Product Group Tests
IDS/IPS
February 01, 2011
IDS/IPS has evolved to support enterprise-wide deployment models, allowing admins to deliver an added layer of protection across any LAN segments or host systems they wish to protect.
Instead of focusing intrusion technologies strictly on gateway traffic, we now have tools that let us gather and manage information as it moves around our networks and mitigate risks wherever they are found.
Through easy-to-use policy tools that let admins create custom rules and threat descriptions, plus added technologies such as risk and threat modeling and behavioral analysis, these solutions bring us much closer to protecting the enterprise from zero-day threats. The distributed architectures allow far more deployment and protection options while keeping policy management and log collection central.
How we tested
We configured our lab as a three-zone setup: a firewalled internet connection, an internal LAN, and a DMZ hanging off a separate firewalled port. The DMZ held a patched Windows 2003 domain controller and SQL server. The internal LAN held an unpatched Windows XP SP2 PC and a CentOS Linux server. It is important to note that we were not testing the products' ability to stop specific threats; we reviewed their signature-based, rule-based and zero-day capabilities to compare features and functions only.
We ran Nessus and Nmap scans against various hosts to generate alerts and log data so that we could evaluate the management, reporting, dashboarding and alerting capabilities. We tested the policy creation and deployment features and reviewed how each product kept its threat and vulnerability databases up to date. Of the five products reviewed, four shipped to us as appliances and one was a software deployment requiring a dedicated Linux server.
We did not expect these products to be simple to deploy, and all of them took considerable effort to deploy and configure. These technologies are definitely not plug and play, but what good security product is? Once deployed, every product delivered graphical tools for configuring and managing its sensors, some more intuitive than others. We found vast differences in reporting, dashboarding and alerting. Most of the products offered both inline and passive modes for monitoring traffic. There were things we liked about each solution, which means it is very important to understand what one really wants from an IDS/IPS solution before deciding which platform to acquire. All the solutions delivered base IDS capabilities; the differentiators came in the IPS capabilities and the technologies used to combat sophisticated and zero-day threats.
The documentation was not what we wanted to see from any of the participants, which forced us to rely on the support options available to us, and those were all very impressive.
The products we reviewed were flexible and delivered a wide range of options, from out-of-the-box protection to elaborate customized policy rules and risk and threat heuristics. If one has the time to evaluate multiple technologies, these are definitely tools that justify a full evaluation to determine the best solution for the enterprise's needs.
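To make the distinction concrete between the signature and rule matching every product delivered and the behavioral analysis and inline enforcement that set the IPS-class products apart, here is an added, self-contained illustration written for this page. It is not code from any of the products reviewed or from the magazine. It runs a hypothetical rule set over a constructed batch of connection records modeled on the Nmap sweep and HTTP probe used in testing; the rule names, thresholds, addresses and payloads are assumptions, and the Nmap NSE user-agent string is the one Nmap's http library sends by default.

```python
"""Toy IDS/IPS: signature rules, a behavioral port-scan detector, and an
inline (drop) versus passive (alert-only) mode, run over constructed
connection records. Added illustration for this review; not vendor code."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float       # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of client data; empty for a bare SYN/connect


# Hypothetical signature rules: (name, destination port or None, byte pattern).
SIGNATURES = [
    ("HTTP request from Nmap Scripting Engine", 80, b"Nmap Scripting Engine"),
    ("Nessus web scanner user-agent", 80, b"compatible; Nessus"),
]


def signature_alerts(conns):
    """Rule-based detection: flag any connection whose payload contains a
    known pattern on the rule's port. Returns (ts, src, rule name) tuples."""
    hits = []
    for c in conns:
        for name, port, pattern in SIGNATURES:
            if (port is None or port == c.dport) and pattern in c.payload:
                hits.append((c.ts, c.src, name))
    return hits


def scan_alerts(conns, threshold=10, window=5.0):
    """Behavioral detection with no signature: a source that touches at least
    `threshold` distinct dst:port pairs inside a sliding `window` of seconds
    is reported as a port scan. Returns (src, detection ts, distinct count),
    at most once per source."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    alerts = []
    for src, recs in by_src.items():
        win = deque()
        for c in recs:
            win.append(c)
            while c.ts - win[0].ts > window:   # c itself is never evicted
                win.popleft()
            distinct = {(r.dst, r.dport) for r in win}
            if len(distinct) >= threshold:
                alerts.append((src, c.ts, len(distinct)))
                break
    return alerts


def enforce(conns, mode="passive", **scan_params):
    """Passive mode only reports. Inline mode additionally drops every later
    connection from a source once it has been flagged as scanning.
    Returns (signature alerts, scan alerts, permitted connections)."""
    sig = signature_alerts(conns)
    scans = scan_alerts(conns, **scan_params)
    if mode == "inline":
        cutoff = {src: ts for src, ts, _ in scans}
        permitted = [c for c in conns
                     if c.src not in cutoff or c.ts <= cutoff[c.src]]
    else:
        permitted = list(conns)
    return sig, scans, permitted


def sample_conns():
    """Constructed records: an Nmap-style sweep of 12 ports on a DMZ host,
    a follow-up NSE HTTP probe, and benign admin traffic from another PC."""
    recs = [Conn(100.0 + 0.1 * i, "10.0.0.5", "10.0.1.20", port, b"")
            for i, port in enumerate(range(21, 33))]
    recs.append(Conn(103.0, "10.0.0.5", "10.0.1.20", 80,
                     b"GET / HTTP/1.1\r\nHost: 10.0.1.20\r\n"
                     b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; "
                     b"https://nmap.org/book/nse.html)\r\n\r\n"))
    recs += [
        Conn(101.0, "10.0.0.7", "10.0.1.20", 3389, b""),
        Conn(104.0, "10.0.0.7", "10.0.1.21", 1433, b""),
        Conn(105.0, "10.0.0.7", "10.0.1.20", 80,
             b"GET /index.html HTTP/1.1\r\nHost: 10.0.1.20\r\n"
             b"User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n\r\n"),
    ]
    return recs


if __name__ == "__main__":
    for mode in ("passive", "inline"):
        sig, scans, permitted = enforce(sample_conns(), mode=mode)
        print(f"{mode}: {len(sig)} signature alert(s), {len(scans)} scan alert(s), "
              f"{len(permitted)}/{len(sample_conns())} connections permitted")
```

The sweep triggers no signature at all; it is caught only because the behavioral threshold (ten distinct ports within five seconds) is crossed, which is the kind of rule-free detection the zero-day marketing refers to. The NSE probe, by contrast, is a plain pattern match. In inline mode the sensor's verdict matters: everything the scanning host sends after the tenth port is dropped, so the threshold and window are tuning knobs that trade missed scans against blocking a legitimate host that happens to fan out quickly.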