NFR's Sentivist IPS uses a combination of hardware sensors, and software for managing. It ships with a Java-based management console, which is good for monitoring and configuring individual sensors.
Larger installations can select the optional Enterprise Console, which provides centralized management and reporting for large installations; you will need a Red Hat Linux or Solaris server to run the software, though.
We stuck with our single sensor console for this review. Essentially, it is an Intel-based server, but with customized hardware and software. It comes with a custom NIC, which automatically bridges the connection in the event of power failure, while a special hardware driver ensures that there is low latency on the line and wire-speed data capture.
The Sentivist supports Passive IDS, Pass Through log-only and Full IPS modes. The initial modes are better suited to training the sensor for your network, the Full IPS mode is for attack blocking.
Management is easy thanks to the bright and colourful management application. Once the sensor has learnt a baseline for your network, you can use anomaly detection as well as its normal attack signatures, protocol analysis and deep packet inspection.
Traffic is blocked according to the installed policy. Signature-based attacks can be turned on or off for individual machines, and you can install a network-wide default policy; first, you just need to configure the network address ranges that you want it to protect.
Where the Sentivist differs is through its Confidence Indexing engine. It uses a range of methods to detect attacks and, at each point, raises the confidence level that you're being attacked. When it hits the threshold, you are protected – particularly useful against slow attacks, where other IPS appliances can miss the signs.
NFR's Sentivist provides a high level of protection out of the box and a reduction of false-positives thanks to its Confidence Indexing.