Hark, who goes there?
IPS functionality is often finicky to configure and almost always a high-maintenance item during the first several weeks of operation.
Symantec ships the SGS appliances with what we found to be useful default IPS settings, allowing IT managers to get up and running relatively quickly and easily.
During tests, the default intrusion prevention policies worked well enough, and extensive user-configurable options will allow IT administrators to mitigate impact on the network. For example, we were able to apply the low-security policy to our trusted inside interfaces and configure the intrusion event profile to determine which traffic types to monitor and which to block.
Each network service that can be monitored—including the usual suspects DNS (Domain Name System), NetBIOS, TCP, UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol)—can be further refined by associating protocols such as HTTP that can be monitored by the SGS 1660 IPS module.
The IPS module is based on signatures that can be added or fully modified only by Symantec through Live Update. While the effect on network traffic speed was negligible in our test environment, we hope that subsequent versions of the IPS module will allow IT managers to make manual adjustments to the policies to enable more fine-grained control of blocked traffic.
During tests, we spent quite a bit of time balancing among different combinations of the preset policies that we assigned to the various interfaces on the SGS 1660.
We recommend that network managers start off with the lowest settings to ensure that desired network traffic is allowed through the SGS 1660. Based on our work, it shouldnt take more than a week of monitoring to safely adjust the IPS blocking policies to reach the right mix of network protection and business enablement.
New in this version of the SGS 1660 Version 3.0 software are more than 100 new reports that significantly ease the administration of the appliance. We ran the reports from each of our SGS 1660 appliances, and both the SGS 1660 and 1620 can send event and alert data to the Advanced Manager 9500 appliance for organizationwide reports.
Some of the most useful reports didnt have to do with performance or network events but, rather, with device configuration. When it comes to controlling ongoing management costs of a complex, policy-driven device such as the SGS 1660, configuration reports are crucial.
We were able to generate content-filtering profile, DNS record and global IKE (Internet Key Exchange) policy reports that detailed how our SGS 1660 was configured.
Many of the policy reports also have corresponding performance reports, which network managers use to keep business managers apprised of network performance.
Although not entirely new, content filtering is handled more gracefully in the Version 3.0 software that is supplied with the SGS 1600 models. We focused our testing on English language sites. However, the software supports double-byte characters for handling content violations in any language.