The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over... Read More
Security got the boring end of the stick when names for the generations were handed out. Instead of Millennials, Gen X, Baby Boomers or the Greatest Generation, we’re stuck with “Next Gen.” What comes after “Next Gen”? And where were the creative minds hiding when we needed them most?
In this post, I’m going to focus on a sliver of the next-gen security stack that we get asked about every day. Specifically, where do next-gen firewalls stop and where do next-gen IPSs pick up the baton.
But first, to understand next-gen security we need to take a quick trip down memory lane back to the mid-2000s. That will help us understand what went wrong with “Last Gen” security and get smarter about the future. The mid-2000s was a bleak time for enterprise network security. Remember those port-centric firewalls that couldn’t break out of the ACCEPT/DENY paradigm, and completely ignored the fact that most applications were beginning to run over HTTP?
Back then, there were deep-packet inspection-based IPS devices with primitive matching languages that (at best) could look into protocol headers for exploits targeting application servers. Full packet capture systems were in their infancy, filling large arrays of spinning disks with terrabytes of packets. It was an awesome sight to behold but it delivered little practical benefit.
Enter “Next Gen” Security
As the industry began to get smarter and more focused on the nature of the threats it faced, next-generation firewalls (NGFW) were the first and most compelling solution to emerge. Better known in their infancy as application-aware firewalls, application-specific packets were added to their accept/deny paradigm so you could sort out when your employees were working in Salesforce and block them when they were working in the World of Warcraft.
It wasn’t long before next-gen firewalls gobbled up other firewall functions like VPNs, basic routing, URL filtering and even some malware analysis. As the capabilities of next-gen firewalls grew, the next logical step was to incorporate the packet-focused IPS engine and its associated ruleset.
This next step in the Great Gobble, however, is where next-gen firewalls ran into some problems. Sure, NGFW is as good a place as any to park those packet-based signatures if it makes you feel good. But real problems can emerge when you take that step.
First, it turns out that all of the additional features in NGFWs don’t come for free. Each incremental feature increases the load on the NGFW, to the point that it risks creating a bottleneck that slows down the network. More important, as we pointed out in the first blog post in this series (“Would You Re-Hire Your IPS Today?”) those IPS signatures aren’t doing much to stop modern attacks, wherever they reside. So, adding them to the NGFW doesn’t really solve the problem of the day: stopping intrusions.
Next-Gen Intrusion Prevention
That’s where next-generation intrusion prevention systems (NGIPS) come in. They pick up where NGFWs leave off. All next gen-firewalls can do is block known bad threats (think…signatures). By contrast, next-gen intrusion prevention systems are far more muscular. They find and stop the (more dangerous) unknown threats that push right through your next-gen firewall. They help you truly understand what is happening and has happened in your environment so you can respond quickly and resolve incidents.
Think of the offense on a football team to understand the different roles a NGFW and NGIPS play. Your next-generation firewall is the offensive line. Its job is keep the defense at bay and out of the offensive backfield. Meanwhile, the quarterback is your next generation IPS. They call the plays, read the defense, make audibles and need to be ready to quickly react to a wide variety of situations in the moment.
With that analogy in mind, let’s take a hard look at how next-gen firewalls differ from next-gen IPSs to understand the division of labor between them and what it means to your security operation.
You might be thinking “Hold on a second. It’s unfair to expect the NGFW to do all of this in addition to the classic firewall, proxy and basic IPS functions that it handles.” I’m glad you’re thinking that. Because that’s the entire point. Each player on a team has a different role. But if you don’t have the right players in the right roles, you’re less likely to have successful outcomes on the field.
So here’s a quick reference guide for what a next-gen firewall does and what a next-gen IPS can and must do in your security stack.
How a Next-Gen Firewall Compares to a Next-Gen IPS
Next-Gen Firewall (NGFW)
Next-Gen IPS (NGIPS)
|Rich Alert Forensics||x|
|Historical Metadata for Incident Response||x|
|Application of Threat Intel to Past and Present||x|
|Analytics and Machine Learning||x|
You can take a look at the second blog post in this series (“Did You Hire Your IPS for a Job of the Past?”) to see how Fidelis customers are implementing next gen IPSs. Meanwhile, stay tuned for our next post in this series where we’ll take a look at the market and explain how Fidelis’ next-generation intrusion prevention solution is unique from other next-gen IPS offerings.
-Hardik Modi, VP, Threat Research