Product Group Tests

IDS/IPS 2007

Group Summary

The Top Layer IPS 5500-150E v5.12 is a solid product with all the features you need. For its features, ease of use and performance we award Top Layer our Best Buy. The NitroGuard IPS from Nitro Security Inc. is a solid product with good integration with the other NitroView products, though somewhat high-priced in its full configuration with the ESM. For its excellent performance, ease of use and flexibility we award NitroView IPS our Recommended rating.


Full Group Summary

This month we looked at some of the leading IDS/IPS products. This has been a staple of our annual Group Test review schedule, which has given us a chance to track the evolution of these products and the markets they serve. This year there are two noticeable changes. First, the footprint we are seeing is decidedly distributed. Second, the functionality continues to approach unified threat management.

There is another trend that is really an outgrowth of the functionality trend: there are fewer true IDS/IPS products in the marketplace. This is the exact opposite of the trend we saw last month in UTM products, and that is no accident. IDS/IPS vendors see the writing on the wall: the IDS/IPS as a stand-alone product is a dying breed. We made the same observation the month before with respect to anti-malware gateways.

The die is cast and the future written. Next year at this time we will begin to see what this new UTM market really looks like. In the meantime, there still are very credible IDS/IPS products, and from our perspective here at SC Labs, that is a very good thing. The use of a distributed IDS/IPS is a step forward for most very large enterprises. To be sure, there have long been ways to gather data from multiple sensors, but the emerging architecture that separates the control center from the sensors is a genuine advance.

Even with that change, we found that a lot of data is being fed to the consoles. These analysis consoles come in two flavors: web-based thin clients with Java applets, and fat clients with a heavy dependence on Java. The fat clients require far more resources on the desktop than the thin clients do, especially memory. Some of our smaller computers failed under the load of a heavy attack stream directed at their sensors.

Another trend we saw is the beginning of deliberate export of IDS/IPS data into analysis tools. Of course we always could get the data if we wanted it, but we are seeing more built-in analysis capability than ever before. We attribute this trend to the growing need for forensic analysis of network events. Network attacks have become the province of specialized malware. The notion of the blended threat is old hat now, and we need to be able to analyze malicious activity at a depth beyond what we were used to in the past. We are beginning to see analysis tools built into IDS/IPS products.

How to buy IDS/IPS

Start with an understanding of your environment.

If you have a large distributed enterprise, a distributed footprint for the IDS/IPS is your best bet. Sensors should be placed where they can do the most good. Analysis of your data flows is a very useful starting point, because it helps minimize the number of sensors required to capture the most useful information.

Understand what it is you want to see/do.

Today's products are incredibly versatile. You may configure multiple sensors differently depending on your objectives. Product costs vary, but none are cheap. Match the product to your need and look for extra features that approach UTM functionality. If a product is not fully UTM-capable today, most will be tomorrow. Protect your investment by looking at the vendor's development roadmap to ensure that your new product will grow with your needs.

How we tested

We evaluated the products for this Group Test for ease of set-up and configuration, especially policy management, which has become quite flexible in most products. We looked at reporting and the ability to block malicious traffic, as well as how effectively the product was supported with updates.

Finally, we subjected the products to our Attack Pod, using both vulnerability scans and penetration tests from Nessus 3, NetClarity and Core Impact. Our test bed included a variety of patched and unpatched targets running different flavors of Windows and Linux. We used our new Mu appliance on a few of the products as a test of claimed zero-day protection. In most cases, the tests confirmed the vendors' claims. We were able to improve our monitoring through the use of our new Network Critical CriticalConneX CriticalTAP, which allowed us to monitor both sides of the test bed with a single sniffer.

The bottom line for this Group Test is that the products are becoming more versatile, more powerful as analysis tools, and more distributed. They are not, however, becoming noticeably more difficult to use and manage. And that is good news, indeed.

- Mike Stephenson contributed to this Group Test.
