• United States
Neal Weinberg
Contributing writer, Foundry

Apr 15, 20042 mins
Network SecuritySecurity

* A look at the managed, customer-premises-equipment-based IPS service, Sentinel, from

Last week, we talked about intrusion prevention tools. Here’s a look at a, a company selling a managed, customer-premises-equipment-based IPS service.

The offering, called Sentinel, uses an edge IPS device sitting outside the corporate firewall. Sentinel is a signature-based IPS with some additional features, such as virus scanning, but without any rate-based controls or SYN flood protection.

With Sentinel, isn’t just taking on the burden of managing a CPE-based IPS product; it’s an entirely proprietary system sold on a subscription basis and running on commodity Intel-based PCs.

As a managed service, Sentinel doesn’t give the network professional a lot of information. Unlike the other IPS devices we tested, you can’t see anything about any of the IPS features activated on the Sentinel. A Web-based GUI defines a small set of parameters, such as a network whitelist of systems that should never be blocked and the networks that Sentinel protects. Network managers who want to know what is going on will not find the configuration very enlightening. Sentinel appliances also have local reporting and limited forensics capabilities, with copies of all logs also shipped to’s operations center.

There are some local management options for the network professional. For example, if you want to whitelist a system, that’s fine. But if you want to disable IPS for only a particular port on a system, you have to request that from Other IPS features need to be negotiated as well, such as the ports Web servers listen on. By default, Sentinel only looks on Port 80 for Web-based attacks.

Sentinel depends heavily on its blacklisting function and applies it with the heaviest hand of any IPS product tested. Any IP address getting on the bad side of Sentinel is blacklisted, along with its adjacent IP addresses, for a period of 30 to 60 days. Fortunately, the network professional has easy access to a Web-based display of blocked IP addresses and attack events, and can remove an improper block easily. Sentinel sends e-mail to a designated e-mail box when an IP address is added to the block list.