IDS (intrusion detection system) products have been undergoing a renaissance of late. By incorporating application-layer packet-filtering capabilities, they are evolving to provide more than just notification of potential security threats.
The acronyms related to intrusion detection and prevention are gaining significant ground in IT mindshare; discussions of IDS vs IDP (intrusion detection and prevention), and the benefits and detriments of HIP (host-based intrusion prevention) can be heard the world over. Products such as the NetScreen Technologies’ IDP-100 continue to blur the lines marking the difference between the firewall and the intrusion prevention device.
Rather than simply monitoring traffic, the IDP-100 sits between the firewall and the internal network, permitting or blocking packets passed through the device based on known signatures. This is the clear difference between IDS and IDP. The NetScreen IDP-100 fared well in our testing, proving that overall, it lives up to its billing.
On the inside
NetScreen leverages Linux and Dell Computer hardware in the IDP-100, which is essentially a Dell 1650 with a PIII 1GHz processor, 1GB RAM, and a single 18.2GB SCSI drive. The IDP-100 runs a customised version of Red Hat Linux 7.2, with the ability to handle logging functions locally or on a separate Linux or Solaris 8/9 system. The solution can be run with a single interface, which limits the unit to pure IDS functionality; it functions as intended when run in-line, thereby providing the P in IDP.
The IDP-100 is a fail-closed architecture, so NetScreen offers a $995 Bypass Unit to enable fail-open functionality. While it’s fortunate that the Bypass Unit is available, such a critical feature should really be included in the package. NetScreen also offers a $US2995 RAID-1 option, which seems a bit pricey.
The IDP-100 is limited to 100Mb throughput, with three 10/100 interfaces on the system. A standard deployment uses two interfaces as forwarding interfaces, with the third as a management interface. All the interfaces are capable of any function, however. NetScreen offers both a little and big brother to the IDP-100 in the IDP-10 and IDP-500. The IDP-10 has a 20Mb maximum throughput limit, and the IDP-500 functions at gigabit speeds.
The IDP-100’s Java-based management console is available for Linux or Windows and is identical on both platforms. The console communicates with the sensor and logging server to display log data and configure the policies applied to the sensor. The management interface is laid out well, mimicking Microsoft’s Management Console. It isn’t until you dig into the full range of capabilities, however, that the IDP-100 really shines.
I threw several thousand attacks at systems behind the IDP-100 and watched the management console’s dashboard display relevant information on the type and scope of the attacks. Digging into the log files, I was presented with volumes of data, but they were arranged in an orderly, logical layout. Marking events as false-positives, a very important capability of IDP/IDS solutions, was simple. During my first glance at the management GUI, I perused the built-in signature database in the management console. The range of applications represented is quite large, and I found many common application signatures, from AIM to Kazaa, and an impressively wide variety of attack signatures. Signature updates are applied by simply selecting a menu item in the management console.
The configuration is policy-based and rules can be defined to match a single host, a group of hosts, or the whole network. Additionally, every rule can trigger a variety of events, including e-mail alerts, SNMP trap generation, and even the invocation of custom Perl or shell scripts.
The IDP-100 also features a honeypot capability that impersonates IP services to a host scanning the network and sabotages the results of the scan. Also included are several very handy command-line utilities that show real-time traffic and attack statistics.
Getting down to business
Although NetScreen provided a default policy, I created a new one that included protections against several well-known worms, such as SQL Slammer and Nimda, protection for IIS and Apache Web servers, and a host of lower-level exploits. The policy also contained rules to capture and drop packets that matched signatures used by the Gnutella and Kazaa peer-to-peer file-sharing protocols and instant-messaging applications such as AIM, Yahoo Messenger, and ICQ.
The IDP-100 dutifully blocked all of my chat sessions and it was no longer possible to exchange files with Kazaa or Gnutella. Applications such as these that use port 80 or port hopping to dance around normal layer-4 firewalling have been the bane of many a firewall administrator; this functionality alone could make the IDP-100 a worthwhile investment for many organisations.
Another intriguing feature of the IDP-100 is its capability to generate custom signatures. For example, it’s possible to implement a policy that blocks all packets to a particular Web server or a group of Web servers based on a string in the HTTP header referrer field.
As with all policies, the action taken when the signature is matched ranges from dropping the packet to closing the connection. Another use could be to block the file-sharing aspects of certain instant-messaging protocols while allowing chat sessions to function undisturbed.
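To make the custom-signature idea concrete, here is an added example (not NetScreen's code, and not the IDP-100's actual signature syntax, which this review does not describe) of a minimal in-line rule matcher in Python. It models the three things the review mentions: rules scoped to a host, a group of hosts or the whole network; a custom signature on the HTTP Referer header (the header the review calls the "referrer field"); and a per-rule action of drop or close plus an optional notification hook standing in for the e-mail, SNMP-trap or script triggers. The host ranges, header values, hostnames and the "ExampleP2P" user-agent string are constructed sample data.

```python
"""Toy in-line signature matcher for HTTP requests (illustration only)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Action = str  # "drop" (silently discard) or "close" (tear the connection down)


@dataclass
class Rule:
    name: str
    targets: List[str]      # destination CIDR blocks; "0.0.0.0/0" = whole network
    header: str             # HTTP header name to inspect (case-insensitive)
    pattern: str            # regex applied to the header value
    action: Action
    on_match: Optional[Callable[[str, Dict[str, str]], None]] = None


def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Return the request line plus lowercased header names of an HTTP/1.x request."""
    text = raw.decode("latin-1", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {"request": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def applies_to(rule: Rule, dst_ip: str) -> bool:
    """True if the destination address falls inside one of the rule's target ranges."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in rule.targets)


def evaluate(policy: List[Rule], dst_ip: str, raw: bytes) -> Tuple[Action, Optional[str]]:
    """First matching rule wins; traffic that matches nothing is allowed through."""
    headers = parse_http_headers(raw)
    for rule in policy:
        if not applies_to(rule, dst_ip):
            continue
        value = headers.get(rule.header.lower())
        if value is not None and re.search(rule.pattern, value):
            if rule.on_match:
                rule.on_match(rule.name, headers)
            return rule.action, rule.name
    return "allow", None


def build_policy(alert_log: List[str]) -> List[Rule]:
    """Two constructed rules: a scoped Referer signature and a network-wide UA signature."""

    def notify(rule_name: str, headers: Dict[str, str]) -> None:
        # Stand-in for the e-mail / SNMP trap / custom-script hook a rule can trigger.
        alert_log.append(f"{rule_name}: {headers['request']}")

    return [
        # Drop requests to the web-server group 10.0.0.0/24 whose Referer names a
        # constructed unwanted site; other destinations are untouched by this rule.
        Rule("block-referrer", ["10.0.0.0/24"], "Referer",
             r"bad-referrer\.example", "drop", on_match=notify),
        # Close connections anywhere on the network from a constructed P2P client
        # that tunnels over port 80 and therefore looks like ordinary web traffic.
        Rule("close-p2p-over-80", ["0.0.0.0/0"], "User-Agent",
             r"^ExampleP2P/", "close"),
    ]


# Constructed sample requests (destination IP, raw request bytes).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Referer: http://bad-referrer.example/landing\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),            # in scope -> drop
    ("10.0.1.5", b"GET /index.html HTTP/1.1\r\nHost: other.example.com\r\n"
                 b"Referer: http://bad-referrer.example/landing\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),            # out of scope -> allow
    ("10.0.0.5", b"GET /search?q=x HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: ExampleP2P/1.0\r\n\r\n"),         # P2P client -> close
    ("10.0.0.5", b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Referer: http://www.example.com/\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),            # clean -> allow
]


def run_demo() -> Tuple[List[Tuple[Action, Optional[str]]], List[str]]:
    """Evaluate the sample traffic and return (verdicts, alerts raised)."""
    alerts: List[str] = []
    policy = build_policy(alerts)
    verdicts = [evaluate(policy, ip, raw) for ip, raw in SAMPLE_TRAFFIC]
    return verdicts, alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    for (ip, _), verdict in zip(SAMPLE_TRAFFIC, verdicts):
        print(ip, verdict)
    print("alerts:", alerts)
```

The matcher keys off a single header, which is enough to show how a Referer-based signature and a host-group scope interact; a real in-line device would also reassemble TCP streams and handle request bodies before applying signatures, otherwise a request split across segments would slip past a byte-pattern match.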
The IDP-100 performed very well during testing; it passed traffic at wire rate with a 256-signature policy applied, even while running the management server locally. The unit stopped all attacks that matched the applied signatures, with the obvious caveat that the unit cannot stop an attack for which no signature exists.
Throughput under load dropped an average of 0.5Mbps when the unit was configured as a router, but had nearly no impact when functioning in bridging or proxy-ARP modes. Latency testing showed an average increase of 0.23 milliseconds at idle, and 0.67 milliseconds under heavy load.
IT shops both large and small can derive concrete benefits from IDP, and NetScreen has delivered solid performance and value in the IDP-100.
Intrusion protection systems are newcomers on the security scene, and somewhat of a challenge to test. I was primarily concerned with initial setup, ease of configuration and administration, throughput and latency under load, and of course the performance of the unit when under attack.
To test the network performance of the IDP-100, I first measured throughput and latency to several Windows, Linux and Solaris servers without the unit, then placed the unit in-line — bridging, routing, and configured to proxy ARP requests — and measured again. Following this baseline, I used Nessus and Nmap to throw thousands of attacks at the servers behind the IDP-100 while running constant 100Mb TCP and UDP streams through the device. I also took the IDP-100 out of the lab and placed it in-line on a production network, monitoring its performance and event logging over a two-day period.
Perhaps the most important aspects of an intrusion protection system are administration and manageability. These are also some of the most subjective elements of testing. I perused the configuration options from stem to stern, looking for weaknesses in policy generation, signature validity, signature creation and logging, but also to get a good feel of the management console layout and function. The management console was tested on both Windows and Linux, with both interfaces used alternately throughout the tests. NetScreen in Australia can be reached on (02) 9959 2220.