It has been just over 12 months since we last looked at network Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS). There have certainly been some changes since then. The most obvious are in the command and control capabilities.
Contents
Introduction
CyberGuard SG710
Fortinet Fortigate 200A
Juniper IDP 200
SonicWALL 5060
WatchGuard X1000
Tier-3 Huntsman
Specifications
How we tested
Test Analysis
Editor's choice
About RMIT
Intrusion Detection Systems came first, originally as signature-oriented systems that compared the network traffic flowing past the point where the device was placed against a database of known attack signatures. Usually deployed in a transparent or bridged mode, this form of IDS only logged and alerted security administrators/operators about suspected intrusions; the rest was hard manual labour -- searching through the neck-high log of information, often down to the individual packets.
There was also a notoriously high number of false positives. In an IPS environment, signature-detected traffic can trigger a number of responses, from dropping the connection to redirecting the flow to a honeypot system.
The majority of IPSes these days can be configured in virtually unlimited ways, enabling them to be tailored to fit their intended environments. This ranges from basic external IDS functionality through to detecting new threats both externally and internally. Some IPSes now incorporate technologies that attempt to detect anomalies in the traffic passing through them. These anomalies can be treated in a similar way to signature-detected traffic.
Issues with both IDSes and IPSes revolve around false positives, overwhelming amounts of logged data, and performance. If IDS/IPS devices are incorrectly matched to the network environment they can form bottlenecks in the data traffic. If insufficient redundancy/failover is built into the deployed IDS/IPS systems, they may fail closed when faults or errors occur; being bridge devices, this typically cuts off all network traffic. Naturally, the more policies, rules, and logging the systems are expected to keep up with, the more strain is placed on their ability to perform at high speed. The moral here is to test, plan, and even consider over-specifying the equipment to ensure no issues are encountered down the track.
Multiple sensors deployed at logical points around the network assist enterprises in reducing these performance issues and bottlenecks as well as enable external and internal traffic monitoring. Some vendors have a whole family of sensors that cater for different network sizes and environments. For example, a remote office with 30 workers can have a smaller sensor than their corporate headquarters that has 1000 workers and requires several large sensors. The best news is that centralised and remote management of most of these devices has become well refined -- most medium-to-large IDP deployments, particularly those covering diverse geographical locations, would send their logs to a central server.
IPS/IDS systems can come as software solutions, as dedicated appliances, or integrated into other security appliances such as gateway devices or firewalls. The latter are commonly known as Unified Threat Management (UTM) appliances.
This review deals with the hardware side of the equation, namely dedicated IPS sensors/solutions and integrated security appliances or UTMs that have some level of IDS or IDP options. Vendors who submitted appliances in this review were: SonicWALL, CyberGuard, Fortinet, Juniper, and WatchGuard.