Some technical experts and IT managers who have gained hands-on experience with network-based IPSs say the only way to find out if an IPS will disrupt network traffic is to put it in line and hold your breath.
"In our labs, we can create false-positives tests, but the only way to be sure is to put one of these things in your network and watch it for a while," says Bob Walder, president of NSS Group, a British equipment-testing organization with labs in the south of France.
NSS, which has tested both host- and network-based IPSs and IDSs for accuracy in detecting hundreds of types of attacks, also looks for latency problems caused by IPSs struggling to keep up with examining traffic flows.
"When you go in-line with monitoring or blocking, you have a huge signature set. It can be difficult for the IPS to keep up," Walder says. In general, network managers should anticipate that an IPS will not add more than 300 milliseconds of latency. But if IPS devices are deployed at LAN segments, which is increasingly the case, the traffic slowdown might be more noticeable.
"I've seen a file copy that would have ordinarily taken 40 seconds take several minutes as it went through two or three IPSs," he says.
IPS customers say such difficulties usually can be resolved if the IPS vendor is responsive.
The University of North Carolina at Chapel Hill, which deployed half a dozen IPS appliances from TippingPoint inside the campus LAN to guard against worm outbreaks, hasn't had trouble with latency, but does cope with occasional false positives.
One instance occurred when someone tried to download a copy of Windows 2003 Server and the IPS flagged it as an attack and blocked it, says Doug Brown, manager of security resources at the university.
However, such problems get resolved through discussion with the vendor, Brown points out. He adds that using the IPS over the past year has made a huge difference in automatically containing worm and virus outbreaks brought about by infected student computers. "We've had a 70% reduction in trouble tickets since using the IPS," he says.
In addition to its IPS rollout, Cisco is also unveiling the PIX Security Appliance 7.0. This software-based update for the PIX VPN/firewall lets it perform application inspection, block some types of spyware and peer-to-peer network traffic, and provide "logical firewalls" within a single firewall. "You can create extranet and intranet zones," Ullal says, by partitioning internal firewalls with PIX Security Appliance.
She acknowledges this was Cisco's first step toward adding application-layer protections to the PIX firewall, and that the PIX Security Appliance 7.0 wouldn't detect or block cross-site scripting, a function available in most application firewalls, such as those from Teros and Imperva.