By Cameron Sturdevant  |  Posted 2004-09-13

Symantec Corp.'s Symantec Network Security (SNS) 7160 network intrusion prevention appliance capably detects and stops attacks. Despite a limited number of activity reports and some inflexibility in monitoring traffic flows, the SNS 7160 identified every attack that eWEEK Labs generated to test the system.

The SNS 7160 also did a good job of protecting our network when we put the 2U (3.5-inch) hardware appliance in-line between the Labs firewall and the Internet.

We believe network IPSes (intrusion prevention systems), including Symantec's products, TippingPoint Technologies Inc.'s UnityOne line and Latis Networks Inc.'s StillSecure Border Guard, have sufficiently advanced to the point where they should be included in the perimeter defense of any enterprise network.

Prior to this year, the chief failing of most of these tools was their propensity to issue false positives, incorrectly identifying desirable network traffic as an attack on the network. The impact of a false positive can be severe because IPSes actually block traffic—in contrast to IDSes (intrusion detection systems), which issue an alert but allow suspect traffic into the network.

We tested the SNS 7160, a competitively priced rack-mountable device with eight 10/100/1000G-bps copper ports. The Symantec Network Security 7160 appliance is available for bandwidths of 250 Mbps to 2 Gbps and costs $21,995 to $82,995, including one year of support. TippingPoint's UnityOne, which costs $24,995 to $89,995, also has gigabit-per-second capacity. (UnityOne received an eWEEK Excellence Award in the fourth annual program.)

The Symantec product family also includes the SNS 7120, with a licensed bandwidth of 50 Mbps to 200 Mbps and four 10/100-Mbps Ethernet network ports; and the SNS 7161, which (like the SNS 7160 we tested) has a licensed bandwidth of 250 Mbps to 2 Gbps but is configured with 4G-bps copper ports and four 1000BaseSX Fibre Channel ports.

During tests of the SNS 7160, which started shipping last month, we used a variety of template rules and rules that we wrote to block attack traffic from entering our network, with no false positives. However, writing rules that blocked attacks without generating false positives required extensive training. IT managers should ensure that experienced network security staff—the only people who should operate an IPS—have access to the training programs offered by Symantec's service organization.

IT security staff will likely be able to use the 11 protection policies included with the product to quickly create effective detection and prevention rules. For example, we used an SNS 7160 protection policy template called "all threat and audit policy"—a purposely broad policy provided by Symantec—to create a custom blocking rule that placed greater emphasis on stopping Microsoft Corp. Messenger log-in attempts.
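The IDS-versus-IPS distinction drawn above, and the cost of starting from a deliberately broad template, are easy to see in a small simulation. The following is an added illustration, not Symantec's rule syntax or code from the review: a toy inline engine runs the same rules in "alert" (IDS) and "block" (IPS) mode over constructed flows, and a broad CONNECT-matching rule drops a legitimate proxy request only in block mode, while the rule narrowed to the Gnutella greeting does not. The port numbers and payload strings are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Toy inline rule engine (illustration only, not the SNS 7160's policy language).
# "alert" mode logs a hit and forwards the flow (IDS behaviour); "block" mode logs
# and drops it (IPS behaviour). The same false positive therefore costs a ticket in
# one mode and real traffic in the other.

@dataclass
class Flow:
    dport: int
    payload: bytes
    unwanted: bool  # ground-truth label on the constructed traffic, used only for scoring

@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]

def evaluate(rules: List[Rule], flows: List[Flow], mode: str) -> Tuple[List[Flow], List[Flow], List[str]]:
    """Evaluate flows inline; the first matching rule decides. Returns (forwarded, dropped, alert log)."""
    forwarded, dropped, log = [], [], []
    for f in flows:
        hit = next((r for r in rules if r.match(f)), None)
        if hit is None:
            forwarded.append(f)
            continue
        log.append(f"{hit.name}: dport={f.dport} payload={f.payload[:20]!r}")
        (dropped if mode == "block" else forwarded).append(f)
    return forwarded, dropped, log

def false_positives(dropped: List[Flow]) -> int:
    """Count legitimate flows that the block-mode engine actually dropped."""
    return sum(1 for f in dropped if not f.unwanted)

# Constructed sample traffic; nothing here is captured from a real network.
TRAFFIC = [
    Flow(6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: x\r\n", True),     # P2P handshake
    Flow(1863, b"VER 1 MSNP8 CVR0\r\n", True),                           # Messenger log-in
    Flow(3128, b"CONNECT mail.example.com:443 HTTP/1.1\r\n", False),    # legitimate proxy tunnel
    Flow(80, b"GET /index.html HTTP/1.1\r\n", False),                    # ordinary web request
]

MESSENGER = Rule("messenger-login", lambda f: f.dport == 1863 and f.payload.startswith(b"VER "))
# Broad, template-style rule: any CONNECT anywhere in the payload.
BROAD = [Rule("any-connect", lambda f: b"CONNECT" in f.payload), MESSENGER]
# Narrowed to the protocol's own greeting, which is what removes the false positive.
NARROW = [Rule("gnutella-handshake", lambda f: f.payload.startswith(b"GNUTELLA CONNECT/")), MESSENGER]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("narrow", NARROW)):
        for mode in ("alert", "block"):
            fwd, drop, log = evaluate(rules, TRAFFIC, mode)
            print(f"{label}/{mode}: forwarded={len(fwd)} dropped={len(drop)} false_positives={false_positives(drop)}")
```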

The SNS 7160 has two features that we really liked and that aren't done quite as well in other IPSes. The first is a policy search engine that let us wade through hundreds of variables to find specific rules based on our criteria. This meant, for instance, that we could readily search for all rules that block traffic using the Gnutella protocol. This made it easier to review and edit rules than with other products we've used.

The second feature is the integration of Symantec's Live Update service to automatically install both engine and security updates daily. Although once-a-day updating will likely be too infrequent for the probable increase in the pace of network attacks, the daily update worked well in tests.

Labs Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.

Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.