Juniper, Cisco all-in-1 devices hit on intrusion-prevention

Security purists will be happy with configurability and control features

Architecturally, Secure Computing has the right idea, however, because you can define sets of signatures and apply them on a rule-by-rule basis. Unfortunately, the management controls in the version shipping today need so much work that the Sidewinder can't be considered seriously as an enterprise-class IPS at this juncture.

The IPS implementations found in the Fortinet FortiGate 3600A, SonicWall Pro 5060 and WatchGuard Firebox Peak X8500e are more appropriate for the small-to-midsize business market. All three have a general lack of configuration capability. For example, the FortiGate 3600A has every signature enabled or disabled systemwide, and there are no capabilities to handle signatures as groups. As with other Fortinet advanced features, the only way to get to some parts of the IPS, such as adding trusted IP addresses to certain signatures, is via the CLI. In our testing, we were not able to create different server-protective and client-protective profiles in the FortiGate 3600A or the SonicWall Pro 5060 without investing what we considered to be unrealistic amounts of time in understanding and manually enabling or disabling thousands of signatures.

WatchGuard's Firebox Peak X8500e comes closest of these three to heading in the right direction, with very coarse, predefined "server," "client" and "both" profiles that can be applied on a per-rule basis. However, enterprise managers looking for greater configuration control will be just as quickly frustrated, because the Firebox Peak doesn't have those controls.

IBM/ISS' Proventia MX5010 was the top scorer in client and server scenarios, catching more of the attacks we threw at it than any other product, in most cases by a very wide margin. With a 75% catch rate in client attacks and a 44% catch rate in server attacks using default settings, the Proventia has strong IPS coverage for the tests we used. Juniper's ISG-1000 fell just below the Proventia, catching as many of the server attacks when set to default settings, but not as many client attacks.

When looking at client-protective IPS features, WatchGuard slipped in just below Juniper's ISG-1000, and the Check Point platforms, Secure Computing and SonicWall performed solidly as well. For server-protective IPSs, Astaro Internet Security's ASG 425a fell in just below Juniper's ISG-1000 and the IBM/ISS Proventia MX5010.

One interesting result came out of testing the Sidewinder and ISG-1000 firewalls with no IPS features turned on. Secure Computing has long promoted its proxy architecture as more secure than the packet filtering used by such vendors as Check Point, Cisco and Juniper. Our IPS tests don't support that claim. We tested the Sidewinder 2150D with proxies only and no IPS, then compared it with a Juniper firewall with no IPS enabled.

We found the Sidewinder proxies without IPS are no more effective at blocking attacks than a packet-filtering firewall without IPS. The Sidewinder blocked 7% of client attacks and 14% of server attacks; the packet-filtering Juniper firewall blocked 5% of client attacks and 17% of server attacks.

Sidewinder may offer additional security in some areas, but the proxies are no substitute for an IPS.
