topic Re: Replacing the Traditional IPS in Industry News

Replacing the Traditional IPS

DepartmentZ — Fri, 29 Dec 2017 13:57:29 GMT

Has anyone replaced their traditional intrusion prevention system (IPS) (physical boxes on-premises, at the perimeter) with a different solution? Like perhaps one of the cloud-based IPS services? I'm interested to know the latest options available in accomplishing IPS goals. What are the pros/cons/things to look out for with the option you selected? Thanks!

Re: Replacing the Traditional IPS

greppy73 — Fri, 29 Dec 2017 15:11:03 GMT

So I've dabbled in this a bit. I deplore "marketing speech" but the perimeter is disappearing, so my effort has veered more towards HIPS agents and EDR controls (which may not be your question). In my pipe dream world, there is a perfect stack of agents that can defend an endpoint as well as if it was in my network.

I've never done this with incoming IDS. I think, over every port, at a cloud provider - internet is a point of failure, so you'll need redundancy. Throughput is going to be a concern, too - ensuring a minimum speed test. You'll also need to lock down those hops very tightly between internal and external. If it's a vendor providing this, I'd want to know specifically what the SLA's are and if I'm on a shared IPS .

I have done this on outgoing connections. This was a large enterprise with millions to spend, so we just figured what the heck...they're offering it as a service (really a Palo Alto) and are guaranteeing throughput, so let's just try it. This probably sounds a bit weird, but there are good reasons for it. It worked, I suppose, but there were issues - sometimes due to the complexity of the setup, sometimes due to the service itself. You're likely to face a load issue on your IPS so whoever you're doing this with, better guarantee some level of service. Makes me nervous to think that the CEO's daily visits to Yahoo! news are being slowed down or stopped by something that's not in my direct control.

The biggie, control, is likely where I'm going to lose the most sleep. The other issues can probably be overcome. Historically, IPS rules were specific to the business. What was "bad" for someone might not be bad for others. So what defines that? If I move to the cloud, how much granular control do I have? If you are in a shared cloud (to my earlier remark), that could mess up your ability to create specific rules for your business.

Several other thoughts, but I'll just stop there b/c they delve into other areas beyond IPS.

Re: Replacing the Traditional IPS

DepartmentZ — Fri, 29 Dec 2017 18:15:55 GMT

@greppy73 I hear you on the perimeter disappearing. That's funny. I remember hearing my first presentation on "deperimeterization" about 8 years ago. The interesting thing is that deperimeterization happened a long time ago for some organizations and is still just now happening for others. Also, it doesn't always feel like "de"-perimeterization - more like "poly-perimeterization." Places still have things that resemble the old fashioned castle and moat network but now they've added 15 jillion more perimeters as they move business to the cloud, mobile, etc. I could go on but no.

Anyway, you make extremely good points: performance/uptime and control of the rules in multi-tenant arrangement. I guess I already knew these things passively but you are helping me to get focused. BTW this particular business runs all 80/443 through a cloud-based secure web gateway and it's terrific. But this SWG is one robust, global cloud service provider with serious redundancy and performance management. It has been very successful. Things get a little more complicated when all ports and protocols come into play. Thanks again for the reply. BTW I believe I detected a tongue in cheek on that Yahoo! news comment. Nicely done.

Re: Replacing the Traditional IPS

DepartmentZ — Fri, 29 Dec 2017 18:19:26 GMT

Oh and I do support your strategy to get closer to the endpoint/action/data via HIPS/EDR - it's solid if you can do it.

Re: Replacing the Traditional IPS

Early_Adopter — Sat, 30 Dec 2017 14:16:10 GMT

As an aside, if anyone was wondering where the whole 'De-Perimiterization' thing first surfaced then you can marvel at the Technicolor Nightmare(in a good way, no really wear shades) that is David Lacey's presentation material on de-perimeterisation to the first meeting of the Jerichio Forum, January 16th 2004:

Introduction to De-perimeterisation

I've heard the concept originated with a chap called Jon Measham who was at the Royal Mail in the UK) but my first intro was from David.

The concept of 're-perimiterization' really fits nicely with your idea of poly-perimiterization, which I take to mean that DID is still a thing and will continue to be a thing.

Re: Replacing the Traditional IPS

DepartmentZ — Tue, 02 Jan 2018 18:10:06 GMT

@Early_Adopter Wow. You weren't kidding. I'm pretty sure that was sent back in time to 1984 for final edits. Somehow it works for me though.

Anyway, thank you for sharing that peek into the history of "de-perimeterisation." I did not know the origins. I followed it up with some self-guided rabbit hole exploration on Wikipedia starting with https://en.wikipedia.org/wiki/Jericho_Forum - great stuff.

Interesting, much of this material could have been written yesterday and would be timely. One more thought about perimeter: There is a perimeter around every bit of data that you would mind losing, wherever it is.