Price: $3,995 for unlimited users
Many SMBs are looking to consolidate security systems and respond to increasing threats with smarter spending. In the past, packet-filtering firewalls may have been sufficient, but with application and client-side attacks on the rise, many organizations are turning to intrusion prevention.
The TippingPoint X505 appliance hits the sweet spot for SMB value, combining IPS, firewall and VPN technologies, and supporting around 500 concurrent users. It also adds content filtering and traffic shaping. The X505 features a stateful inspection firewall and a standards-based VPN that works with Windows, Linux and Mac OS X.
We set up a simple network with the external link being monitored by the X505. The attack network was connected to the WAN, and the inside protected network was connected to the LAN. An IPSec VPN connection bridged the WAN and the X505.
What's really exceptional is how the IPS, firewall and VPN interact. One of the key security concerns with VPN technology is the possibility of malicious code traversing the tunnel undetected. The X505 performs firewall and intrusion prevention functions inside an IPSec VPN tunnel, a huge advance.
The IPS features more than 2,300 filters designed to protect against malicious attacks on network services, applications and clients, but the majority of these are disabled by default. This allows organizations to enable them gradually, testing for false positives and/or deciding which filters match corporate security policies. We'd like to see at least detection turned on by default in most cases. This is especially significant because TippingPoint does not make its attack signatures public; this can hamstring analysts who need to troubleshoot a false positive that blocks legitimate traffic or to create a tighter filter.
The X505's IPS performed well in our test lab, blocking common attacks such as Metasploit's RPC DCOM and the LSASS buffer overflow attack, and it resisted minor evasive techniques such as fragmentation and invalid checksum combinations.
The X505 can filter URLs and content based on policy and/or subscription from TippingPoint. Traffic shaping allows managers to allocate or constrict bandwidth based on protocol and port to restrict applications and protocols, such as peer-to-peer traffic. The traffic shaping extends into the VPN tunnel as well.
Setup and management are relatively easy and flexible. We ran a quick install via a terminal console with little incident. We enabled the SSL Web management portal and reconnected via a browser-based interface. The Web-based management interface is simple, quick and logically designed. Management is also offered over SNMP, HTTP, HTTPS and SSH.
The firewall and VPN are completely configurable, and users can change the state and action taken when IPS filters get tripped. The default logging information displayed by the X505 is limited. The usual information for time, source, destination and filter name is provided, but the events are not hyperlinked to any further information. Analysts can download the logs in CSV format, but remote logging (syslog or other) is not available.
Intrusion prevention systems have been touted as network panaceas as well as IDS killers, but IPSes should be gunning for the firewall, not the IDS. Products like the X505 may mark a turning point in the market, redefining the role of the IPS in the small organization: IPSes with firewall and VPN technology will eventually replace the packet-filtering firewall, not the IDS.
This product review originally appeared in the May 2006 issue of Information Security magazine.