Neal Weinberg
Contributing writer, Foundry

NetScreen IPS

Apr 08, 2004 · 3 mins
Intrusion Detection Software, Network Security

* The Reviewmeister checks out NetScreen-IDP 100

If you’re looking for a clean implementation of intrusion prevention that’s solid in every way, check out NetScreen Technologies’ NetScreen-IDP 100.

NetScreen has a huge signature library, but you have to define your internal hosts and vulnerable ports for the signatures to apply. For a large network, that would be a fairly tedious process. NetScreen says it will add automation tools in the next version of its IDP, shipping this quarter.

As an added bonus, we found honeypot technology in NetScreen’s IDP. The idea behind a honeypot is that most attackers will do very broad-scale reconnaissance on a network as part of an attack. If you put a system out there that should never be legitimately connected to, then any connection to that honeypot system is suspect and represents potential malicious traffic, no matter the content.

IDP lets you designate specific honeypot addresses and services; once a system connects to one of them, IDP can block all further traffic from that system.

NetScreen also includes sophisticated protection against connection floods, built on a TCP proxy. Its SYN Protector feature lets you define a combination of IP addresses and an application, then enable the protector. All TCP connections to that combination are proxied by the SYN Protector, which completes the client's three-way handshake itself before opening a connection to the server; a SYN that is never followed by an ACK therefore costs the server nothing, eliminating some classes of connection flood attacks. None of the content-based IPSs we tested has comparably sophisticated tools for User Datagram Protocol (UDP)-based protocols.
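To show why proxying the handshake defeats spoofed SYN floods, here is an added example of a SYN-cookie style protector in Python. It is illustrative code written for this page, not NetScreen's implementation: the segment layout, the HMAC-based cookie, the 64-second time bucket, the shared secret and the addresses are all assumptions. The protector answers every SYN itself with an initial sequence number that encodes the connection tuple and time bucket, keeps no state per SYN, and only hands a connection to the server when an ACK echoes a valid cookie.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class SynProtector:
    """Answers every SYN itself with a SYN-cookie ISN and keeps no per-SYN state.
    Only a client whose ACK echoes a valid cookie gets a connection opened to the
    protected server, so spoofed SYNs never consume server resources."""

    BUCKET = 64  # seconds; a cookie is accepted in the bucket it was issued and the next one

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret            # assumed per-device secret for the cookie MAC
        self.clock = clock
        self.syns_seen = 0
        self.established = []           # 4-tuples actually handed to the server

    def _tick(self) -> int:
        return int(self.clock()) // self.BUCKET

    def _cookie(self, seg: Segment, tick: int) -> int:
        msg = f"{seg.src}:{seg.sport}:{seg.dst}:{seg.dport}:{tick}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 8 bits of time bucket plus 24 bits of MAC: the ISN itself carries the state
        return ((tick & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def handle(self, seg: Segment):
        """Return the SYN-ACK to send, 'forward' when a handshake completes, or None to drop."""
        if seg.flags == "SYN":
            self.syns_seen += 1
            isn = self._cookie(seg, self._tick())
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK":
            now = self._tick()
            for tick in (now, now - 1):
                if (seg.ack - 1) & 0xFFFFFFFF == self._cookie(seg, tick):
                    self.established.append((seg.src, seg.sport, seg.dst, seg.dport))
                    return "forward"     # now open the server-side leg of the proxied connection
            return None                  # forged or stale ACK: nothing was ever allocated for it
        return None


def simulate(flood_size: int = 1000) -> dict:
    """Constructed scenario: one real client, a spoofed SYN flood, a forged ACK and a replayed ACK."""
    clock = [1_700_000_000]                         # fake clock so the run is deterministic
    p = SynProtector(b"assumed-shared-secret", clock=lambda: clock[0])
    server = ("192.0.2.10", 80)

    syn = Segment("198.51.100.7", 40000, *server, "SYN", seq=1000)
    synack = p.handle(syn)
    legit = p.handle(Segment("198.51.100.7", 40000, *server, "ACK", seq=1001, ack=synack.seq + 1))

    for i in range(flood_size):                     # spoofed sources never answer the SYN-ACK
        p.handle(Segment(f"203.0.113.{i % 250}", 1024 + i, *server, "SYN", seq=i))
    forged = p.handle(Segment("203.0.113.5", 1029, *server, "ACK", seq=6, ack=123456))

    clock[0] += 3 * SynProtector.BUCKET             # a replayed ACK outside the cookie window also fails
    stale = p.handle(Segment("198.51.100.7", 40000, *server, "ACK", seq=1001, ack=synack.seq + 1))

    return {"legit": legit, "forged": forged, "stale": stale,
            "syns_seen": p.syns_seen, "server_connections": len(p.established)}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point to take from the run is the ratio: a thousand spoofed SYNs are answered and forgotten, while the server sees exactly one connection, the one whose client proved it could receive the SYN-ACK. A real protector also has to carry the client's window and option state across to the server-side leg, which this sketch leaves out.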

One of the first management features we looked for was the ability to put the system into alert-only mode: keep the IPS running, but never drop any traffic. You would want this for tuning, and a network professional might also fall back to it whenever the IPS is suspected of causing network problems. NetScreen has a configuration versioning capability that lets you keep two configurations, one alert-only and one enforcing, and switch between them easily. All the other IPSs we tested had a hard time with this simple request, requiring either hardware rewiring or a more detailed modification of the security policy that was not easily reversible.

We also thought most network professionals would want a whitelist capability: tell the IPS that certain systems are not to be blocked for any reason. NetScreen gave us nice levels of detail, down to the port or even to the signature level.
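The three behaviours discussed above, the honeypot tripwire, alert-only mode and a whitelist that works at host, port or signature granularity, interact in ways that are easiest to see in code. The following is an added example of a toy IPS policy engine written for this page; it is not NetScreen-IDP code, and the flow record format, the exemption rules, the verdict names and the sample addresses are assumptions. It runs one constructed scenario twice, once enforcing and once in alert-only mode.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    signature: Optional[str] = None  # content signature that fired on this flow, if any


@dataclass(frozen=True)
class Exempt:
    """Whitelist entry (assumed format). With dport and signature both None it
    exempts the host outright; otherwise only that port, or only that signature."""
    src: str
    dport: Optional[int] = None
    signature: Optional[str] = None

    def covers(self, flow: Flow, reason: str) -> bool:
        return (self.src == flow.src
                and (self.dport is None or self.dport == flow.dport)
                and (self.signature is None or self.signature == reason))


class Engine:
    def __init__(self, honeypots: Iterable, whitelist: Iterable[Exempt], alert_only: bool = False):
        self.honeypots = set(honeypots)     # (ip, port), or (ip, None) for every port on that ip
        self.whitelist = list(whitelist)
        self.alert_only = alert_only        # tuning mode: log what would be dropped, drop nothing
        self.blocked = set()                # sources that have touched a honeypot
        self.log = []

    def _honeypot_hit(self, flow: Flow) -> bool:
        return (flow.dst, flow.dport) in self.honeypots or (flow.dst, None) in self.honeypots

    def evaluate(self, flow: Flow) -> str:
        """Return 'pass', 'alert' or 'drop' for one flow, updating the block list."""
        if self._honeypot_hit(flow):
            reason = "honeypot"             # nobody should talk to it, so content is irrelevant
        elif flow.src in self.blocked:
            reason = "blocked-source"       # tripped a honeypot earlier
        elif flow.signature:
            reason = flow.signature
        else:
            return "pass"

        if any(e.covers(flow, reason) for e in self.whitelist):
            self.log.append(("exempt", reason, flow))
            return "pass"                   # whitelisted: never blocked, but still visible in the log
        if reason == "honeypot":
            self.blocked.add(flow.src)      # block further traffic from this source
        verdict = "alert" if self.alert_only else "drop"
        self.log.append((verdict, reason, flow))
        return verdict


# Constructed sample policy and traffic (addresses from documentation ranges).
HONEYPOTS = {("192.0.2.250", None)}                        # a dark host: any port is a tripwire
WHITELIST = [Exempt("10.0.0.5"),                           # host-level exemption
             Exempt("10.0.0.6", signature="HTTP:OVERFLOW")]  # signature-level exemption
SCENARIO = [
    Flow("203.0.113.9", "192.0.2.250", 22),                # scanner touches the honeypot
    Flow("203.0.113.9", "192.0.2.10", 80),                 # same source, real server, no signature
    Flow("10.0.0.5", "192.0.2.250", 445),                  # whitelisted host touches the honeypot
    Flow("10.0.0.6", "192.0.2.10", 80, "HTTP:OVERFLOW"),   # signature exempted for this host
    Flow("10.0.0.6", "192.0.2.10", 80, "HTTP:SQLI"),       # a different signature is not exempted
    Flow("10.0.0.7", "192.0.2.10", 443),                   # clean traffic
]


def run(alert_only: bool = False):
    """Evaluate the scenario with one engine; returns the verdicts and the engine for inspection."""
    engine = Engine(HONEYPOTS, WHITELIST, alert_only=alert_only)
    return [engine.evaluate(f) for f in SCENARIO], engine


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, engine = run(alert_only=mode)
        print("alert-only" if mode else "enforcing", verdicts, "blocked:", sorted(engine.blocked))
```

Two design points worth noting. The honeypot verdict and the later block on the same source are kept as separate reasons so the whitelist can exempt either one, and alert-only mode still fills the block list so that a tuning run shows exactly which sources would have been cut off once enforcement is switched back on.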

For the full report, go to