This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Price: $3,995 for unlimited users
TippingPoint/3Com's TippingPoint X505
TippingPoint X505 proves a good value for SMBs by combining IPS, firewall, VPN, content filtering and traffic-shaping capabilities.
Many SMBs are looking to consolidate security systems and respond to increasing threats with smarter spending. In the past, packet-filtering firewalls may have been sufficient, but with application and client-side attacks on the rise, many organizations are turning to intrusion prevention.
The TippingPoint X505 appliance hits the sweet spot for SMB value, combining IPS, firewall and VPN technologies, and supporting around 500 concurrent users. It also adds content filtering and traffic shaping. The X505 features a stateful inspection firewall and a standards-based VPN that works with Windows, Linux and Mac OS X.
We set up a simple network with the external link being monitored by the X505. The attack network was connected to the WAN, and the inside protected network was connected to the LAN. An IPSec VPN connection bridged the WAN and the X505.
What's really exceptional is how the IPS, firewall and VPN interact. One of the key security concerns with VPN technology is the possibility of malicious code traversing the tunnel undetected. The X505 applies its firewall and intrusion prevention to traffic inside an IPSec VPN tunnel--a huge advance.
The IPS features more than 2,300 filters designed to protect against malicious attacks on network services, applications and clients, but the majority of these are disabled by default. This allows organizations to enable them gradually, testing for false positives and/or deciding which filters match corporate security policies. We'd like to see at least detection turned on by default in most cases. This is especially significant because TippingPoint does not make its attack signatures public; this can hamstring analysts who need to troubleshoot a false positive that blocks legitimate traffic or to create a tighter filter.
The X505's IPS performed well in our test lab, blocking common attacks such as Metasploit's RPC DCOM and the LSASS buffer overflow attack, and it resisted minor evasive techniques such as fragmentation and invalid checksum combinations.
The X505 can filter URLs and content based on policy and/or subscription from TippingPoint. Traffic shaping allows managers to allocate or constrict bandwidth based on protocol and port to restrict applications and protocols, such as peer-to-peer traffic. The traffic shaping extends into the VPN tunnel as well.
Setup and management are relatively easy and flexible. We ran a quick install via a terminal console with little incident. We enabled the SSL Web management portal and reconnected via a browser-based interface. The Web-based management interface is simple, quick and logically designed. Management is also offered over SNMP, HTTP, HTTPS and SSH.
This was first published in May 2006