Intrusion Prevention Solutions
Standalone IPS products will soon be gone, as IPS functionality becomes integrated as a standard feature of Next Generation Firewalls.
“With traditional IPS solutions, you’re typically going to get eight ports, which allows you to cover usually four segments. Mid-level Palo Alto Network boxes come with 16 copper and eight fiber ports, which gave us a huge amount of flexibility compared with where we were.” Carl Boyer, Director of Information Security for Farm Credit Financial Partners
Threats target applications, and enterprises struggle to control modern applications with existing security infrastructure. The current landscape dictates a new set of requirements for comprehensive intrusion prevention.
Are you struggling to defend your organization against new and emerging threats? As modern hackers increasingly turn to new applications to deliver and hide threats, many enterprises are finding out the hard way that their traditional stand-alone IPS is not up to the task of preventing application-enabled threats. This is precisely why Gartner has recommended that organizations migrate away from stand-alone IPS and move to a next-generation firewall to prevent intrusions into the network.
Palo Alto Networks offers the only true next-generation firewall, which delivers a proven, two-pronged approach to threat prevention. First, Palo Alto Networks reduces the threat footprint by controlling which applications are allowed into the network. Then the solution inspects the permitted traffic for vulnerability exploits, viruses, and malware with a proven 93.4% IPS catch rate. All of this is done at 115% of stated datasheet performance, as noted in the recent IPS test by NSS Test Labs.
Using Palo Alto Networks to Save Money on Intrusion Prevention
Compare your stand-alone IPS costs to next-generation firewall costs and you’ll see – whether a data center, gateway, or regional or branch office deployment – that you can significantly decrease the cost of intrusion prevention, by as much as 86% per network segment protected.
IPS appliances are sized in two ways: throughput and ports (number of segments protected). In simpler networks, throughput is the only concern, and sizing is easy. In more complex networks, you must consider the number of network segments as well – often forcing you to buy a more powerful box than you actually need in order to get the number of ports required for the deployment.
Would you like to learn more about the future of IPS? Download our whitepaper now so you can make an informed decision before your next IPS purchase or renewal.
As you probably know, last year Gartner recommended that enterprises migrate from stand-alone IPS to next-generation firewalls for performing IPS functions. While this advice made intuitive sense based on the tight relationship between apps and threats, until now there was a lack of empirical evidence to confirm that a next-generation firewall could actually stand up to the challenge of being a true IPS.
NSS Test Labs, the world’s largest security and performance testing lab, has recently completed in-depth IPS testing of the Palo Alto Networks next-gen firewall. Our solution was tested against 1,179 live exploits in what was the industry’s most comprehensive IPS test to date. The results were crystal clear and provided the hard proof of what our next-generation firewalls can really do. Key results include:
- The highest IPS block rate in recent history (93.4%)
- 100% resistance to IPS evasion techniques
- Simple IPS configuration and tuning
- All of the above while delivering 115% of the stated datasheet performance
Why Choose Palo Alto Networks for IPS
Palo Alto Networks provides customers with the best intrusion prevention option in the industry based on effectiveness, performance and usability as verified in the recent IPS test performed by NSS Labs. NSS Labs tested the Palo Alto Networks solution against 1,179 live exploits in what was the industry’s most comprehensive IPS test to date. The system was tested with a wide variety of traffic that varied by payload size, protocol, attack target and end-user delay time to ensure a reliable, real-world test bed.
Industry Leading IPS Effectiveness
The results of the NSS tests referenced above found that Palo Alto Networks accurately detected and blocked 93.4% of all of the 1,179 attacks, putting Palo Alto Networks easily in the uppermost echelon of IPS solutions based on core functionality. Tests included all types of attack methodologies, applications and targets. As a reference, the 2009 IPS group test found IPS block rates ranging from 17% to 89%.
Performance and Scalability
IPS systems are notoriously prone to degrading network performance in direct relation to the number of signatures that are enabled on the system, which almost invariably leads to a conflict between the security and network operations teams. In NSS lab tests, Palo Alto Networks delivered an industry-best 93.4% block rate, while maintaining 115% of the stated datasheet IPS performance for the appliance.