The latest tests of crucial equipment used to protect Internet-facing corporate networks show they are improving but are far from perfect in stopping hacker attacks.
IPS (intrusion prevention systems) are often the front-line guard at the door of the Internet and are used to detect sophisticated attacks designed to steal information or execute fraud. The systems detect attacks against applications or OSes that are intended to install malicious software such as keyloggers and rootkits.
NSS Labs tested 13 IPS products from 11 vendors. Those vendors voluntarily submitted their products, but nine vendors refused, said Rick Moy, president of NSS Labs. The refusal is not uncommon. Moy said more IPS vendors participated in the 2010 testing than the previous year.
"The vendors who had confidence in their products wanted to volunteer to participate," Moy said. "At some point, it's a marketing decision whether you participate or not."
NSS Labs measured the average default protection from exploits, the method by which malware is delivered. In 2009, products in their default configurations caught on average only 45 percent of attacks, but in 2010 that average was 62 percent.
McAfee's M-8000 and Cisco Systems' IPS 4260 Sensor proved the best in their default configurations at catching attacks designed to target desktop applications, with a 94.5 percent and 91.8 percent effectiveness, respectively.
When engineers from the companies were allowed to "tune" their products, or add more rules designed to catch specific types of attacks, the products upped their detection rates on average by 21 percent.
"There's a big difference between the default and the tuned for many vendors," Moy said.
Vendors also improved their performance on so-called evasion techniques, where attack techniques are combined to get past security products. In 2009, half of the vendors failed to counter basic evasions, and more continue to be discovered.
But this time all but three products from two vendors passed NSS Labs' evasion testing, showing that vendors are paying more attention to the issue.
One vendor, Stonesoft, missed several of the basic evasions in 2009 but has remedied its IPS 1205 and IPS 3205 products. Stonesoft created a stir last October when it said it had discovered new advanced evasion techniques.
Still, there is a wide variance among IPS products, ranging from 31 percent to 98 percent effectiveness on average over seven years, depending on whether the product had been tuned.
NSS Labs has estimated what each product costs to protect 1Mbps (megabits per second) of data over three years, including the cost of the product itself, yearly maintenance and ongoing costs for upkeep and tuning.
Comparing products is difficult since no two products deliver the same security effectiveness or throughput. NSS Labs uses a formula that divides the total cost of ownership, including labor, by the percentage of threats the product stops -- what NSS calls the "security effectiveness" -- and then multiplies that by the device's throughput.