The last time we tested XSGuard’s IPS appliance, we could not complete the test due to internet connection difficulties (SC, July 2005, p58). This time, we used a similar methodology as in the earlier test, but went into more detail.
XSGuard’s products are IPS appliances with a managed service component. The customer is expected to do no management at all besides viewing the occasional report. In fact, the devices do not even have IP addresses: there is no way to connect to them yourself.
The product performs well enough as an IPS and is sufficiently hands-off that we like it for small environments, but in a high-end site we weren’t so sure. However, having given it a go, we are happy that it does perform as promised, so long as you take a couple of concerns into account.
XSGuard takes pains to keep the product as simple as possible and, regardless of the model, the box is as Spartan as possible. Two network ports (labeled “Inside” and “Outside”) and a power socket are all you get, so it is quite difficult to get the setup wrong.
In some ways, we feel XSGuard has gone a bit too far with stripping the box down. For example, the network ports do not even have link lights, meaning it could be a pain to trace cable or patch problems – especially as the documentation notes that in some situations you may require a cross-over cable on the Inside segment.
In its standard configuration, the unit is intended to sit at the very extreme edge of the network, outside the firewall, where it transparently forwards traffic across its ports. Because the box has no IP address of its own, it is nearly invulnerable to attack.
And by operating at up to 100Mbps, it should handle all but very large internet connections. We tested a 10Mbps version, but the operation is identical. Only the capacity varies.
Being on the edge of the network, the XSGuard is outside any VPN/HTTPS termination, so attacks in encrypted tunnels will definitely bypass the unit and host IPS is still a must. You could place it behind your VPN terminator, of course, and the company tells us it is working on man-in-the-middle decryption capabilities.
The device silently forwards normal traffic, filtering as it goes. Our first concern was that the unit forwards traffic even when it is switched off. In other words, it fails open, which is something of a security no-no. The company claims that most customers prefer this, and does offer the option of a fail-closed model, but you cannot change modes yourself as doing so requires an engineer to rewire the network connections inside the box.
The management web interface is hosted at XSGuard, and offers facilities for delegating management to multiple administrators (useful for multiple appliances spread out at remote sites) with limited roles.
Being primarily a managed service, there is little to do on site besides generating reports. Almost no control over the service or devices is available.
The reports are good, with activity graphs and information on exploits, but we were mildly disappointed to find reports could only be downloaded in Microsoft Excel format, rather than plain CSV.
The lack of control did worry us a little, because while the device did very well blocking known exploits, it did less well against web application attacks. If you have custom applications and discover an ongoing attack, you must rely on XSGuard’s support team to put a rule in place to block it: you cannot do it yourself.
The attacks that were blocked were handled very effectively, though. The XSGuard minimizes false positives by allowing traffic through until a definite exploit is identified. You might find a network IDS firing on some of that initial traffic, but the payloads were still blocked effectively.
Some attacks are allowed through by design: port scans and DDoS attacks will not be blocked because they are not actual exploits. This is a feature, not a bug (XSGuard tells us), but it does mean you might want to cover those avenues of attack some other way.
While online, the box receives management commands from the central XSGuard service by the simple expedient of intercepting specially crafted port 80 traffic. This is rather clumsy, but effective.
And the management packets are encrypted, so interception will not do an attacker much good.
We were concerned that no notification was received when the box went offline (we simulated outage by simply yanking the plug out), and because it fails open the network segment was effectively unprotected. Customers can receive emails in such an event, but we would like to see options to notify an administrator by pager, phone or IM.
Overall, the XSGuard concept – the managed service/appliance – is a logical one for most appliance vendors. But there is room for improvement, and we are not sure that we would be willing to give up so much control without having conventional IPS as a backup.
But for organizations lacking dedicated security specialists, this is great: IPS without any of the hassle.