Strengths: Very sophisticated IPS solution, highly versatile inspection policies, application identification, centralised management console, as well as detailed reporting
Weaknesses: Disappointing product support
Verdict: A powerful IPS solution that's easy to deploy and offers sophisticated policy-based traffic inspection and application controls
Stonesoft's StoneGate Intrusion Prevention System (IPS) appliances provide protection for internal networks and are designed to work together with its firewalls to deliver a complete security solution. The IPS-1205 represents the middle ground and is aimed at businesses requiring Gigabit performance.
This 1U appliance is equipped with six Gigabit ports, but lacks power redundancy. However, two pairs of ports are configured with hardware bypass switches, so if the appliance fails it can be set to allow all traffic through.
All StoneGate appliances are monitored and managed via the log server service and management server (MS) components. A separate management client is used to access the MS, and these can run on the same system or separately and provide all the facilities you need to handle multiple appliances from a centralised console.
Installation of the management components on a Windows Server 2008 R2 64-bit system took only a few minutes, after which we declared the IPS to the MS. Two methods are available. You can access the appliance via its CLI and run a setup wizard, where you define a management port and decide whether the other Gigabit ports should be sensors, analysers or both; the IP address of the MS is entered at the CLI along with a one-time password generated from the management console. For large deployments it's quicker to copy the configuration to a USB stick, plug it into the appliance and power it up. The appliance then contacts the MS automatically, downloads a predefined base IPS policy and is operational within a few minutes.
At this stage the appliance can be left to monitor all traffic so you can see what's occurring on the network and decide how to tune IPS policies to suit. A base set of predefined policies is included to provide initial protection, but you can easily copy these and use them as templates to create your own.
Policies contain multiple rules that determine how the sensors and analysers behave. You can use Ethernet rules to decide whether an incoming packet is allowed, add connection tracking and access rules to handle new connections and then apply traffic inspection rules.
A big advantage of the Stonesoft management server is that multiple administrators can have their own copy of the client and log in simultaneously. This allows them to manage appliances they have permission for and the level of control goes right down to specific subsets of policy rules.
Plenty of predefined rules are already provided that should cover most eventualities. Permit or deny actions can be applied to individual elements or entire rule groups, and you can elect to log events, assign alerts and store the offending payload as well.
Alerting facilities are extensive and use channels to define email, SMS, custom script and SNMP trap notifications. Alert policies are linked to situations: elements created in the management console that look for specific sets of events, malicious traffic patterns and vulnerabilities.
Situations can be used to monitor and report on many other areas, such as on the use of a particular application. They can also be used to block websites.
When a situation or rule triggers an alert, the log server issues a notification as requested by the assigned channel. A valuable feature is the ability to escalate alerts using time periods, so if the first recipient doesn't respond another alert can be sent to another administrator until it has been acknowledged.
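The timed escalation described above is a small state machine: each step notifies a recipient over a channel, waits a set period for an acknowledgement, and hands the alert to the next administrator if none arrives. The following Python is an added illustration of that logic, not Stonesoft's code; the chain of recipients, the channel names and the timeouts are constructed sample values, and the behaviour of stopping once the chain is exhausted is an assumption rather than something the review describes.

```python
"""Alert escalation chain (added example, not StoneGate code).

Step 0 is notified the moment the alert is raised; step i+1 fires
`timeout` seconds after step i unless the alert has been acknowledged
in the meantime.  Times are plain integers (seconds) so the logic can be
replayed deterministically without a clock.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EscalationStep:
    recipient: str   # administrator (or group) notified at this step
    channel: str     # notification channel: "email", "sms", "snmp", "script"
    timeout: int     # seconds to wait for an acknowledgement before escalating


# (time sent, recipient, channel)
Notification = Tuple[int, str, str]

# Constructed sample chain: on-call engineer by email, then SMS, then the
# security lead, then the IT manager.  Hypothetical recipients.
SAMPLE_CHAIN: List[EscalationStep] = [
    EscalationStep("ops-oncall", "email", 900),     # 15 min to acknowledge
    EscalationStep("ops-oncall", "sms", 900),       # 15 min more
    EscalationStep("security-lead", "sms", 1800),   # 30 min more
    EscalationStep("it-manager", "email", 3600),    # last resort
]


def escalate(chain: List[EscalationStep], raised_at: int, now: int,
             acked_at: Optional[int] = None) -> List[Notification]:
    """Return every notification the chain would have issued up to `now`.

    A step is skipped (and escalation stops) if the alert was acknowledged
    at or before the moment that step would fire.
    """
    sent: List[Notification] = []
    fire_at = raised_at
    for step in chain:
        if fire_at > now:
            break                                   # not yet due
        if acked_at is not None and acked_at <= fire_at:
            break                                   # acknowledged first
        sent.append((fire_at, step.recipient, step.channel))
        fire_at += step.timeout
    return sent


def next_escalation(chain: List[EscalationStep], raised_at: int, now: int,
                    acked_at: Optional[int] = None) -> Optional[Notification]:
    """Return the next pending (time, recipient, channel), or None.

    None means either the alert is acknowledged or the chain is exhausted,
    which is what a scheduler would check before arming its next timer.
    """
    if acked_at is not None and acked_at <= now:
        return None
    fire_at = raised_at
    for step in chain:
        if fire_at > now:
            return (fire_at, step.recipient, step.channel)
        fire_at += step.timeout
    return None                                     # chain exhausted


if __name__ == "__main__":
    # Unacknowledged alert raised at t=0, observed at t=2000: three steps fired.
    for n in escalate(SAMPLE_CHAIN, raised_at=0, now=2000):
        print("sent", n)
    print("next", next_escalation(SAMPLE_CHAIN, raised_at=0, now=2000))
    # Same alert acknowledged at t=1000: the security lead is never paged.
    print("acked", escalate(SAMPLE_CHAIN, raised_at=0, now=2000, acked_at=1000))
```

The replay form (computing what should have fired by a given time, rather than sleeping between steps) is deliberate: it makes the escalation auditable after the fact and lets a log server recover correctly if it restarts mid-chain.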
Traffic identification rules make the IPS-1205 versatile, as these can be used to spot specific applications being used and apply an action. We tested this by modifying a rule in our main policy to allow only the use of IE7 and above on our test clients. We ran IE6 on one system and it was not allowed internet access.
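The IE6 test above is an application-identification rule applied to clear-text HTTP: the sensor reads the User-Agent header, works out the browser version and takes an action. The Python below is an added example of that decision logic, written for this review rather than taken from StoneGate; the request text is constructed, the rule name and the allow/deny reasons are hypothetical, and the choice to let non-IE browsers pass (the rule only constrains Internet Explorer) is an assumption. It also covers a case the review does not mention: newer IE releases that drop the "MSIE" token and identify themselves via "Trident" and "rv:".

```python
"""Minimum-browser-version rule over HTTP request headers (added example)."""
import re
from typing import Dict, Optional, Tuple

# Classic IE token: "MSIE 6.0".  Newer IE: "Trident/7.0; rv:11.0" with no MSIE.
MSIE_RE = re.compile(r"\bMSIE\s+(\d+)(?:\.\d+)?")
TRIDENT_RE = re.compile(r"\bTrident/\d+(?:\.\d+)?.*?\brv:(\d+)")

RULE_NAME = "allow-ie7-and-above"   # hypothetical rule identifier
MIN_IE_MAJOR = 7


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x request into a lower-cased dict.

    Only the first occurrence of each header is kept; malformed lines are
    ignored rather than treated as an error, as an inline sensor must not
    stall on junk.
    """
    headers: Dict[str, str] = {}
    lines = raw_request.split("\r\n")
    for line in lines[1:]:              # skip the request line
        if line == "":
            break                       # end of header block
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def ie_major_version(user_agent: str) -> Optional[int]:
    """Return Internet Explorer's major version from a User-Agent, or None."""
    m = MSIE_RE.search(user_agent)
    if m:
        return int(m.group(1))
    m = TRIDENT_RE.search(user_agent)   # IE 11 style identification
    if m:
        return int(m.group(1))
    return None                         # not Internet Explorer


def evaluate(raw_request: str, min_major: int = MIN_IE_MAJOR) -> Tuple[str, str]:
    """Apply the rule to one request; returns (action, reason) for logging."""
    ua = parse_headers(raw_request).get("user-agent", "")
    version = ie_major_version(ua)
    if version is None:
        return ("allow", "not-internet-explorer")   # assumption: rule is IE-only
    if version >= min_major:
        return ("allow", f"ie-{version}")
    return ("deny", f"ie-{version}-below-{min_major}")


def _request(user_agent: str) -> str:
    """Build a constructed sample GET request carrying the given User-Agent."""
    return ("GET / HTTP/1.1\r\nHost: intranet.example\r\n"
            f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n")


# Constructed sample traffic, one request per browser.
SAMPLES = {
    "ie6": _request("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    "ie7": _request("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"),
    "ie11": _request("Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
    "firefox": _request("Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"),
    "no_ua": "GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        action, reason = evaluate(req)
        print(f"rule={RULE_NAME} client={label:8} action={action:5} reason={reason}")
```

Two points the sample makes that a policy author should keep in mind: a version rule keyed on "MSIE" alone silently stops matching once the browser changes its identification string, and the User-Agent header is client-supplied, so a rule like this enforces policy on cooperative endpoints rather than authenticating them.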
HTTPS traffic inspection comes as standard and allows the appliance to decrypt and re-encrypt this traffic prior to passing it on. As this feature requires secure connections to the requesting client and to the server handling the request, the sensors must be used inline.
Web filtering is available for around £3,000 per annum via the BrightCloud hosted service.
So far, so good, but we weren't impressed with Stonesoft's support. On two occasions we requested licences to activate specific functions but were left waiting for more than a week, which is unacceptable.
On a brighter note, the level of reporting provided by the management console is impressive. You can select an appliance and view full statistics and performance data, display alerts, create custom reports on specific areas of log data and schedule them to run regularly.
The IPS-1205 is capable of providing strong protection for internal networks and its traffic inspection policies are flexible.