As Anil Kapur, IPS product manager at Cisco, describes it, if the firewall is the door, an intrusion prevention system is the inspector behind that door who knows what valuables are in the safe. He also knows, by the tools in the intruder's backpack, whether he's a safecracker. If so, the inspector deflects the attack. But confusion surrounds an IPS's deployment in the highly virtualized data center, the virtualized public cloud, and the mixed scenarios to come.
In the traditional, on-premises data center, a stand-alone IPS appliance could simply sit at the network edge, just behind the firewall, and inspect all incoming traffic. In the increasingly virtualized and borderless data center, IPS sensors must also stand guard at the network core, and sometimes within host servers, between virtual machines. Host-based intrusion prevention itself runs on a virtual machine, spun up on demand.
Intrusion prevention now becomes the responsibility of the server team as well as the network team.
HOW IT WORKS
Network- and host-based protection overlap at the hypervisor, which mediates between host servers and the virtual machines they contain. As SMBs migrate to heavily virtualized, off-premises servers, they need IPSs that work with hypervisors - chiefly those from VMware, Citrix, and Microsoft.
Cisco claims to have an IPS that works with several hypervisors in virtualized and hybrid cloud scenarios. Trend Micro likewise claims to have such a comprehensive solution in its Deep Security offering, working with VMware.
The hybrid cloud - spanning both the in-house data center and the public cloud - adds a new complexity that should become increasingly common as SMBs reach into Rackspace or Amazon Web Services or a channel partner's own data center to house some of their applications or to provide extra compute power during peak usage. Such businesses will need to apply tailored IPS and firewall policies consistently across physical and virtual servers, at home and in the cloud.
“If, for example, end users need to transfer files to another organization,” suggests Kapur, “you as MSP will open the FTP port for them on the firewall, and also make sure you enable the [anti-malware] signatures for FTP on the IPS so that nobody exploits that opening.”
Greg Young, research vice president at Gartner Inc., cautions that the great majority of intrusion prevention systems in use today run on dedicated, purpose-built processors, and that host-based IPSs running on nonspecialized virtual machines exact a heavy performance toll.
But Jeff Wilson, principal security analyst with Infonetics Research, finds IPSs for the hybrid cloud worth investigating for the medium term. He also says that Cisco's 1000V Nexus InterCloud solution, which unifies the hybrid cloud and virtual machines under one management pane, puts Cisco first to market with a blanket IPS capability spanning public and private clouds.
“Even though the bulk of Cisco revenue in security comes from selling ASA firewalls,” says Wilson, “they have to do this now because in three to five years it'll be a mainstream requirement.”