Proventia G Series is a new range of turnkey intrusion prevention appliances from ISS. They are designed to proactively block malicious attacks from entering the network, including denial-of-service (DoS), intrusions and malicious code, backdoors and hybrid threats like MS Blaster or SQL Slammer. Proventia G Series blocks attacks in real-time, minimizing the need for active administrator involvement in most security events.
Built upon the Proventia code base and modified for in-line appliance configurations, the Proventia G200 appliance features a pre-installed network agent on a standard Intel platform. The device has two 10/100/1000Mbps ports, used for management and for sending TCP resets when monitoring in passive mode, and a dual copper port 100/1000Mbps network card which is capable of operating in pass-through mode when power is not applied to the appliance.
Proventia G Series appliances analyze over 100 network protocols and include over 2,500 checks. They can operate in three modes: Active (in-line, blocking), Passive (not in-line, no blocking), and Simulation (in-line, no blocking).
Much effort has been put into designing the Proventia hardware to cope with the bandwidth claimed (200Mbps on the G200) and in producing custom drivers for the built-in network cards. This care allowed Proventia to detect and block 100 percent of attacks under all of our test conditions. We have no hesitation in rating the Proventia G200 as a true 200Mbps device.
Overall, the Proventia offers outstanding performance coupled with surprisingly low latency under normal traffic conditions. The G200 will not cause bottlenecks in any normal 200 Mbps environment unless it is subjected to heavy DoS attacks, which it nevertheless mitigates effectively.
We also found the Proventia G200 to be very stable and reliable, coping with our extensive reliability tests with ease and without blocking any legitimate traffic or succumbing to common evasion techniques. Signature recognition and blocking performance was excellent out of the box, and was increased to 100 percent after the application of a signature pack update which was provided to us in less than 48 hours.
With the removal of the aged Workgroup Manager Console and its replacement with the more scalable and flexible SiteProtector, Proventia has taken a leap forward. The SiteProtector management system has been well designed to handle management and configuration of large numbers of IPS and IDS sensors across the enterprise.
The only significant portion of "legacy" code remaining in the user interface is the Policy Editor, which is certainly showing signs of the strain involved in making two quite different technologies – BlackICE and RealSecure – work together as seamlessly as possible. This should be replaced in the not-too-distant future with the new Java-based Common Policy Editor which, as its name implies, will provide a common policy management interface across the entire Proventia range.
The old Workgroup Manager Console was one of the most comprehensive and easy-to-use out of the box, and for a long time was the benchmark against which all other IDS consoles were measured. With SiteProtector, ISS has done it again, producing one of the best consoles we have seen in our labs to date. It is worth pointing out that this is no longer an extra cost option, but is included in the price of the sensor (the SecurityFusion module is still an extra-cost option).
Sensor and policy management are amongst the most straightforward and scalable that we have seen to date. Policies can be applied to multiple sensors at the click of a mouse, and the use of rules to auto-group assets together with the ability to apply policies at site or group levels means it is very easy to install and activate sensors with little or no administrator intervention. At the moment, Proventia is one of the easiest products to deploy across a large, distributed network.
Alert handling is excellent, with SiteProtector simplifying the life of the administrator via automatic impact analysis and event correlation across vulnerability assessment tools and network sensors. The result is that even the largest installations should be able to reduce the number of critical alerts appearing at the Console to a more manageable level by grouping related events together and tracking them as "incidents."
The ability to report and annotate at an incident level is useful, as is the ability to manually correlate multiple events into a single incident if required.
Built-in reports have given way to infinitely customizable views which provide the means to drill down into the event data from almost any angle. The resulting views can be saved and recalled on demand or run at regular intervals via a scheduler, and the Dashboard provides high-level graphical summaries.