Intruder alert, intruder alert
The GCN Lab tests five intrusion prevention systems and finds them effective'with some tweaks.
- By Greg Crowe
- Sep 07, 2006
Defense against malicious attacks usually is right at the top of a network administrator's list of security concerns. While it is hard to quantify the monetary loss associated with penetration attacks, recent surveys have shown an increase in recent years.
Last year, the Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security Survey estimated that the cost of a security breach averaged more than $200,000.
And losing secrets or being unable to access important information on a government network are costs nobody can adequately calculate.
One solution is to install an intrusion prevention system, or IPS. An IPS is a network appliance designed to attach to your network, detect incoming attacks and block them.
Generally, it does this in one of two ways. If the attack is a known threat, the IPS will check a list, or signature file, and stop it. If the attack is not known (typically one that's new), the IPS relies on a set of rules to detect behavioral anomalies that most attacks exhibit.
The GCN Lab brought in five IPS appliances'the Cisco IPS 4240, eSoft ThreatWall 200, ForeScout Technologies ActiveScout 100, Juniper IDP 200 and McAfee Intrushield 2700'and hooked them up to our test network, one after the other.
We rated them not only on their ability to defend against attacks (see sidebar on how we tested, Page 44), but also on how easy they were to set up and maintain. We noted features such as extra ports and interface options. And, as always, bang for your buck was a consideration.What we found
As we expected, all the IPS appliances, once properly configured, were able to stop the simulated attacks on our Windows 2000 system.
What was vastly different, however, was the level of complexity involved in making changes to the security profiles necessary to prevent attacks.
And because the ease with which an appliance was set up often differed from the ease of setting its security options correctly, we established separate grades for setup and configuration.
For instance, we had no problem getting the ThreatWall 200 running, but tweaking its security settings proved to be a hassle. Fortunately, it came with predetermined security profiles that we could apply all at once, depending on the characteristics of our test system.
Conversely, the Juniper IDP 200 was actually the most difficult to set up (not by much), but it was our favorite product. A few quick tweaks to the security profile and the Juniper IPS was blocking any and all attacks we directed its way. Your mileage will vary, but overall, we're impressed with the state of IPS devices.
Greg Crowe is a staff writer covering mobile technology for GCN. Follow him on Twitter: @GCNLabGuys.