Ever wanted to know how effective a network-based intrusion prevention system (IPS) appliance was before putting it into production? Or, if you have them now, how well yours is doing?
TippingPoint, an IPS vendor, is the first to make an IPS testing tool freely available for testing any IPS or intrusion detection system (IDS). Available via open source, the tool, called Tomahawk, was recently announced and is currently available for download.
"TippingPoint is contributing Tomahawk to the public to make IPS testing easier and more affordable for end users," TippingPoint's CTO Marc Willebeek-LeMair said in a statement.
While IDS products simply notify administrators of potentially harmful or malicious network traffic, IPS devices work inline with the traffic and drop malicious or unwanted packets.
Determining the effectiveness of IDS or IPS devices is difficult, as these network devices usually operate as black boxes, detecting malicious network actions based on rule sets or anomaly-based behaviors on the network.
Testing performance characteristics of IPS devices, while secondary to effectiveness, is still important. If traffic that passes through an IPS exceeds the device threshold, does it let malicious traffic onto the internal network? Another concern is the level of false positives. Because there's also the potential for blocking legitimate traffic, default settings on most IPSes err on the side of letting malicious traffic onto the network instead of accidentally stopping legitimate traffic.
Tomahawk can be leveraged to ensure that IPS devices are working as advertised. Requiring a dedicated server with three network interfaces, the traffic capture component of Tomahawk "is like TCP-Replay on steroids," said Tomahawk author Brian Smith, who is TippingPoint's director of advanced solutions. He also alluded to Tomahawk's ability to mix and replay a variety of real-world traffic through the IPS undergoing testing.
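The replay-and-observe idea behind this kind of testing, and the two numbers the previous paragraphs care about (attack traffic that gets through, legitimate traffic that is wrongly dropped), as an added offline model. This is example code written for this article, not Tomahawk's own; the client/server split rule, the signature-matching IPS stand-in, and the sample captures are all constructed assumptions.

```python
"""Offline model of replay-based IPS testing (added example, not Tomahawk's code).

Each captured flow is split into client-side and server-side packets (assumption:
the first packet's source is the client). Every packet is pushed through an inline
IPS model and must come out the far side; a flow in which any packet never arrives
is recorded as blocked. Scoring labelled malicious and benign captures gives a
detection rate and a false-positive rate, and an 'overloaded' mode shows the
fail-open behaviour that matters once traffic exceeds the device threshold.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")

# Hypothetical IPS rule set: drop any packet carrying one of these byte patterns.
SIGNATURES = [b"EVIL-MARKER-1", b"EVIL-MARKER-2"]

def ips_forward(pkt, overloaded=False):
    """Inline IPS stand-in: return the packet if it passes, None if dropped.
    When overloaded it fails open and passes everything uninspected."""
    if overloaded:
        return pkt
    return None if any(sig in pkt.payload for sig in SIGNATURES) else pkt

def split_sides(flow):
    """Tag each packet with the interface it would be replayed from."""
    client_ip = flow[0].src
    return [("client" if p.src == client_ip else "server", p) for p in flow]

def replay_flow(flow, forward):
    """Replay a flow; it is 'blocked' as soon as one packet fails to cross."""
    for _side, pkt in split_sides(flow):
        if forward(pkt) is None:
            return "blocked"
    return "passed"

def score(captures, forward):
    """captures: list of (label, flow). Returns detection and false-positive rates."""
    mal = [replay_flow(f, forward) for lbl, f in captures if lbl == "malicious"]
    ben = [replay_flow(f, forward) for lbl, f in captures if lbl == "benign"]
    return {"detection_rate": mal.count("blocked") / len(mal) if mal else 0.0,
            "false_positive_rate": ben.count("blocked") / len(ben) if ben else 0.0}

# Constructed sample captures (not real traffic).
ATTACK = [Packet("10.0.0.5", "10.0.0.80", b"GET /x?EVIL-MARKER-1 HTTP/1.0"),
          Packet("10.0.0.80", "10.0.0.5", b"HTTP/1.0 200 OK")]
BENIGN = [Packet("10.0.0.6", "10.0.0.80", b"GET /index.html HTTP/1.0"),
          Packet("10.0.0.80", "10.0.0.6", b"HTTP/1.0 200 OK")]
CAPTURES = [("malicious", ATTACK), ("benign", BENIGN)]

if __name__ == "__main__":
    print("normal load:", score(CAPTURES, ips_forward))
    print("overloaded: ", score(CAPTURES, lambda p: ips_forward(p, overloaded=True)))
```

Swapping `ips_forward` for a function that actually transmits on one interface and waits for the packet on another turns the same scoring loop into a live check against a real appliance.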
While Tomahawk has been in testing and deployment at TippingPoint since 2002, it has only recently been released to the public. Being open source, Tomahawk has the potential to be a sort of self-imposed monitor for testing IPS devices -- allowing other IDS and IPS vendors to take up the torch and "potentially use Tomahawk to make an industry benchmark for these types of network and security devices," said Smith.