Sunday, August 26, 2007

How do you feel Mr. IDS ?

Your answer was selected as a Good Answer
Your Public Answer:
“Gartner’s response is a very usual one for an analyst who reads the specifications of the products and then comes up with a "research" conclusion. Well, the reality in the hands-on world is different. If you start shopping today, you will not be able to find an IDS/IPS product effective over 5Gbps. (I should say even 2Gbps, the real full-duplex gigabit pipe, is very difficult with mixed traffic types.) Today enterprise deployments move firewall systems closer to the core, next to the server farms. We are looking at multiple aggregated gigabit channels to enforce information security policies. Firewalls by nature look at the headers of the packets, and if they detect a pattern they simply allow traffic; this accelerates the traffic. On the other hand, application-level firewalls and IDS/IPS systems need to look at the full payload of the traffic; they need to understand the application and detect threats, and this process is slow. Did you ever see an application in the middle of the core routers? If Gartner is right, it will be Gartner’s firewalls. If everybody enables IDS/IPS features on firewalls, they would either be investing 10-fold in infrastructure or they would be slowing their network severely. Dedicated IDS/IPS systems are designed to handle full packet analysis fast; firewalls aren’t. I am working with almost all of the major firewall vendors, and if the production environment is mission critical we always recommend dedicated/best-of-breed IDS/IPS solutions. On the other hand, if you are looking at a T1/E1 internet pipe, the whole picture changes: it makes sense to use an integrated appliance, not just the firewall and the IDS but maybe URL filtering, AV, QoS etc. in a single device. This category is called unified threat management (UTM) and there are several vendors in this space. There is another argument in the architectural design of firewalls and IPS systems.
Firewalls are the security gateways; they are designed to fail closed upon failure/overload. IPS systems, on the other hand, are not the security guards; they are the intrusion alarms, and they are usually deployed in a fail-open design unless a heavy investment is made in IPS high availability. Mixing these two approaches on a single platform may require revamping of operational procedures. Last but not least, ask Check Point about the NFR acquisition, or ask Nokia why there is a different IPSO platform for Sourcefire, or ask Juniper why there is a dedicated blade for IPS, or ask Cisco why their ASA box cannot run full mode with IPS features, or check with Cisco on how many IPS blades you need on a 6509 to secure 8 gigabit ports, or check with Fortinet about IPS-enabled performance numbers, or listen to the sad story of why Microsoft does not have the IPS features on ISA :)”