GOLD | TippingPoint Intrusion Prevention System
One of the most critical components of any IT security program is the ability to detect or prevent network intrusions before the attacker is able to do real damage. Asked which IDS/IPS system best meets the challenge, readers gave the highest marks to TippingPoint's Intrusion Prevention System (IPS).
The TippingPoint IPS is an inline device that gives packets a thorough inspection to determine if they're malicious. This instantaneous protection is the most effective means of preventing attacks from reaching their targets, says Neal Hartsell, TippingPoint's vice president of marketing. TippingPoint is a division of 3Com.
"Customers are looking for an inline device that actively takes malicious traffic out of their network--plain and simple," he says. "Customers come to us and say they want the traffic removed in a transparent way that doesn't affect network infrastructure or user connectivity."
According to the vendor's Web site, TippingPoint IPS provides application, performance and infrastructure protection at gigabit speeds through total packet inspection. Application protection capabilities provide fast, accurate, reliable protection from internal and external attacks. The product is designed to protect VoIP infrastructure, routers, switches, DNS and other critical infrastructure from targeted attacks and traffic anomalies.
The system is built upon TippingPoint's Threat Suppression Engine (TSE)--a hardware-based intrusion prevention platform consisting of state-of-the-art network processor technology and TippingPoint's custom ASICs. The TSE architecture utilizes a 20-Gbps backplane and high-performance network processors to perform total packet flow inspection at Layers 2-7. Parallel processing ensures that packet flows continue to move through the IPS with a latency of less than 84 microseconds, independent of the number of filters applied.
SILVER | Symantec Network
Security 7100 Series
The silver medal is readers' sendoff for the Symantec Network Security 7100 Series intrusion prevention appliances. Symantec announced last year it was getting out of the appliance business; through a partnership with Juniper, Syman-tec will provide IPS signatures for Juniper UTM boxes.
The appliance, powered by Symantec's Intrusion Mitiga-tion Unified Network Engine (IMUNE), combines protocol anomaly, signature, statistical and vulnerability attack interception techniques to keep known and unknown attacks from spreading throughout networks. Symantec says the appliance requires no network reconfiguration and supports aggregate network bandwidth from 50 Mbps to 2 Gbps to meet deployment needs at branch offices, distribution sites and the network core.
BRONZE | Juniper Networks IDP
Juniper Networks' Intrusion Detection and Prevention (IDP) is an inline appliance, and readers praised its low rate of false positives. Juniper says its IDP targets vulnerabilities, not attacks, in warding off zero-day attacks and known worm, Trojan and spyware attacks.
The device also provides information on rogue servers and applications that may have been unknowingly added to the network. Administrators can have the Juniper Networks IDP enforce application usage policies or check if the resource usage meets desired application policies. A centralized, rule-based management approach offers granular control over the system's behavior with access to extensive auditing and logging, and fully customizable reporting.
The Juniper Networks IDP product line includes Juniper Networks IDP 50, 200, 600 and 1100 for small to large enterprises.
In the trenches
The trouble within
IT pros have two big headaches when it comes to intrusion defense--getting support from upper management and getting users to clean up their computing habits.
Ask IT professionals which intrusion defense challenges keep them awake at night and few will mention the performance of their IDS or IPS devices or the tenacity of remote hackers.
Sure, for some users, headaches abound when it comes to their IDS devices giving off false positives and needing too much configuring. Dave Bixler, CISO for Siemens Business Services, says it was too much trouble tuning his IDS and babysitting it 24/7 to ensure it was properly monitoring everything. So he outsourced those tasks to a MSSP.
"We cured our pain points by passing the buck," Bixler jokes. "We decided to do this because of our earlier experiences with IDS/IPS, the expertise required to adequately tune it and the need for 24/7 monitoring, plus the added overhead of proving to auditors that we responded to every alert made."
For most IT security pros, however, the biggest obstacles to an adequate intrusion defense don't come from imperfections in their IDS or IPS. They come from executives who don't always understand the need for security investment or employees whose computing habits make it easier for the bad guys to steal sensitive data.
Of 307 IT professionals who took a SearchSecurity.com survey on intrusion defense early last year, 50 percent cited a lack of upper management support as a problem, while 71 percent cited cash constraints. Jon Payne, vice president of IT at Wild Oats Markets, and other IT professionals have found that top brass can be won over by explaining how certain investments and policies could boost regulatory compliance efforts and prevent a headline-grabbing security breach.
Dealing with the rest of the workforce is another matter. They may leave USB keys with sensitive data in hotel rooms and airplanes, lose laptops, or open malicious attachments.
To deal with that problem, Bixler and other IT professionals rely on user education programs and an array of security devices--everything from IDS and IPS to antivirus software and firewalls, content-scanning filters and vulnerability management tools. That way, if an intruder punches through one end of the network, he can be stopped by devices and procedures deployed in other parts of the network.
City of North Vancouver IT manager Craig Hunter agrees user education is important. But he says the average employee will never become an infosecurity expert. That's why good security technology is important.
"The best you can do is embed security into systems so the users don't see it," he says. His philosophy: "Make it easier for users to do it right than to do it wrong."
- Magic Quadrant for Intrusion Detection and Prevention Systems –Alert Logic
- Basefarm: Scaling Intrusion Detection Systems with Big Monitor Fabric –Big Switch Networks
- 100G+ IDS/IPS Solutions that Enable Monitoring –ADLINK Technology
- App-ID Tech Brief: Traffic classification that identifies applications ... –Palo Alto Networks