Content is king
Attack signatures trigger a range of responses among content-based IPSs.
By Joel Snyder, David Newman and Rodney Thayer, Network World Global Test Alliance, Network World, 02/16/2004
The in-line products we tested were Check Point's InterSpect, EcoNet.com's Sentinel IPS, Internet Security Systems Proventia G Series, Lucid Security's ipAngel, NetScreen Technologies' NetScreen-IDP 100, StillSecure's Border Guard and TippingPoint
Technologies' UnityOne. Because EcoNet.com is a managed service rather than a stand-alone product, we discuss it separately
(see Managed IPS alternative).
We installed each of these in our labs in Los Angeles, San Jose and Tucson, Ariz., (see How we did it) and assessed them from the perspective of network professionals looking to put an IPS into a production network.
• What does the product catch? What kind of malicious traffic is this designed to identify? Where did the engineers design
this product to go in a network?
• How does the IPS block traffic? What other reactive techniques are available?
• How can the IPS be controlled? What features are available for management, configuration and tuning?
ISS, NetScreen and TippingPoint clearly fit our model of how an enterprise product should be built.
All six had some level of signature-based intrusion detection to help identify malicious or anomalous traffic. After that, we found four with limited rate-based control capabilities,
two with connection flood (also called SYN flood) controls and one with built-in honeypot technology.
Finding intrusion-detection system (IDS)-style signatures and protocol-anomaly detection in these IPS devices was no surprise.
IDS vendors are ideally situated to design IPS products because they've already thought about what it takes to identify malicious
traffic. In three cases, the IDS inside looked very familiar. IpAngel and Border Guard are built on top of the open source
Snort IDS engine. Proventia uses the ISS IDS engine inside.
Proventia ships with the entire ISS signature library, but only about 250 rules are enabled by default for the IPS function.
These are rules that ISS is willing to guarantee will not generate false positives. We found a similarly reduced list in InterSpect
and UnityOne. Balancing a short signature list to reduce false positives with enough signatures to make IPS useful is a constant
battle for vendors as these products are installed and updated.
NetScreen has a huge signature library, but you have to define your internal hosts and vulnerable ports for the signatures
to apply. For a large network, that would be a fairly tedious process. NetScreen will add automation tools in the next version
of its IDP, shipping this quarter.
In a unique tack on turning signatures on and off, Lucid Security configures its ipAngel detection engine based on feedback
from a vulnerability scan from a Nessus open source network scanner. If the scanner finds something vulnerable, ipAngel enables
the IPS/IDS signature. Otherwise, it's turned off.
Border Guard and UnityOne use a built-in nmap vulnerability scanner, but neither is as sophisticated in its use of scan
data as Lucid is. Strangely enough, ISS, which sells one of the top vulnerability scanner products, has not yet linked its
vulnerability scanner and IPS products.
We also found honeypot technology in NetScreen's IDP. The idea behind a honeypot is that most attackers will do very broad-scale
reconnaissance on a network as part of an attack. If you put a system out there that should never be legitimately connected
to, then any connection to that honeypot system is suspect and represents potential malicious traffic, no matter the content.
IDP can use specifically configured honeypot addresses and services to initiate a block against further traffic from the system
connecting to it.
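To make the honeypot logic above concrete, here is an added example (not NetScreen's IDP code, and not from the article) that runs a constructed connection log through a honeypot-triggered blocker. The honeypot addresses, the constructed log lines, the `block_seconds` timer and the function names are all assumptions for the sake of illustration. The point it shows is the one the text makes: once a source touches the trap, its later connections to ordinary servers are blocked regardless of their content, until the block ages out.

```python
from collections import namedtuple
from typing import Dict, List, Optional, Set

# Constructed sample of connection records, in the shape an in-line IPS might log
# them: unix timestamp, source IP, destination IP, destination port, protocol.
# 10.1.1.200 is the honeypot address; nothing legitimate should ever talk to it.
SAMPLE_CONNECTIONS = """\
1076889600 10.1.1.20 10.1.1.50 80 tcp
1076889601 10.1.1.20 10.1.1.51 25 tcp
1076889602 198.51.100.7 10.1.1.50 80 tcp
1076889603 198.51.100.7 10.1.1.200 22 tcp
1076889604 198.51.100.7 10.1.1.51 25 tcp
1076889605 10.1.1.20 10.1.1.200 80 tcp
1076889700 198.51.100.7 10.1.1.50 80 tcp
"""

Connection = namedtuple("Connection", "ts src dst dport proto")


def parse_connection(line: str) -> Connection:
    """Parse one whitespace-separated record of the constructed format above."""
    ts, src, dst, dport, proto = line.split()
    return Connection(int(ts), src, dst, int(dport), proto)


class HoneypotBlocker:
    """Block every further connection from a source that touches a honeypot.

    honeypots maps a honeypot address to the set of ports that count as the
    trap, or None when any port on that address is a trap.  block_seconds is
    how long a tripped source stays blocked (an assumed policy knob).
    """

    def __init__(self, honeypots: Dict[str, Optional[Set[int]]], block_seconds: int = 3600):
        self.honeypots = honeypots
        self.block_seconds = block_seconds
        self.blocked_until: Dict[str, int] = {}  # source IP -> expiry timestamp

    def is_honeypot(self, dst: str, dport: int) -> bool:
        if dst not in self.honeypots:
            return False
        ports = self.honeypots[dst]
        return ports is None or dport in ports

    def decide(self, conn: Connection) -> str:
        """Return "allow" or "block" for one connection attempt, updating state."""
        expiry = self.blocked_until.get(conn.src)
        if expiry is not None and conn.ts >= expiry:
            del self.blocked_until[conn.src]  # the block has aged out
        elif expiry is not None:
            return "block"  # still inside the block window; content is irrelevant
        if self.is_honeypot(conn.dst, conn.dport):
            # First contact with the trap: block this connection and all further
            # traffic from the source until the timer runs out.
            self.blocked_until[conn.src] = conn.ts + self.block_seconds
            return "block"
        return "allow"


def process(log_text: str, honeypots: Dict[str, Optional[Set[int]]],
            block_seconds: int = 3600) -> List[str]:
    """Run a log through the blocker and return one decision per record."""
    blocker = HoneypotBlocker(honeypots, block_seconds)
    return [blocker.decide(parse_connection(line))
            for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    verdicts = process(SAMPLE_CONNECTIONS, {"10.1.1.200": None}, block_seconds=60)
    for line, verdict in zip(SAMPLE_CONNECTIONS.splitlines(), verdicts):
        print(f"{verdict:5s} {line}")
```

Scoping the trap to specific ports (the `{"10.1.1.200": {22}}` form) is worth keeping: an internal host that is merely mis-addressed to port 80 on the honeypot would otherwise lock itself out, which is the false-positive side of "any connection is suspect".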
Rate-based controls were a welcome feature in these content-oriented IPS products, even if they did not meet the sophistication
of other rate-based IPSs we looked at. Check Point, ISS, NetScreen and TippingPoint all brought rate-based controls to the
table.
Check Point and NetScreen included sophisticated protection for connection floods with a TCP proxy. For example, NetScreen's
SYN Protector feature lets you define a combination of IP addresses and an application, then enable the protector. All TCP
connections are proxied by the SYN Protector, eliminating some classes of connection flood attacks. The content-based IPSs
we tested don't have any sophisticated tools for User Datagram Protocol (UDP)-based protocols.
UnityOne, with its traffic management features, best straddles the line between the rate-based and content-based IPS camps.
While it doesn't offer intrusion-protection power comparable to that of the best rate-based products we tested, it does offer detailed
bandwidth controls (source and destination addresses and application), and signatures that detect high connection rates.
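The connection-rate signatures mentioned above, and the connection floods the SYN proxies in the previous paragraphs are meant to absorb, both reduce to counting new connections in a sliding time window. The following added example (not UnityOne's or NetScreen's code, and not from the article) runs a constructed SYN log through such a counter keyed two ways: per destination service, which is the flood shape where many sources hit one server, and per source, which is one host opening connections everywhere. The window, threshold, sample records and function names are assumptions; it detects rather than proxies, so it is a complement to a SYN proxy, not a replacement for one.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List, Set, Tuple

# Constructed sample of TCP SYN (new-connection) records: seconds, source IP,
# destination IP, destination port.  Records 3-9 are a burst from many
# (spoofed) sources against one server; records 10-15 are one source opening
# connections to many hosts.
SAMPLE_SYNS = """\
1.00 10.1.1.20 10.1.1.50 80
1.50 10.1.1.21 10.1.1.50 80
2.00 203.0.113.1 10.1.1.50 80
2.05 203.0.113.2 10.1.1.50 80
2.10 203.0.113.3 10.1.1.50 80
2.15 203.0.113.4 10.1.1.50 80
2.20 203.0.113.5 10.1.1.50 80
2.25 203.0.113.6 10.1.1.50 80
2.30 203.0.113.7 10.1.1.50 80
5.00 198.51.100.9 10.1.1.51 22
5.05 198.51.100.9 10.1.1.52 22
5.10 198.51.100.9 10.1.1.53 22
5.15 198.51.100.9 10.1.1.54 22
5.20 198.51.100.9 10.1.1.55 22
5.25 198.51.100.9 10.1.1.56 22
"""


class RateMonitor:
    """Sliding-window counter per key.

    observe() returns True exactly once when a key first exceeds `threshold`
    events within the last `window` seconds, and re-arms after the count
    drops back to the threshold or below.  Records must arrive in time order.
    """

    def __init__(self, window: float, threshold: int):
        self.window = window
        self.threshold = threshold
        self.events: Dict[Hashable, Deque[float]] = defaultdict(deque)
        self.alerting: Set[Hashable] = set()

    def observe(self, key: Hashable, ts: float) -> bool:
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()  # event has fallen out of the window
        over = len(q) > self.threshold
        if over and key not in self.alerting:
            self.alerting.add(key)
            return True  # first crossing: raise one alert
        if not over:
            self.alerting.discard(key)
        return False


def detect_connection_floods(log_text: str, window: float = 1.0,
                             threshold: int = 5) -> List[Tuple[str, str, float]]:
    """Return (kind, key, ts) alerts.

    'dst-rate' fires when one service receives more than `threshold` new
    connections in `window` seconds (the SYN-flood shape); 'src-rate' fires
    when one source opens that many.
    """
    by_dst = RateMonitor(window, threshold)
    by_src = RateMonitor(window, threshold)
    alerts: List[Tuple[str, str, float]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, src, dst, dport = line.split()
        ts = float(ts_text)
        if by_dst.observe((dst, dport), ts):
            alerts.append(("dst-rate", f"{dst}:{dport}", ts))
        if by_src.observe(src, ts):
            alerts.append(("src-rate", src, ts))
    return alerts


if __name__ == "__main__":
    for kind, key, ts in detect_connection_floods(SAMPLE_SYNS):
        print(f"t={ts:.2f} {kind} {key}")
```

The per-destination counter is the one a spoofed flood cannot evade, because each forged source appears only once; the per-source counter is what the one-host-to-many-hosts burst trips. Raising one alert per crossing rather than per packet keeps the alert volume proportional to incidents, not to packets.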