Six Steps To Choosing Your Next Gen Intrusion Prevention System

Six Steps To Choosing Your Next Gen Intrusion Prevention System

New technologies bring new challenges

six steps to choosing your next gen instrusion prevention systemToday’s IT professionals—regardless of industry—are adopting the latest technologies to meet increasing bandwidth demands, create higher and faster performing networks and increase availability as cost-effectively as possible. But new technologies bring new challenges, and organizations’ IT departments must rapidly adjust to the latest technologies while keeping their already stressed network infrastructures stable and secure. As such, the most common question when adopting a new technology or device is simply: How can I be sure the solution I choose will perform as expected in my network?

If the new deployment involves next-generation firewalls or Intrusion Prevention Systems (IPS), this decision can have added challenges. The sophisticated high-performance network and security devices within these infrastructures require a more comprehensive approach to testing and validation than traditional testing tools can provide. Today’s devices use deep packet inspection (DPI) to examine traffic in ways that legacy testing tools were never designed to validate.

These devices, and the complex traffic they handle, demand testing with real-world application, attack and malformed traffic at line-rate speeds. Without this improved approach, contentaware equipment cannot be stressed thoroughly or accurately enough to determine its true capabilities. That’s why companies are turning to an objective testing approach that allows them to impose their own conditions during pre-purchase evaluations, ensuring that they can rigorously validate device capabilities under real-world scenarios, including the applications they must handle, actual user behavior and the attacks they expect to see. Doing this prior to deployment will not only save time and money, but it also ensures that the network remains resilient. Therefore, it’s imperative that IT buyers follow the six steps outlined below to make informed purchase decisions, eliminating costly post-deployment troubleshooting.

Create and prioritize specifications for products to be evaluated. As with any project, it is wise to begin with the end goal in mind. Before considering any piece of equipment, define and prioritize the company’s needs for infrastructure build-out. Otherwise, it is too easy to dive into questions of “speeds and feeds” without taking into account broader objectives. A good way to start is by asking fundamental questions. How should the infrastructure support key objectives? What are the transaction latency requirements? How important is the security of transactions in comparison to their speed? Which services are most sensitive, requiring the highest levels of security? Is application inspection necessary?

Rethink testing around repeatable, quantitative principles. Create a plan for stressing each device under test (DUT) with realworld application, attack and malformed traffic at heavy load. Doing this is not as simple as taking the older, ad hoc approach to testing and then injecting authentic traffic. Instead, the entire plan should embrace a standardized methodology and scientific approach to eliminate guesswork. That means the plan must use repeatable experiments that yield clear, quantitative results to accurately validate the capabilities of DPI-enabled devices. Previously, IT professionals have lacked the precision equipment necessary to enforce consistent standards across testing processes. Today, however, they have access to superior testing products that create authentic network traffic and capture precise measurements of its effects, even for complex environments.

Use standardized scores to separate pretenders from contenders. It is relatively straightforward to use standardized scoring methods to pare down a long list of candidate devices without performing comprehensive validation of each product. These scores quickly eliminate devices from consideration that clearly do not meet an organization’s needs. The resulting score is presented as a numeric grade from 1 to 100. Devices may receive no score if they fail to pass traffic at any point or if they degrade to an unacceptable performance level. The Resiliency Score1 takes the guesswork and subjectivity out of validation and allows administrators to quickly understand the degree to which system security will be impacted under load, attack and real-world application traffic.

Test final contenders with individual test scenarios that mirror the production environment. True validation requires an accurate understanding of the application, network and security landscape in which devices will be operating. Review the infrastructure’s traffic mix and the mixes of service providers before designing individual tests; this will ensure that the testing equipment reflects the latest versions and types of application traffic that traverse the network. However, generating real traffic is not enough. The traffic mix used also must be repeatable yet random. Randomization makes test traffic behave like real-world traffic, creating unexpected patterns that force DUTs to work harder. Creating repeatable, random traffic requires testing equipment that uses a pseudorandom number generator (PRNG) to set a seed value that creates standardized, random traffic.

Execute a layered testing progression that includes load, application traffic, security attacks and other stress vectors. This is where the scientific method comes into play. By changing only one variable at a time and testing the parameters established earlier, this progression will reveal the specific strengths and weaknesses of each product, replacing guesswork with verifiable results. The processes in this phase ensure that a DUT can adequately handle heavy load, in terms of both sessions and application throughput. If the device cannot pass these tests with traffic known to be free of attacks, there is no way it will process enough traffic once its security features are turned on or when it also must handle malformed traffic or other stress vectors.

Lay the groundwork for successful purchase negotiation, deployment and maintenance. Deploying untested network and security devices creates nightmare scenarios. Untested equipment requires weeks of post-deployment troubleshooting that is frustrating and time-consuming, and often leads to finger-pointing and costly remediation steps. This is particularly true when device outages, security breaches or unplanned bottlenecks affect entire infrastructures; such failures can damage an organization’s reputation. Testing pre-deployment minimizes the risk of these problems and saves hundreds of hours of staff time by eliminating surprises and guesswork. Selecting the right device is about more than finding the right make and model, it also means choosing the right amount of equipment for the infrastructure in order to meet business needs.

IT departments should look for information that goes far beyond the performance and security features that can be read off a data sheet. They should be measuring the security and stability of their IPSs based on real-world conditions, not generic conditions in a lab. Another common mistake that IT departments make is relying on test lab reports to make informed decisions. Labs often perform device testing in isolation, without regard to the unique environments of purchasers. Also, test lab reports are often funded by device manufacturers, which inevitably raise objectivity questions. Ultimately, IT departments choose a firewall vendor, but they never feel as though they truly understand how well the device is going to work. Will it actually recognize the difference between applications, even at a granular level, such as the difference between Facebook traffic and Facebook messaging traffic? Putting that next-gen firewall/IPS through proper context-aware testing is the only way to be confident it will perform as advertised.

If IT leaders follow these technical recommendations and avoid making common mistakes, they can select the right products to meet their business objectives, improve infrastructure planning and resiliency by understanding device capabilities and save up to 50 percent on IT investments. This also eliminates hundreds of man-hours in post-purchase configuration and tuning, and gives purchasers advanced insight into device capabilities, enabling them to configure devices appropriately in order to avoid surprises and delays.

This article originally appeared in the February 2013 issue of Security Today.


  • Progressing in Capabilities

    Progressing in Capabilities

    Hazardous areas within industries like oil and gas, manufacturing, agriculture and the like, have long-sought reliable video surveillance cameras and equipment that can operate safely in these harsh and unpredictable environments. Read Now

  • A Comprehensive Nationwide Solution

    A Comprehensive Nationwide Solution

    Across the United States, manufacturing facilities, distribution centers, truck yards, parking lots and car dealerships all have a common concern. They are targets for catalytic converters. In nearly every region, cases of catalytic converter thefts have skyrocketed. Read Now

  • Planning for Your Perimeter

    Planning for Your Perimeter

    The perimeter is an organization’s first line of defense and a critical element of any security and surveillance program. Even if a building’s interior or exterior security is strong, without a solid perimeter surveillance approach any company or business is vulnerable. Read Now

  • The Key Issue

    The Key Issue

    It is February 2014. A woman is getting ready in her room on a cruise ship when she hears a knock on the door; it is a crewmember delivering breakfast. She is not presentable so she tells him to leave it by the door. Read Now

Featured Cybersecurity

New Products

  • Genetec Security Center

    Genetec Security Center

    This major new release allows more system components to run in the cloud, reducing the gap between cloud and on-premises security systems. It also makes it easier to connect external systems and tap external data for use in dashboards, maps and investigations without relying on complex, specialized integrations. 3

  • VideoEdge 2U High Capacity Network Video Recorder

    VideoEdge 2U High Capacity Network Video Recorder

    Johnson Controls announces a powerful recording solution to meet demanding requirements with its VideoEdge 2U High Capacity Network Video Recorder. This solution combines the powerful capabilities of victor with the intelligence of VideoEdge NVRs, fueled by Tyco Artificial Intelligence, for video management that provides actionable insights to save time, money and lives. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3