Thursday, September 5, 2013

Intrusion Prevention System Selection Criteria, Evaluation & Buying Guide

An intrusion prevention system (IPS) is a critical component of every data center: it provides proactive security and blocks advanced persistent attacks. Selecting the IPS that works best within a defense-in-depth security architecture is a hard process. You need to evaluate each IPS on the market, and I advise running a proof of concept that exercises each feature of each candidate in depth. It must not be a look-and-feel POC.

Here I will discuss the initial features that must be available out of the box in any IPS solution. The criteria are general, unlike a buying guide that describes one particular product in order to steer you toward buying it. If you want to add to or discuss any of the points in my IPS selection criteria, you are more than welcome.

Intrusion prevention system initial features: 

  • IPS must protect business-critical assets such as networks, servers, endpoints and applications from malicious threats.
  • IPS must provide "big picture" context about the network and its devices so that security events can be qualified (is the target actually running the vulnerable service?).
  • IPS must provide immediate, comprehensive protection against all types of network attacks (exploits of known vulnerabilities, zero-day attacks, advanced denial-of-service attacks, ...).
  • IPS detection engine must use multiple technologies, including signature matching, protocol anomaly detection and behavioral anomaly detection.
  • IPS throughput of at least 10 Gbps, measured with the full inspection policy enabled, not with an empty policy.
  • IPS must be able to monitor multiple inline segments.
  • IPS must be able to enforce granular policies per segment, per VLAN, per IP address or range, and per port.
  • IPS must support VLAN mapping.
  • IPS must support stateful failover and both failure modes: fail open (traffic passes uninspected when the device fails, preserving availability) and fail closed (traffic is blocked, preserving protection). Which mode is acceptable should be decided per segment before the POC.
  • IPS must accurately track all network communications, interpret the intent of each individual communication and make an instant security decision based on concrete evidence of an attempted attack.
  • IPS must work with multi-vendor enterprise edge switching products.
  • IPS must be configurable for specific protection needs, so that users can choose the configuration that best meets their business security demands.
  • The information provided to the analyst when an alert is raised must clearly identify the reason the event was raised. The alert should also identify the source and the target system, provide further context (whois or DNS lookup on an IP address) and link to vulnerability databases.
  • IPS vendor must provide a signature database that is continuously updated with high-quality signatures.
  • IPS must allow writing custom signatures.
  • IPS must be able to work with open Snort signatures (rules).
  • IPS must be able to use third-party vulnerability references (CVE, Bugtraq ID, ...).
  • IPS must be able to query common sources of information, such as LDAP and Active Directory.
  • IPS must support inspection and reporting for IPv6 networks.
  • IPS devices must be easy to install and remain transparent to normal network traffic.
  • IPS must process traffic quickly and make security decisions instantly, adding minimal latency.
  • IPS must be able to search for specific events both in real time and in historical data.
  • IPS must provide an easy way to generate custom reports.
  • IPS must have built-in reports based on the collected events.
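To make the signature-related criteria concrete (custom signatures, Snort rule compatibility, third-party vulnerability references and alert context), here is an added example; it is not from the original post and not the code of any vendor product. It is a deliberately minimal Python matcher for Snort-style rules: it parses a couple of constructed rules, matches them against constructed packet records, blocks packets that hit a `drop` rule, and enriches every alert with reference links built the way Snort's reference.config maps `cve` and `bugtraq` identifiers to URLs. The rule text, packet payloads, addresses (RFC 5737 documentation ranges) and reference identifiers are all placeholders constructed for this example.

```python
"""
Minimal Snort-style rule matcher (added illustration, not part of the
original post or any IPS product). It demonstrates what "supports Snort
rules", "custom signatures" and "alert carries CVE/Bugtraq links" mean in
practice, at toy scale: only the rule header, `content`, `nocase`, `msg`,
`reference` and `sid` options are understood, and content values may not
contain ';' or Snort's |hex| byte notation.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Hypothetical decoded TCP segment as an inline IPS would see it."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str                 # alert | drop | reject
    proto: str
    dport: str                  # "any" or a port number
    msg: str = ""
    contents: list = field(default_factory=list)      # [[bytes, nocase], ...]
    references: dict = field(default_factory=dict)    # {"cve": ["..."], ...}
    sid: int = 0


RULE_HEADER = re.compile(
    r'^(?P<action>alert|drop|reject)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+'
    r'\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# URL prefixes as found in Snort's reference.config; the alert gets base + id.
REFERENCE_URLS = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
}

# Constructed rules with placeholder reference identifiers (not real CVE/BIDs).
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"Constructed example: CGI probe"; content:"GET /cgi-bin/"; nocase; reference:cve,0000-0000; reference:bugtraq,0; sid:1000001; rev:1;)
drop tcp any any -> any 21 (msg:"Constructed example: FTP SITE EXEC"; content:"SITE EXEC"; nocase; sid:1000002; rev:1;)
"""

# Constructed packets: one CGI probe, one benign request, one FTP SITE EXEC.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.11", 21, b"site exec %p%p%p%p\r\n"),
]


def parse_rule(text: str) -> Rule:
    """Parse one rule line: header, then `name:value;` / `name;` options."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    rule = Rule(action=m["action"], proto=m["proto"], dport=m["dport"])
    pending = None                      # last content option, for `nocase`
    for name, value in re.findall(r'(\w+)(?::([^;]*))?;', m["opts"]):
        value = value.strip()
        if name == "msg":
            rule.msg = value.strip('"')
        elif name == "content":
            pending = [value.strip('"').encode(), False]
            rule.contents.append(pending)
        elif name == "nocase" and pending is not None:
            pending[1] = True
        elif name == "reference":
            system, _, ident = value.partition(",")
            rule.references.setdefault(system.strip(), []).append(ident.strip())
        elif name == "sid":
            rule.sid = int(value)
    return rule


def load_rules(text: str) -> list:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Port must match and every content pattern must appear in the payload."""
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    for pattern, nocase in rule.contents:
        haystack = pkt.payload.lower() if nocase else pkt.payload
        needle = pattern.lower() if nocase else pattern
        if needle not in haystack:
            return False
    return True


def inspect(rules: list, packets: list):
    """Return (alerts, forwarded packets). drop/reject rules block the packet."""
    alerts, forwarded = [], []
    for pkt in packets:
        blocked = False
        for rule in rules:
            if not matches(rule, pkt):
                continue
            blocks = rule.action in ("drop", "reject")
            blocked = blocked or blocks
            links = [REFERENCE_URLS[sys] + ident
                     for sys, ids in rule.references.items() if sys in REFERENCE_URLS
                     for ident in ids]
            alerts.append({"sid": rule.sid, "msg": rule.msg, "src": pkt.src,
                           "dst": pkt.dst, "dport": pkt.dport,
                           "blocked": blocks, "references": links})
        if not blocked:
            forwarded.append(pkt)
    return alerts, forwarded


if __name__ == "__main__":
    found, passed = inspect(load_rules(RULES_TEXT), SAMPLE_PACKETS)
    for a in found:
        print(a)
    print(len(passed), "of", len(SAMPLE_PACKETS), "packets forwarded")
```

In a POC this is the behaviour to verify on the real appliance: load one of your own custom rules and a vendor-supplied one, replay traffic that should and should not match, confirm that a `drop` rule actually blocks the flow inline (not merely alerts), and check that the resulting alert shows the source, target, rule message and clickable CVE/Bugtraq links without the analyst having to look them up by hand.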

Best wishes in choosing the IPS that best suits your needs.
