Our review of intrusion-detection system devices attracted the attention of EcoNet.com, a company selling a managed, customer-premises-equipment-based IPS service. The EcoNet.com offering, called Sentinel, uses an edge IPS device sitting outside the corporate firewall. Sentinel is a signature-based IPS with some additional features, such as virus scanning, but without any rate-based controls or SYN flood protection.

With Sentinel, EcoNet.com isn’t just taking on the burden of managing a CPE-based IPS product; it’s an entirely proprietary system sold on a subscription basis and running on commodity Intel-based PCs.

As a managed service, Sentinel doesn’t give the network professional a lot of information. Unlike the other IPS devices we tested, you can’t see anything about any of the IPS features activated on the Sentinel. A Web-based GUI defines a small set of parameters, such as a network whitelist of systems that should never be blocked and the networks that Sentinel protects. Network managers who want to know what is going on will not find the configuration very enlightening. Sentinel appliances also have local reporting and limited forensics capabilities, with copies of all logs also shipped to EcoNet.com’s operations center.

The system engineer assigned to our test pushed all the burden of managing Sentinel back to EcoNet.com. For example, we asked about a false positive on our device and were told that the general answer is to change the network, not the device, to stop generating the alarms. If we insisted, the Sentinel team would change the signature database — possibly for an extra charge.

There are some local management options for the network professional. For example, if you want to whitelist a system, that’s fine. But if you want to disable IPS for only a particular port on a system, you have to request that from EcoNet.com. Other IPS features need to be negotiated as well, such as the ports Web servers listen on. By default, Sentinel only looks on Port 80 for Web-based attacks.

Sentinel depends heavily on its blacklisting function and applies it with the heaviest hand of any IPS product tested. Any IP address getting on the bad side of Sentinel is blacklisted, along with its adjacent IP addresses, for a period of 30 to 60 days. Fortunately, the network professional has easy access to a Web-based display of blocked IP addresses and attack events, and can remove an improper block easily. Sentinel sends e-mail to a designated e-mail box when an IP address is added to the block list.

Although tuning Sentinel isn’t controlled locally, EcoNet.com does have a methodology for deploying the product. After dropping it into your network (it appears as a Layer 2 bridge), Sentinel runs in “alert-only” mode for a week. At the end of the week, the Sentinel team works with the network manager to identify false positives before enabling the device to block traffic.