TippingPoint Technologies Inc.s UnityOne-1200 ably handled both real and staged attacks on eWEEK Labs test network, attached to the Internet for nearly a week, earning the IPS appliance an Analysts Choice award. However, given the high price of the technology, we recommend that IT managers begin any intrusion prevention system evaluation with a comprehensive vulnerability scan to determine the scope and severity of the security problem.
TippingPoint Technologies Inc.s UnityOne-1200 ably handled both real and staged attacks on eWEEK Labs test network, attached to the Internet for nearly a week, earning the IPS appliance an Analysts Choice award.
However, given the high price of the technology, we recommend that IT managers begin any intrusion prevention system evaluation with a comprehensive vulnerability scan to determine the scope and severity of the security problem.
The UnityOne appliance family ranges in throughput from 200M bps to 2G bps and in cost from $24,995 to $89,995. The UnityOne-1200 device that eWEEK Labs tested has 1.2G bps of throughput and costs $64,995.
All UnityOne appliances include built-in, Web-based Local Security Manager software. A $9,995 Security Management System appliance can be acquired for additional management capabilities or for managing more than one UnityOne appliance.
During tests, we put the UnityOne-1200, updated last month, in front of our perimeter firewall, in line with all network traffic. Any traffic the UnityOne-1200 deemed “bad” was immediately dumped from the network before it reached the firewall.
Hardware advances have made intrusion prevention more compelling, but our tests show that TippingPoint also has made significant improvements in the logic used to analyze traffic and has a good understanding of how to implement security policies.
Even so, the UnityOne-1200 requires fairly significant and ongoing tuning to achieve optimum protection. Constantly changing and emerging network threats will require that IT managers make decisions about default settings when TippingPoint makes one of its Digital Vaccine updates available.
For example, during tests, many of the recommended protection settings for several SNMP reconnaissance probes were set to “permit and notify.” With this setting, the initial vulnerability scan performed by Counterpane Internet Security Inc. engineers (see Real-world attacks put UnityOne to the test) identified several SNMP configuration weaknesses in our infrastructure. We worked with TippingPoint engineers to change the UnityOne-1200 rule sets to “block and notify” when these reconnaissance probes were discovered.
However, for the vast majority of attack signatures and evaluative rules, the setting recommended by TippingPoint worked fine in rebuffing probes and DoS attacks on our test network.
We left our WatchGuard Technologies Inc. Firebox V80 firewall in place while testing the UnityOne-1200. Although the UnityOne-1200 performs stateful packet inspection, it is not intended to replace the VPN capabilities and other access policies of the firewall. We used firewall logs to monitor for any leaks in the UnityOne-1200, and no attacks were detected during a week of testing.
We made only minor changes during installation of the UnityOne-1200 and then let Counterpane run a security-scanning session overnight. Probes usually are not attacks but rather precursors to possible attacks, so we did not initially block reconnaissance of our test network. After Counterpane identified several WebDAV (Web-based Distributed Authoring and Versioning) buffer overflow vulnerabilities along with a host of DLL problems, we spent several hours tuning the UnityOne-1200 to block any attack on these vulnerabilities. After subsequent scans, we were able to close security holes with minimal effort.
Although the UnityOne-1200 ran with almost no ongoing oversight on our part, IT managers should plan to put at least one or two staff members in charge of accessing and configuring the rule sets. During testing, we found the user interface somewhat confusing even after performing procedures several times in a row. This is especially true for distributing new Digital Vaccines as they become available from TippingPoints Threat Management Center.
The Security Management System appliance can automate much of the update process, but we think that IT staffers will have to spend at least several hours reviewing the updates and the recommended actions that TippingPoint assigns to the Digital Vaccine rules. However, this is time well-spent, considering that properly configured rules will likely prevent Internet-based attacks that could result in revenue loss and tie up hours of IT staff time.