Neal Weinberg
Contributing writer, Foundry

Captus IPS 4000

Mar 25, 2004 | 2 mins
Intrusion Detection Software, Network Security, Security

* The Reviewmeister continues test driving IPS products

Continuing our tour of intrusion prevention products, the Captus IPS 4000 offers a very sophisticated set of reaction options. You could identify an overload on an FTP server, for example, and initially start throttling traffic for a minute. If the overload continued, you could cut off access from the client overloading the server. If things went on for several minutes, you could send an alert. In all, Captus gives you four responses to bad traffic: send an alert, limit traffic levels, drop traffic entirely and reroute traffic.

The methodology question was somewhat troubling with Captus, which has a 12-step methodology program. Of course, it’s only a one-time process assisted by a trained system engineer. But the IPS 4000 itself doesn’t provide good performance statistics, which is a shame because the product is very labor intensive to configure. The problem with any rigorous methodology, including Captus’, is that the cost to tune the product is high and thus discourages changes, even though traffic patterns change continually.

Captus’ overall management scheme is massive, with graphical elements sitting all over the place, zooming in and out, and providing multiple views of network topology. But it only talks to the IPS devices. It seems that Captus started with an enormous concept of a carrier-class network management station and then seriously underutilized it in its enterprise IPS product.

At the same time, the part of the GUI used to manage the parameters of the IPS was almost ignored. Defining a policy for the Captus product would be much easier from the command line – a nod to the Cisco-familiar workforce that likely would install and configure this product.

Captus’ IPS 4000 has an astonishing level of detail and control when it comes to managing packet flows. The Captus product fits better into a service provider or corporate Web hosting environment where you can get a precise measure of what it is you want to do in a static environment.

For the full report, go to