IBM yesterday introduced what it’s calling a “next generation” intrusion-prevention system (IPS), an offering that not only is designed to stifle network-based attacks, but adds application-level controls and URL filtering capabilities typically found in separate products such as Web security gateways.
The Security Network Protection XGS 5000 appliance, expected to ship in August for a shade under $50,000, integrates IBM’s core IPS technology with threat-monitoring features such as the ability to identify misuse of the Web by end users and to block dangerous URLs known to spread malware. The XGS 5000 does not include a traditional firewall, however.
“Part of this is about a marketing position in the firewall versus the IPS space,” says Scott Crawford, managing research director at Enterprise Management Associates, noting that typically there are different buyers for firewall and IPS products. With the XGS 5000, IBM wants to maximise its influence with IPS buyers (IBM ranks only behind Cisco with 13.2% of the $1.88 billion market, according to IDC).
IDC security research analyst Charles Kolodgy says the IBM XGS 5000 does represent a new kind of IPS-based product that “improves network, user, and application awareness” and “vastly improves an IPS’s ability to provide full network protection, especially trying to uncover custom malware and stealth attacks perpetrated by advanced persistent threats.” APT is the term use to describe stealthy attacks to try and steal sensitive corporate data.
Sourcefire and McAfee “are producing similar boxes,” Kolodgy says, and Barracuda previewed a similar type of appliance at the Black Hat security conference last week.
Although the term “next-generation IPS” is starting to be bandied about, Kolodgy said IDC is still pondering the usefulness of this phrase or whether a new category entirely should be established that “goes beyond either firewall or IPS.”
“The uniqueness isn’t so much in the application layer and URL, a lot of products have that, but it’s in the ability to set up security at the user level (like the next-generation firewall), correlate that information (in this case with QRadar), and utilise cloud-based threat intelligence to uncover malicious websites and files,” Kolodgy explains.
Another industry watcher, Current Analysis principal analyst for enterprise security Paula Musich, calls the IBM appliance innovative in that it adds “three new malware detection engines that focus on exploit payload detection, Web application protection and file and content inspection.”
Sourcefire has already released a next-generation IPS, she points out, adding, “I think we’ll see some overlap between next-generation firewall and next-generation IPS products in the market.” She concludes, “I’m aware of at least one enterprise that is evaluating both for the same project. Right now, the market is highly fragmented, and vendors that describe their products as next-generation firewall, UTM appliance and next-generation IPS are all competing for the same budgets.”
John Cloonan, IBM program director for threat protection in IBM Security Systems, says the XGS 5000 has an approximate 3Gbps of throughput, and represents the “moderate end” for traffic. However, IBM plans to release a wider range of appliances with varying throughput levels based on its next-generation IPS technology in the future.
He says one advantage in the fine-grained controls the XGS 5000 permits is that you could set it up to allow users to read personal email but “maybe not the have access to the attachment” if that was deemed a security risk. And “if I know someone is going to a website known for malware, I can block that.” The XGS 5000 can work with IBM’s QRadar security information and event management product as well.