Price: $2,495 to $57,995
Lucid Security's ipAngel goes far beyond standard IPS fare, integrating intrusion prevention, vulnerability assessment, port scanning and firewalling in a single box.
Beyond the value of an integrated security appliance, the combination of capabilities in the newest ipAngel release (4.0) reduces false alarms, issuing alerts only against vulnerable machines.
For example, a Windows Server 2000 exploit is irrelevant if the port scan discovery shows only Windows 2003 Server devices on your network, or the vulnerability scanner shows that your 2000 boxes are patched.
ipAngel is capable of stopping a wide array of attacks. It is supported by LucidWatch, Lucid's expert security team, which researches the latest vulnerabilities and exploits, and creates detection and assessment signatures that are released daily.
We set up a mid-range 400 appliance inline on our test network without any fuss, simply by supplying the administrative interface with an IP address. System discovery is performed by port scans, which can be configured to cover common ports, run a full port scan or run a custom scan.
ipAngel's Nessus-based vulnerability scanner can be customized to scan entire networks, groups of machines or single devices. Our test scan successfully detected the known vulnerabilities present in our lab, which included Windows 2003, UNIX and Linux machines, all in various stages of patching. ipAngel produced a low number of false positives, a significant point for intrusion detection, but vital for intrusion prevention--the last thing you want is your device to mistakenly block legitimate traffic.
At this point, the device was auto-tuned, having learned the devices and vulnerabilities on the network and activated the applicable signatures. For those wary of letting the device make these decisions automatically, manual tuning of both the firewall and detection functions is easy.
We also liked the ability to delegate mitigation tasks by assigning assets to the appropriate network and/or support personnel, and alerting them via e-mail when vulnerabilities are discovered. This frees up the overtaxed security staff.
Rules for the Snort-based IPS are flexible and can be set to pass traffic, pass but alert, or drop, depending on user confidence in the detection.
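The correlation described above (discovery and scan results deciding which signatures apply, then a per-rule pass, alert or drop action) can be sketched as follows. This is an added example, not ipAngel's code; the class names, signature IDs, vulnerability IDs and addresses are constructed, and treating a match against a non-vulnerable host as a silent pass is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    os: str                  # learned from discovery
    open_ports: set          # learned from the port scan
    unpatched: set = field(default_factory=set)  # findings from the vulnerability scan

@dataclass
class Signature:
    sid: str
    target_os: str
    port: int
    vuln_id: str
    action: str              # "pass", "alert" or "drop" when the signature applies

def tune(hosts, signatures):
    """Auto-tuning step: map each signature to the hosts it is relevant for.
    A signature with no vulnerable target is left inactive."""
    active = {}
    for sig in signatures:
        targets = {h.ip for h in hosts
                   if h.os == sig.target_os
                   and sig.port in h.open_ports
                   and sig.vuln_id in h.unpatched}
        if targets:
            active[sig.sid] = targets
    return active

def decide(sig, dst_ip, active):
    """Action for a signature match on traffic bound for dst_ip."""
    if dst_ip in active.get(sig.sid, ()):
        return sig.action    # vulnerable target: apply the configured action
    return "pass"            # assumption: irrelevant match, no alert, no block

# Constructed sample inventory and signatures (hypothetical IDs).
HOSTS = [
    Host("10.0.0.5", "windows-2000", {135, 445}, {"VULN-A"}),  # unpatched
    Host("10.0.0.6", "windows-2000", {135, 445}),              # patched
    Host("10.0.0.7", "windows-2003", {445}),
]
SIGS = [
    Signature("SIG-1", "windows-2000", 445, "VULN-A", "drop"),
    Signature("SIG-2", "linux", 22, "VULN-B", "alert"),        # no matching host
]

if __name__ == "__main__":
    active = tune(HOSTS, SIGS)
    for host in HOSTS:
        print(host.ip, decide(SIGS[0], host.ip, active))
```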
IPS performance was excellent, stopping our repertoire of attacks even under heavy network load and leaving no doubt about the advertised 400 Mbps throughput. The appliance provides failover through bypass NICs, as well as load balancing for multiple boxes. Our only issue with the box itself was the noisy cooling fan.
ipAngel is available in five models, from the 10 Mbps ipAngel 10 to the 1.2 Gbps 1200. A 2 Gbps appliance is scheduled for later release.
The Web interface is generally clean and easy to navigate, considering the amount of information. However, the system page is somewhat cluttered and would be improved with the type of tabs we saw in other pages.
A large number of canned reports allow managers to view such items as most recent attacks over a specified time period, and the number of events from within the last hour to the last month. Reports can be exported in CSV format.
ipAngel is a cleverly integrated package that will help stop exploits at your perimeter and assess the security of your network, as well as perform basic firewalling and access controls. It's an attractive combination at a good price.
This product review originally appeared in the February 2006 issue of Information Security magazine.