Information Security Magazine


On the Line
by Ed Skoudis & Mike Poor
Issue: Nov 2005

Setup and Deployment
We worked with technical support to help us through each of the installations. The Top Layer product was the easiest to set up and deploy; the appliance came with a complete setup guide, administration manual and a virtual front panel in the GUI application. Using the front panel configuration feature, we were able to set up the management port, configure the IPS port bridge and apply signatures with little of the guesswork required for other products.

ISS was pretty easy to plug into our network and tweak with no real problem, but lacked Top Layer's intuitive deployment GUI.

By default, the Sourcefire product operates as an inline IDS, detecting attacks but not blocking anything. We needed about a half-hour on the phone with Sourcefire technical support to create a reasonable configuration.

Cisco's technical support guided us through a set of command-line scripts to make the product work in our environment. While not too complicated, this hour-long walk through an arcane command-line session made deployment less smooth than with other products.

Radware was problematic. When applying the default rule set for a corporate gateway device, the appliance would not block any of our attacks. We spent more than two hours on the phone with Radware troubleshooting the problem. We finally had to apply signatures to the interface by enabling all the corporate policies (Gateway, LAN, DMZ, etc.) to get the Radware device to block anything.

SCOREBOARD

Final Score
Top Layer gets our overall nod, with its solid detection capabilities and crisp management interface. Close behind were Sourcefire and ISS, reflecting two very different philosophies. Sourcefire features great customizability of both workflow and signature sets, but you'll need adequate staff resources to create custom configurations that block adequately in your environment. If you lack the resources for fine-tuning signatures, the ISS product's out-of-the-box blocking and anti-evasion capabilities are top-notch.

Cisco's product did very well in our evasion and DoS tests, and performed reasonably well elsewhere. Radware lagged in each of our tests. The one thing that really surprised us, however, was how two security engineers could bypass most of these IPS devices within a few hours of testing. We strongly recommend setting up a similar test bed for these tools while you pilot them for your enterprise. Your feedback to the vendor plays a critical role in the improvement of the product space.

Send your thoughts on this article to feedback@infosecuritymag.com.
