The Blaster attack came only 25 days after the patch was released, and Sasser was even faster–18 days.
In March, the Witty worm struck a buffer-overflow vulnerability one day after the flaw was discovered.
Network IPSs (intrusion-prevention systems) can help keep your systems safe by identifying and blocking suspicious traffic.
Fully 80 percent of respondents to Network Computing’s 2004 Reader Poll have a NIP in place or plan to implement one within a year.
We invited vendors to send their systems to our University of Florida partner labs during the height of the 2004 hurricane season for what turned out to be a storm-wracked test–literally.
Ultimately, we tested nine devices: Check Point Software Technologies’ InterSpect 610, Fortinet’s FortiGate-3600 Antivirus Firewall, Internet Security Systems’ Proventia G1000-400, Juniper Networks’ NetScreen-IDP 1000, Lucid Security’s ipAngel X3 AVS-400, Radware’s DefensePro AS-III/SME, SecurityMetrics’ Security Appliance Model 60, TippingPoint Technologies’ UnityOne-1200 and V-Secure Technologies’ V-Secure V-1000.
Determina, Mazu Networks, NetContinuum and Privacyware decided that their products did not fit our requirements.
Our invitation specified that each device must be a self-contained system able to identify network attacks and prevent them through its own action, rather than by sending commands to a firewall or other piece of network infrastructure.
We also requested systems capable of handling the expected 400-Mbps flow through our test network core switches.
As it turned out, we tested using traffic moving across the core of the university’s network, where flows averaged more than 600 Mbps, peaking at more than 800 Mbps with 180,000 to 250,000 simultaneous connections.
Of course, we wouldn’t penalize entrants for not coping with conditions we hadn’t told them to expect, but the larger flows did give us an off-the-record look at device capacity, revealing how the products handled a large amount of real network traffic with lots of live exploits and false positives.
Lucid’s and SecurityMetrics’ offerings, using applications such as Snort combined with proprietary console and management software, are more configurable than their proprietary brethren.
Some can rate-limit particular traffic streams, and Radware’s product offers sophisticated traffic-shaping capabilities.
In most cases, you’ll want to stop high-volume and disruptive attacks, knowing that attacks on the fringes of your definitions will get past the IPS and be stopped by other network components.
Because almost all IPSs are deployed inline, false positives are almost certain to generate more user complaints than attacks stopped by an application firewall.
In the first phase of testing, ISS’ Proventia identified the majority of attacks confirmed by our IDS with very few false positives.
This is in contrast to Radware’s DefensePro, which was tougher than a celebrity bodyguard, treating virtually anything anomalous as a possible undesirable.
The FortiGate’s signatures also discovered many of the attacks confirmed by our IDS, while flagging some activities that signature refinement would pass.
While Juniper’s NetScreen IDP identified a considerable amount of traffic as problematic in a default configuration, generating a high number of alerts that might be considered false positives, this product begs to be customized, with a toolset that will make the modification process quick for a security specialist.
They balanced solid default performance and easy setup with rich functions for drilling into attack details and writing custom signatures.
However, we award only one Editor’s Choice per review, and Juniper’s NetScreen has the edge.
FortiGate is reasonably priced and has tons of good features and a well-made interface, but NetScreen is the most flexible and powerful IPS we tested.
There are systems designed to make intrusion prevention an automated and unobtrusive process–and then there’s the NetScreen-IDP 1000.
If your security staff includes someone with the know-how and desire to delve into every detail of an attack and who will be tasked with writing custom signatures to handle the specific requirements of your network, the IDP 1000 is your kind of IPS.
As a signature-based device, Fortinet takes the automated approach, in which new signatures are pushed to the device through the management system after being downloaded from Fortinet’s signature service.
We found that with the system fully configured, the base latency peak with no device under test in the network was triple what it had been when the traffic flow went beyond 500 Mbps.
We agree–we tried running the two apps on a single server.
Although it was a well-configured server (dual Xeon processors and plenty of RAM), the management console’s performance was noticeably slow in several situations, particularly when we were trying to generate reports based on sizable log files.
In our live data testing, ISS identified the majority of attacks without blocking much legitimate traffic.
During the generated traffic testing, the G1000-400 stopped the Code Red worm with signatures and responses defined as a default event within the interface.
The management console showed the stopped attack as an event rather than a standard attack–all the individual facts of the event were correctly reported, but we were fascinated by the bin into which the attack was placed.
From a security standpoint, we found a solid level of paranoia built into the system; for example, when we started the sensor, it wouldn’t pass any traffic.
Once we configured interfaces and zones, we found that attacks were properly identified and stopped.
The rule was nice and tight, too, allowing legitimate traffic through, though similar in many respects to banned traffic.
Other traffic passed without noticeable latency being introduced at any traffic level up to the 400-Mbps rated throughput and beyond.
There’s a plug-in for using the ISS vulnerability-assessment scanner as part of the total management interface–useful for organizations looking to build integrated security capabilities.
In the final analysis, there are a lot of nice touches in this reasonably priced system.
If you need a constant stream of reports for management, or if you simply need an IPS with very solid reporting for your own analysis, the Proventia appliance is a sound choice.
Proventia Intrusion Prevention Appliance G1000-400, $29,314 (includes tech support, updates and advanced exchange; unlimited SiteProtector console costs are built into the appliance price).
TippingPoint’s UnityOne-1200 Intrusion Prevention System is the best unit we saw for out-of-the-box “set it and forget it” intrusion prevention.
If you want an appliance that will handle a lot of traffic with solid protection while insulating your network admins from the nitty-gritty details of the IPS, the UnityOne is for you.
But if you take a serious hands-on approach to tweaking an IPS, there are some portions of the interface that will give you pause.
TippingPoint starts with a clean user interface that didn’t give us too many places to go looking for things.
It almost feels like there aren’t enough things to do, but that might be related to the number of functions enabled out of the box, such as workable initial configurations for signature use, response and reporting.
Setup was quick and easy, but some daily administration items are hidden–TippingPoint made us jump through hoops to get raw data to verify which packets triggered events, for example, or for forensics purposes.
TippingPoint says it designed UnityOne to always be deployed inline; the company had serious reservations about the first phase of our testing.
When we looked at its performance results, we were puzzled by some jitter–latency increased, but individual packet latency varied widely because of the nature of our test traffic.
SecurityMetrics entered the IPS market with a system based on Linux, Snort, Nessus and other open-source software joined with a custom integration and management wrapper.
If your needs are more modest than the large-enterprise model we used in our testing, the Model 60’s bandwidth limitations should be of no concern.
Add in the fact that we got to know four separate Radware boxes, and we wound up with a high-performance product that finished in the middle of the pack.
We’re not sure what happened–nor are the Radware engineers–but three consecutive DefensePro devices didn’t like our lab.
DoS attacks, for example, can be limited to a small portion of your total bandwidth, minimizing the impact while letting legitimate traffic from the offending network (or server) continue.
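The throttling response described here (and the traffic-shaping capability mentioned earlier for Radware’s product), as an added illustration that is not code from any product in this review: a per-source token bucket caps flagged traffic at a percentage of link bandwidth while unflagged packets from the same host pass untouched. The link rate, the 1 percent cap, the addresses and the packet timings are all constructed.

```python
# Rate-limiting as an IPS response: throttle the traffic class the IPS flags
# (e.g. a DoS flood) to a fixed share of link bandwidth instead of blocking the
# source, so legitimate traffic from the same host keeps flowing.
# Constructed illustration, not code from any product in the review.
from collections import defaultdict

class TokenBucket:
    """Integer token bucket: tokens are bytes, time is whole milliseconds."""
    def __init__(self, rate_bytes_per_s: int, burst_bytes: int):
        self.rate_per_ms = rate_bytes_per_s // 1000
        self.burst = burst_bytes
        self.tokens = burst_bytes        # start full so short bursts pass
        self.last_ms = 0

    def allow(self, size: int, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_ms)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                     # over the cap: drop, keep tokens

class FloodLimiter:
    """Per-source throttle for flagged packets; unflagged packets pass untouched."""
    def __init__(self, link_bytes_per_s: int, flagged_percent: int):
        self.rate = link_bytes_per_s * flagged_percent // 100
        self.buckets = {}

    def verdict(self, src: str, size: int, flagged: bool, now_ms: int) -> str:
        if not flagged:
            return "pass"
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.rate // 10))
        return "pass" if bucket.allow(size, now_ms) else "drop"

def simulate(packets, link_bytes_per_s=12_500_000, flagged_percent=1):
    """packets: (t_ms, src, size, flagged) -> {(src, flagged): {"pass": n, "drop": n}}."""
    lim = FloodLimiter(link_bytes_per_s, flagged_percent)
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for t_ms, src, size, flagged in packets:
        counts[(src, flagged)][lim.verdict(src, size, flagged, t_ms)] += 1
    return dict(counts)

# Constructed traffic on a 100 Mbit/s link with flagged traffic capped at 1%:
# a 1000 B/ms flood flagged from 10.0.0.5, normal unflagged packets from the
# same host, and a handful of flagged packets from 10.0.0.9.
SAMPLE = ([(t, "10.0.0.5", 1000, True) for t in range(100)]
          + [(t, "10.0.0.5", 500, False) for t in range(0, 100, 5)]
          + [(t, "10.0.0.9", 1000, True) for t in range(0, 50, 10)])
```

Running `simulate(SAMPLE)` shows the flood from 10.0.0.5 held to its 125 KB/s share (24 of 100 packets pass) while every unflagged packet from that host and the small flagged burst from 10.0.0.9 go through.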
The default settings from Radware were restrictive, and we ended up tweaking considerably (as you will with any product of this type) to limit the number of positive responses.
The InterSpect 610 lived up to our performance expectations, with no meaningful latency introduced, and it offers an easy-to-understand, mature user interface for configuring and administering its functions.
These devices continue to refine their detection and response characteristics over the life of their deployment, so it’s highly unlikely that any limited-duration test will showcase all their capabilities.
After looking at reports from the first portions of our testing, we did tweak settings so that the InterSpect was more active in reporting worm detection.
The facilities for writing your own signatures are built into the system’s software, with an interface that’s consistent with the product’s straightforward nature.
The ipAngel is one of two systems we tested that make use of the open-source software available to run on Linux.