Intrusion Prevention Systems have taken significant steps forward in terms of performance, accuracy and ease of management, but not to the point where they can replace firewalls or other security products. They are, however, becoming an important piece of the network security puzzle.
Click here to read the full review of the Attack Mitigator IPS 5500.
2
Intrusion Prevention Systems have taken significant steps forward in terms of performance, accuracy and ease of management, but not to the point where they can replace firewalls or other security products. They are, however, becoming an important piece of the network security puzzle.
eWEEK Labs reviewed Top Layer Networks Inc.s newest IPS: the Attack Mitigator IPS 5500 Version 3.2 appliance. Our tests show that the product now matches competing systems by offering a high-availability configuration. Using this feature, we were able to seamlessly track network traffic coming to a single internal device from two separate, redundant network connections.
Network IPS hardware devices can augment perimeter firewalls and anti-virus tools and provide internal security by controlling traffic between enterprise network segments.
The Attack Mitigator should be seen as another layer of the security onion. Indeed, you can feel pretty well-protected with network security devices behind the Attack Mitigator, such as IDSes (intrusion detection systems) inside the network and firewalls at the perimeter.
While host-based IPSes are installed on individual computers, network-based IPSes such as the Attack Mitigator operate in-line at a choke point in the network through which all network traffic passes. Each packet is examined, and each flow of packets in a transaction is monitored to ensure that only legitimate traffic is passing through the IPS.
When correctly configured, these devices block and discard attack traffic. This is all well and good, provided that the traffic being blocked is really unwanted. In fact, when it comes to IPSes, fears that desired traffic will be blocked are a big—and so far valid—concern.
However, our tests of the Attack Mitigator and other IPS devices show that products in this category are getting smarter and faster, two of the most important factors to consider when judging security tools for use in high-performance environments such as server farms.
The tangential benefits to implementing an IPS are what make an investment in the equipment ultimately worthwhile. These benefits include enabling scheduled operating system patch updates, with a reasonable certainty that the IPS will prevent viruses and worms from immediately taking down systems.
The attack mitigator is available in three models, with prices starting at $25,000; eWEEK Labs performed tests with two Attack Mitigator IPS 5500 model 1000s, each of which costs $80,000. Attack Mitigator pricing is in line with offerings from competitors including TippingPoint Technologies Inc.s UnityOne product family. (TippingPoint was recently acquired by 3Com Corp.)
Using Attack Mitigators ProtectionCluster capability, which is offered at no additional cost, the Attack Mitigator devices protected eWEEK Labs test network without a hitch. The only downtime occurred during the seconds it took us to place the devices in-line.
Despite all other advances, including a series of enhancements to Top Layers Advanced Protocol Validation Modules, IT security managers will still need to run the Attack Mitigator in listen-only mode for at least several weeks to fully understand network traffic and how rules implemented on the device will affect traffic. We ran the Attack Mitigator for about a month during our exclusive tests of the product.
Setting up the Attack Mitigator required that we define server and client groups, specify IP address ranges, create rules, and identify services that we wanted to include in our overall protection model. This process is similar to the one IT managers go through when setting up a firewall.
However, the Attack Mitigator user interface is like no firewall interface weve seen, and it took us a while to get used to it. If youre new to the Attack Mitigator product line, expect to spend an intensive couple of weeks with product manuals in hand.
Even with the good results we saw during testing, we recommend that security managers carefully study network traffic and learn the ins and outs of the Attack Mitigators operation before fully relying on the product to stop known and new network-based attacks. For example, the product has only limited out-of-the-box application-specific protocol knowledge of some Microsoft Corp. products.
Once our protection policies were in place and we set up the Attack Mitigator to block bad traffic, we had almost no problems operating applications we use in the Lab, including several Web servers running on operating systems such as Red Hat Inc.s Red Hat Linux Enterprise and Windows Server 2003.
Labs Technical Director Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.