Intrusion Prevention Systems Getting Better

Sunday, January 30, 2011

Bill Gerneglia

Article by Mark Henricks

Today’s intrusion prevention systems are doing a significantly better job of blocking hackers from corporate networks than they were as recently as a year ago, according to a new study.

But some products from major vendors still fare poorly in intrusion tests, and the improved security has come at the expense of performance.

These results come from the latest Network Intrusion Prevention System Comparative Group Test Report by independent security testing organization NSS Labs, which was released Jan. 10. During the last quarter of 2010, NSS examined 13 IPS products from leading vendors.

Products tested included Check Point Power-1 11065, Cisco IPS 4260, Endace Core-100 (IDS), Fortinet Fortigate 3810, IBM GX6116, Juniper IDP 8200, Juniper SRX 3600, McAfee M-8000, NSFOCUS NIPS 1200, Palo Alto Networks PA-4020, Sourcefire 3D 4500, Stonesoft IPS 1205, and Stonesoft IPS 3205.

The products were subjected to 1,179 enterprise-class exploits using NSS’s testing methodology. Each product was first tested with its default or “recommended” settings, and then again after it had been further tuned by a representative of the vendor.

None of the vendors were charged for the tests. NSS is selling an analysis and report of the results for $1,800 but made public some highlights. They include:

- On average, the security effectiveness of the devices as a group improved to 62 percent when tested with their default settings.

- Some systems using default settings tested as low as 31 percent effective, meaning that tuning factory-default settings is crucial for most solutions.

- Several products still failed anti-evasion testing, which NSS Labs said meant there were “gaping holes in defenses.”

- The performance of the IPS devices has declined. One achieved just 3 percent of claimed throughput, NSS said.

According to CSO Online, with default settings the McAfee M-8000 scored highest at 92 percent effectiveness, while the IBM GX6116 was worst at 31 percent. After tuning, Sourcefire’s 3D 4500 topped the scores at 98 percent, and the Endace Core-100 was least effective at 43 percent.

Overall, the testing organization said, some of the multifunction gateways for the first time provide credible alternatives to stand-alone IPS products for mid-market deployments. The last time the company tested such products, at the end of 2009, the group of seven vendors included TippingPoint; this time, however, the HP subsidiary declined to participate, according to published reports.

“Cyber criminals have all the time in the world to plan and attempt attacks. Our data and analysis are based on multiple man-years of complex, real-world testing that mimic how cyber-criminals are working to penetrate corporate defenses,” said Rick Moy, president of NSS Labs.

“This report answers the critical questions on product capabilities and limitations that enterprises cannot answer without great effort and investment in time, equipment, and specialized expertise.”

Cross-posted from CIO Zone
