Intrusion prevention (2006)

In the past two years, since our last SC group test of intrusion prevention systems (IPSs), they have become more effective, more widely distributed and more complicated to deploy. What’s more, the more complicated systems are consistent with today’s more complex networks.

For an IPS to be effective, it needs a proper installation. This can be a daunting task, so be sure you include on your deployment team the best experts on your network that you can find.

As you plan for deployment, you need to remember that the more complex (configurable) the IPS, the more opportunities you have to make errors. If you intend to depend on it to protect you, that can be a serious problem. Also, the more detail and customisation is required when writing policies, the more likely errors are.

However, although we were generally pleased with this batch, one area that disappointed us was the lack of dependable, comprehensive protection. While all the products performed better than their peers two years ago, about half were unable to prevent our more aggressive attacks. All were good at blocking simple attacks, such as port scans and vulnerability sweeps, but when we unleashed our big guns, several buckled under the strain – a fundamental flaw for this type of product.

Another area of disappointment was support. While all vendors offer support of some type, many ask you to purchase it. In its most extreme example, this even extended to access to the vendor’s support website. For a class of product where more than half the vendors offered us our own, personal onsite support engineer (and one even recommended in its manual that you use an onsite support engineer to deploy its product), we think that customer support should be free, at least for the first year while the bugs ring out of the implementation.

This group was also full of surprises. In a field where a midrange product can cost around £15,000, the real standout was a product that measured about eight inches long, looked like a square orange tube and cost £500. It was the only product we tested that performed flawlessly in all areas. So we selected two Best Buys: one in the large appliance category and the other for products that work well in small enterprises.

Before we tested this group, we configured an appropriate test bed – an interesting challenge, because some products were in-line, some had multiple sensors, and some were self-contained. The architecture for IPSs is varied and usually reflects the complexity of the enterprise in which it is to be used. Multi-sensor products fit well with large, distributed enterprises, for example.

Once the product was in its test bed, we configured it to its default settings and attempted to see it and its sensors over our isolated test network. Network-facing sensors should not be bound to an IP address, in order to keep them safe from attacks intended to disable them. Address scans should not reveal the presence of any sensor.

Our next task was the soft scans. These were comprehensive vulnerability scans using a NetClarity Auditor Enterprise 4.1 vulnerability scanner. This is the vulnerability assessment workhorse in our lab and it gives us a comprehensive picture of a target’s vulnerabilities. We scanned both the IPS (usually just the console if the sensor is stealthed) and the target network being protected.

Our final test used Core Impact 5.1. This let us configure specific penetrations based upon exploits that we believed would get past the IPS. First, we ran a general penetration test on both the IPS and the target. Finally, we ran our suite of IPS evasion tests and tried to bypass the IPS. About half the time we succeeded. Core Impact is very powerful and our evasion tests include such capabilities as packet fragmenting.
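Why packet fragmenting defeats some IPS engines, as an added illustration that is not part of the SC review or of any tested product: a matcher that inspects each fragment on its own never sees a pattern that straddles two pieces, while one that reassembles the datagram first does. The `Fragment` records, the sample signature and the split request below are all constructed for the example.

```python
"""Per-fragment versus reassembled signature matching (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this piece within the datagram
    more: bool       # True unless this is the last fragment
    payload: bytes


SIGNATURE = b"GET /vulnerable.cgi"   # constructed sample pattern, not a real rule


def naive_match(frags, sig=SIGNATURE):
    """Per-fragment inspection: misses any pattern split across pieces."""
    return any(sig in f.payload for f in frags)


def reassemble(frags):
    """Rebuild the datagram; return None if pieces are missing or overlap.

    Refusing to decide on gapped or overlapping fragment sets is deliberate:
    ambiguous data is exactly how an inspection engine gets desynchronised
    from the host it protects, so it is reported as "cannot verify".
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    buf, expected = bytearray(), 0
    for f in ordered:
        if f.offset != expected:
            return None              # gap or overlap between pieces
        buf += f.payload
        expected += len(f.payload)
    if not ordered or ordered[-1].more:
        return None                  # final fragment never arrived
    return bytes(buf)


def reassembled_match(frags, sig=SIGNATURE):
    """Inspect the whole datagram; catches the pattern even when split."""
    data = reassemble(frags)
    return data is not None and sig in data


# Constructed sample: the request arrives split in the middle of the pattern.
SPLIT_REQUEST = [
    Fragment(0, True, b"GET /vul"),
    Fragment(8, True, b"nerable.cgi HTTP/1.0\r\n"),
    Fragment(30, False, b"Host: example.test\r\n\r\n"),
]
```

Running `naive_match(SPLIT_REQUEST)` returns False while `reassembled_match(SPLIT_REQUEST)` returns True; the same holds when the fragments arrive out of order.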

We ended our tests with mixed emotions. First, the improvement over the past two years has been remarkable. Two years ago, some products simply did not work, and were easy to penetrate because they were based on unhardened Linux OSs.

Today, many products had purpose-built operating environments and they could not be penetrated using our tool sets.

On the other hand, these tools are very complicated, and follow the current trend of requiring complexity to support today’s more complex networks – a trend seen in almost every product group test this year.

We wish that some vendor would recognise that complexity in the tool is not necessary, even if the enterprise is complicated. Like many things in life, simplicity is better. Some IPS products could certainly use some simplicity designed in from the start.
