Attack signatures trigger a range of responses among content-based IPSs.
The in-line products we tested were Check Point's InterSpect, EcoNet.com's Sentinel IPS, Internet Security Systems' Proventia G Series, Lucid Security's ipAngel, NetScreen Technologies' NetScreen-IDP 100, StillSecure's Border Guard and TippingPoint Technologies' UnityOne. Because EcoNet.com's offering is a managed service rather than a stand-alone product, we discuss it separately (see Managed IPS alternative, www.nwfusion.com, DocFinder: 9725).
We installed each of these in our labs in Los Angeles, San Jose and Tucson, Ariz. (see How we did it, DocFinder: 9726), and assessed them from the perspective of network professionals looking to put an IPS into a production network, asking three questions:
* What does the product catch? What kind of malicious traffic is this designed to identify? Where did the engineers design this product to go in a network?
* How does the IPS block traffic? What other reactive techniques are available?
* How can the IPS be controlled? What features are available for management, configuration and tuning?
ISS, NetScreen and TippingPoint clearly fit our model of how an enterprise product should be built.
All six had some level of signature-based intrusion detection to help identify malicious or anomalous traffic. Beyond that, we found four with limited rate-based control capabilities, two with connection flood (also called SYN flood) controls and one with built-in honeypot technology.
Finding intrusion-detection system (IDS)-style signatures and protocol-anomaly detection in these IPS devices was no surprise. IDS vendors are ideally situated to design IPS products because they've already thought about what it takes to identify malicious traffic. In three cases, the IDS inside looked very familiar. IpAngel and Border Guard are built on top of the open source Snort IDS engine. Proventia uses the ISS IDS engine inside.
Proventia ships with the entire ISS signature library but only about 250 rules are enabled by default for the IPS function. These are rules that ISS is willing to guarantee will not generate false positives. We found a similarly reduced list in InterSpect and UnityOne. Balancing a short signature list to reduce false positives with enough signatures to make IPS useful is a constant battle for vendors as these products are installed and updated.
NetScreen has a huge signature library but you have to define your internal...