Neal Weinberg
Contributing writer, Foundry

Sleuth9 and NetProtect

Mar 30, 2004
3 mins
Intrusion Detection Software, Network Security, Security

* The Reviewmeister tests out a couple more rate-based IPS products

The Reviewmeister ran two more rate-based IPS products through our lab: Sleuth9 from DeepNines Technologies and NetProtect LG100 from Vsecure Technologies.

Rate-based IPS devices must provide detailed control of traffic flow. Tuning the IPS means telling it which traffic to look at and what the limits are on that traffic. We discovered wide variation in product capabilities and in how much you must know about your network to use them.

Both products let you define what applications and servers you want to protect, usually by identifying a combination of source and destination IP addresses, along with source and destination port and protocol. In most cases, either the source or destination address will be a wildcard (indicating “the Internet”). For example, you might limit queries to your DNS server to 1,000 per second. Simple rules covering bandwidth and connection limiting (often called SYN flood protection) are something you can do in any rate-based IPS.

With NetProtect LG100, you can define a connection flood protection for a service on a particular system, but you can’t say how many connections that service can support. You have to pick one of four values for “sensitivity”: minor, low, medium or high. NetProtect detects idle connections building up from a single source, but not more sophisticated attacks that slowly keep sending small bits of data or are distributed across a large number of systems.
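The limitation described above is easy to see in code. The following is an added example, not NetProtect's implementation: it tracks half-open connections per source and flags any source holding more than a threshold chosen by a sensitivity level. The level names follow the review; the numeric thresholds, the IP addresses and the traffic are constructed for the example. The same number of idle connections spread across many sources stays below every per-source threshold, which is exactly the distributed case the review says the product does not catch.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Sensitivity level -> maximum half-open connections one source may hold.
# Level names follow the review; the thresholds are constructed, not vendor values.
SENSITIVITY: Dict[str, int] = {"minor": 200, "low": 100, "medium": 50, "high": 20}

Event = Tuple[str, str]   # (source address, "open" or "close")


def half_open_per_source(events: List[Event]) -> Dict[str, int]:
    """Count connections each source has opened (SYN seen) but not yet
    completed or closed. Only the current balance is kept."""
    open_by_src: Dict[str, int] = defaultdict(int)
    for src, action in events:
        if action == "open":
            open_by_src[src] += 1
        elif action == "close" and open_by_src[src] > 0:
            open_by_src[src] -= 1
    return dict(open_by_src)


def flagged_sources(events: List[Event], sensitivity: str = "medium") -> List[str]:
    """Sources whose half-open count exceeds the threshold for the given level."""
    threshold = SENSITIVITY[sensitivity]
    counts = half_open_per_source(events)
    return sorted(src for src, n in counts.items() if n > threshold)


def total_half_open(events: List[Event]) -> int:
    """Aggregate half-open connections across all sources (what the server feels)."""
    return sum(half_open_per_source(events).values())


def single_source_flood() -> List[Event]:
    # Constructed: one host opens 120 connections and never completes them.
    return [("203.0.113.7", "open")] * 120


def distributed_flood() -> List[Event]:
    # Constructed: the same 120 idle connections, two each from 60 hosts.
    return [(f"198.51.100.{i}", "open") for i in range(1, 61) for _ in range(2)]


if __name__ == "__main__":
    for name, events in (("single source", single_source_flood()),
                         ("distributed", distributed_flood())):
        print(f"{name}: {total_half_open(events)} half-open, "
              f"flagged at 'high' = {flagged_sources(events, 'high')}")
```

The server sees the same 120 idle connections in both runs; only the per-source view differs. A detector that keys solely on the source address needs an aggregate (per-service) limit as well, which is the control the review notes NetProtect does not let you express as a number.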

Other types of limiting technologies might be useful in environments where the traffic mix and parameters are known. For example, Vsecure detects the mix of protocols (TCP vs. User Datagram Protocol [UDP] vs. Internet Control Message Protocol [ICMP]) and can shut things down if the mix doesn’t fit within your parameters.
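The protocol-mix check works only because the operator can state what "normal" looks like. The example below is added here and is not Vsecure's code: it buckets packets into one-second windows, computes each protocol's share, and reports any protocol whose share falls outside a configured range. The baseline ranges and the two seconds of traffic (a normal mix, then an ICMP flood) are constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Acceptable share of each protocol within a one-second window, as
# (min_fraction, max_fraction). Constructed for the example; a real
# deployment would derive these from observed baselines.
BASELINE: Dict[str, Tuple[float, float]] = {
    "TCP": (0.60, 0.95),
    "UDP": (0.05, 0.35),
    "ICMP": (0.00, 0.05),
}


def protocol_mix(protocols: Iterable[str]) -> Dict[str, float]:
    """Fraction of packets per protocol in one window (empty if no packets)."""
    counts = Counter(protocols)
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()} if total else {}


def mix_violations(mix: Dict[str, float],
                   baseline: Dict[str, Tuple[float, float]] = BASELINE) -> List[Tuple[str, float]]:
    """Protocols whose share lies outside the configured range, with the observed share."""
    out: List[Tuple[str, float]] = []
    for proto, (lo, hi) in baseline.items():
        share = mix.get(proto, 0.0)       # a protocol absent from the window has share 0
        if share < lo or share > hi:
            out.append((proto, round(share, 3)))
    return out


def check_windows(records: Iterable[Tuple[float, str]], window: float = 1.0,
                  min_packets: int = 20) -> Dict[int, List[Tuple[str, float]]]:
    """Group (timestamp, protocol) records into windows and report violations per window.
    Windows with fewer than min_packets are skipped so a handful of packets
    cannot produce a misleading ratio."""
    by_window: Dict[int, List[str]] = defaultdict(list)
    for ts, proto in records:
        by_window[int(ts // window)].append(proto)
    result: Dict[int, List[Tuple[str, float]]] = {}
    for idx in sorted(by_window):
        protos = by_window[idx]
        if len(protos) < min_packets:
            continue
        result[idx] = mix_violations(protocol_mix(protos))
    return result


def constructed_traffic() -> List[Tuple[float, str]]:
    """Two seconds of constructed traffic: a normal mix, then an ICMP flood."""
    records: List[Tuple[float, str]] = []
    records += [(i * 0.01, "TCP") for i in range(80)]          # second 0: 80 TCP
    records += [(i * 0.05, "UDP") for i in range(15)]          #           15 UDP
    records += [(0.5, "ICMP"), (0.7, "ICMP")]                  #           2 ICMP
    records += [(1.0 + i * 0.02, "TCP") for i in range(30)]    # second 1: 30 TCP
    records += [(1.0 + i * 0.1, "UDP") for i in range(5)]      #           5 UDP
    records += [(1.0 + i * 0.004, "ICMP") for i in range(200)] #           200 ICMP
    return records


if __name__ == "__main__":
    for idx, bad in check_windows(constructed_traffic()).items():
        print(f"window {idx}: {'ok' if not bad else bad}")
```

In the flood window every protocol trips the check, not just ICMP, because the ratios are relative: a burst of one protocol necessarily shrinks the others' share. That is why a mix-based control is only safe where the normal mix is well characterised, and why the ranges need headroom for legitimate bursts such as a backup job or a DNS zone transfer.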

Once an IPS identifies that reconnaissance activity or an attack is happening, the bigger question is: What are you going to do about it? For certain kinds of attacks, such as a port scan or a Code Red worm, the obvious answer is drop those packets. When you get into rate-based IPS, the options get more complex, and the issues at hand, more subtle.

Both NetProtect and Sleuth9 offer the ability to block traffic.

IPS management was very inconsistent. Our litmus test was whether each device offered an alert-only mode where it watches for bad packets but does not block them. With Vsecure, it’s trivial to flip the device into and out of alert-only mode. For DeepNines, changing mode means making bigger, not easily reversible, changes to the configuration.
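Two of the points above, the rule shape described earlier (source, destination, protocol, port and a per-second limit, with a wildcard source standing for "the Internet") and the value of a cheap alert-only switch, fit in one small engine. The following is an added example and not code from either product: each rule keeps a packet count per one-second bucket, and a single flag decides whether packets over the limit are dropped or merely logged and passed. The addresses and the traffic (1,200 DNS queries in one second against the review's 1,000-per-second limit, plus some web and unrelated UDP traffic) are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # "*" means any source, i.e. "the Internet"
    dst: str                 # protected server address, or "*"
    proto: str               # "TCP", "UDP" or "ICMP"
    dport: Optional[int]     # None means any destination port
    limit_per_sec: int       # packets per second allowed before the rule fires


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


class RateIPS:
    """Minimal rate-based IPS: per-rule packet counters in one-second buckets.

    In block mode a packet above a rule's limit gets the verdict "drop"; in
    alert-only mode it is logged and passed with the verdict "alert". Flipping
    alert_only is the only change needed to switch modes."""

    def __init__(self, rules: List[Rule], alert_only: bool = False) -> None:
        self.rules = rules
        self.alert_only = alert_only
        self._counts: Dict[Tuple[str, int], int] = {}   # (rule name, second) -> packets
        self.alerts: List[str] = []

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (rule.src in ("*", pkt.src)
                and rule.dst in ("*", pkt.dst)
                and rule.proto == pkt.proto
                and rule.dport in (None, pkt.dport))

    def process(self, pkt: Packet) -> str:
        for rule in self.rules:                      # first matching rule decides
            if not self._matches(rule, pkt):
                continue
            key = (rule.name, int(pkt.ts))
            seen = self._counts.get(key, 0) + 1
            self._counts[key] = seen
            if seen > rule.limit_per_sec:
                self.alerts.append(f"{rule.name}: {seen}/s over limit "
                                   f"{rule.limit_per_sec} (src {pkt.src})")
                return "alert" if self.alert_only else "drop"
            return "pass"
        return "pass"                                # traffic no rule covers is not limited


# Constructed rules; 192.0.2.0/24 and 203.0.113.0/24 are documentation prefixes.
RULES = [
    Rule("dns-queries", "*", "192.0.2.53", "UDP", 53, 1000),   # 1,000 queries/s, as in the review
    Rule("web-syn", "*", "192.0.2.80", "TCP", 80, 500),
]


def constructed_second() -> List[Packet]:
    """One second of constructed traffic: 1,200 DNS queries (200 over the limit),
    50 web packets and 5 UDP packets to a host no rule protects."""
    pkts = [Packet(10.0 + i / 1200, f"203.0.113.{i % 20}", "192.0.2.53", "UDP", 53)
            for i in range(1200)]
    pkts += [Packet(10.0 + i / 50, "198.51.100.9", "192.0.2.80", "TCP", 80) for i in range(50)]
    pkts += [Packet(10.0 + i / 5, "198.51.100.9", "192.0.2.99", "UDP", 514) for i in range(5)]
    return pkts


def simulate(alert_only: bool) -> Dict[str, int]:
    """Run the constructed second through the engine and tally verdicts."""
    ips = RateIPS(RULES, alert_only=alert_only)
    return dict(Counter(ips.process(p) for p in constructed_second()))


if __name__ == "__main__":
    print("block mode:     ", simulate(alert_only=False))
    print("alert-only mode:", simulate(alert_only=True))
```

Running the same second in both modes yields identical counts; only the label on the 200 excess packets changes. That is the property the litmus test is after: an operator can watch what a new rule would have dropped before letting it drop anything, and switch back without touching the rules.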

DeepNines and Vsecure brought in more elaborate tools to handle multiple IPS devices. Although central management was an enterprise-oriented feature with these three products, none let us manage the configuration on more than one device at a time.

The most common additional feature shipping with these products was a firewall, either stateful or simple packet filtering. Both products can block traffic and act as a basic firewall, limiting exposure to services that should not ever be accessible through the IPS device. They could also identify and block port scanning.

Beyond that, DeepNines and Vsecure had some capability to block protocol-based attacks, such as illegal TCP flag combinations used by hackers during reconnaissance. DeepNines also was able to look for viruses.

For the full report, go to