By Cameron Sturdevant  |  Posted 2004-03-29 Print this article Print

TippingPoint Technologies Inc.s UnityOne-1200 ably handled both real and staged attacks on eWEEK Labs test network, attached to the Internet for nearly a week, earning the IPS appliance an Analysts Choice award.

However, given the high price of the technology, we recommend that IT managers begin any intrusion prevention system evaluation with a comprehensive vulnerability scan to determine the scope and severity of the security problem.

The UnityOne appliance family ranges in throughput from 200M bps to 2G bps and in cost from $24,995 to $89,995. The UnityOne-1200 device that eWEEK Labs tested has 1.2G bps of throughput and costs $64,995.

All UnityOne appliances include built-in, Web-based Local Security Manager software. A $9,995 Security Management System appliance can be acquired for additional management capabilities or for managing more than one UnityOne appliance.

During tests, we put the UnityOne-1200, updated last month, in front of our perimeter firewall, in line with all network traffic. Any traffic the UnityOne-1200 deemed "bad" was immediately dumped from the network before it reached the firewall.

Hardware advances have made intrusion prevention more compelling, but our tests show that TippingPoint also has made significant improvements in the logic used to analyze traffic and has a good understanding of how to implement security policies.

Even so, the UnityOne-1200 requires fairly significant and ongoing tuning to achieve optimum protection. Constantly changing and emerging network threats will require that IT managers make decisions about default settings when TippingPoint makes one of its Digital Vaccine updates available.

For example, during tests, many of the recommended protection settings for several SNMP reconnaissance probes were set to "permit and notify." With this setting, the initial vulnerability scan performed by Counterpane Internet Security Inc. engineers (see Real-world attacks put UnityOne to the test) identified several SNMP configuration weaknesses in our infrastructure. We worked with TippingPoint engineers to change the UnityOne-1200 rule sets to "block and notify" when these reconnaissance probes were discovered.

However, for the vast majority of attack signatures and evaluative rules, the setting recommended by TippingPoint worked fine in rebuffing probes and DoS attacks on our test network.

We left our WatchGuard Technologies Inc. Firebox V80 firewall in place while testing the UnityOne-1200. Although the UnityOne-1200 performs stateful packet inspection, it is not intended to replace the VPN capabilities and other access policies of the firewall. We used firewall logs to monitor for any leaks in the UnityOne-1200, and no attacks were detected during a week of testing.

We made only minor changes during installation of the UnityOne-1200 and then let Counterpane run a security-scanning session overnight. Probes usually are not attacks but rather precursors to possible attacks, so we did not initially block reconnaissance of our test network. After Counterpane identified several WebDAV (Web-based Distributed Authoring and Versioning) buffer overflow vulnerabilities along with a host of DLL problems, we spent several hours tuning the UnityOne-1200 to block any attack on these vulnerabilities. After subsequent scans, we were able to close security holes with minimal effort.

Although the UnityOne-1200 ran with almost no ongoing oversight on our part, IT managers should plan to put at least one or two staff members in charge of accessing and configuring the rule sets. During testing, we found the user interface somewhat confusing even after performing procedures several times in a row. This is especially true for distributing new Digital Vaccines as they become available from TippingPoints Threat Management Center.

The Security Management System appliance can automate much of the update process, but we think that IT staffers will have to spend at least several hours reviewing the updates and the recommended actions that TippingPoint assigns to the Digital Vaccine rules. However, this is time well-spent, considering that properly configured rules will likely prevent Internet-based attacks that could result in revenue loss and tie up hours of IT staff time.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel