Business & Technology

Firewall and IPS vs. NGFW: Which is Best for You?

By Nat Smith | June 13, 2018

Key to securing every corporate network and data center is an intrusion prevention system (IPS). Every moment of every day, an IPS system works to detect malicious content in network traffic to prevent attacks and exploits for organizations of all sizes. But as the digital infrastructure changes, the traditional IPS market is also being forced to evolve.

Most organizations have long relied on a separate IPS appliance to protect their corporate network and data center. Today, companies are reconsidering whether to continue to run a standalone IPS appliance or to consolidate the IPS and other security functions into next-generation firewalls (NGFWs). Which option is right for your organization? As with many decisions involving an organization’s approach to information security, there are pros and cons to both paths.

What is an Intrusion Prevention System (IPS)?

IPS is a mandatory component of any organization’s security strategy - or at least it should be! IPS was originally developed to work side-by-side with your network firewall. While firewalls filter network traffic and block traffic that’s not approved, the IPS is designed to analyze the content of that traffic in real time to detect and prevent attacks.

To better understand the role IPS plays when it comes to network security, let’s consider an analogy using airport security. Though airport security is multifaceted, for the purposes of our analogy we’ll keep it simple.

The first step in airport security is to check a passenger’s ticket and identification. Only those passengers who have a valid ticket and proper ID are authorized to enter the terminal and, eventually, board the aircraft. In a similar way, when it comes to network security, a firewall checks traffic against a set of rules (validated ticket and ID), ensuring that only authorized traffic is allowed onto the network (aircraft).

But that is only part of the airport security process. Passengers and their baggage also need to be checked. When it comes to checking what a passenger is wearing and their baggage, a passenger’s ticket and ID are insufficient. All authorized passengers must also participate in body and baggage inspection to ensure they are not carrying anything dangerous. 

This is similar to what IPS does for network security. The firewall doesn’t check the flow payload (the “bags”) - it focuses on indicators that help it determine whether the traffic is authorized or not, such as the origin of the traffic, who sent the traffic, and the type of application being used.

IPS is like the airport’s security baggage check. Think of malware as baggage posing a security risk. IPS ensures that all network traffic is reassembled so that it can properly check content for unwanted files, vulnerabilities, or threats in the traffic that can only be seen by inspecting the payload.

Choosing a Standalone IPS and Firewall vs. NGFW with IPS Capabilities

In a nutshell, organizations have two IPS choices: (1) they can implement IPS through standalone IPS appliances, or (2) they can implement an NGFW with IPS functions integrated. One isn’t necessarily better than the other. Both have their benefits. Ultimately, organizations must decide what their specific cost restrictions and security needs are to make the right decision and maximize their investment.

Organizations that stay with standalone IPS appliances tend to value more robust performance and inspection capabilities, while organizations that move to an NGFW solution with integrated IPS often look to streamline administrative tasks, which reduces costs. In this consolidated scenario, the amount of cost savings usually depends on how many NGFW features are enabled to make operations more efficient. In general, the size of network links and an organization’s particular security requirements dictate whether to go with the first path—IPS through standalone appliance—or the second—an NGFW that includes IPS capabilities.

Option #1: Standalone IPS and Firewall

In general, large organizations have complex networks and large data centers where data security is paramount. The content inspection capabilities available in standalone IPS appliances are particularly suitable to these organizations because they want to inspect every packet of traffic to ensure there is no malicious content. This means that the IPS capabilities of standalone IPS appliances tend to be more vigorous than similar functionalities available in most NGFWs, such as multiple inspection engines and specialized workflows. 

For example, typical NGFWs inspect traffic flows with a single, rudimentary IPS engine that only matches the signatures of known threats. This may be “good enough” regulatory compliance for some organizations. However, morphing malware is problematic for this engine because it uses a unique signature for every mutation. That means massive amounts of new signatures must be made available from the IPS vendor, and organizations must continuously add loads of new signatures just to keep up. This process does not scale and probably contributes to the market perception that NGFW inspection is not as good as standalone IPS.

Performance is typically another benefit of a standalone IPS. Many NGFWs with integrated IPS have difficulty scaling to the performance speeds of the data center. Turning on signature-matching IPS engine capabilities significantly reduces performance in all NGFWs. The bottom line is that if a company needs top-shelf performance and security for its data center or corporate network, the deployment of separate firewall and standalone IPS solutions is usually the best path forward.

Option #2: IPS Capabilities Within the NGFW

Although organizations of all sizes have transitioned to NGFWs that include IPS capabilities, small and medium organizations—including the branch offices of larger organizations—are especially likely to go this route because of a desire to keep costs low, at the expense of living with more security risk. Incorporating IPS and other security functions, such as firewall, virtual private network (VPN), and antivirus, in an NGFW significantly simplifies device management and addresses issues related to limited security staff. This is an important part of the equation in view of the shortage of skilled cybersecurity professionals.

Total cost of ownership (TCO) savings resulting from incorporating IPS within NGFWs cannot be overemphasized. As organizations try to balance the simplification of managing their security with overall costs, moving to an approach where IPS capabilities are included within an NGFW can significantly ease configuration requirements and improve device visibility. Without integration, IT staff will often duplicate the same tasks in different ways for different systems. Getting new staff up to speed takes longer in such a siloed environment, and usually requires a larger security team to sufficiently manage all of the different systems. A tightly integrated solution that includes IPS and NGFW resolves this problem by optimizing efficiencies as well as the effectiveness of an organization’s security processes. For this option, it is important to find NGFWs that provide world-class IPS detection methods without compromising on performance.

Moving Forward with the Option That’s Best for You

As network security management looks at whether to run a standalone IPS appliance or consolidate their IPS and other security functions into an NGFW, there are key issues they must consider. If the organization needs sophisticated inspection capabilities, then the decision for a standalone IPS could be a relatively easy one. If costs and simplification are more important, then the benefits of incorporating IPS into NGFW will be particularly attractive. Understanding security requirements and the amount of risk an organization is willing to accept while also creating an inventory of available team security skills and where they are being focused can help organizations evaluate and determine which option is the best fit for them.