Juniper, Cisco all-in-one devices hit on intrusion-prevention controls

By Joel Snyder
Network World, November 12, 2007


Juniper Networks' ISG-1000 and Cisco's ASA5540 with its add-on SSM-20 IPS module offer no-compromise IPS products that will make the security purist happy with their configurability and control features.

We rank the ASA5540 slightly behind the ISG-1000, because of Cisco's fairly loose link between firewall policy and IPS policy. Although Cisco has made enormous strides in its management with the release of Cisco Security Manager, the firewall and IPS are not as integrated as they should be. For example, you can't apply different policies to different streams of traffic (such as internal-to-external and internal-to-internal). Only a single policy applies to the IPS. With a new feature called "virtual sensor," you can create multiple policies, but these are applied to virtual LANs or interfaces and still don't match up to the firewall policy.

One of the most interesting IPS implementations tested was IBM Internet Security Systems' Proventia MX5010, because it came to the UTM space as an IPS first, a firewall second. While the Proventia has every bit of IPS configurability stripped out of it -- you essentially get two check-boxes in the GUI to turn IPS on or off for all interfaces, all traffic, all the time -- our test results show that this black-box IPS blocks more bad traffic than any other tested.

With the optional SiteProtector management appliance, you do get all of the powerful IBM/ISS IPS and IDS forensics and reporting tools. This creates a strange dichotomy: an almost unmanageable IPS that does a great job. Our fear, though, is that enterprise network managers won't be happy with this level of configuration, because as soon as a false positive shows up, the IT reaction to the Proventia MX5010 configuration goes from "wow" to "you've got to be kidding." IBM/ISS has taken a branch-office UTM and scaled the performance up to astonishing highs, but hasn't scaled the management and control up to enterprise standards.

Applying rules to traffic flows

In a UTM firewall that mediates internal and external communications, or even just protects user networks and a demilitarized zone or service network, having different policies for Web clients and Web servers seems an obvious requirement. While some of the IPS implementations let you define specific addresses to be protected by each signature, the burden of doing that for hundreds or even thousands of signatures is obscenely high and we didn't consider that a realistic alternative to having multiple policies.

Juniper's ISG-1000 and SSG-520M have a tight linkage between firewall policy and different IPS policies, as does the WatchGuard Firebox. For example, when each firewall policy rule in the Juniper ISG-1000 is created, the rule can specify whether this traffic also is sent to the IPS. Then, at the IPS each traffic flow can select a different set of IPS signatures to apply. The other firewalls we looked at don't offer that flexibility about linking rules to traffic flows.

Secure Computing's Sidewinder does support different IPS policies in different zones. The Sidewinder got its IPS capabilities only in the latest version of its software -- so recent that for our initial tests, Secure Computing had to fix bugs in the firewall to get the IPS to detect and block attacks. The GUI used in this version to manage the IPS is extremely weak. To see any information about a signature, you have to log on using the command-line interface (CLI), navigate to a directory on the firewall and look at a file where the signatures are stored.

Architecturally, Secure Computing has the right idea, however, because you can define sets of signatures and apply them on a rule-by-rule basis. Unfortunately, the management controls in the version shipping today need so much work that the Sidewinder can't be considered seriously as an enterprise-class IPS at this juncture.

The IPS implementations found in the Fortinet FortiGate 3600A, SonicWall Pro 5060 and WatchGuard Firebox Peak X8500e are more appropriate for the small-to-midsize business market. All three have a general lack of configuration capability. For example, the FortiGate 3600A has every signature enabled or disabled systemwide, and there are no capabilities to handle signatures as groups. As with other Fortinet advanced features, the only way to get to some parts of the IPS, such as adding trusted IP addresses to certain signatures, is via the CLI. In our testing, we were not able to create different server-protective and client-protective profiles in the FortiGate 3600A or the SonicWall Pro 5060 without investing what we considered to be unrealistic amounts of time in understanding and manually enabling or disabling thousands of signatures.

WatchGuard's Firebox Peak X8500e is the closest of these three to heading in the right direction, with very coarse, predefined "server," "client" and "both" profiles that can be applied on a per-rule basis. However, enterprise managers looking for greater configuration control will be just as quickly frustrated, because the Firebox Peak doesn't have those controls.
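The distinction this section draws, a firewall rule that selects its own IPS signature set versus one global IPS policy for all inspected traffic, can be modelled in a few lines. The following is an added illustration written for this article, not code or configuration from any vendor named here; the zones, rules, profile names and signature names are all constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed signature groups standing in for a vendor's "client" and "server"
# protective profiles; the names are hypothetical, not taken from any real feed.
SIGNATURES = {
    "client": frozenset({"HTTP:CLIENT:MALFORMED-IMAGE", "HTTP:CLIENT:SCRIPT-OVERFLOW"}),
    "server": frozenset({"HTTP:SERVER:DIR-TRAVERSAL", "HTTP:SERVER:CGI-OVERFLOW"}),
}
SIGNATURES["both"] = SIGNATURES["client"] | SIGNATURES["server"]

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str                       # "http", "smtp", ... or "any"
    action: str                        # "permit" or "deny"
    ips_profile: Optional[str] = None  # None: permitted but not sent to the IPS

Flow = namedtuple("Flow", "src_zone dst_zone service")

# Constructed rulebase: outbound browsing gets the client profile, traffic into
# the DMZ gets the server profile, internal-to-internal is passed uninspected.
RULES: List[Rule] = [
    Rule("internal", "external", "http", "permit", "client"),
    Rule("external", "dmz", "http", "permit", "server"),
    Rule("internal", "dmz", "any", "permit", "both"),
    Rule("internal", "internal", "any", "permit"),
    Rule("external", "internal", "any", "deny"),
]

def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Firewall semantics: the first rule whose zones and service match decides."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (flow.src_zone, flow.dst_zone) and \
                rule.service in ("any", flow.service):
            return rule
    return None  # no rule: implicit deny

def per_rule_signatures(rules: List[Rule], flow: Flow) -> FrozenSet[str]:
    """Per-rule linkage: the matching rule selects which signature set inspects the flow."""
    rule = first_match(rules, flow)
    if rule is None or rule.action == "deny" or rule.ips_profile is None:
        return frozenset()  # dropped, or permitted without inspection
    return SIGNATURES[rule.ips_profile]

def single_policy_signatures(rules: List[Rule], flow: Flow) -> FrozenSet[str]:
    """Single global policy: one set for every permitted flow, whatever its direction."""
    rule = first_match(rules, flow)
    return frozenset() if rule is None or rule.action == "deny" else SIGNATURES["both"]
```

Under the per-rule model, browsing traffic is never checked against server-side signatures and internal-to-internal traffic bypasses the IPS entirely; under the single-policy model every permitted flow, regardless of direction, is matched against the full set.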

IPS lite

We found other lightweight IPS technologies with less configuration complexity, including Check Point Software's SmartDefense (available on all platforms), Cisco's Protocol Inspection (which is built into the ASA 5540 and does not require the add-on IPS module discussed above), Juniper's Deep Inspection (which we tested on the SSG-520M), and proxy technology built into both WatchGuard Technology's Firebox Peak X8550e and Secure Computing's Sidewinder 2150D.

These lightweight IPSs provide a lower level of protection than a more traditional, signature-based IPS, because they cover fewer attack and misuse scenarios and are less able to cover alternate ports and protocols. However, they also have dramatically lower configuration complexity, less flexibility and fewer customization options, and require less technical understanding than the heavy, signature-based IPSs from Juniper and Cisco.

A network manager who wants some IPS in a perimeter firewall but isn't particularly concerned with specific policies and streams probably will find that Check Point's SmartDefense provides significant additional protection at a low cost. However, it's clear that SmartDefense needs some adjustment from a management point of view. When it was first introduced to the market, there were only a few dozen options to set. As the Check Point team has improved SmartDefense, it has added many more options, which makes it difficult to properly configure. Rather than a small handful of check-boxes, now there are hundreds of options divided up into a bewildering set of protocols and applications. Since Check Point has acquired IPS-IDS vendor NFR, we hope there will be a significant reworking of capabilities, configuration options and management style in future versions.

IPS catch rates

We used the Mu Security Mu-4000 testing tool to give us some idea of how well these products protect against published vulnerabilities, a place where signature-based IPSs should shine (see graphic). We could not measure false positives in the context of this test.

IBM/ISS' Proventia MX5010 was the top scorer in client and server scenarios, catching more of the attacks we threw at it than any other product, in most cases by a very wide margin. With a 75% catch rate in client attacks and a 44% catch rate in server attacks using default settings, the Proventia has strong IPS coverage for the tests we used. Juniper's ISG-1000 fell just below the Proventia, catching as many of the server attacks when set to default settings, but not as many client attacks.

When looking at client-protective IPS features, WatchGuard slipped in just below Juniper's ISG-1000, and the Check Point platforms, Secure Computing and SonicWall performed solidly as well. For server-protective IPSs, Astaro Internet Security's ASG 425a fell in just below Juniper's ISG-1000 and the IBM/ISS Proventia MX5010.

One interesting result came out of testing the Sidewinder and ISG-1000 firewalls with no IPS features turned on. Secure Computing has long promoted its proxy architecture as more secure than the packet filtering used by such vendors as Check Point, Cisco and Juniper. Our IPS tests don't support that claim. We tested the Sidewinder 2150D with proxies only and no IPS, then compared it with a Juniper firewall with no IPS enabled.

We found the Sidewinder proxies without IPS are no more effective at blocking attacks than a packet-filtering firewall without IPS. The Sidewinder blocked 7% of client attacks and 14% of server attacks; the packet-filtering Juniper firewall blocked 5% of client attacks and 17% of server attacks.

Sidewinder may offer additional security in some areas, but the proxies are no substitute for an IPS.