A History of IPS and the Cloud, and Why It’s Happy Times Again
Until recently it seems not only has network defence come full circle, but that circle took us back in time. Stopping attacks on networks started out as a detect-only regime. Bad things were spotted, and people had to take action to limit the damage or respond quickly enough. The emphasis was placed on limiting what could traverse gateways and firewalls, and IDS would spot the bad stuff. If that sounds weak, it was, and IPS was the advancement. If you could spot what clearly were attacks, why not block them?
Things were just swell for a while, until virtualisation, hybrid, and multi-cloud came along. Almost all IPS and firewalls to that point were delivered as appliances, because general-purpose servers couldn’t deliver the network inspection capabilities needed to keep latency low enough for blocking to be effectively real time. This was never an issue for IDS, because IDS was always ‘out of band’ and could inspect at its own pace. IPS has to be in the path of packets in order to block the bad stuff. Cloud really challenged the technology, because virtualising the appliance-type IPS software meant eating up incredible capacity in private cloud, or spending a lot on public cloud cycles. At the same time, a lot of cloud technologies didn’t expose enough of the virtual network for IPS to be placed at virtual switches, for example. So, putting IPS into cloud, especially hybrid and public cloud, was difficult.
Organisations reacted by leaning on IDS. Cloud providers offered native IDS features. At the same time a bit of a bad trend was happening (I’m not sure if it was chicken or egg): leaning on detection was seen to be fashionable. Some of the reasons at the time made sense, including a lot of heterogeneity and the fact that the old security architectures weren’t suitable for the new technology. The result is that bad things get detected but not blocked. One excuse was that ‘you’re always going to get breached so detection is key’, but that ignores the logic of blocking the known bad stuff. I know there could be disagreements about how the security philosophy progressed (hey, this is the internet after all) but no matter the route, we ended up in a place with IDS and nearly no IPS in our clouds. No ‘virtual patches’ in that critical period between when a new vulnerability is known about and a patch is successfully deployed across the organisation.
Things got worse again recently when the era of multi-cloud became reality, and organisations had to contend with rationalising native IDS from multiple cloud vendors, each with their own API, management console, and approaches. Again, no blocking.
So, kudos to Gartner this year when they recognised the issue and said “Enterprises will migrate to a new model where they will consolidate multiple cloud network security services with one vendor to reduce complexity.”1
At the same time, two events made IPS for hybrid and multi-cloud possible. The first event was cloud technology providers exposing more of virtual networking and providing new features that network inspection technologies could leverage. The second was a bottom-up rework of IPS technology to work in a cloud environment and also leverage those features. Not only is IPS now available that scales in the cloud, but it is also born in the cloud, so it can be orchestrated into being and built into the operating and subscription models cloud ops are used to, rather than ye olde appliance throughput models. Just to clarify, I’m not talking about ‘IPS as a service’ where traffic would be sent to an external cloud, but having IPS in any or all of the networks within your clouds – multi-cloud or hybrid cloud.
We’ve come full circle back to blocking threats again. Nothing bad ever comes from blocking known bad things. Unless you are an attacker.
1 Gartner, Top Security and Risk Management Trends, February 27, 2020