Symantec Corp.'s Symantec Network Security 7160 network intrusion prevention appliance capably detects and stops attacks. Despite a limited number of activity reports and some inflexibility in monitoring traffic flows, the SNS 7160 identified every attack that eWEEK Labs generated to test the system. The SNS 7160 also did a good job of protecting our network when we put the 2U (3.5-inch) hardware appliance in-line between the Labs firewall and the Internet.

We believe network IPSes (intrusion prevention systems), including Symantec's products, TippingPoint Technologies Inc.'s UnityOne line and Latis Networks Inc.'s StillSecure Border Guard, have sufficiently advanced to the point where they should be included in the perimeter defense of any enterprise network.

Prior to this year, the chief failing of most of these tools was their propensity to issue false positives: incorrectly identifying desirable network traffic as an attack on the network. The impact of a false positive can be severe because an IPS actually blocks traffic, in contrast to an IDS (intrusion detection system), which issues an alert but allows suspect traffic into the network.

We tested the SNS 7160, a competitively priced rack-mountable device with eight 10/100/1000G-bps copper ports. The Symantec Network Security 7160 appliance is available for bandwidths of 250 Mbps to 2 Gbps and costs $21,995 to $82,995, including one year of support. TippingPoint's UnityOne, which costs $24,995 to $89,995, also has gigabit-per-second capacity. (UnityOne received an eWEEK Excellence Award in the fourth annual program.) The Symantec product family also includes the SNS 7120, with a licensed bandwidth of 50 Mbps to 200 Mbps and four 10/100 Mbps Ethernet network ports; and the SNS 7161, which (like the SNS 7160 we tested) has a licensed bandwidth of 250 Mbps to 2 Gbps but is configured with 4 Gbps copper ports and four 1000BaseSX Fibre Channel ports.

During tests of the SNS 7160, which started shipping last month, we used a variety of template rules and rules that we wrote to block attack traffic from entering our network, with no false positives. However, writing rules that blocked attacks without generating false positives required extensive training.

IT managers should ensure that experienced network security staff, the only people who should operate an IPS, have access to the training programs offered by Symantec's service organization. IT security staff will likely be able to use the 11 protection policies included with the product to quickly create effective detection and prevention rules. For example, we used an SNS 7160 protection policy template called "all threat and audit policy," a purposely broad policy provided by Symantec, to create a custom blocking rule that placed greater emphasis on stopping Microsoft Corp. Messenger log-in attempts.

The SNS 7160 has two features that we really liked and that aren't done quite as well in other IPSes. The first is a policy search engine that let us wade through hundreds of variables to find specific rules based on our criteria. This meant, for instance, that we could readily search for all rules that block traffic using the Gnutella protocol. This made it easier to review and edit rules than with other products we've used. The second feature is the integration of Symantec's LiveUpdate service to automatically install both engine and security updates daily. Although once-a-day updating will likely be too infrequent for the probable increase in the pace of network attacks, the daily update worked well in tests.

Labs Technical Director Cameron Sturdevant can be reached at firstname.lastname@example.org.