By weaving reputation intelligence into perimeter devices, the hope among security vendors is that they boost the effectiveness and performance of firewalls and intrusion-prevention systems (IPS) -- maybe even routers and switches -- as much as they have for e-mail and Web security appliances.
Robert Boenne, a network engineer for Teachers Credit Union in South Bend, Ind., likes this idea, too. "I definitely see the potential in increasing the use of reputation-based controls. As long as we're working with a vendor that makes sure valid traffic doesn't get blocked and gives us the ability to make adjustments, it would make sense," he says.
The reputation buzz
To Jamey Heary, a security consulting systems engineer and frequent security blogger, the integration of IP reputation services into all sorts of security hardware is the most exciting trend in security this year. What really jazzes him is the improved performance such integration promises, he says.
Heary uses e-mail security as one example. "The reputation lookup takes a fraction of the CPU cycles that a real scan of an e-mail would take through an antivirus, -spam or -malware engine," he says. By some estimates, the lookup can run as much as 90% faster than processing through spam filters. As another example, he says offloading content processing from the IPS could cut bandwidth requirements by a third. "An enterprise that needs three IPSs and some load-balancing to get through all the data might just need one IPS if that IPS does the reputation lookup," he says.
The integration of IP reputation services speaks to a layered, in-depth security strategy, according to experts.
Pat Peterson, a Cisco fellow and researcher who had been part of the SenderBase development team at IronPort, puts it this way: "We know there are dirty, filthy awful places on the Internet, like the Russian Business Network, which hosts an enormous amount of malicious content of all types. Why wouldn't you want to inform your firewall, especially if you don't routinely do business with Russian Web sites or you're not a multinational company, that this network is out there and that 99% of the time it's used for malicious activity?"
The same sort of logic applies to the IPS, which relies on signature files to determine access. "Knowing that a signature comes from a really good server or a really bad one will provide a far more high-fidelity indicator that the signature is good than just looking at the signature file alone," Peterson explains.