Internet Security Systems (ISS) has claimed that a new protocol will allow its intrusion prevention systems to handle workloads around ten times higher, by enabling them to communicate directly with network switches.
The switch-enabled intrusion prevention system (SWIPS) technology couples together a switch (an Extreme Black Diamond, in the initial implementation) and an ISS Proventia IPS. It allows the two to work together, handing traffic to and fro, and avoids the need to put the IPS onto the network backbone - instead, the IPS has its own direct connection into the switch.
"It's being smart about how traffic is selected to pass to the IPS," said James Rendell, a senior technology specialist with ISS. "It deploys the IPS into the switch almost as a part of it, augmenting the switch logic.
"The classic IPS would see every frame on the network. In this version, the intrusion logic sees the first frames of a session and can instruct the switch to either switch future packets on that session or simply block it."
Rendell said that by being selective about what gets passed to the IPS for inspection, and by blocking bad TCP sessions in their entirety, SWIPS can greatly increase the amount of network bandwidth that an IPS can protect. In addition, a single switch could connect to multiple IPS engines for even higher performance.
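To make the handoff described above concrete, here is an added Python simulation (not ISS or Extreme code) of the selection logic: the switch steers only the first frames of each session to the IPS, which then installs a per-session forward-or-block rule so later frames never reach it. The FIRST_FRAMES threshold, the byte signature and the two flows are constructed assumptions, not details from the article.

```python
from collections import Counter
from enum import Enum

FIRST_FRAMES = 3  # assumption: frames the IPS inspects before offloading a clean flow

class Verdict(Enum):
    PASS = "pass"        # frame clean; keep steering this flow's frames to the IPS
    OFFLOAD = "offload"  # flow clean; switch forwards the rest without the IPS
    BLOCK = "block"      # flow hostile; switch drops this and every later frame

class ToyIps:
    """Stand-in for the IPS: a constructed byte-signature match, not Proventia logic."""
    def __init__(self, signature: bytes):
        self.signature = signature
        self.seen = Counter()  # frames inspected per flow

    def inspect(self, flow, payload: bytes) -> Verdict:
        self.seen[flow] += 1
        if self.signature in payload:
            return Verdict.BLOCK
        return Verdict.OFFLOAD if self.seen[flow] >= FIRST_FRAMES else Verdict.PASS

class SwipsSwitch:
    """Switch that consults the IPS only until the IPS has installed a per-flow rule."""
    def __init__(self, ips: ToyIps):
        self.ips = ips
        self.rules = {}         # flow -> Verdict.OFFLOAD or Verdict.BLOCK, fed in by the IPS
        self.stats = Counter()  # ips_inspected, forwarded, dropped

    def handle(self, flow, payload: bytes) -> bool:
        rule = self.rules.get(flow)
        if rule is None:                      # no rule yet: hand the frame to the IPS
            self.stats["ips_inspected"] += 1
            rule = self.ips.inspect(flow, payload)
            if rule is not Verdict.PASS:
                self.rules[flow] = rule       # the IPS programs the switch for this session
        if rule is Verdict.BLOCK:
            self.stats["dropped"] += 1
            return False
        self.stats["forwarded"] += 1
        return True

def run_demo(frames_per_flow: int = 10) -> Counter:
    switch = SwipsSwitch(ToyIps(signature=b"EVIL-SIG"))
    clean = ("10.0.0.5", "10.0.0.9", 51000, 80)  # constructed 4-tuple flow keys
    bad = ("10.0.0.7", "10.0.0.9", 51001, 80)    # turns hostile on its second frame
    for i in range(frames_per_flow):
        switch.handle(clean, b"GET /index.html")
        switch.handle(bad, b"EVIL-SIG" if i == 1 else b"hello")
    return switch.stats
```

With ten frames per flow the IPS inspects only 5 of the 20 frames, yet every frame of the hostile session after the match is dropped by the switch itself, which is the load reduction the article attributes to SWIPS.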
ISS said a Proventia could normally handle between 2Gbit/s and 6Gbit/s when placed in-line, but that tests showed it was able to protect 30Gbit/s to 40Gbit/s of network traffic when piggybacked onto a switch via SWIPS. It added that it could potentially scale to 100Gbit/s.
There are other techniques for increasing IPS performance, such as sampling the TCP traffic using sFlow, but these generally rely on an IPS or IDS elsewhere in the network which then tells the network management system to apply an ACL rule or turn off a port.
ISS said that its command and control protocols - which require a firmware upgrade on the Extreme switch - allow the IPS to feed rules directly into the switch. It added that by allowing each IPS to protect more network bandwidth, and by not requiring network topology changes, it is another step towards building intrusion prevention into the network core, not merely applying it at the perimeter.
"We are seeing real interest in the ability to weave deep packet inspection into the network core," said Rendell. "We can take a lot of attacks off the wire very quickly." ISS plans to release its first commercial SWIPS-capable IPS later this year, he said.
Although the initial work on SWIPS was done with Extreme, ISS now hopes to establish it as a standard that any switch vendor can implement. However, ISS said it has no plans to licence the technology to other IPS developers.