IPS vendors need to walk and run at the same time
Hot on the heels of yesterday's news about some dismal results in the NSS IPS labs in detecting attacks, we see today's news about new capabilities in IPS. Now, one may ask what the IPS guys are doing adding all of this new stuff when the base detection doesn't seem to work. From what I know about the NSS testing, it's not like they were trying to trick the IPS boxes. It was basically meat-and-potatoes, blocking-and-tackling types of attacks. Some of them were old, and perhaps some of the IPS vendors had dropped detection of them. But in any event, clearly we would expect better detection of attacks from the existing technology. I am sure the IPS vendors will be hard at work on this, and those that are in the next round of NSS testing will do better. It should also be noted that many IPS vendors opted out of the NSS testing. You can only assume that they did because their results would not have been much better.
But at the same time, it seems they are all busy adding new bells, whistles and features. First comes the "big" announcement from McAfee about a major refresh to their platform. It seems they have added an NBA to the mix. It is a separate box, evidently. They have also added the ability for their IPS to get real-time threat information from their cloud-based technology. Of course, it all ties into ePO to mesh with their endpoint stuff. Combining all of this security technology sounds interesting, but is it just a means of locking you into McAfee? Will it result in detecting more real attacks in the next NSS test? I guess we will have to see.
Next up, Dark Reading's Kelly Jackson Higgins has an article up about the virtualization gold rush in the IPS market. Over at StillSecure we had our IPS running in a VMware image years ago. Sourcefire made a lot of noise about their gear running in a virtual machine a while ago too. What I found most interesting in Kelly's article was the IBM/ISS disclosure about putting the IPS in the hypervisor and actually protecting the inter-VM traffic. That is different than just running an IPS in a VM environment versus a standalone box.
TippingPoint is even trying to get into the act, according to the Dark Reading article. They claim that in their own boxes, they are actually virtualizing the IPS. Of course, being so dependent on custom hardware, making the move to mainstream VM is going to be hard for the TippingPoints and McAfees of the IPS world.
All in all, though, the IPS vendors have a double-barreled shotgun staring them in the face. They have to get better at the block-and-tackle stuff the NSS tests exposed, while keeping pace with an ever-growing threat landscape and new technology!


