The IDP-500 is a turnkey appliance-based system which uses as many as eight detection methods to detect malicious network traffic. This Intrusion Detection and Prevention (IDP) System is capable of operating in in-line mode as an Intrusion Prevention System (IPS) or as a passive Intrusion Detection System (IDS) attached to a span or mirror port on a switch.
Although it is equipped with Gigabit interfaces, NetScreen rates this product at a maximum of 500Mbps. Our tests verified that figure with "normal" traffic, although at that rate the hardware platform appears to be operating close to its limits.
That lack of headroom can reduce the effective rating in environments which experience very high TCP connection rates. For example, we noted an apparent "ceiling" of 5,000 HTTP connections per second, above which the device began to drop packets and lose connections (occasionally blocking legitimate traffic in the process); at 10,000 connections per second this behavior was very noticeable. Provided traffic loads are kept within the bounds indicated by our tests (in particular "normal" traffic with fewer than 5,000 HTTP connections per second), we would expect the IDP-500 to handle its rated 500Mbps of traffic. Even under extreme conditions, we would expect the device to handle around 250Mbps of traffic with no problems.
We noted latency could be an issue in some environments, particularly when the device is very heavily loaded or under a heavy denial-of-service (DoS) attack. You would not want to place more than one of these devices in your data path, and thus the IDP-500 is best suited as a perimeter device in a corporate WAN or behind an internet gateway where latency is not as much of a concern (although latency is within acceptable limits for sub-Gigabit networks).
In all other respects we found the IDP-500 to be very stable and reliable, coping with our extensive reliability tests with ease, without blocking any legitimate traffic and without succumbing to common evasion techniques. It also proved impervious to extended IP Stack Integrity Checker (ISIC) attacks.
Signature recognition and blocking capability was excellent. The NetScreen IDP-500 does have a tendency to be "noisy" on occasion with respect to the number of alerts it raises for a single exploit. This is generally the result of exploits which trigger both a protocol anomaly and a pattern match within the same attack, and while we could not fault the accuracy of those alerts, we did feel that the number could be reduced in some cases.
Resistance to false positives was generally very good, and the NetScreen IDP-500 performed impeccably in almost all our evasion tests as well as proving itself resistant to stateless flooding tools such as Stick and Snot. Out of the box, the device maintained state on up to 500,000 open connections.
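The resistance to Stick and Snot noted above follows from stateful inspection: those tools emit unsolicited packets that merely carry signature bytes, without ever completing a TCP handshake. The following simulation is an added illustration, not NetScreen code, and makes no claim about how the IDP-500 is implemented internally. It runs two toy detectors over the same constructed packet list (the signature patterns, addresses and flood size are all made up): a stateless matcher that inspects every packet, and a stateful one that tracks the three-way handshake and only matches payloads on established sessions, with a connection-table cap standing in for the 500,000-session limit.

```python
"""Why a stateful IDS shrugs off Stick/Snot-style floods (added example)."""
from dataclasses import dataclass, field
import random

# Constructed signature set: byte patterns standing in for real rules.
SIGNATURES = {
    "WEB-CGI phf access": b"/cgi-bin/phf",
    "WEB-MISC directory traversal": b"../../",
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    payload: bytes = b""


def match_signatures(payload: bytes):
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def stateless_detect(packets):
    """Naive detector: any packet carrying matching bytes raises an alert."""
    alerts = []
    for p in packets:
        for name in match_signatures(p.payload):
            alerts.append((name, p.src, p.dst))
    return alerts


@dataclass
class StatefulDetector:
    max_connections: int = 500_000          # hypothetical cap on tracked sessions
    table: dict = field(default_factory=dict)  # session key -> (state, initiator)
    dropped_tracking: int = 0               # SYNs refused because the table was full

    @staticmethod
    def key(p):
        # Canonical key so both directions map to the same session.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p):
        k = self.key(p)
        st = self.table.get(k)
        if "SYN" in p.flags and "ACK" not in p.flags:
            if st is None and len(self.table) >= self.max_connections:
                self.dropped_tracking += 1
                return []
            self.table[k] = ("SYN_SENT", (p.src, p.sport))
            return []
        if st is None:
            # No handshake observed: Stick/Snot-style packet, payload is never inspected.
            return []
        state, initiator = st
        if state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            self.table[k] = ("SYN_RECV", initiator)
            return []
        if state == "SYN_RECV" and "ACK" in p.flags and "SYN" not in p.flags:
            self.table[k] = ("ESTABLISHED", initiator)
            state = "ESTABLISHED"            # the ACK may itself carry data
        if state == "ESTABLISHED":
            if p.flags & {"FIN", "RST"}:
                del self.table[k]
            return [(name, p.src, p.dst) for name in match_signatures(p.payload)]
        return []

    def run(self, packets):
        alerts = []
        for p in packets:
            alerts.extend(self.process(p))
        return alerts


def handshake(client, cport, server, sport):
    return [
        Packet(client, cport, server, sport, frozenset({"SYN"})),
        Packet(server, sport, client, cport, frozenset({"SYN", "ACK"})),
        Packet(client, cport, server, sport, frozenset({"ACK"})),
    ]


def build_traffic(flood_size=1000, seed=1):
    """One real attack over a completed handshake, plus a spoofed signature flood."""
    rng = random.Random(seed)
    attacker, victim = "10.0.0.5", "192.0.2.10"      # constructed addresses
    pkts = handshake(attacker, 40000, victim, 80)
    pkts.append(Packet(attacker, 40000, victim, 80, frozenset({"ACK", "PSH"}),
                       b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"))
    for _ in range(flood_size):
        src = f"198.51.100.{rng.randrange(1, 255)}"
        pat = rng.choice(list(SIGNATURES.values()))
        pkts.append(Packet(src, rng.randrange(1024, 65535), victim, 80,
                           frozenset({"ACK", "PSH"}), b"GET " + pat + b" HTTP/1.0\r\n"))
    return pkts


def compare(flood_size=1000):
    """Return (stateless alert count, stateful alert count) for the same traffic."""
    pkts = build_traffic(flood_size)
    return len(stateless_detect(pkts)), len(StatefulDetector().run(pkts))


def overflow_demo(max_connections=1):
    """Return how many new sessions a capped table refused to track."""
    det = StatefulDetector(max_connections=max_connections)
    det.run(handshake("10.0.0.1", 1111, "192.0.2.10", 80)
            + handshake("10.0.0.2", 2222, "192.0.2.10", 80))
    return det.dropped_tracking


if __name__ == "__main__":
    print("stateless vs stateful alerts:", compare(1000))
    print("sessions refused by a 1-entry table:", overflow_demo(1))
```

The stateless matcher drowns the one genuine alert in a thousand spoofed ones, which is exactly the effect Stick and Snot aim for; the stateful detector reports only the attack that arrived over a real session. The cap shows the trade-off that comes with tracking state: once the table is full, new sessions are not inspected, which is why the 500,000-connection figure above matters for sizing.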
As for day-to-day operation, the NetScreen IDP-500 demonstrates high levels of usability with an excellent set of centralized management tools. The three-tier architecture should scale well, particularly given NetScreen's claims for the proprietary inter-device communications protocol and the high-performance alert logging database.
The management system has been designed to handle management and configuration of large numbers of sensors across the enterprise. Policy definition and deployment is flexible and powerful, and the alert handling and reporting/forensic capabilities are extensive. Signature updates occur regularly and the update procedure is excellent, allowing the administrator to "vet" the changes before new signatures are downloaded.
The facility to create custom signatures is also offered, and is very straightforward to use. An extensive search facility within the Policy Editor provides the administrator with the means to perform very precise searches for specific signatures, which can then be easily copied or modified.
Once policies have been created or updated, a single button provides the means to deploy them to all sensors in a single operation. One really nice feature is the automatic version control, with a complete audit trail of all previous policies applied to each sensor, and the ability to roll back to a previous version if required.
The administrator is provided with a high degree of flexibility and control in how policies are defined, stored and deployed, and we found policy management to be very strong in this product. Alert handling was well implemented.
Alerts appear quickly at the UI Console, and the descriptions are generally very accurate. The ability to apply filters and drill down to more detailed views within the Log Viewer and Log Investigator makes them useful tools for the forensic investigator. Additions in the latest release include custom reports, Quick Reports (created from the Alert Viewer) and the excellent Enterprise Security Profiler.