Intrusion Prevention: Stonesoft's SGI-2000S IPS


This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."

Download it now to read this article plus other related content.

Designed for gigabit networks, these beasts are equipped with an IPS engine that uses various techniques for misuse and anomaly detection, for effective intrusion detection, while minimizing the number of false positives.

Attacks are detected by using context-sensitive fingerprinting defined with regular expressions. For example, this expression matches any of the following patterns in the traffic: "/bin/{ash|bash|csh|ksh| sh|tcsh}." You can make it context-sensitive by defining situation elements that generate an alert only when the above expression is detected for traffic originating from untrusted sources.

StoneGate detects zero-day attacks through protocol and statistical anomaly detection techniques.

We tried multiple vulnerability scanners (Nessus, WebInspect, AppScan) and penetration-testing techniques--denial of service, gain remote shell, overflows, etc.--accompanied with evasion techniques, such as time delay and fragmentation. Most were detected without affecting the normal traffic when run in inline mode.

In sniffer mode, the sensors can respond to selected threats by sending TCP resets directly to the communicating parties or by giving a blacklisting command to a StoneGate firewall, if one exists on the

    Requires Free Membership to View


The use of regular expressions makes creating new rules and custom checks easy. For example, if installing a certain product is prohibited, administrators can create a custom situation element and add an HTTP request URI with a regular expression containing the address the forbidden software uses to send or receive data.

The UI offers various situation context elements to help users write intelligent context-sensitive regular expressions to detect malicious traffic. Users can create custom situations, category tags and even workflow for certain events or sets of events.

The management server provides extensive reporting tools for generating reports on the logged firewall and IPS events. You can create reports on log, alert and audit entries as well as statistical monitoring information. A variety of report designs are ready for use in the software and new reports can be designed and customized as needed. Reports can be exported into PDF or text.

Stonesoft has delivered another strong product (see review of StoneGate SG-4000 firewall appliance, February 2006) that thwarts attacks and monitors traffic on internal networks without noticeable degradation of bandwidth.

Testing methodology: In a typical lab setup with multiple Windows and Linux machines, we sent legitimate as well as malicious traffic back and forth between the machines and the Internet through the SGI-2000S IPS.

This was first published in September 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: