As we approach Thanksgiving in the U.S., the one thing I look forward to the most — aside from turkey and spending time with my family — is football. As I watch the games, the security geek in me can’t help but notice some parallels between football and network security, particularly firewalls and intrusion prevention.
Network Security Playbook
During a passing play, for example, the tailback needs to protect the quarterback from any defender who breaks through the offensive line. That is critical to the success of the specific play and the quarterback’s long-term health. A firewall is like that offensive line. Even the latest next-generation firewalls (NGFW) occasionally allow threats to break through. Your organization needs a game plan for blocking those attacks that get past the firewall.
That’s why it makes sense to deploy a next-generation intrusion prevention system (IPS) behind your NGFW. By complementing the protection provided by a NGFW, the IPS can stop attacks that firewalls miss, such as those launched from within the enterprise, zero-day attacks, mutated threats, obfuscated exploits and attacks embedded in encrypted channels.
Why not use the built-in IPS capability found in most NGFWs? That’s certainly an option, if you take into the account the additional performance overhead needed to power the IPS feature and size the NGFW properly for your network. But even so, don’t forget about the internal segments of your network that need protection as well.
This an ideal use case for a standalone IPS, since it is a level 2 network device that just sits as a bump in the wire. There is no re-architecting needed to deploy it. You might also consider the fact that 55 percent of security professionals think that a standalone IPS is more effective that one built into a NGFW.
Teamwork Makes the Network
It is also important to remember that the IPS needs to be a good teammate to all the other security solutions you have already deployed, especially since it is capable of stopping threats at the point of attack. For example, your IPS should provide an out-of-the-box integration with your organization’s SIEM so that an attacker can be quarantined when an offense is detected.
Automating containment of threats reduces the spread of malware, halts an attacker’s subsequent lateral movement and stops additional data exfiltration. It’s important to choose an IPS that provides a web server application program interface (WSAPI) so that it can be integrated with the organization’s existing security products.