To help IT managers develop a request for proposal for prospective intrusion prevention system vendors, eWEEK Labs suggests a series of questions that can serve as a starting point.
An IPS is a complex, frequently updated combination of hardware and software that protects against active hostile network attacks.
To help IT managers develop an RFP (request for proposal) for prospective intrusion prevention system vendors, eWEEK Labs has put together a series of capacity and performance questions that can serve as a starting point.
With this product area, the organization-specific details that make an RFP precise can also expose weaknesses that are too sensitive to put in a sales document. We recommend substituting dummy data in the proposal so that the true composition of the network is masked.
For an IPS evaluation to have a meaningful outcome, there is no substitute for knowing and understanding the up-to-the-minute configuration of your network. Many IPS vendors have told us that they've found traffic flows on their customers' networks that were previously unknown. Such a surprise during an IPS test should signal not only that an IPS is needed but also that additional focus on network security is warranted.
1. Who are the top two scientists in charge of technical development of the IPS?
2. Assuming that power to the unit will not be interrupted, under what conditions can the device become a single point of failure?
3. What is the minimum amount of network downtime required to install the IPS?
4. What is the maximum number of computer systems that can be protected per IPS? Or, if the answer depends on the computing environment, describe a formula including factors such as IP connection setup/tear-down per second, traffic types and at least three other factors that could be used to reasonably predict the minimum number of IPS devices required to protect 100 Web servers.
5. As clearly as possible, describe the essential hardware that differentiates your product from other available products.
6. As clearly as possible, describe the essential software that differentiates your product from other available products.
7. What is the capacity (usually measured in gigabits per second) of the backplane of the IPS models offered by your company?
8. Assuming the OSI seven-layer network model, specify all the layers at which your product offers protection.
9. Describe a reasonable scenario that would produce a 500-microsecond latency in a packet flow.
10. Does the IPS provide rate shaping to ensure that known, normal traffic flows are given priority over unknown traffic flows?
11. In the last six months, what was the shortest period of time between the releases of two signature updates?
12. Define "high availability" for your product (that is, hot failover or load balancing or a combination thereof) and provide a diagram showing how the high-availability options work.
13. For each of the following characteristics, cite the most relevant user documentation (book and starting page number):
a. Handling anomalous traffic
b. DoS and DDoS
c. SYN flood
d. Process table flood
e. Managing multiple IPS device configurations
f. Reporting blocked traffic
14. For all the following network equipment, indicate if the IPS provides specific protection:
(Reader: Provide a list of all the routers, switches and firewalls used at your organization that will also be protected by the IPS. Be specific, providing model and operating system information.)