Requirements for next-generation network intrusion prevention
- Standard first-generation IPS capabilities to support vulnerability-facing signatures and threat-facing signatures: An IPS engine that can perform detection and blocking at wire speeds and rapidly develop and deploy signatures, is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall, based on IPS inspection.
- Application awareness and full-stack visibility to identify applications and enforce network security policy: This needs to occur at the application layer, independent of the port and protocol, rather than only ports, protocols, and services. Examples include the ability to block families of attacks, based on identifying hostile applications.
- Context awareness to bring information from sources outside the IPS to make improved blocking decisions or to modify the blocking rule base: Examples include using directory integration to tie decisions to user identities and using vulnerability, patching state and geolocation information (such as where the source is from or where it should be from) to make more effective blocking decisions. It could also include integrating reputation feeds, such as blacklists and whitelists of addresses.
- Content awareness of various file types and communications: It should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files (which have already passed through antivirus screening), as well as outbound communications. In addition, it should make pass, quarantine, or drop decisions in near real time.
- Agile engine: It should support upgrade paths for the integration of new information feeds and new techniques to address future threats, including hitless upgrades, global threat intelligence integration, scalable hardware, signature updates, Snort-capable), packet capture, and complementary solutions (Source: Gartner, Defining Next-Generation Network Intrusion Prevention, 2011)