Intrusion Prevention Solutions
“You’re limited in the number of ports you can monitor with most IPS boxes – and adding more ports can get pretty expensive.. Instead of investing more into the existing IPS boxes, which would only cover three segments, Mercy could cover eight using Palo Alto Networks, saving the company money.”
- Dan Schulte, Manager of Network Security at Sisters of Mercy Health System
Traditional IPS is a relatively passive approach to threat prevention in that the IPS simply sits in line and waits for threats to hit the network without doing anything to proactively address the attack surface of the enterprise. Palo Alto Networks allows you to proactively reduce the risk on your network by limiting traffic to the applications and users that are approved for your network. This instantly reduces the attack surface of your network from every known vulnerability in the world, to just the relatively few vulnerabilities in the apps that you actually use.
Secondly, traditional IPS has failed to address how threats have learned to use applications as enablers. Today’s threats increasingly use applications that are invisible to most firewalls and threat detection solutions. Applications such as IM, P2P, Skype, Webmail all use security evasion tactics of one type or another. Evasive applications will dynamically hop ports, re-use other ports, emulate other applications or tunnel inside SSL, thereby going undetected and therefore avoid inspection.
While existing Intrusion Prevention System’s (IPS) do a relatively good job of looking for threats in traditional protocols like FTP and POP3, they fail at detecting newer evasive application and threats that can hide within applications themselves. The fact of the matter is most IPS still use port and protocol as the initial traffic classification mechanism and as such, may miss the threat carrying application.
IPS solutions also suffer from chronic performance challnges. Typically as the quality of IPS goes up, the performance and throughput go down. Palo Alto Networks was designed from the ground up to meet enterprise performance demands by leveraging specially designed hardware appliances and a unique Single Pass software architecture. This unique architecture has been proven in independent lab testing to provide best-of-breed IPS accuracy while maintaining documented levels of performance and throuput.
￼ Next-Generation Firewalls
Palo Alto Networks next-generation firewalls addresses both of these issues with a two pronged solution to threat prevention. First, identify and control the applications traversing the network to reduce the threat footprint, then inspect the permitted traffic for application vulnerability exploits using a single pass software architecture that is accelerated in hardware.
Why Choose Palo Alto Networks for IPS
Palo Alto Networks provides customers with the best intrusion prevention option in the industry based on effectiveness, performance and usability as verified in the recent IPS test performed by NSS Labs. NSS Labs tested the Palo Alto Networks solution against 1,179 live exploits in what was the industry’s most comprehensive IPS test to date. The system was tested with a wide variety of traffic that varied by payload size, protocol, attack target and end-user delay time to ensure a reliable, real-world test bed.
Industry Leading IPS Effectiveness
The results of the NSS tests referenced above found that Palo Alto Networks accurately detected and blocked 93.4% of all of the 1,179 attacks, putting Palo Alto Networks easily in the uppermost echelon of IPS solutions based on core functionality. Tests included all types of attack methodologies, applications and targets. As a reference, the 2009 IPS group test found IPS block rates ranging from 17% to 89%.
Performance and Scalability
IPS systems are notoriously prone to degrading network performance in direct relation to the number of signatures that are enabled on the system, which almost invariably leads to a conflict between the security and network operations teams. In NSS lab tests, Palo Alto Networks delivered an industry-best 93.4% block rate, while maintaining 15% over stated datasheet IPS performance for the appliance.
93.4% Threat Block Rate at 2.3 Gbps
100% Resistance to IPS Evasion Techniques
15% Over Stated Performance
Using Palo Alto Networks to Save Money on Intrusion Prevention
Compare your stand-alone IPS costs to next-generation firewall costs and you’ll see – whether a data center, gateway, or regional or branch office deployment – that you can significantly decrease the cost of intrusion prevention, by as much as 86% per network segment protected.
IPS appliances are sized in two ways: throughput and ports (number of segments protected). In simpler networks, throughput is the only concern, and sizing is easy. In more complex networks, you must consider the number of network segments as well – often forcing you to buy a more powerful box than you actually need in order to get the number of ports required for the deployment.
In both comparisons, not only do Palo Alto Networks next-generation firewalls offer superior functionality (see and control applications, protect against threats in SSL-encrypted traffic), but significantly lower costs.