Intrusion Prevention: iPolicy Network's ISM Express 1000

This article can also be found in the Premium Editorial Download: Information Security magazine: The power of SIMs for visibility and compliance.

INTRUSION PREVENTION


ISM Express 1000
REVIEWED BY STEVE WEIL
iPolicy Networks

Price: $30,000


Bigger, faster boxes have created the need for an enterprise market segment for unified threat management (UTM). Beyond performance, however, strong central management of multiple UTM appliances is critical for distributed environments.

That's where iPolicy Networks' ISM Express appliances come in, managing up to 15 iPolicy Intrusion Prevention Firewalls (IPF). The IPF (see Information Security review, December 2004) is a stateful inspection firewall with integrated IDS, IPS, anomaly detection and Web-filtering capabilities.

Policy Control: B
For an organization with multiple IPFs, ISM Express can enable centralized and consistent rule enforcement and management across multiple networks. Its intuitive and well-designed management console allowed us to apply granular firewall, IDS, IPS and URL filtering rules across multiple IPFs. Rules can apply to individual IPFs or globally.

We were able to successfully create and apply many different rules--such as allowing inbound SSH, blocking access to a specific Web page and sending an alert when a port scan occurred.

Configuration/Management: B
iPolicy's thorough documentation made it easy to configure initial IPF management.

We liked the layout of the management interface, which provides a unified view of IPF configuration and real-time monitoring of IPF events. We found it easy to modify rules and view events. We were able to create multiple administrators, who could manage global and local security policies per specific privileges. Local or RADIUS authentication can be used.

Security updates such as attack, worm and spyware signatures are regularly released by iPolicy; ISM Express can automatically download the updates and then apply them to all managed IPFs.

Device Security: C-
It is critical that a security management system be fully secured, so we were quite concerned when we discovered several security weaknesses in ISM Express. A compromise could be catastrophic for an organization, possibly giving an attacker control of multiple IPFs.

A Nessus scan found high-risk vulnerabilities in the appliance's Oracle database (patches have been available since January 2005 or earlier). We also found the appliance had a remotely reachable Web page containing sample JSP and Servlet examples plus a management application, which could be exploited to compromise the appliance.

ISM Express was running Oracle's HTTP server with a Web page containing sample scripts, though the scripts could not be reached remotely. Finally, we found that two basic security hardening steps had not been taken--renaming the Windows administrator account and suppressing the display of the last logged-in user (which leaves an attacker needing only that user's password to log in).
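As an added illustration (not from the review or from iPolicy), the following PowerShell audit checks the two Windows hardening steps the review found missing: whether the built-in Administrator account still carries its default name, and whether the policy that hides the last logged-in user name is set. It assumes a current Windows host with the LocalAccounts module and an elevated session; the function names are the author's own.

```powershell
# Added example: audit the two Windows hardening steps the review found missing.
# Assumes Windows 10 / Server 2016 or later (Get-LocalUser from the LocalAccounts
# module) and an elevated session. Not part of the iPolicy product or the review.

function Test-BuiltInAdminRenamed {
    # The built-in Administrator account always has a SID ending in -500,
    # whatever its display name, so look it up by RID rather than by name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Check   = 'Built-in Administrator renamed'
        Value   = $admin.Name
        Enabled = $admin.Enabled
        Pass    = ($admin.Name -ne 'Administrator')
    }
}

function Test-LastUserNameHidden {
    # Policy value that suppresses the last logged-in user name on the logon screen.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'DontDisplayLastUserName'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    # An absent value means the default applies: the last user name is shown.
    $value = if ($null -ne $item) { $item.$name } else { $null }
    [pscustomobject]@{
        Check   = 'Last logged-in user name hidden'
        Value   = $value
        Enabled = $null
        Pass    = ($value -eq 1)
    }
}

$results = @(Test-BuiltInAdminRenamed; Test-LastUserNameHidden)
$results | Format-Table Check, Value, Pass -AutoSize

# A non-zero exit code lets a scheduled job flag a host that fails either check.
if ($results.Pass -contains $false) { exit 1 }
```

Run it against each management host after build-out and after every rebuild, since the review's finding was that the vendor's own image shipped without these settings applied.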


Reporting: B+
ISM Express offers both real-time and historical reporting. It can collect and display events from multiple IPFs, and alarms can also be forwarded to syslog, SNMP and SMTP servers. The customizable monitoring console provides a unified, near real-time view of system events and rule-enforcement actions.

Administrators can create a variety of predefined reports ranging from high-level executive summaries to detailed technical reports about specific IPFs. Reports can be exported as HTML or PDF documents.

Verdict
ISM Express is a powerful, useful product with strong reporting and policy management capabilities, which can provide centralized, consistent management across distributed IPFs. However, its surprisingly lax security should be tightened.

Testing methodology: Our test network included an ISM 1000 Express (a lower-performance 400 model is also available), an unmanaged switch, a Windows server and an IPF 3300 appliance.

This was first published in September 2006
