By Cameron Sturdevant  |  Posted 2006-03-20

Hark, who goes there?

IPS functionality is often finicky to configure and almost always a high-maintenance item during the first several weeks of operation.

Symantec ships the SGS appliances with what we found to be useful default IPS settings, allowing IT managers to get up and running relatively quickly and easily.

During tests, the default intrusion prevention policies worked well enough, and extensive user-configurable options will allow IT administrators to mitigate impact on the network. For example, we were able to apply the low-security policy to our trusted inside interfaces and configure the intrusion event profile to determine which traffic types to monitor and which to block.

Each network service that can be monitored—including the usual suspects DNS (Domain Name System), NetBIOS, TCP, UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol)—can be further refined by associating protocols such as HTTP that can be monitored by the SGS 1660 IPS module.

The IPS module is based on signatures that can be added or fully modified only by Symantec through Live Update. While the effect on network traffic speed was negligible in our test environment, we hope that subsequent versions of the IPS module will allow IT managers to make manual adjustments to the policies to enable more fine-grained control of blocked traffic.

During tests, we spent quite a bit of time balancing among different combinations of the preset policies that we assigned to the various interfaces on the SGS 1660.

We recommend that network managers start off with the lowest settings to ensure that desired network traffic is allowed through the SGS 1660. Based on our work, it shouldn't take more than a week of monitoring to safely adjust the IPS blocking policies to reach the right mix of network protection and business enablement.

New in this version of the SGS 1660 Version 3.0 software are more than 100 new reports that significantly ease the administration of the appliance. We ran the reports from each of our SGS 1660 appliances, and both the SGS 1660 and 1620 can send event and alert data to the Advanced Manager 9500 appliance for organization-wide reports.

Some of the most useful reports didn't have to do with performance or network events but, rather, with device configuration. When it comes to controlling ongoing management costs of a complex, policy-driven device such as the SGS 1660, configuration reports are crucial.

We were able to generate content-filtering profile, DNS record and global IKE (Internet Key Exchange) policy reports that detailed how our SGS 1660 was configured.

Many of the policy reports also have corresponding performance reports, which network managers use to keep business managers apprised of network performance.

Although not entirely new, content filtering is handled more gracefully in the Version 3.0 software that is supplied with the SGS 1600 models. We focused our testing on English language sites. However, the software supports double-byte characters for handling content violations in any language.


Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at
