Attack Mitigator IPS 2400
March 25, 2004
Vendor: Corero Network Security
Product: Attack Mitigator IPS 2400
Price: List price for the IPS 2400 is $80,000
Strengths: High levels of performance; extremely low latency; excellent attack mitigation and traffic-shaping capabilities
Weaknesses: Poor signature coverage compared to traditional IDS/IPS devices (better as a pure attack mitigator)
Verdict: Lowest latency we have seen of any IPS device in our labs. Although limited in terms of coverage of common exploits, the IPS 2400 is designed to sit in front of a firewall and provide attack mitigation and traffic-shaping capabilities rather than traditional IPS/IDS functions.
Top Layer's Attack Mitigator IPS is actually a family of ASIC-based Network Intrusion Prevention Systems (NIPS), with blocking and control against certain types of cyber attacks. The product tested is the Attack Mitigator IPS 2400, a combination of multiple Attack Mitigator IPS 1000 and load-balancer units.
Top Layer has improved the performance of the individual IPS 1000 units considerably since we last tested them in our labs, and when clustered and load balanced in the configuration under test here the solution scales extremely well, providing excellent performance on Gigabit networks.
Performance at all levels of our load tests was impeccable, with 100 percent of all attacks being detected and blocked under almost all conditions. We rate the IPS 2400 as a true 1Gbps device. Latency figures were also outstanding at all traffic loads and with all packet sizes – the lowest that we have seen for a device of this type under normal traffic conditions.
SYN flood mitigation is the strong point of the IPS 2400, because it proxies all SYNs itself and only passes a connection through once it is sure that the connection is legitimate.
Although increased latency through the device during the SYN flood attacks may cause problems with legitimate traffic, mitigation was complete, with not one invalid SYN making it through to the protected network.
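To illustrate the SYN-proxying behaviour the review describes, here is an added, simplified model (not Top Layer's code) of an in-line mitigator that answers every SYN with a SYN-cookie SYN-ACK, keeps no per-connection state, and hands a connection to the protected server only after the client's ACK proves the source address is real; the secret, addresses and ports are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed per-device secret; a real device would rotate this periodically.
SECRET = b"constructed-demo-secret"


def syn_cookie(src_ip, src_port, dst_port, t):
    """Stateless 32-bit cookie used as the SYN-ACK sequence number (assumed scheme)."""
    msg = f"{src_ip}:{src_port}:{dst_port}:{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    def __init__(self):
        self.established = []  # connections actually forwarded to the protected server

    def on_syn(self, src_ip, src_port, dst_port, t):
        # No state is allocated for the half-open connection; the cookie *is* the state,
        # so a flood of SYNs from spoofed sources cannot exhaust a table.
        return ("SYN-ACK", syn_cookie(src_ip, src_port, dst_port, t))

    def on_ack(self, src_ip, src_port, dst_port, ack_num, t):
        # Accept cookies from the current and the previous time slot to tolerate delay.
        for slot in (t, t - 1):
            if ack_num == syn_cookie(src_ip, src_port, dst_port, slot) + 1:
                # Only now does the proxy open the connection to the protected server.
                self.established.append((src_ip, src_port))
                return True
        return False  # forged or stale ACK: never reaches the protected network


def simulate(n_spoofed, legit_clients, t=100):
    """Return (connections forwarded, whether a blind forged ACK got through)."""
    proxy = SynProxy()
    # Spoofed flood: SYNs whose source addresses will never answer the SYN-ACK.
    for i in range(n_spoofed):
        proxy.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, 80, t)
    # Legitimate clients see the SYN-ACK and complete the handshake.
    for ip, port in legit_clients:
        _, cookie = proxy.on_syn(ip, port, 80, t)
        proxy.on_ack(ip, port, 80, cookie + 1, t)
    # A blind ACK with a guessed number, sent without ever seeing a SYN-ACK.
    forged_ok = proxy.on_ack("10.9.9.9", 5555, 80, 12345, t)
    return len(proxy.established), forged_ok


if __name__ == "__main__":
    print(simulate(1000, [("192.0.2.10", 51000), ("192.0.2.11", 51001)]))
```

The model also shows why legitimate connections pay a latency cost under flood: every one of them completes a full handshake with the proxy before the server ever sees it.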
We also found the IPS 2400 to be very stable, surviving our extended reliability tests without missing a beat, and without blocking any legitimate traffic or succumbing to common evasion techniques.
There is some ongoing discussion in this industry about whether a true IPS is an evolution of the firewall or of the IDS. The Top Layer IPS approach is much more closely aligned to the traditional firewall model than to the traditional IDS model. In fact, the Top Layer IPS 2400 has very few "traditional" IDS features, providing little in the way of built-in forensic analysis capabilities and a smaller set of "attack signatures" than you would expect to see in an IDS/IPS product. Bear in mind also that those signatures are limited purely to HTTP URI filters, and do not cover other common protocols such as FTP or SMTP. Nor do they perform any protocol analysis.
Attack recognition capabilities are thus not as good as you would expect from a traditional IDS/IPS product. However, it should be recognized that the strongest feature of this particular product is actually in its ability to protect a network from the denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks which are becoming more and more prevalent in today's networks. This is the task for which the IPS 2400 was primarily designed, and it is a task which it fulfils admirably.
Because of this, we would not recommend the purchase of an IPS 2400 as a pure IPS/IDS product to be installed behind a firewall to protect against "known" exploits of common protocols and applications. Instead, this device is best employed in front of a firewall where it can protect both the firewall and the network from high-volume DoS and DDoS attacks – a common threat in today's networks.
Although the initial cabling-up of the IPS 2400 is not as straightforward as for a single-box solution, Top Layer would normally install, connect and configure the cluster as part of its after-sales service. From the end-user's point of view, this is about as easy as it gets.
The device immediately begins operating in Monitor mode to provide an indication of which traffic would be mitigated or limited without the risk of inadvertently creating a DoS condition. It is important with in-line devices such as this that sufficient features are given over to the task of traffic profiling, and the IPS does provide some good graphical monitoring tools to help determine optimum bandwidth and connection rates for various applications before limiting traffic.
There are a number of features to help control and limit legitimate traffic, as well as mitigate malicious traffic, and the management interface is relatively easy to use both for management and monitoring. It would be nice to see some form of centralized multi-device management capabilities in a future release – at the moment, each console is limited to managing a single device at a time, and thus it is difficult to create a single policy for multiple devices and then push them out from a central point.
In the Attack Mitigator IPS 2400, alert management is extremely basic, but the main job of the Attack Mitigator IPS is to stop malicious or suspicious traffic rather than analyze it, and it does this extremely well. Most users would probably be content to leave it at the fact that the bad traffic never made it onto their network, but for those who want additional forensic analysis of the mitigated traffic, this product does provide a Forensic port to route that traffic to a third-party collection and analysis product.