Intrusion prevention systems (IPS) are one of the earliest forms of network security products. At NSS, we have tested IPS technology for years (since 2013 for those of you tracking our group tests), and we routinely discuss the technology with our clients, covering everything from test methodologies to log output. We also provide guidance on how to measure the value of an IPS, and we look at where NSS test data fits in.
We conduct primary research to ensure our understanding of cybersecurity product usage aligns with that of IT security teams. This research digs into details and also asks questions that give insight into broader trends, which is valuable in many ways—from assessing product satisfaction all the way to building network architecture diagrams. The following IPS-specific excerpts are from our 2019 Security Architecture Study:
- About half of the survey respondents (211 of 389, or 54%) reported deploying IPS technology.
- Most commonly reported form factors were as follows: virtual appliance on premises (31%), followed by physical appliance on premises (30%), IaaS-based IPS (27%), and IPS-as-a-Service (18%).
- 70% of the respondents from very large enterprises (VLEs) and 64% of the respondents from large enterprises (LEs) reported deploying an IPS on premises.
The findings in the first two bullets confirmed what we expected regarding how widely IPS are deployed and which form factors are most typically in use. When we dug deeper into the data, we found that between 2017 and 2019 there appeared to be a significant decline in on-prem deployment of IPS. In 2017, 86% of the VLEs surveyed reported deploying an IPS vs. 70% in 2019 (a similar trend exists for LEs). However, conversations with our clients point to a possible shift in how IPS are being deployed rather than a general downward trend in deployment. This shift may indicate a trend that we will track in future primary research studies. Intrusion prevention technologies can be deployed as on-prem physical appliances, on-prem virtual appliances, cloud-based virtual appliances, or cloud-delivered services, all of which are being explored by enterprises.
Enterprises are also revisiting where they deploy their IPS. The technology is traditionally installed at the network perimeter to scan north-south traffic. Since next-generation IPS (NGIPS) products provide application-layer visibility, user-level visibility, and traffic enforcement capabilities, they can be used as tools for the segmentation of internal networks to control east-west traffic. Their fine-grained policies can be leveraged to provide better visibility than the often coarse-grained traditional VLAN policies and ACLs. However, this use case is not without operational impact and is more likely to be successful in small-to-large enterprises with mature IT security architectures. This shift in purpose could signify an interesting architectural evolution, and we will continue to track it with our clients.