
A Productive Transformation of NGFW Over the Dedicated IPS

By Satinder Khasriya | April 24, 2020

If there is one thing that analysts and pundits can predict with a great degree of certainty, it is that cyberattacks will continue to rise, becoming a major global threat to businesses. Given that what’s at stake is not just critical customer data, but also the enterprise’s revenue and brand reputation – not to mention hefty penalties from regulators should their networks be compromised – it is imperative that enterprises use every bit of security technology available to prevent a network breach.

The challenge is that implementing an effective and consistent security strategy is increasingly difficult to achieve and maintain. The erosion of traditional perimeter boundaries, the expansion of cloud adoption, and the growth of mobile and IoT devices have led to increasingly complex network architectures where traditional tools like dedicated IPS devices are falling short on delivering security value.

The Pitfalls of Dedicated IPS Solutions

Traditional IPS solutions were designed for a single purpose: deep packet inspection of traffic to proactively identify and block malicious content. That narrow focus led to IPS systems becoming a point solution with very little integration and few automation capabilities beyond their traditional use case. With limited innovation, IPS systems have failed to evolve fast enough to address the challenges posed by today’s evolving threats and network landscape. Compounding the challenges facing dedicated IPS solutions even further, digital transformation around security tool consolidation has caught IPS products unprepared to adapt. Enterprises that want visibility, flexibility and scalability also want to manage their portfolio through a single pane of glass for ease of use and to simplify deployments, and this function is missing in single-point IPS products.

IPS has long relied on the presumption that other technologies would not be able to deliver the same capabilities with similar performance. As a result, very little development in the standalone IPS space has taken place for some time. This vacuum of innovation has led ancillary products, like Next-Generation Firewalls, to offer integrated IPS capabilities in addition to their core functions as an add-on.

This led to a decline in the market for dedicated IPS appliances, since enterprises could simplify deployment and management by simply enabling IPS functionality within their existing or upgraded network firewalls. They could manage their entire security policy – from adding application awareness and control to their firewall functionality, to deploying and managing things like IPS and VPN, all through a single network appliance. This was a great solution for enterprise security teams starved of resources and struggling with a shortage of skilled staff.

It's Not a Battle of Equals Among NGFWs Providing an IPS Solution

What most organizations, and vendors, forgot was that one of the things that dedicated IPS appliances did fairly well was provide deep inspection of encrypted traffic. Of course, that functionality came at a pretty steep cost. But by moving IPS functions to an integrated NGFW system, that functionality has been all but lost.

That’s because most traditional NGFW vendors rely on a generic Intel-based compute architecture that was simply never designed to meet the performance requirements of inspecting encrypted data. But today, as more and more network traffic is encrypted – according to the Google Transparency Report, between 87% and 97% of internet traffic is now encrypted, while the volume of malware using encryption is also increasing at a breakneck pace – the limited performance capacity of NGFW devices running IPS as an add-on forces a significant trade-off between performance and security. In fact, performance numbers are so low that most security vendors refuse to even publish them.

Even worse, turning on more IPS signatures to inspect the growing volume of encrypted traffic also results in serious deterioration of firewall performance, along with other functions critical to the network firewall. Organizations are therefore faced with the devil’s choice of not inspecting encrypted traffic, or turning off SSL and passing critical data through the firewall unencrypted. As a result, enterprises are struggling with how to balance security with performance, and whether the high expense of a dedicated IPS or a slow NGFW that includes IPS is a better fit.

Why Fortinet’s FortiGate Offers the Best of Breed IPS Solution

Fortunately, those aren’t the only choices available to organizations. Fortinet enables organizations to achieve a security-driven network with the highest-performing firewalls, innovative product portfolio, and deep integration with the Security Fabric and trusted partners to reduce complexity and protect the entire network from sophisticated threats. This includes the highest performing IPS solution of any NGFW in the industry – in fact, 20X faster than the industry average.

The FortiGate security platform, with its purpose-built hardware, leverages the superior performance provided by its dedicated security processors and network processors to deliver high IPS performance without impacting the flow of network traffic. Because FortiGate products deliver very high IPS inspection throughput with very low latency, they have a unique advantage over other NGFW vendors who struggle with performance once their IPS functions are turned on. FortiGate products not only offer better protection per Mbps of inspection than traditional dedicated IPS, but also offer additional capabilities that are missing in other IPS products available in the market.

FortiGate NGFWs, with their unique hardware design and architecture, have a proven track record of being successfully deployed as dedicated IPS solutions. Enterprises can realize the dual benefits of managing both their FortiGate network firewall and FortiGate IPS through a single pane of glass to leverage consistent security and policy management across their entire infrastructure, whether deployed in the data center, core network, branch office, or in a public or private cloud environment.

The other critical component that differentiates Fortinet from dedicated IPS vendors as well as other NGFW vendors competing in this space is our unmatched threat intelligence delivered by FortiGuard Labs. FortiGuard Labs collects, correlates, and delivers real-time intelligence on the threat landscape, providing comprehensive and actionable security updates across the full range of threats. This enables enterprises to prevent, detect, and mitigate advanced attacks automatically with the integrated, AI-driven breach prevention and advanced threat protection services from FortiGuard Labs. With over 14,000 IPS signatures and real-time updates, Fortinet’s IPS solution enables enterprises to respond to the latest threats faster, while offering complete protection for known, unknown, and zero-day threats.

For more details on how the FortiGate IPS offers a replacement strategy for existing dedicated IPS, download a copy of our whitepaper.
