Client-protective IPS
With client-protective IPS, there are fewer attacks, but you have to look at the full data stream to find them. For example, if you're looking for an image buffer-overflow attack, that could be at the front, middle or end of the image.
We discovered, with one notable exception, a massive variation in how fast or slow each device ran with IPS turned on. The astonishingly fast exception was the IBM/ISS Proventia MX5010, which handled IPS at just less than 1Gbps in the only configuration it had -- "on."
For all the others, however, the choice of profile makes a huge difference. The IBM System x3650 running Check Point's firewall blew past everything (except Proventia) in the server-protective scenario, turning in a blistering 816Mbps. But when we put everyone into client-protective configurations, Fortinet's FortiGate 3600A and Secure Computing's Sidewinder 2150D led the pack after Proventia, with performances of 624Mbps and 581Mbps respectively.
It is important to note that Check Point asked us to configure the UTM-1 2050 appliances and the Nokia IP290 appliances in active/active mode. All other devices were configured in active/passive mode. This means that the performance numbers reported for these appliances are higher than they would have been in a more traditional active/passive configuration.
Because Check Point and its partners submitted four separate platforms running what was essentially the same software, we allowed this slightly irregular configuration to help show the different options that are available from Check Point's partners.
Security vs. speed
You can easily build an IPS that runs really fast if you don't care how many attacks it blocks or how many false positives it throws. We used Mu Security to help normalize the IPS performance numbers. With the Mu-4000 appliance, we could get a very rough comparison of the ability of each IPS to block attacks.
To generate our scorecard values, we took the speed of the IPS and scaled it by how effectively the IPS blocked attacks. Thus, an IPS that ran at 750Mbps but blocked 10% of attacks was given a lower score than an IPS that ran at 250Mbps but blocked 50% of attacks. Going fast is good, but our scoring favors devices that catch a greater number of attacks.
Again, the Proventia MX5010 turned in such astoundingly good results that we captured a number of packet traces to verify that something wasn't wrong with our configuration. When normalized performance was taken into account across client and server profiles, the MX5010's score was three times higher than that of the next platform (Juniper Networks' ISG-1000). As a superfast, superaccurate IPS, nothing in our testing came close to the Proventia MX5010.
Overall testing showed that while there can be a significant drop in performance when IPS is enabled, careful choice which traffic should be scanned and which signatures are enabled -- along with the right piece of hardware -- lets an IPS and firewall be collocated.
High performers here include Fortinet's FortiGate 3610A, the IBM System x3650 with Check Point's VPN-1 running, Juniper's ISG-1000 with its integrated IPS blade, IBM/ISS' Proventia MX-5010, Secure Computing's Sidewinder and SonicWall's Pro 5060. Also, Check Point's UTM-1 2050 and Juniper's SSG-520M both hit 200Mbps and 400Mbps respectively, as long as we used server-protective IPS signatures.