Based on standard and custom-designed processors, the NAI IntruShield system is a high-performance appliance that offers real-time network intrusion detection and prevention against known and unknown, denial-of-service (DoS) attacks for enterprise networks.
IntruShield enables network attack detection and prevention at up to 2Gbps, and is capable of operating in-line, or as a passive IDS, or both at the same time using different ports in the same appliance.
Overall, the performance of the I-4000 is very impressive, combining near-perfect security effectiveness with excellent latency under normal traffic loads. With the latest software update, we found the IntruShield handled our demanding extended false positive, false-negative and evasion tests easily, and without blocking any legitimate traffic or succumbing to common evasion techniques.
Management of the IntruShield system benefits from the company being a relative newcomer to the IDS/IPS market place and therefore learning from the mistakes of others. The admin domains and user roles make it easy to delegate the most fine-grained control across the largest organization, while the rule-based policy definition makes it easy to define complex policies that can be rolled out to a single sensor or the entire network at the click of a mouse. Once the policies have been applied, the alert handling and forensic analysis capabilities are incredibly powerful and flexible.
One unique feature is the Virtual IDS capability, which enables the administrator to apply separate policies down to the individual host level if required.
Performance at all levels of our load tests was impeccable, with 100 percent of attacks being detected and blocked under all load conditions. For normal network conditions, we rate the IntruShield I-4000 as a true 1Gbps device (the device actually supports up to 2Gbps).
Latency figures were excellent under normal network conditions, and always under one millisecond. A significant increase in latency figures was noted when the device was under heavy SYN flood attack, though the attack was mitigated successfully. During eight hours of extended attack, it passed legitimate traffic while blocking attack traffic consistently.
Signature recognition and blocking performance was excellent. Accuracy was high in terms of the types of alerts raised, although the descriptions are sometimes "generic," with several alerts raised for the same exploit. This can necessitate some investigation to determine the exact exploit detected.
The IntruShield I-4000 also performed extremely well in all of our evasion tests. It was one of the few products to have a clean sheet in this section of the test plan following the signature pack update.
The Manager Server and Console have been designed to handle large distributed deployments, and they contain several useful features to make this type of deployment easier to handle. To begin with, the ability to define up to 1,000 Virtual IDS across the four ports and assign an individual policy to each of them makes this one of the most flexible systems we have seen. That flexibility is boosted by the fact that each port or port pair can be configured in different ways – in "traditional" SPAN mode, in tap mode, or in in-line mode for ultimate protection. Ports can be grouped together as a port cluster and the traffic aggregated across them. The Virtual IDS capability is unique and impressive in operation.
The GUI and Manager Server needs work – the product still needs a seamless alert archiving facility (in development) and there are bugs in its incident generation and viewing tools. The Policy Editor can also be improved to provide a search facility within it to make it easier to find multiple signatures to apply bulk changes.
In general, the GUI is attractive and relatively easy to use. The alert handling capabilities are extremely comprehensive and easy to use once the interface has been mastered. The latest release has included a window manager to help control the numerous windows that can be spawned when mining data in the Alert Viewer.