Product Group Tests

IDS/IPS (2007)

by Peter Stephenson August 08, 2007

GROUP SUMMARY:

Thanks to its features, ease of use and performance we award Top Layer IPS 5500 our Best Buy. It provides a lot of protection and flexibility for a good price.

Our Recommended rating goes to NitroGuard IPS for its excellent performance, ease of use and flexibility.

Protecting your network against intrusions is one of the basics of information security. So basic, in fact, that products are offering additional functionality to retain market share. By Peter Stephenson.

Intrusion detection/prevention systems (IDS/IPS) have been a staple of our annual group reviews schedule and this has given us a chance to track the evolution of these solutions and the markets they serve. This year there are two noticeable changes. First, the footprint we are seeing is decidedly distributed. Second, the functionality continues to approach universal threat management.

There is another trend that follows on from the increase in functionality: there are fewer real IDS/IPS products on the market. This is exactly the opposite of what we saw last month with UTM products, and that is no accident. Vendors see the writing on the wall: the IDS/IPS as a stand-alone product is a dying breed.

This time next year we will begin to see what this new UTM market really looks like. In the meantime, there are still very credible IDS/IPS products and, from our perspective, that's a good thing. The use of a distributed IDS/IPS is a step forward for most very large enterprises. There have been ways to gather data from multiple sensors, but the emerging architecture of separating the control centre from the sensors is a step forward.

Even with that change, we found there is a lot of data being fed to the consoles. These analysis devices come in two flavours: web-based thin clients with Java applets and fat clients that depend on Java. The fat clients require far more real estate on the desktop, especially in terms of memory. Some of our smaller computers, mostly laptops, failed under the load of a heavy attack stream against their sensor.

We saw one product that was software-based. In our view this is not the optimum approach for products of this type. Although there are some good reasons for using a software-only IDS/IPS (pricing tends to be lower and versatility arguably is greater), we found that the implementation can be unacceptably rigid when it comes to platforms.

Another trend we observed is the beginning of the export of IDS/IPS data into analysis tools by design. Of course we always could get the data if we wanted it, but we are seeing more analysis capability than ever before. We attribute this trend to the need for forensic analysis of network events at an increasing rate. Network attacks have become the province of specialised malware. The notion of the blended threat is old hat now, and we need to be able to analyse malicious activity at a far greater depth than we needed to in the past.

Buying an IDS/IPS product
Start with an understanding of your environment. If you have a large, distributed enterprise, a distributed footprint for the IDS/IPS tool is your best bet. Sensors should be placed where they can do the most good. Analysis of your data flows is a very useful starting point. This helps minimise the number of sensors - and thus the cost - required to get as much useful information as possible.

Understand what it is you want to see/do. Today's solutions are incredibly versatile. You may configure multiple sensors differently depending on your objectives. Product costs vary, but none are cheap. Match the tool to your need and look for extra features that at least approach UTM functionality. Protect your investment by looking at the vendor's development path to ensure that your new product will grow with both your needs and the vendor's plans.
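The advice above to start from an analysis of your data flows and place the fewest sensors that still see the most traffic can be made concrete as a greedy coverage calculation. The following is an added example (not code from the review or from any of the products tested); the segment names, flow volumes and the set of segments each candidate tap or SPAN port can see are all constructed assumptions.

```python
from collections import namedtuple

# Constructed sample flow summary between network segments (hypothetical names).
Flow = namedtuple("Flow", "src dst packets")
FLOWS = [
    Flow("dmz", "internet", 9000),
    Flow("corp_lan", "internet", 7000),
    Flow("corp_lan", "datacenter", 5000),
    Flow("branch_a", "datacenter", 3000),
    Flow("branch_b", "datacenter", 2500),
    Flow("branch_a", "corp_lan", 800),
    Flow("guest_wifi", "internet", 4000),
]

# Candidate sensor locations and the segments whose traffic each can observe (assumed).
CANDIDATES = {
    "edge_tap": {"internet"},
    "core_switch_span": {"corp_lan", "datacenter", "dmz"},
    "dc_tap": {"datacenter"},
    "branch_wan": {"branch_a", "branch_b"},
}


def visible_flows(segments, flows):
    """Indices of flows a sensor sees: either endpoint lies in its visible segments."""
    return {i for i, f in enumerate(flows) if f.src in segments or f.dst in segments}


def place_sensors(flows, candidates, max_sensors):
    """Greedy weighted set cover: repeatedly pick the candidate that adds the most
    not-yet-observed packets, stopping when the budget is spent or nothing is gained.
    Returns the chosen locations in order and the fraction of packets they observe."""
    covered, chosen = set(), []
    for _ in range(max_sensors):
        best, best_gain = None, 0
        for name, segs in candidates.items():
            if name in chosen:
                continue
            gain = sum(flows[i].packets for i in visible_flows(segs, flows) - covered)
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:  # every remaining candidate only duplicates coverage
            break
        chosen.append(best)
        covered |= visible_flows(candidates[best], flows)
    total = sum(f.packets for f in flows)
    return chosen, sum(flows[i].packets for i in covered) / total
```

With this sample, two sensors (the core switch SPAN plus the edge tap) already observe every flow, so a third sensor would add nothing and the function stops early.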

How we tested
We evaluated the products under test for ease of setup and configuration, especially policy management, which has become quite flexible in most products. We looked at reporting and the ability to block malicious traffic, and how well the product was supported with updates.

Finally, we subjected products to our Attack Pod, using both vulnerability scans and penetration tests from Nessus 3, NetClarity and Core Impact. Our test bed included a variety of patched and unpatched targets running different flavours of Windows and Linux. We used our new MU appliance on a few of the products, as a test of claimed zero-day protection. In most cases the tests confirmed the vendors' claims. We were able to improve our monitoring through the use of our new CriticalConneX CriticalTAP, which allowed us to monitor both sides of the test bed with a single sniffer.

The bottom line for this group test is that the products are becoming more versatile, more powerful as analysis tools and more distributed. They are not becoming exceptionally more difficult to use and manage, however. And that's very good news, indeed.

- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/
