Why Application and User Context are Vital to Next-Generation IPS

Over the last few years, we’ve increasingly seen a number of products claiming to be “next-generation.” This message is now so frequently used, it’s difficult to really understand whether the message has gotten lost in the technology or vice versa. What makes something “next-generation”?

To quote from my favorite college-unapproved secondary source, Wikipedia, which takes their definition for Next-Generation Firewalls from this article written by Eric Geier of eSecurity Planet:

A Next-Generation Firewall (NGFW) is an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e. Active Directory).

From this definition, next-generation products appear to be those that are natively built within the same platform or device, can identify applications regardless of port or protocol, operate in Layer 7, and can integrate with other software that maps IP addresses to actual users on the network.

But this brings me to my next question: What’s the difference between traditional IPS and “next-generation” IPS, or NGIPS for short?

The description above would indicate that NGIPS is part of a next-generation security platform, sharing context-aware features with the firewall, such as application and user visibility, improved threat prevention performance, and log correlation. In short, they’re much better than traditional IPS at understanding malicious traffic.

NSS Labs’ has designed a test for NGIPS products, which Palo Alto Networks participated in recently. In their methodology overview, NSS sets forth this requirement for NGIPS devices:

next generation intrusion prevention systems (NGIPS) must provide organizations the ability to identify both the applications and the users on their internal networks.

The importance of application and user visibility is paramount, as these are what basically turn an IPS into an NGIPS, but the context they provide is vitally important.

First off, they help to enforce application- and user-specific policies. For example, JDoe should have access to this application but only in these specific ways — anything outside this is prohibited. An NGIPS can help you do this.

Secondly, application and user visibility make heuristics much more useful. These features make your IPS smarter so that it knows what “normal” traffic looks like for each application, and alerts you to anything that falls outside that pattern. In short, the context provided by application and user visibility allows you to determine whether specific activity is malicious or not.

Any vendor who boasts an NGIPS product must be able to employ these features realistically for the customer. This means providing NGIPS capabilities while maintaining performance that reasonably fits the customer’s throughput needs, and doesn’t sacrifice 80 to 90 percent of throughput when these “next-generation” features are turned on. You can’t claim to be serious about security and promote these features if customers can’t really use them in a meaningful way.

Although the platform component is a key improvement in intrusion prevention, as it effectively consolidates multiple security features and makes them easier to deploy and manage, not every customer in the market for IPS necessarily needs all of these bells and whistles.

Internal IPS deployments are sometimes stand-alone, segmenting the network or protecting data centers. These stand-alone deployments are where “next-generation” features like application and user visibility are most needed.

In today’s world of devious attackers and sophisticated threats, hiding in plain sight – within the very applications that enable businesses to become more productive – is a tactic cyber criminals are using to successfully infiltrate organizations. Only a smart IPS, one that’s truly “next-generation,” is equipped to prevent these threats and level up enterprise security.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS