9.7 Integrating the Firewall and IDS

Given the complementary roles that the IDS and the firewall provide each other, it should be no surprise that vendors have created "all-in-one" firewall/IDS boxes. This type of device certainly eases the integration between a reactive IDS application and the firewall application because both devices are on the same hardware.

When the integration of the firewall and VPN gateway was discussed earlier in this book, several advantages and disadvantages of combining multiple security devices on a single box became clear. From one perspective, the security of the network can be more easily tested, monitored, configured, and managed when all security functions reside on a single device. Because a major threat to information security is the overly complex configuration of network services, it stands to reason that the simpler the integration of a firewall/IDS is, the more securely, and with greater assurance, it can be configured.

That said, reliance on a single device for network security is a risky proposition. An IDS serves as a check on the configuration of the firewall and your logging systems serve as verification of network activity after the fact. Should all of these systems be placed in a single device, the impact of a successful attack on that device would be devastating for the network. Not only would your firewall be compromised, a serious incident on its own, but you would also lose the ability to detect the compromise.
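The paragraph above makes a concrete operational claim: an IDS placed behind the firewall is an independent check on the firewall's configuration, because anything the IDS sees on the inside that the policy says should have been dropped points to a bad rule set or a firewall that is not enforcing it. The following script is an added illustration of that check and is not code from the book or from any vendor product. It assumes a hypothetical, simplified key=value alert format and a constructed inbound policy; both are labelled in the comments.

```python
"""
Cross-check IDS alerts against the firewall's intended inbound policy.

Added example (not from the book): if an IDS sitting on the protected
segment reports traffic that the perimeter policy says should never have
reached it, the firewall rule set or its enforcement needs attention.
"""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy (hypothetical values): the only inbound flows that are
# supposed to cross the perimeter. Anything else should be dropped there.
ALLOWED_INBOUND = [
    # (destination network, protocol, destination port)
    (ip_network("10.0.1.0/24"), "tcp", 80),
    (ip_network("10.0.1.0/24"), "tcp", 443),
    (ip_network("10.0.2.0/24"), "tcp", 25),
]

# The protected address space behind the firewall (constructed).
INTERNAL = ip_network("10.0.0.0/16")


@dataclass
class Alert:
    src: str
    dst: str
    proto: str
    dport: int
    msg: str


def parse_alert(line: str) -> Alert:
    """Parse one line of a hypothetical alert format:
       src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> msg="<text>"
    shlex handles the quoted message field."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return Alert(fields["src"], fields["dst"], fields["proto"].lower(),
                 int(fields["dport"]), fields.get("msg", ""))


def permitted_by_policy(alert: Alert) -> bool:
    """True if the inbound policy allows this destination/protocol/port."""
    dst = ip_address(alert.dst)
    if dst not in INTERNAL:
        return True  # not inbound to the protected network; policy does not apply
    return any(dst in net and alert.proto == proto and alert.dport == port
               for net, proto, port in ALLOWED_INBOUND)


def find_policy_violations(lines):
    """Return alerts describing inbound traffic the firewall should have dropped.
    Traffic originating inside the protected network is skipped: the inbound
    policy says nothing about it, so it is not evidence of a firewall fault."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alert = parse_alert(line)
        if ip_address(alert.src) in INTERNAL:
            continue
        if not permitted_by_policy(alert):
            violations.append(alert)
    return violations


# Constructed sample alerts, as an IDS on the internal segment might report them.
SAMPLE_ALERTS = """
# constructed sample IDS alerts
src=203.0.113.7 dst=10.0.1.20 proto=tcp dport=80 msg="web scanner user-agent"
src=203.0.113.7 dst=10.0.1.20 proto=tcp dport=22 msg="SSH brute force"
src=198.51.100.9 dst=10.0.2.5 proto=tcp dport=25 msg="SMTP relay probe"
src=198.51.100.9 dst=10.0.2.5 proto=udp dport=161 msg="SNMP public community"
src=10.0.1.33 dst=10.0.1.20 proto=tcp dport=445 msg="SMB lateral scan"
""".strip().splitlines()


if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_ALERTS):
        print(f"firewall should have dropped {v.proto}/{v.dport} "
              f"to {v.dst} from {v.src}: {v.msg}")
```

Run against the constructed sample, the script reports the SSH and SNMP alerts: both reached the inside from external addresses although the policy never allows those ports. The web and SMTP alerts are still real IDS events, but they are not evidence of a firewall problem, and the internal SMB scan is out of scope for an inbound check. The point of keeping this check on a separate box from the firewall is the one the chapter makes: it remains trustworthy even if the firewall itself has been tampered with.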

While dividing information security services among multiple devices increases the management overhead, it also makes it possible to verify the integrity of each system separately, even after one of them has been compromised. I cannot answer whether a single security box of multiple components will be best for your network. As long as you are aware of the consequences of your decision and how it affects your security policy, you can choose the solution that is best for your network.

Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs