Wrapping a firewall around the perimeter is no longer sufficient to meet the needs of modern networks. Technologies such as IPS need to be pushed into the network, not just at the edge, but throughout the entire infrastructure.During Network World’s recent Security Technology Tour, we received a lot of questions about intrusion-prevention systems. The problem is that there is little agreement on what an IPS really is.The security experts on the tour agreed on one thing: An IPS must be inline. That is, packets have to move through the IPS to prevent intrusions. While the idea of resetting connections and changing firewalls is a good interim step, enterprise-class intrusion prevention will require that the IPS handle packets, dropping them when something is wrong. A second assumption about IPS is that it is a “permissive” technology. In other words, an IPS will drop a packet if it has a reason to, but the default behavior is to pass traffic along. In contrast, a firewall is a “prohibitive” technology: It lets a packet through only if it has a reason to. Obviously, firewalls are also intrusion-prevention devices. Some experts say that all IPS vendors are talking about is what firewalls should be doing. But the difference in the orientation of these technologies suggests that they are not the same.More importantly, because they are different, you can use a firewall or an IPS or both at any point in your network. At the perimeter, it’s reasonable to expect that a firewall also will have an IPS built in. But at the core of the network, inline IPS might be built into switches and routers. How do you convince purse holders to buy into IPS? There’s no easy answer to that. The “fear factor” approach can be useful. Make the decision-makers afraid. Point out the new legislation regarding liability. And perhaps you’ll see the money start to flow. But that’s not a long-term solution.For some, an IPS can be justified on the “nuisance factor” instead. By blocking the thousands of Code Red and MS-SQL Slammer attacks coming into the network every hour, the load on the firewall is lightened, the Internet connection is faster and the Web server logs are easier to analyze.For others, IPS justification will have to be part of a larger program of security, justified on the basis of traditional ROI analysis.What’s clear from tour attendees is that wrapping a firewall around the perimeter is no longer sufficient to meet the needs of modern networks. Technologies such as IPS need to be pushed into the network, not just at the edge, but throughout the entire infrastructure. Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux news High-bandwidth memory nearly sold out until 2026 While it might be tempting to blame Nvidia for the shortage of HBM, it’s not alone in driving high-performance computing and demand for the memory HPC requires. By Andy Patrizio May 13, 2024 3 mins CPUs and Processors High-Performance Computing Data Center opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to Download our SASE and SSE enterprise buyer’s guide From the editors of Network World, this enterprise buyer’s guide helps network and security IT staff understand what Secure Access Service Edge (SASE) and Secure Service Edge) SSE can do for their organizations and how to choose the right solut By Neal Weinberg May 13, 2024 1 min SASE Remote Access Security Network Security PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe