The Reviewmeister starts looking at content-based IPS products

In the past few newsletters, we've talked about rate-based intrusion-prevention tools. Now let's turn to content-based IPS: products that block attacks based on signature patterns in the traffic.

For this test, we asked three basic questions:

1. What does the product catch? What kind of malicious traffic is it designed to identify?
2. How does the IPS block traffic? What other reactive techniques are available?
3. How can the IPS be controlled? What features are available for management, configuration and tuning?

Let's start with the Proventia G Series from Internet Security Systems. The Proventia G Series is built around the ISS intrusion-detection system (IDS) engine. Proventia ships with the entire ISS signature library, but only about 250 rules are enabled by default for the IPS function. These are the rules that ISS is willing to guarantee will not generate false positives. Balancing a short signature list (to keep false positives down) against enough signatures to make the IPS useful is a constant battle for vendors as these products are installed and updated.

One component of an IPS product is a blacklist of known attack signatures that should be blocked automatically. In the ISS approach, you have quite a bit of flexibility in how the blacklist is configured. For each signature, ISS lets you define a variety of reactions, including simply dropping packets, closing connections or updating a blacklist.

If you do update a blacklist, it's not just a "drop everything from the attacker" choice. ISS lets you define many different blacklisting strategies. The defaults let you block future traffic from the same attacker to the same victim, or key the block on a combination of IP addresses and applications. Other vendors offer a simpler "drop everything" approach.
It's hard to say which is the "right" way to handle bad traffic, but the conservative approach ISS offers seems likely to get you into a lot less trouble with self-inflicted denial-of-service over the long run: a blacklist scoped to the attacker/victim pair cannot cut off a spoofed or shared source address from the rest of the network.

We were also concerned about how these products behaved when they encountered bad traffic: what information was kept, and how the network manager could use it. Products took two tacks on this. The ISS product behaved like an IDS, providing a comprehensive forensics capability and detailed information about what happened and when.

One of the first management features we looked for was the ability to put the system into alert-only mode. The idea is to keep the IPS running, but never drop any traffic. You would want to do this for tuning purposes, and a network professional might want to run in this mode if the IPS is ever suspected of causing network problems. ISS understands this issue and gave us a nice big button in the GUI to put Proventia into alert-only mode.

For the full report, go to https://www.nwfusion.com/reviews/2004/0216ipscontent.html
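To make the two policy knobs discussed above concrete (the scope of a blacklist entry, and a global alert-only mode), here is a toy content-based IPS policy engine. It is an added illustration written for this newsletter, not ISS code and not a model of how Proventia is implemented internally. The signatures, addresses and packets are constructed; the scope names (`attacker`, `attacker_victim`, `attacker_victim_service`) are assumptions standing in for whatever a real product calls them.

```python
"""Toy content-based IPS policy engine (added illustration, not vendor code).

Models the reactions described in the review: per-signature reactions
(alert, drop packet, close connection, add to blacklist), the *scope* of a
blacklist entry (attacker only, attacker->victim, attacker->victim->service),
and a global alert-only mode that logs every hit but never drops traffic.
All signatures, addresses and payloads below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

ALERT, DROP, RESET, BLACKLIST = "alert", "drop", "reset", "blacklist"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: bytes            # regex evaluated over the payload
    reactions: tuple          # e.g. (DROP, BLACKLIST)
    scope: str = "attacker_victim"  # what a BLACKLIST reaction records (assumed names)


@dataclass
class IPS:
    signatures: list
    alert_only: bool = False          # the "big button": log, never drop
    blacklist: set = field(default_factory=set)
    events: list = field(default_factory=list)  # forensics trail: (what, src, dst)

    @staticmethod
    def _key(pkt, scope):
        """Blacklist key for a packet under a given scope."""
        if scope == "attacker":
            return (pkt.src,)
        if scope == "attacker_victim":
            return (pkt.src, pkt.dst)
        return (pkt.src, pkt.dst, pkt.dport)

    def _blacklisted(self, pkt):
        # A packet is blocked if any scope that covers it has an entry.
        return any(self._key(pkt, s) in self.blacklist
                   for s in ("attacker", "attacker_victim", "attacker_victim_service"))

    def inspect(self, pkt):
        """Return the verdict 'pass', 'drop' or 'reset'; always records an event on a hit."""
        if self._blacklisted(pkt):
            self.events.append(("blacklist-hit", pkt.src, pkt.dst))
            return "pass" if self.alert_only else "drop"
        for sig in self.signatures:
            if re.search(sig.pattern, pkt.payload):
                self.events.append((sig.name, pkt.src, pkt.dst))
                if self.alert_only:
                    return "pass"          # tuning mode: visibility without enforcement
                if BLACKLIST in sig.reactions:
                    self.blacklist.add(self._key(pkt, sig.scope))
                if RESET in sig.reactions:
                    return "reset"         # close the connection
                if DROP in sig.reactions:
                    return "drop"
                return "pass"              # ALERT only
        return "pass"


def demo(alert_only=False, scope="attacker_victim"):
    """Run a constructed packet sequence; returns (verdicts, number of logged events)."""
    sigs = [
        # Constructed traversal signature: drop and blacklist with the chosen scope.
        Signature("HTTP_Traversal", rb"\.\./\.\./", (DROP, BLACKLIST), scope=scope),
        # Constructed alert-only signature: never blocks on its own.
        Signature("Telnet_Root_Login", rb"^USER root", (ALERT,)),
    ]
    ips = IPS(sigs, alert_only=alert_only)
    attacker, victim, bystander = "203.0.113.5", "192.0.2.10", "192.0.2.11"
    verdicts = [
        ips.inspect(Packet(attacker, victim, 80, b"GET /../../etc/passwd HTTP/1.0")),
        ips.inspect(Packet(attacker, victim, 80, b"GET /index.html HTTP/1.0")),    # same pair
        ips.inspect(Packet(attacker, bystander, 80, b"GET /index.html HTTP/1.0")), # other host
        ips.inspect(Packet(attacker, victim, 23, b"USER root")),                   # same pair, new port
    ]
    return verdicts, len(ips.events)


if __name__ == "__main__":
    print("enforce, attacker->victim scope:", demo())
    print("enforce, attacker-only scope:   ", demo(scope="attacker"))
    print("alert-only mode:                ", demo(alert_only=True))
```

With the conservative attacker/victim scope, the blacklist entry stops the attacker's later packets to the victim (on any port) but still lets its traffic to the bystander host through; with the "drop everything from the attacker" scope the bystander's traffic is cut off too, which is exactly the self-inflicted outage the review warns about. In alert-only mode every hit is still logged, so the forensics trail survives, but nothing is dropped and no blacklist entry is created.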