IPS usability is a mixed bag

How usable are network intrusion-prevention systems?

The most important feature of an IPS is whether or not it does the job you bought it for. That said, it also needs to be usable in the sense that it can support the network manager in the day-to-day tasks that go hand in hand with using an IPS in an enterprise setting. After shaking out the IPS products for performance, we took them back into the test lab to look at them from another angle entirely: usability.

The clear winner in terms of usability was the TippingPoint’s Security Management System used to drive the TippingPoint 5000E, a product that turned in above-average performance on every task we set for it. Honorable mention goes to both NFR's Sentivist Management Platform used to control its Sentivist boxes and Top Layer’s IPS 5500. Anyone trying to manage an IPS would find both products could meet their needs easily, with a minimum of wasted effort.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The most important feature of an IPS is whether or not it does the job you bought it for. That said, it also needs to be usable in the sense that it can support the network manager in the day-to-day tasks that go hand in hand with using an IPS in an enterprise setting. After shaking out the IPS products for performance, we took them back into the test lab to look at them from another angle entirely: usability.

The clear winner in terms of usability was the TippingPoint’s Security Management System used to drive the TippingPoint 5000E, a product that turned in above-average performance on every task we set for it. Honorable mention goes to both NFR's Sentivist Management Platform used to control its Sentivist boxes and Top Layer’s IPS 5500. Anyone trying to manage an IPS would find both products could meet their needs easily, with a minimum of wasted effort.

On the dark side of our scoring, though, were the management wares provided with Demarc’s Sentarus, Fortinet’s FortiGate 3600 and Ambiron TrustWave’s (formerly Lucid Security) ipAngel. While each of these three has its administrative bright spots, all three need substantial work before they can handle the tasks we think concern an IPS manager.

However, it’s important to keep in mind that both Demarc and Fortinet offer multifunction products (the Fortinet box is a UTM device, while the Demarc product is a combination of host and network-based IPS), where network-based IPS is only a piece of a bigger offering. Network managers may be willing to trade off IPS usability and features in exchange for the other security functions shipped with these products.

We set up a VPN between our test labs in California and Arizona to see how these products would work in an enterprise WAN environment. Because all of the performance testing was done at Network Test’s lab in California, we did all our usability testing from Opus One’s lab in Arizona. Where vendors provided stand-alone management tools for their products, we used those tools. Otherwise, we used whatever native tool was built into the IPS itself.

To evaluate products for usability, we set out five major task areas all geared toward operating an IPS in an enterprise-class network. We started looking at configuration and alerting capabilities, because these are the first tasks any security manager will do and subsequently be revisited repeatedly as networks, systems and security policies change.

Next, we looked at the dashboard features for each product, to see how easy it is to get an update on the security status of your network. We looked carefully at forensics features. Although an IPS is not a replacement for an IDS, most IPS products have a fairly strong set of IDS forensics and analysis features in them, and we wanted to see how well this was put together. Finally, we looked at the reporting features of each product.