We installed two IPS sensors within our production network, one based on Sourcefire hardware and one based on Nokia hardware. Because each sensor had multiple interface pairs, we ran two separate IPS engines and two IDS engines, as well as Realtime Network Awareness (RNA) on multiple interfaces and Realtime User Awareness (RUA). We also sent NetFlow information from Cisco routers to the 3D System for some WAN network segments that could not be monitored any other way.
These two sensors fed into a Sourcefire Defense Center 1000, the central management console. We used the Defense Center for at least 10 hours a week over a one-month period, tweaking policies, analyzing events and verifying the correct operation of RNA and RUA.
We also used the compliance tools within the Defense Center to generate events and alarms based on IPS, RUA and RNA event data.
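The value of feeding IPS, RNA and RUA data into one console is that an alert can be judged against what is actually known about the target host and the user behind the source address. The following is an added illustration of that idea, not Sourcefire's compliance engine or any code from the product: the host inventory, user mapping, signature metadata and events are all constructed, and the rule logic (an impact classification plus a simple unapproved-service check) is this example's own.

```python
"""Added example: correlate IPS events with passively learned host data (RNA-style)
and user-to-address mappings (RUA-style) to decide which events deserve an alarm.
Everything here is constructed sample data; the rules are illustrative only."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Host:
    ip: str
    os_family: str          # what passive discovery believes the host runs
    services: Dict[int, str]  # listening port -> service name


@dataclass
class IpsEvent:
    src: str
    dst: str
    dport: int
    sig_name: str
    target_os: str          # OS family the signature's exploit actually affects
    target_service: str     # service the exploit actually targets


# Constructed asset inventory, as an RNA-style passive discovery tool would record it
HOSTS: Dict[str, Host] = {
    "10.0.1.10": Host("10.0.1.10", "windows", {80: "http", 445: "smb"}),
    "10.0.1.20": Host("10.0.1.20", "linux", {22: "ssh", 80: "http"}),
}

# Constructed user-to-address mapping, as an RUA-style source would supply it
USERS: Dict[str, str] = {"10.0.2.5": "jdoe"}

# Constructed policy: services approved for this network segment
ALLOWED_SERVICES = {"http", "ssh"}

# Constructed IPS events; signature names are placeholders, not real rule names
SAMPLE_EVENTS: List[IpsEvent] = [
    IpsEvent("10.0.2.5", "10.0.1.10", 445, "EXAMPLE-SMB-OVERFLOW", "windows", "smb"),
    IpsEvent("10.0.2.5", "10.0.1.20", 80, "EXAMPLE-IIS-OVERFLOW", "windows", "http"),
    IpsEvent("203.0.113.7", "10.0.1.20", 8080, "EXAMPLE-HTTP-TRAVERSAL", "linux", "http"),
    IpsEvent("203.0.113.7", "10.0.1.99", 80, "EXAMPLE-HTTP-TRAVERSAL", "linux", "http"),
]


def impact(evt: IpsEvent, hosts: Dict[str, Host]) -> str:
    """Classify an event by whether the attacked host is actually exposed to it."""
    host = hosts.get(evt.dst)
    if host is None:
        return "unknown_host"            # nothing known; cannot rule it in or out
    if host.os_family != evt.target_os:
        return "not_vulnerable_os"       # exploit cannot affect this platform
    if host.services.get(evt.dport) != evt.target_service:
        return "service_not_present"     # nothing listening that matches the exploit
    return "potentially_vulnerable"


def correlate(events: List[IpsEvent], hosts: Dict[str, Host],
              users: Dict[str, str]) -> List[dict]:
    """Raise an alarm only for events whose target looks genuinely exposed,
    and attach the user behind the source address when one is known."""
    alarms = []
    for evt in events:
        if impact(evt, hosts) == "potentially_vulnerable":
            alarms.append({
                "signature": evt.sig_name,
                "attacker": evt.src,
                "user": users.get(evt.src),   # None if no user mapping exists
                "victim": evt.dst,
                "port": evt.dport,
            })
    return alarms


def compliance_violations(hosts: Dict[str, Host],
                          allowed: set) -> List[Tuple[str, int, str]]:
    """Compliance-style rule over discovery data alone: report any host
    running a service that policy does not approve for this segment."""
    return [(h.ip, port, svc)
            for h in hosts.values()
            for port, svc in sorted(h.services.items())
            if svc not in allowed]


if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(f"{evt.sig_name:26} {evt.dst}:{evt.dport:<5} -> {impact(evt, HOSTS)}")
    print("alarms:", correlate(SAMPLE_EVENTS, HOSTS, USERS))
    print("compliance violations:", compliance_violations(HOSTS, ALLOWED_SERVICES))
```

Of the four constructed events, only the SMB one reaches a Windows host with SMB listening, so it is the only one promoted to an alarm, and the RUA-style mapping names the user behind the source address. The compliance check flags the unapproved SMB service on 10.0.1.10 from discovery data alone, with no IPS event needed.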
To test IPS coverage, we used the Mu-4000 Security Analyzer appliance, an attack generation and reporting tool, from Mu Security. For the Mu-4000 testing, we focused on published vulnerability attacks. We wanted to compare performance between this IPS and other IPSs we had tested with the Mu-4000 in a recent UTM firewall test, so we used the same methodology as in the UTM firewall test.
We broke up our testing into two directions: client to server, and server to client, as an IPS is generally either protecting end users or servers, but seldom both at the same time. In the end user case, the IPS is programmed to protect users who are browsing the Internet or downloading files, and thus, are susceptible to certain types of attacks focused on client applications, such as Web browsers and PDF readers. In the server case, the IPS is programmed differently, protecting Web, e-mail and other types of servers against attacks initiated by malicious users.
Sourcefire offers three levels of IPS profile: a conservative one, a balanced one and an aggressive one. After three weeks of testing in our production network, we determined that the false positive rate on the aggressive policy was low enough that most network managers will want to start with this policy. We used the recommended aggressive policy, then tested using the Mu-4000 to see the percentage of attacks blocked by the IPS. The client profile had approximately 400 attacks, while the server profile had approximately 500.