By Cameron Sturdevant  |  Posted 2005-02-07 Print this article Print

Intrusion Prevention Systems have taken significant steps forward in terms of performance, accuracy and ease of management, but not to the point where they can replace firewalls or other security products. They are, however, becoming an important piece of the network security puzzle.

eWEEK Labs reviewed Top Layer Networks Inc.s newest IPS: the Attack Mitigator IPS 5500 Version 3.2 appliance. Our tests show that the product now matches competing systems by offering a high-availability configuration. Using this feature, we were able to seamlessly track network traffic coming to a single internal device from two separate, redundant network connections.

Network IPS hardware devices can augment perimeter firewalls and anti-virus tools and provide internal security by controlling traffic between enterprise network segments.

The Attack Mitigator should be seen as another layer of the security onion. Indeed, you can feel pretty well-protected with network security devices behind the Attack Mitigator, such as IDSes (intrusion detection systems) inside the network and firewalls at the perimeter.

While host-based IPSes are installed on individual computers, network-based IPSes such as the Attack Mitigator operate in-line at a choke point in the network through which all network traffic passes. Each packet is examined, and each flow of packets in a transaction is monitored to ensure that only legitimate traffic is passing through the IPS.

When correctly configured, these devices block and discard attack traffic. This is all well and good, provided that the traffic being blocked is really unwanted. In fact, when it comes to IPSes, fears that desired traffic will be blocked are a big—and so far valid—concern.

However, our tests of the Attack Mitigator and other IPS devices show that products in this category are getting smarter and faster, two of the most important factors to consider when judging security tools for use in high-performance environments such as server farms.

For more on the IPS market, click here. The tangential benefits to implementing an IPS are what make an investment in the equipment ultimately worthwhile. These benefits include enabling scheduled operating system patch updates, with a reasonable certainty that the IPS will prevent viruses and worms from immediately taking down systems.

To help IT managers develop a request for proposal for prospective IPS vendors, eWEEK Labs has put together a series of questions that can serve as a starting point. Click here for the sample RFP. The attack mitigator is available in three models, with prices starting at $25,000; eWEEK Labs performed tests with two Attack Mitigator IPS 5500 model 1000s, each of which costs $80,000. Attack Mitigator pricing is in line with offerings from competitors including TippingPoint Technologies Inc.s UnityOne product family. (TippingPoint was recently acquired by 3Com Corp.)

Using Attack Mitigators ProtectionCluster capability, which is offered at no additional cost, the Attack Mitigator devices protected eWEEK Labs test network without a hitch. The only downtime occurred during the seconds it took us to place the devices in-line.

Despite all other advances, including a series of enhancements to Top Layers Advanced Protocol Validation Modules, IT security managers will still need to run the Attack Mitigator in listen-only mode for at least several weeks to fully understand network traffic and how rules implemented on the device will affect traffic. We ran the Attack Mitigator for about a month during our exclusive tests of the product.

Setting up the Attack Mitigator required that we define server and client groups, specify IP address ranges, create rules, and identify services that we wanted to include in our overall protection model. This process is similar to the one IT managers go through when setting up a firewall.

However, the Attack Mitigator user interface is like no firewall interface weve seen, and it took us a while to get used to it. If youre new to the Attack Mitigator product line, expect to spend an intensive couple of weeks with product manuals in hand.

Click here for tips on testing an IPS. Even with the good results we saw during testing, we recommend that security managers carefully study network traffic and learn the ins and outs of the Attack Mitigators operation before fully relying on the product to stop known and new network-based attacks. For example, the product has only limited out-of-the-box application-specific protocol knowledge of some Microsoft Corp. products.

Once our protection policies were in place and we set up the Attack Mitigator to block bad traffic, we had almost no problems operating applications we use in the Lab, including several Web servers running on operating systems such as Red Hat Inc.s Red Hat Linux Enterprise and Windows Server 2003.

Labs Technical Director Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel