GCN, 09/11/06 issue
How we tested intrusion prevention systems
By Greg Crowe, GCN Staff
In order to test devices designed to detect and block network intrusions, the GCN Lab needed something to mimic attacks. We decided to partner with Core Security (www.coresecurity.com) of Boston, which has been in the information security business for 10 years. The company's Core Impact penetration testing software is used by many of the companies represented in this review, as well as many government agencies and commercial organizations.

In order to create a base environment in which to compare the different appliances, we set up a single system within our test network to be the target of Core Impact's simulated attacks. We chose a system running the most vulnerable operating system we could think of: Windows 2000 Service Pack 2 with no additional service packs or security updates.

We temporarily opened the channels on the test network's firewall and installed Core Impact on a system outside the network. We then proceeded to detect and attack the Windows 2000 system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 85 of the most applicable.

Knowing how our target system was vulnerable and the attacks we could launch against it, we connected each IPS in turn according to its recommended configuration. We then allowed each IPS to function in a real-world network environment for a day or more.

Eventually we rebooted the Windows 2000 machine and ran Core Impact to simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran the tests one more time. The result was a complete picture of how effective each IPS was at preventing attacks, both out of the box and after fine-tuning. The good news is, we were able to tweak each IPS to completely shut down the Core Impact attacks.
