
Products on test:
Countersnipe APD 1000
DP Inspector 100e
Intrushield 2700
IPS 5500 Attack Mitigator
Proventia G400
Sentivist IPS Sensor 500
SonicWall Pro 5060
Sourcefire 3D System
Symantec Network Security 7120
TippingPoint 50
V-Secure V-100
XSGuard C-Series


In this test, we found a huge range in the level and type of protection, from externally managed boxes all the way up to multi-appliance systems. Our Best Buy award goes to the Sourcefire IS-2000. Its high level of protection and simple rule writing using the Snort engine make it a good standalone product, but it is when it is used as part of the 3-D System that it really takes off. Sourcefire's Defense Center provides excellent centralized management and reporting, and its Realtime Network Analysis appliances give a wider look at the network to help secure it. Our Recommended product is the Top Layer IPS 5500 Attack Mitigator. The name says it all – it deflects and blocks attacks before they hit your network. It works at wire speed and is particularly effective at blocking DDoS attacks, arguably the most prevalent kind of attack that networks face today. Combined with Top Layer's SecureCommand management appliance, it becomes an enterprise-class management and defense system.
Intrusion prevention (2005)
Catching malware and hackers means you need to do more than know what's going on – you need to act on that knowledge. Christopher Moody gets his hands dirty with a range of IPSs.
The old saying that prevention is better than cure has never been truer as far as network security goes, but it has been hard to achieve. Take intrusion detection systems, for example: they will warn you when they detect an attack, but will not stop it. That leaves you to run around and reconfigure the firewall to block the attack.
In today's environment, it is not good enough to react in this way – which is where intrusion prevention systems (IPSs) come in.
The exact definition of what constitutes an IPS is a difficult one. A firewall with integrated IDS is one example, a Layer-7 switch another. The first works particularly well inside a company, while the latter does a good job between the traditional firewall and the outside world, blocking DDoS attacks. The important thing is that these appliances can recognize threats and block them automatically.
In this test we have 12 IPS appliances, covering a wide range of different approaches. We have application-layer switches, dedicated IPS appliances and firewalls with IPS, so there is something on offer for all kinds of networks.
In all cases we had a clear sense of what we wanted from each product. Starting with the basics, we looked at the number of ports and how they can be configured. Essentially, there are two ways to install an IPS. The first requires a hardware tap, which splits an Ethernet connection so that one copy of the traffic runs into the IPS while the original connection continues as normal; this lets you capture all network traffic without disturbing the connection. It also means that if the IPS fails, the network connection continues to run as normal, although without protection.
The other way is to install an IPS in inline mode, which requires two network ports. The network connection you want to monitor is run through the appliance without the need for a hardware tap. However, in this mode it is important that the hardware can bridge the connection if it loses power or fails, so that you always have network connectivity. Inline is the preferred method, as it does not require any additional hardware.
Both methods mean the monitoring ports on the IPS do not have an IP address. This makes the device invisible on the network, and its monitoring ports will not respond to any queries. Instead, each device has a separate management port, which is the only way to configure the IPS.
For each appliance, we have examined how fast it can capture data. It is important to get an IPS that has the same throughput as the connection you want to monitor, or it will start to miss data and, potentially, attacks. Finally, for the high-end products, we looked at the way they deal with sending TCP resets. Better products have dedicated ports for this job.
Hardware is important, but detection and management are more important. We paid particular attention to the range of detection methods. The base level was always the attack signature database. As with antivirus software, it enables the IPS to detect and block known attacks with ease. For this method we examined how the signature set is managed. It should, for example, be easy to configure an IPS monitoring a Sun server to only detect Sun-specific attacks.
Next, there's the threat of zero-day attacks, which have not yet had a signature written for them. An IPS should be able to deal with these by building a baseline view of the network, so anomalies can be dealt with instantly.
If there is not an attack signature for something you want to detect, there should be the ability to write one.
Finally, there should be a range of methods for dealing with a detected threat including, for most events, blocking it immediately.
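The three detection criteria above (a signature database that can be tuned to the monitored host, a traffic baseline for unknown attacks, and an automatic blocking response) in a toy decision engine. This is an added illustration, not code from the article or from any appliance on test; every rule name, platform tag, threshold and sample event is constructed.

```python
"""Toy IPS decision engine mirroring the review's detection criteria.
Added example; all rules, host tags, thresholds and sample events are constructed."""
from collections import defaultdict

# Constructed signature database. Rules carry a platform tag so a sensor
# in front of a Sun server can be limited to Sun-specific rules.
SIGNATURES = [
    {"name": "solaris-rpc-probe", "platform": "sun", "port": 111, "pattern": b"rpcinfo"},
    {"name": "iis-unicode-traversal", "platform": "windows", "port": 80, "pattern": b"%c0%af"},
    {"name": "generic-shell-banner", "platform": "any", "port": None, "pattern": b"/bin/sh"},
]

# Constructed baseline of connections per source per window; traffic far
# above it is treated as an anomaly even when no signature matches.
BASELINE_CONN_PER_WINDOW = 20
ANOMALY_FACTOR = 5

def enabled_rules(host_platform):
    """Signatures relevant to the monitored host's platform."""
    return [r for r in SIGNATURES if r["platform"] in ("any", host_platform)]

def match_signature(event, rules):
    """Name of the first rule whose port and payload pattern match, else None."""
    for r in rules:
        if r["port"] in (None, event["dport"]) and r["pattern"] in event["payload"]:
            return r["name"]
    return None

def inspect(events, host_platform="sun"):
    """Return a (verdict, reason) pair per event: block on a signature hit
    or on a connection rate above the baseline, otherwise pass."""
    rules = enabled_rules(host_platform)
    conns = defaultdict(int)
    results = []
    for ev in events:
        conns[ev["src"]] += 1
        sig = match_signature(ev, rules)
        if sig:
            results.append(("block", f"signature:{sig}"))
        elif conns[ev["src"]] > BASELINE_CONN_PER_WINDOW * ANOMALY_FACTOR:
            results.append(("block", "anomaly:rate-above-baseline"))
        else:
            results.append(("pass", "clean"))
    return results

# Constructed sample traffic: a Sun-specific probe, a Windows-only pattern
# (ignored by a Sun-tuned sensor), and a flood of plain requests from one host.
SAMPLE = (
    [{"src": "10.0.0.5", "dport": 111, "payload": b"rpcinfo -p"}]
    + [{"src": "10.0.0.6", "dport": 80, "payload": b"GET /..%c0%af.. HTTP/1.0"}]
    + [{"src": "10.0.0.9", "dport": 80, "payload": b"GET / HTTP/1.0"}] * 101
)
```

Run against SAMPLE with the sensor tuned for a Sun host, only the RPC probe and the final flood packet are blocked; retuning the same sensor for a Windows host blocks the IIS pattern instead.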
As for management, while most products come with a standard web-based interface we also looked into other management tools. For large installations, centralized management is incredibly important. Some products on test go one step further, with a dedicated management appliance.
Reporting is another important feature. By getting regular reports on threat types detected and blocked you can fine tune your network and, perhaps, filter some problems at an earlier stage or take other preventative steps.
All these products are very complex, so the type and size of your network is likely to be the defining factor when choosing an IPS. We've rounded up a large range of the market. Over the next seven pages you can find out the strengths and weaknesses of each, to help narrow your choice down.
It's still a fairly new area of the market, but it's one to get involved in now, as a network that defends itself is a far better creature than the alternative.

