Countersnipe APD 1000
Quick to configure; Dashboard management handles groups of sensors.
Simplistic reporting tools; sparse documentation.
Quick and simple interface, but the sparse documentation means it is better suited to networks where you already have highly trained security staff.
The APD 1000 is a 1U, Pentium 4-based server running Linux. As such, the first configuration step is to connect a keyboard and mouse and enter an IP address for its management Fast Ethernet interface. That takes only a few minutes, and then gives access to the APD 1000's web-based management console, the Dashboard.
Its well laid-out interface is a pleasure to use, and all the major settings are easy to find. From here you can configure the two Fast Ethernet monitoring interfaces (the appliance is rated for 100Mbps of traffic) either as an inline pair, with traffic passing through the box, or passively, feeding each interface from a hardware tap on a different network segment.
In inline mode there is a choice of IDS (detect and alert only), IPS (detect and block) or open mode. Open mode is intended for the learning period, during which the appliance builds a baseline of what normal traffic looks like. Once learning is complete it flags deviations from that baseline as network anomalies, which is how it aims to give you a handle on zero-day attacks for which no signature exists yet. The caveat is that the baseline is only as good as the traffic it learned from, so the learning period should be run when the network is known to be clean and busy enough to be representative.
The Dashboard can be used to configure multiple sensors; it supports grouping, so that you can set the same configuration on multiple sensors all at once.
You can also create multiple users, so that you can delegate management and, for example, have one administrator who is just in charge of reports.
Configuring group policies is extremely easy. Attack signatures are split into well-defined groups, so it's just a matter of picking how you want to respond to each type of attack: block, alert, ignore, and so on. The system also ships with a default policy, so you can either override it for each group of sensors or leave the defaults in place. One omission is that there are no dedicated Ethernet ports for sending TCP resets, which limits active response when the appliance is deployed passively off a tap rather than inline. The detection engine is Snort, so you can write your own rules in the standard Snort syntax or, for new threats, pick up rules published by the wider Snort community.
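To make the policy model concrete, here is an added example (not Countersnipe's software, and not Snort itself) that parses a few rules written in Snort syntax, matches them against constructed sample packets, and resolves each hit through a default block/alert/ignore policy per signature group with a per-sensor-group override. The rules, the 10.0.0.0/24 home network, the policy tables, the "DMZ" override and the packets are all made up for illustration; the sids sit in the local 1000000+ range so they do not collide with published rules.

```python
# Added example (not Countersnipe's or Snort's code): a toy Snort-style rule
# matcher that applies a per-signature-group policy of block / alert / ignore.
import ipaddress
import re
from collections import namedtuple

# Assumed monitored segment; $HOME_NET / $EXTERNAL_NET resolve against it.
HOME_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed rules in Snort syntax (sids in the local 1000000+ range).
RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner from outside"; content:"SSH-"; classtype:attempted-admin; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP to monitored host"; classtype:misc-activity; sid:1000003; rev:1;)
"""

# Default policy: one response per signature group (the Snort classtype), plus a
# hypothetical override for a "DMZ" group of sensors that wants pings reported.
DEFAULT_POLICY = {"web-application-attack": "block", "attempted-admin": "alert",
                  "misc-activity": "ignore"}
DMZ_OVERRIDE = {"misc-activity": "alert"}
SEVERITY = {"ignore": 0, "alert": 1, "block": 2}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

Rule = namedtuple("Rule", "proto src sport dst dport opts")
Packet = namedtuple("Packet", "proto src sport dst dport payload")


def parse_rules(text):
    """Parse rule header and options; options are split on ';' (no quoted ';' here)."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        opts = {}
        for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
        rules.append(Rule(m["proto"], m["src"], m["sport"], m["dst"], m["dport"], opts))
    return rules


def _addr_ok(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Header match on proto/addresses/ports, then a plain substring content match."""
    if rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    for spec, port in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if spec != "any" and int(spec) != port:
            return False
    content = rule.opts.get("content")
    return content is None or content.encode() in pkt.payload


def resolve_action(classtype, override=None):
    """A sensor-group override beats the default policy; unknown groups fall back to alert."""
    if override and classtype in override:
        return override[classtype]
    return DEFAULT_POLICY.get(classtype, "alert")


def inspect(pkt, rules, override=None):
    """Return (verdict, sid). If several rules fire, the most severe response wins."""
    verdict, sid = "pass", None
    for rule in rules:
        if rule_matches(rule, pkt):
            action = resolve_action(rule.opts.get("classtype"), override)
            if sid is None or SEVERITY[action] > SEVERITY[verdict]:
                verdict, sid = action, int(rule.opts["sid"])
    return verdict, sid


# Constructed traffic: three hits from outside, plus one internal request that
# $EXTERNAL_NET excludes, so the passwd rule must not fire on it.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 43210, "10.0.0.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.5", 51000, "10.0.0.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet("icmp", "203.0.113.9", 0, "10.0.0.10", 0, b""),
    Packet("tcp", "10.0.0.20", 1234, "10.0.0.10", 80, b"GET /etc/passwd HTTP/1.0\r\n"),
]


def run(override=None):
    rules = parse_rules(RULES_TEXT)
    return [inspect(pkt, rules, override) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (verdict, sid) in zip(SAMPLE_PACKETS, run(DMZ_OVERRIDE)):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {verdict:<6} sid={sid}")
```

Two design points carry over to a real deployment. First, the action lives in the policy table, not in the rule: every rule is written as `alert`, and whether a hit is blocked, logged or ignored is decided per signature group, which is exactly what lets one default policy be overridden for a single group of sensors without editing rules. Second, when several rules fire on one packet the most severe response wins, so a signature group set to "ignore" cannot mask a "block" from another group.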
Reports are generated through the same console. There is a large selection available, sortable by a variety of fields, although they fall short of the standard set by dedicated reporting packages.
The APD 1000 is a very simple product to use and one of the easiest to get running. However, it comes with sparse documentation and lacks the depth and range of features of other products in this test, although its lower price makes it quite a bargain if you have well-trained administrators.