When the firewall market ran out of innovations a year or two ago, the security vendors jumped onto a new bandwagon – Intrusion Detection Systems (IDSs) and Intrusion Protection Systems (IPSs). As we've said in the past (see here ) there isn't really a difference between an IDS/IPS and a traditional firewall – it's just that IDS/IPS systems dig more deeply into the packets that are flying past in order to make more fine-grained decisions.
The problem the vendors are facing now, though, is that they're running out of ideas for IDS/IPS systems as well: after all, there's only a finite amount of things an attacker can do with the content of an HTTP header, or the buffer overflow susceptibilities of an SMTP server.
The answer is, of course, speed. If you can't sensibly add significant new features to differentiate you from the competition, the answer is to tell the world that you do all the stuff that the others do, but you do it faster. And sure enough, this is starting to happen: TippingPoint (http://www.tippingpoint.com/), for instance, cites those immortal words "wire speed" for its Gigabit-connectable UnityOne platform, and Check Point's marketing people also make a big deal about the performance of their appliance-based InterSpect system.
In the security appliance world there are two distinct camps: those who build their own kit (a la TippingPoint), and those who don't (Check Point, for instance). There are some vendors out their doing a bit of both, too: NetScreen produces hardware-based firewalls, for instance, but bases its IDS/IPS kit on standard servers.
The thing is, one can't help wondering how you can ever dream of getting close to wire speed unless you're spending a lot of money doing everything in hardware. When you think about it, the instant you decide you're going to write a lump of software and stuff it on a Dell server, you're resigning yourself not just to having to rely on the IP stack of some OS or other (even if you get an Open Source operating system and chop it around, it's still a software-based IP stack) but also to the limitations of sequential processing. Let's face it, even if you have a twin-CPU server running the IDS function, you can only ever do a maximum of two things at once.
Home-grown hardware, on the other hand, is a different ball game, If you design your own boards and your own ASICs, you can plan an architecture which allows you to run far more stuff at once – and which has specialised equipment for each different test you're performing. The cost is greater, and the complexity is massive, but from a technology point of view there is no reason why you can't be significantly faster than the software-only guys.
The problem facing companies who make hardware-based IDSs is that the law of diminishing returns comes into play a lot earlier than in the software-based world. That is, once you've done all the "obvious" stuff in hardware and made it work screamingly fast, you're stuffed when it comes to adding little features to support new types of attack as they appear. The software-only vendors just need to write a little patch to deal with these attacks, whereas the hardware-based vendors have to wait for the next release of their ASICs – and then there's the issue of how to persuade the customer to buy a new lump of equipment to add just a few subtle features.
My prediction is that the eventual winner in this market will be a hybrid of the two worlds. Yes, it makes perfect sense to put as much of the core operating technology as one can into screamingly fast hardware, as in the best case the result may be performance an order of magnitude faster than a software option. But alongside this will be a microcode-, software- or firmware-based codebase that provides the flexibility that any hardware-only implementation lacks. The physical form it takes might be a custom-built appliance with the ability to run resident software, or it might equally be a Dell server with a normal operating system and a pile of application software, plus some kind of custom plug-in hardware adaptor that deals with the core work before the packets find their way to the CPU.
It doesn't really matter which approach wins (or even if there's just one winner). But one can't help thinking that right now, the hardware-based vendors are best placed at the moment, as they've done the tricky bit (the hardware) and in most cases the devices are already able to run software too (there aren't many boxes out there that don't run a Web server as their GUI). So wake up, you server-based IDS/IDP people – if you don't start shipping some hardware, you won't see the competition for dust.