Intrusion Prevention Systems
See What You’re Missing & Save
Like most enterprises, you will probably increase spending on network security this year.
You are responsible for that spend, but unfortunately, you may not get what you’re
paying for. For the last decade, every network security vendor has told you that if you
buy more appliances, you’ll be more secure. Every year, that hasn’t been true. And
every year, you’ve been paying more.
Intrusion prevention is a great example of this. Intrusion prevention systems (IPS) are
necessary, but they have become more and more expensive while being less and less
effective in today's environments. They lack any ability to see and control
applications, which today are the major threat vector and the typical target for
exploits. They are also completely unable to protect organizations against threats in
Changing the network security game in your company.
Recently, Gartner has gone on record recommending that enterprises move away from
stand-alone IPS to next-generation firewalls at their earliest refresh opportunity. Now,
you might ask yourself, “isn’t this just more stuff to put into my network?” The short
answer is no.
One of the benefits of next-generation firewalls is the simplification of your network
security infrastructure. More on that in a minute. The key benefit of a next-generation
firewall is the ability to control traffic not just by ports, protocols, and IP addresses,
but also by applications, users, and content. This completely changes the network
security game, enabling functions like intrusion prevention to be performed much more
effectively – firstly, by controlling applications, and then by enabling intrusion
prevention scanning on allowed application traffic – even if the content is
SSL-encrypted or compressed.
Compare your stand-alone IPS costs to next-generation firewall costs and you'll see that,
regardless of whether it's a data centre, gateway, regional or branch office requirement,
you can significantly decrease the cost of intrusion prevention, by as much as 86% per
network segment protected.
You size IPS appliances in two ways: throughput and ports (number of segments
protected). In simpler networks, throughput is the only concern, and sizing is easy. In
more complex networks, you must consider the number of network segments as well –
often forcing you to buy a more powerful box than you actually need in order to get the
number of ports required for the deployment.
In both comparisons, Palo Alto Networks next-generation firewalls not only offer
superior functionality (seeing and controlling applications, protecting against threats
in SSL-encrypted traffic), but also significantly lower costs. Here are some specific
examples comparing Palo Alto Networks next-generation firewalls with stand-alone IPS
products from 3Com/TippingPoint (HP) and IBM/ISS:
Regional or branch office deployment: save 24-60%
Typical regional or branch office deployments might require between 400 and 600 Mbps
of IPS throughput, and depending on the complexity of the network, adequate ports to
protect anywhere from 3-10 segments. For a regional or branch office deployment, we
often recommend a Palo Alto Networks PA-2050, which protects 10 segments with
500 Mbps of threat prevention throughput.
Internet gateway deployment: save 43-53%
Common enterprise Internet gateway deployments might need 2 Gbps of throughput,
and enough ports to protect 6 or more network segments. We often recommend the
Palo Alto Networks PA-4020 for these deployments, which can handle 2 Gbps of traffic
across 12 network segments (24 ports). Compared with comparable stand-alone IPS
products, the Palo Alto Networks appliance saves 43-53% per Mbps of throughput, and
65-84% per protected segment.
Data center deployment: save 54-64%
For a data centre or internal firewall deployment, intrusion prevention needs lots of
throughput (up to 5 Gbps), but the number of segments needing protection varies
widely (as few as 4, as many as 12) depending on regulatory concerns and the
infrastructure design. The Palo Alto Networks Next-Generation Security Appliance is
designed for this environment, and can save you 54-64% per Mbps, and 67-86% per
protected segment.
Not included in the above comparisons is the extra protection
from being able to see and control which applications run on the network, and the
ability to protect against threats in SSL-encrypted and compressed content. Those cost
savings are impossible to calculate, but given that many threat-bearing applications
(e.g., Gmail) now SSL-encrypt by default, these features are more critical than ever.
Save even more money
Many organizations have significantly simplified their security infrastructure with next-
generation firewalls. You can also realise significant additional savings by consolidating
other network security functions later (typically resulting in 40-60% savings of both
capital expenditures and hard operations costs for network security).
Next-generation firewalls provide next-generation protection
How is this possible?
Recognising and controlling applications, users, and content, regardless of port,
protocol, SSL encryption, or compression, requires substantial changes in both hardware
and software. That necessitated a clean-slate approach, which is what our single-pass,
parallel processing architecture delivers. It also required us to build a world-class
research center, one that has been credited with discovering more Microsoft
vulnerabilities in the last 6 months than any other IPS vendor's internal team. So not
only can you take advantage of game-changing infrastructure and benefit from superior
research and support, you can introduce this critical, innovative technology into your
company and save money in the process.
Please call Varidion today on +44 1372 233 333 to discuss how we can help you see
what you're missing.