Network intrusion prevention systems
Carlsbad, Calif.-based NSS Labs said the network security technology has improved on average since 2009 to a 62% effectiveness rate using default policy settings. But the performance or thoroughput has decreased over the last year with one vendor achieving just 3% of its claimed throughput. Several vendors also failed certain tests, leaving gaping holes in defenses.
"Generally the more signatures or rules you have, the better the security but the slower the performance," said Rick Moy, president of NSS Labs. "That has to be figured into our analysis of these solutions."
The company's Network Intrusion Prevention System (IPS) Comparative Group Test Report for the fourth quarter of 2010 found some vendor default policy settings as low as 31% effectiveness, with tuning remaining an important part of most systems. The company said two vendors failed anti-evasion testing, an improvement over 2009 when half the vendors tested failed to detect exploits that use obfuscation techniques to evade detection.
Many stand alone IPS devices are being saddled by the rise in client-side attacks -- when end users browse to a malicious website and are victims of drive-by attacks.
"What has changed is that client side attacks are much more difficult to detect versus the remote attacker coming in from the outside so it takes more resources in the devices," Moy said.
The company tested the network IPS technologies from Check Point, Cisco, Endace, Fortinet, IBM, Juniper, McAfee, NSFOCUS, Palo Alto Networks, Sourcefire and Stonesoft. The testing was conducted independently and not paid by any vendor, NSS Labs said. The products were pitted against more than 1,170 live, enterprise-class exploits. Products were tested using the vendor's default or "recommended" settings and then again as tuned by a vendor representative, NSS Labs said.
NSS Labs requested that the full results not be published. McAfee's M800 IPS device had the highest overall block rate using only default settings followed by CheckPoint's Power-1 appliance. Sourcefire 3D 4500 and CheckPoint's Power-1 appliances had the highest achievable block rates when adding tuning – a process that is critical to improving system effectiveness, Moy said.
Tuning can be a significant issue for enterprises because certain policy rules can result in false positives and block valid traffic, Moy said. It can also be costly because a network security pro often has to address device tuning every month.
"This is not a set it and forget it device," Moy said. "In the IPS world when an update comes out you have to test it to make sure it doesn't stop some of your legitimate traffic from getting into your network; especially with custom applications."
The full report is available for $1,800. Specific vendor reports can be purchased separately.