use. Using threat intelligence to identify attacks more quickly and accurately is becoming more important all the time. Many organizations only use threat intelligence for their security information and event management solutions, but also using threat intelligence with an IPS allows even faster detection, and is especially helpful at stopping quick attacks in progress before they can do damage.

Cisco FirePOWER, HP TippingPoint NGIPS and Intel Security McAfee NSP all offer support for some aspects of threat intelligence, but details on the types of threat intelligence they support, such as whether they provide reputation information for IP addresses, URLs and domain names, are not publicly available. Because IPS technologies are rapidly evolving when it comes to their support for threat intelligence feeds, evaluators should contact IPS vendors to get the latest information on existing threat intelligence capabilities and plans for expanding those capabilities.

Choosing the best intrusion prevention system

It is important to do your own evaluation before selecting the best intrusion prevention system for your organization. The first step is to determine which form or combination of forms of IPS -- dedicated, integrated or cloud-based -- best suits its needs. If the selected forms include dedicated products, then look at the products studied in this article, and potentially others as well, in terms of the criteria defined in this feature, as well as many other criteria.

No IPS technology is inherently "the best," because every organization has unique requirements, and different technologies are better for different situations. That being said, however, the product that generally fared best against the selected criteria was the Intel Security McAfee NSP.

It was the only IPS product that strongly supported all the criteria. In addition, organizations particularly interested in detecting and stopping application-based attacks should carefully consider the Cisco FirePOWER product as well because of its superior support for applications and context. The other products also offer strong enterprise IPS capabilities and are worthy of consideration in any IPS evaluation.

Next Steps

In part one of this series, learn about the basics of network intrusion prevention systems

In part two of this series, discover the enterprise benefits of network intrusion prevention systems

In part three of this series, find out about the criteria for evaluating, researching and testing IPS products

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing