Intrusion Prevention: Stonesoft's SGI-2000S IPS

This article can also be found in the Premium Editorial Download: Information Security magazine, "How to dig out rootkits".

INTRUSION PREVENTION

REVIEWED BY PHORAM MEHTA

Stonesoft
Price: SGI-2000S, $31,900; SGI-200ANZ, $8,950


Deployment of intrusion detection and prevention systems has grown considerably, driven in part by improved effectiveness and by the need to comply with federal and industry regulations. Stonesoft offers a strong new entry into this crowded market with its StoneGate IPS products.


Installation/Configuration B+  
StoneGate's security platform is flexible and scalable, built on a three-tier architecture: the user interface, the management tier and the IPS engines (plus the StoneGate firewall, if you own one, which is managed from the same place). Organizations can deploy IPS clusters of up to 16 nodes.

We tested the SGI-2000S IPS sensor appliance and SGI-200ANZ analyzer device (for event correlation).

Since the appliances ship with the IPS engines installed, we only needed to install the three management components, which we put on a single Windows server. (Linux and Solaris versions are also available.)

Wizard-driven installation and configuration of the management server, which can manage all Stonesoft products, is fairly simple.

There's no automatic update capability, so plan to download and install each IPS signature update (released roughly once a week) as soon as it appears; a sensor running stale signatures will miss attacks the vendor has already fingerprinted.


Effectiveness/Performance B+  
Designed for gigabit networks, the sensors run an IPS engine that combines misuse (signature) detection with anomaly detection, aiming to catch intrusions reliably while keeping false positives to a minimum.

Attacks are detected with context-sensitive fingerprints defined as regular expressions. For example, the expression /bin/(ash|bash|csh|ksh|sh|tcsh) matches a reference to any of those shells in the traffic. You make it context-sensitive by defining situation elements that raise an alert only when the expression is seen in traffic originating from untrusted sources.

For attacks that have no signature yet (zero-days), StoneGate relies on protocol and statistical anomaly detection.

We ran several vulnerability scanners (Nessus, WebInspect, AppScan) and penetration-testing techniques (denial of service, gaining a remote shell, overflows and so on), combined with evasion techniques such as time delays and packet fragmentation. In inline mode, most were detected without affecting normal traffic.

In sniffer (passive) mode the sensor cannot drop packets itself, but it can respond to selected threats by sending TCP resets directly to both communicating parties or by issuing a blacklisting command to a StoneGate firewall, if one exists on the network.


Administration/Management B+  
The use of regular expressions makes creating new rules and custom checks easy. For example, if installing a certain product is prohibited, administrators can create a custom situation element and add an HTTP request URI check with a regular expression matching the address the forbidden software uses to send or receive data.

The UI offers various situation context elements to help users write context-sensitive regular expressions that detect malicious traffic. Users can create custom situations, category tags and even workflows for certain events or sets of events.
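As an added example (not Stonesoft's rule syntax or code), the following Python shows how the pieces described above fit together: the shell-path fingerprint from the Effectiveness section written as a regular expression, an "untrusted source" context element, a custom HTTP request URI rule of the kind the Administration section describes for a forbidden product, and why the fragmentation evasion mentioned in testing only fails against an engine that reassembles the stream before matching. The trusted address ranges, the forbidden-app URI and the sample HTTP flows are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed trusted address space (constructed for the example). The
# "untrusted source" context element means a fingerprint only alerts
# when the flow's source lies outside these ranges.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Situations: name -> fingerprint. Patterns are bytes because they run on
# raw reassembled payloads. "shell-path" is the review's example as regex
# alternation, with \b so that e.g. "/bin/shadow" does not match.
# "forbidden-updater" is a hypothetical custom rule on the HTTP request
# line, keyed on the URI a prohibited product would use to fetch updates.
SITUATIONS = {
    "shell-path": re.compile(rb"/bin/(?:ash|bash|csh|ksh|sh|tcsh)\b"),
    "forbidden-updater": re.compile(
        rb"^(?:GET|POST) /forbidden-app/(?:update|telemetry)\S* HTTP/1\.[01]",
        re.MULTILINE,
    ),
}


def is_trusted(src):
    """True if the source address falls inside a trusted range."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def reassemble(segments):
    """Order TCP segments (seq, payload) by sequence number and join the
    payloads into the stream the application layer actually sees."""
    return b"".join(payload for _, payload in sorted(segments, key=lambda s: s[0]))


def inspect(src, segments):
    """Names of situations that fire for one flow: the fingerprint must
    match the reassembled stream AND the source must be untrusted."""
    if is_trusted(src):
        return []
    stream = reassemble(segments)
    return [name for name, rx in SITUATIONS.items() if rx.search(stream)]


def per_segment_hits(segments):
    """What an engine that matched each segment in isolation would see:
    a pattern split across two segments never matches."""
    return [name for name, rx in SITUATIONS.items()
            if any(rx.search(payload) for _, payload in segments)]


# Constructed sample flows (not captured traffic). The first arrives out of
# order and is cut in the middle of "/bin/sh", the classic fragmentation
# evasion; the second is a request to the hypothetical forbidden updater.
FRAGMENTED_SHELL = [
    (26, b"n/sh%20-c%20id HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    (0, b"GET /cgi-bin/x.cgi?cmd=/bi"),
]
FORBIDDEN_UPDATE = [
    (0, b"GET /forbidden-app/update?v=2 HTTP/1.1\r\nHost: u.example\r\n\r\n"),
]

if __name__ == "__main__":
    print("segment-by-segment:", per_segment_hits(FRAGMENTED_SHELL))        # []
    print("external source:   ", inspect("203.0.113.5", FRAGMENTED_SHELL))  # ['shell-path']
    print("internal source:   ", inspect("10.1.2.3", FRAGMENTED_SHELL))     # []
    print("forbidden app:     ", inspect("198.51.100.7", FORBIDDEN_UPDATE)) # ['forbidden-updater']
```

The contrast between per_segment_hits and inspect is the point: the same fingerprint misses the fragmented request when segments are matched one at a time and catches it once the stream is reassembled, which is what an engine has to do before the regex is worth anything. The example does not decode percent-encoding, so a request carrying /bin%2Fsh would slip past it; a production engine normalizes the URI before matching, and a custom rule like the forbidden-updater one should be written against the normalized form.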


Reporting B  
The management server provides extensive reporting tools for the logged firewall and IPS events. You can create reports on log, alert and audit entries as well as on statistical monitoring data. A variety of report designs are ready to use, and new reports can be designed and customized as needed. Reports can be exported to PDF or text.


Verdict
Stonesoft has delivered another strong product (see our review of the StoneGate SG-4000 firewall appliance, February 2006) that thwarts attacks and monitors traffic on internal networks without noticeable degradation of bandwidth.


Testing methodology: In a typical lab setup with multiple Windows and Linux machines, we sent legitimate as well as malicious traffic back and forth between the machines and the Internet through the SGI-2000S IPS.

This was first published in September 2007
