
Intrusion prevention (2003)

Your 'network police' should complement and integrate with existing firewalls and intrusion detection systems, but never replace them. By Rene Millman

The mere mention of intrusion prevention systems (IPS) is enough to send shivers down the spine of any security professional who has had to install such a system. It is not for the faint of heart, and fine-tuning them to get the right results can be tricky.

These systems should not be thought of as firewalls with whistles and bells attached. Managed firewalls on their own are not enough to cut it when it comes to protecting vital network and data assets. Security now needs to be thought out in many layers, and this must incorporate some form of intrusion prevention.

Incorporating solutions

IPS should complement and integrate with a comprehensive intrusion detection system, but should never replace or displace a conventional firewall. Not just yet, at least.

In this month's Group Test we looked at a range of systems, each with their own distinctive personality. They range from the traditional (ISS's RealSecure Guard) to the avant-garde (Sana Security's Primary Response). In between there are differing opinions as to what an IPS actually is. What most people agree on is that they detect and block attacks from hackers and other nefarious people. However, exactly how they go about their business as the network's police diverges quite widely.

Some products in the test had a different raison d'être, such as eEye's RETINA scanner. Its main task is to probe the network for weaknesses and highlight problems for remediation. Others, such as Primary Response, looked after applications and how they interact with the rest of the network ecosystem.

Most of the other products were tested on a number of different criteria. We looked at how easy it was to install and get the product running with its default settings - not that anyone would want to run a product in default mode, as this is almost always the configuration most prone to attack. However, most products blocked the majority of attacks from script kiddies and the like straight out of the box.

Next was how long it took to configure the units to work with our test network. We wanted to run a series of test attacks on each product, so we set about configuring the unit to withstand and block such attacks. This gave us a good indication of how well the product could be configured.

Documentation was a mixed bag, with some products thoroughly explaining what everything was, what it did and how it fitted into most networks. Others were scant in their paperwork, and a few were wildly misleading.

Fine-tuning for results

Luckily all products could block all attacks thrown at them in this test, but for some this meant more tweaking than others. Again this can be construed as subjective, as some interfaces are more intuitive than others. Some people are more at home with browser-based consoles while others favor the command line interface approach for total control and flexibility. A number of products offer a choice of consoles in order to please both sides of this argument.

We watched for false positives, as these are the bane of most security set-ups. A lot of the vendors stress how much fewer false positives their particular products flag than the others. This could not be proved quantitatively, as it has as much to do with how the system is set up as with how well programmed the system is to start with.

Support was another area we looked at. This was more than just how good the vendor was in supplying timely advice, either over the phone or face to face. Online help was judged, as well as support and troubleshooting documentation that was provided within the application.

The cost of security

Lastly, value for money was taken into account. Many vendors warn against putting a price on security, but tight budgets are a cold, hard fact of business life in today's economic climate. We found that what goes for many areas of life rings pretty true for intrusion prevention - the more you spend, the more you get. It is up to the security professional to judge whether they want to spend another thousand dollars on a system that catches two percent more intrusions.

As this area of technology develops there will be a greater convergence of firewalls, IDS and IPS. Indeed, many companies are targeting their efforts on developing or acquiring an all-round ability to detect and block attacks while letting through normal business traffic. But, at the moment, not one product can protect the entire network from all forms of attack all the time. Each one offers a different level of protection.

Depending on the type of network deployed, it may be the case that two or more of these products need to be combined in the infrastructure to get the best results. As this technology is still relatively young, new products will come along to fill the voids and combine different disciplines.
