Wrapping a firewall around the perimeter is no longer sufficient to meet the needs of modern networks. Technologies such as IPS need to be pushed into the network, not just at the edge, but throughout the entire infrastructure.During Network World’s recent Security Technology Tour, we received a lot of questions about intrusion-prevention systems. The problem is that there is little agreement on what an IPS really is.The security experts on the tour agreed on one thing: An IPS must be inline. That is, packets have to move through the IPS to prevent intrusions. While the idea of resetting connections and changing firewalls is a good interim step, enterprise-class intrusion prevention will require that the IPS handle packets, dropping them when something is wrong. A second assumption about IPS is that it is a “permissive” technology. In other words, an IPS will drop a packet if it has a reason to, but the default behavior is to pass traffic along. In contrast, a firewall is a “prohibitive” technology: It lets a packet through only if it has a reason to. Obviously, firewalls are also intrusion-prevention devices. Some experts say that all IPS vendors are talking about is what firewalls should be doing. But the difference in the orientation of these technologies suggests that they are not the same.More importantly, because they are different, you can use a firewall or an IPS or both at any point in your network. At the perimeter, it’s reasonable to expect that a firewall also will have an IPS built in. But at the core of the network, inline IPS might be built into switches and routers. How do you convince purse holders to buy into IPS? There’s no easy answer to that. The “fear factor” approach can be useful. Make the decision-makers afraid. Point out the new legislation regarding liability. And perhaps you’ll see the money start to flow. But that’s not a long-term solution.For some, an IPS can be justified on the “nuisance factor” instead. By blocking the thousands of Code Red and MS-SQL Slammer attacks coming into the network every hour, the load on the firewall is lightened, the Internet connection is faster and the Web server logs are easier to analyze.For others, IPS justification will have to be part of a larger program of security, justified on the basis of traditional ROI analysis.What’s clear from tour attendees is that wrapping a firewall around the perimeter is no longer sufficient to meet the needs of modern networks. Technologies such as IPS need to be pushed into the network, not just at the edge, but throughout the entire infrastructure. Related content news Alkira expands NaaS platform with ZTNA capabilities Network-as-a-service vendor Alkira looks to extend security down to user policies and posture for a full zero-trust approach. By Sean Michael Kerner Oct 23, 2024 6 mins SaaS Network Security Networking news IBM launches platform to protect data from AI and quantum risks The SaaS-based Guardium Data Security Center provides unified controls for protecting data across distributed environments, including hybrid cloud, AI deployments and quantum computing systems. By Michael Cooney Oct 22, 2024 4 mins Generative AI Hybrid Cloud High-Performance Computing analysis Gartner: Top 10 strategic technology trends for 2025 Agentic AI, post-quantum cryptography, AI governance, and hybrid computing are among the most pressing and potentially disruptive trends that enterprises are facing, Gartner reports. By Michael Cooney Oct 21, 2024 8 mins Generative AI Edge Computing Network Security analysis Has the time come for integrated network and security platforms? Platformization buy-in has been elusive in the past, but AI could be the impetus for enterprises to give new consideration to the idea of a consolidated network and security platform. By Michael Cooney Oct 21, 2024 5 mins SASE Generative AI Network Security PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe