Attack Mitigator IPS 1000
July 01, 2003
Corero Network Security
Quick to set up and get running as no routing adjustments are needed.
Sits behind the WAN link so can do nothing to stop bandwidth saturation there.
A complementary item designed to work in tandem with other security products.
Top Layer Networks' Attack Mitigator lies at the traditional end of intrusion prevention. It aims to defend against both internal and external hackers using denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, as well as giving broad protection against other well-known attacks. This is done using a mixture of stateful inspection hardware and packet inspection software.
With this product came Top Layer's SecureWatch data collector software, used to report on network flow by taking data collected from other Top Layer products within the network.
The box may be deployed between the WAN router and the perimeter firewall of the network, as well as outside the firewall or in front of public-facing servers and internal server farms. It analyses data packets for attacks by comparing them against a range of packet sequence signatures, packet filters, TCP, ICMP and UDP flow counters as well as HTTP URL filters. When the product suspects a dubious packet it pulls it into a 'discard' port for later analysis. This allows for deployment without changing the routing pattern of the network.
Setting up was largely easy to accomplish. The front panel of the appliance houses twelve ports: one each for the internal and external networks, six for other internal and external network segments, and four further ports for management, flow mirroring and 'discarded' packets. Also available are two optical ports for fiber connections.
Installation involved connecting to the box via a serial port to configure initial IP settings on the management LAN. Once set, the box could connect to an isolated management LAN we set up on the test network. From here the browser-based console takes over for the rest of the configuration.
We set the box to 'mitigate' mode to see what kind of possible attacks it could pick up. We tried a SYN flood attack to overload our server behind the Attack Mitigator but failed, as the product limits the number of partial (half-open) TCP connections. Because it sat behind the router, it could do little to stop flooding of the WAN link itself.
The browser console uses a number of filters to protect against these attacks and others like them. Not only does it protect against a single hacking attempt, but it can also apply connection and bandwidth limits to groups of servers and from groups of clients.
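To make the two mechanisms the review describes concrete (capping half-open TCP connections per protected server, and capping total connections per client), here is an added illustration written for this page; it is not Top Layer's code and does not reproduce the appliance's real flow-counter implementation. All names, thresholds and the packet trace are assumptions constructed for the example. It tracks the three-way handshake state per connection, drops SYNs once a server's half-open count or a client's connection count reaches its cap, and ages out half-open entries whose handshake never completes, which is what stops a flood from pinning the table forever.

```python
"""Illustrative half-open TCP connection limiter (added example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # timestamp in seconds (constructed)
    src: str      # client IP
    sport: int    # client source port
    dst: str      # protected server IP
    flag: str     # "SYN", "ACK" (third handshake packet) or "FIN"


class HalfOpenLimiter:
    """Hypothetical flow counters: per-server half-open cap, per-client connection cap."""

    def __init__(self, max_half_open=3, max_per_client=3, syn_timeout=5.0):
        self.max_half_open = max_half_open    # half-open connections allowed per server
        self.max_per_client = max_per_client  # half-open + established allowed per client
        self.syn_timeout = syn_timeout        # seconds a SYN may wait for its ACK
        self.half_open = {}                   # (src, sport, dst) -> time SYN was seen
        self.established = set()              # (src, sport, dst) with completed handshake
        self.dropped = []                     # (t, src, dst, reason) for later analysis

    def _client_load(self, src):
        return (sum(1 for k in self.half_open if k[0] == src)
                + sum(1 for k in self.established if k[0] == src))

    def _server_half_open(self, dst):
        return sum(1 for k in self.half_open if k[2] == dst)

    def expire(self, now):
        """Evict half-open entries whose handshake did not complete in time."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.syn_timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def process(self, p):
        """Return True if the packet is forwarded, False if it is discarded."""
        self.expire(p.t)
        key = (p.src, p.sport, p.dst)
        if p.flag == "SYN":
            if self._server_half_open(p.dst) >= self.max_half_open:
                self.dropped.append((p.t, p.src, p.dst, "server half-open cap"))
                return False
            if self._client_load(p.src) >= self.max_per_client:
                self.dropped.append((p.t, p.src, p.dst, "client connection cap"))
                return False
            self.half_open[key] = p.t
            return True
        if p.flag == "ACK":
            if key in self.half_open:          # handshake completes
                del self.half_open[key]
                self.established.add(key)
                return True
            if key in self.established:        # data ACK on a known connection
                return True
            self.dropped.append((p.t, p.src, p.dst, "no matching SYN"))
            return False
        if p.flag == "FIN":
            self.established.discard(key)
            self.half_open.pop(key, None)
            return True
        return True


# Constructed trace: one well-behaved client, one client that never finishes its
# handshakes, and a third client that is briefly locked out and then admitted.
SAMPLE = [
    Packet(0.0, "10.0.0.5", 40001, "192.0.2.10", "SYN"),
    Packet(0.1, "10.0.0.5", 40001, "192.0.2.10", "ACK"),
    Packet(1.0, "10.0.0.9", 50001, "192.0.2.10", "SYN"),
    Packet(1.1, "10.0.0.9", 50002, "192.0.2.10", "SYN"),
    Packet(1.2, "10.0.0.9", 50003, "192.0.2.10", "SYN"),
    Packet(1.3, "10.0.0.9", 50004, "192.0.2.10", "SYN"),   # server half-open cap reached
    Packet(1.35, "10.0.0.9", 50005, "192.0.2.11", "SYN"),  # client connection cap reached
    Packet(1.4, "10.0.0.7", 41000, "192.0.2.10", "SYN"),   # innocent client blocked for now
    Packet(7.0, "10.0.0.7", 41000, "192.0.2.10", "SYN"),   # stale entries expired, admitted
    Packet(7.1, "10.0.0.7", 41000, "192.0.2.10", "ACK"),
]


def run_trace(packets):
    lim = HalfOpenLimiter()
    decisions = [lim.process(p) for p in packets]
    return {"limiter": lim, "decisions": decisions}


if __name__ == "__main__":
    result = run_trace(SAMPLE)
    for p, ok in zip(SAMPLE, result["decisions"]):
        print(f"{p.t:5.2f} {p.src}:{p.sport} -> {p.dst} {p.flag:4} {'forward' if ok else 'DISCARD'}")
    for d in result["limiter"].dropped:
        print("discarded:", d)
```

The trace shows the trade-off the review hints at: while the half-open table for 192.0.2.10 is full, a legitimate SYN from 10.0.0.7 is discarded too, and only the timeout frees the slots. Tuning `syn_timeout` and the caps against normal traffic is what keeps that collateral blocking short.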
The network-based approach to defense will easily complement a network's firewall and detection systems.