IDS/IPS 2007

August 31, 2007

This month we looked at some of the leading IDS/IPS products. This has been a staple of our annual Group Test reviews schedule and that has given us a chance to track the evolution of these products and the markets they serve. This year there are two noticeable changes. First, the footprint we are seeing is decidedly distributed. Second, the functionality continues to approach universal threat management.

There is another trend that, really, is an outgrowth of the functionality trend. There are fewer real IDS/IPS products in the marketplace. This is exactly opposite from the trend we saw last month in UTM products and that is no accident. IDS/IPS vendors see the writing on the wall: the IDS/IPS as a stand-alone product is a dying breed. We made the same observation the month before relative to anti-malware gateways.

The die is cast and the future written. Next year at this time we will begin to see what this new UTM market really looks like. In the meantime, there still are very credible IDS/IPS products, and from our perspective here at SC Labs, that’s a very good thing. The use of a distributed IDS/IPS is a step forward for most very large enterprises. To date there have been ways to gather data from multiple sensors to be sure, but the emerging architecture of separating the control center from the sensors is a step forward.

Even with that change, we found that there is a lot of data being fed to the consoles. These analysis consoles come in two flavors. We see web-based thin clients with Java applets and we see fat clients with heavy dependence upon Java. The fat clients require far more real estate on the desktop than do the thin clients, especially in terms of memory. Some of our smaller computers failed under the load of a heavy attack stream against their sensor.

Another trend we saw is the beginning of the export of IDS/IPS data into analysis tools by design. Of course we always could get the data if we wanted it, but we are seeing more analysis capability than ever before. We attribute this trend to the need for forensic analysis of network events at an increasing rate. Network attacks have become the province of specialized malware. The notion of the blended threat is old hat now and we need to be able to analyze malicious activity at a depth beyond that which we were used to in the past. We are beginning to see analysis tools built into IDS/IPS products.

How to buy IDS/IPS

Start with an understanding of your environment.

If you have a large distributed enterprise, a distributed footprint for the IDS/IPS is your best bet. Sensors should be placed where they can do the most good. Analysis of your data flows is a very useful starting point. This helps minimize the number of sensors required to get the most useful information.

Understand what it is you want to see/do.

Today’s products are incredibly versatile. You may configure multiple sensors differently depending on your objectives. Product costs vary, but none are cheap. Match the product to your need and look for extra features that approach UTM functionality. If not fully UTM functional today, most will be tomorrow. Protect your investment by looking at the vendor’s development path to ensure that your new product will grow with your needs.

How we tested

We evaluated the products for this Group Test for ease of set-up and configuration, especially policy management, which has become quite flexible in most products. We looked at reporting and the ability to block malicious traffic, as well as how effectively the product was supported with updates.

Finally, we subjected products to our Attack Pod using both vulnerability scans and penetration tests from Nessus 3, NetClarity and Core Impact. Our test bed included a variety of patched and unpatched targets running different flavors of Windows and Linux. We used our new Mu appliance on a few of the products as a test of claimed zero-day protection. In most cases, the tests confirmed the vendors’ claims. We were able to improve our monitoring through the use of our new Network Critical CriticalConneX CriticalTAP, which allowed us to monitor both sides of the test bed with a single sniffer.

The bottom line for this Group Test is that the products are becoming more versatile, more powerful as analysis tools, and more distributed. They are not becoming exceptionally more difficult to use and manage, however. And that’s good news, indeed.

- Mike Stephenson contributed to this Group Test.