Network Computing

Upcoming Events

Are you caught between a desire for the benefits of the cloud and concerns about security and control? Then you should attend this insight-packed webinar to learn how private data networking technologies like MPLS IP-VPNs can address your concerns and allow you to safely and intelligently reap the savings, agility and other benefits associated with cloud computing.

Join us to hear top industry experts discuss the private data network technologies that are best suited for enterprise cloud access requirements. You won't want to miss this opportunity to learn how your organization can best mitigate risk while reaping the full potential benefits of the cloud.

Register Now!

R E V I E W

NIP Attacks in the Bud

September 4, 2003
By Mike Fratto

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Discuss this article
	Flame the author

	In this article
	Introduction
	Name That Tune
	Detect This
	Network Associates McAfee IntruShield 4000
	NetScreen Technologies NetScreen-IDP 500
	How We Tested \| Report Card
	NIP Lessons Learned

You've probably been on the receiving end of at least one NIP system vendor's marketing machine. We've certainly gotten a call or two. Although we were sure the promise of absolute protection against all attacks, known and unknown, was a bit much to hope for, we figured there had to be more to the claim than hot air. So we asked vendors to let us put their NIP devices to the test.

We limited participation in our network intrusion-prevention review to devices that install inline with the network (though we did use one-arm mode as well during our tests), don't require changes in IP addressing, and detect and block attacks based on signatures. We were not interested in intrusion-detection systems that monitor traffic and send rule changes to firewalls, because firewall support is often limited to Check Point FireWall-1 and Cisco PIX--combined, these comprise the majority of the market--but other firewalls are in use. And, as we explained in "Inside the NIP Hype War", setting firewall rules dynamically isn't wise.

That left us with three potential vendors: NetScreen Technologies, Network Associates and TippingPoint Technologies. TippingPoint declined to participate in our tests, claiming it didn't have a device for testing because all available units were promised to customers. (And we thought Dell had a tight supply chain!)

We set up NetScreen's IDP 500 and Network Associate's McAfee IntruShield 4000 in our Syracuse University Real-World Labs® and scrutinized their detection, management, performance and reporting capabilities (see "How We Tested NIP Devices"). We were impressed--though each device had some quirks, we were able to work around them without too much pain.

Network Intrusion Prevention Setup

click to enlarge

The Setup

We installed each product sensor in both inline and one-arm mode. The sensors were configured to communicate with one management server, and we used a management client on a workstation. Our criteria were simple: Products must detect attacks and anomalies accurately while minimizing false positives (alerts generated by legitimate traffic) and false negatives (letting attacks go undetected).

Effective intrusion prevention depends on effective intrusion detection. Any vendor claiming to have zero false positives is feeding you a line. There are too many attacks and variations of attacks, and too much legitimate traffic that looks like attack traffic, for a claim of "no false positives" to hold water. It's laughable, really.

Sure, on our controlled test bed, we didn't find any false positives, but we didn't expect any because the traffic was manufactured to our exacting specifications. When we placed the devices on our live network, however, we initially had numerous false positives, including supposed application-protocol anomalies, such as a TTL of 255 in a RIP packet, various SNMP messages, HTTP header-length messages and apparent Unicode encoding generated from the Mac OS X AOL Instant Messenger client. Tuning reduced the false-positive rate considerably.

We are convinced both of these products will block known malicious traffic, though we did need to carefully choose which alerts to block because of the potential for blocking legitimate traffic.

However, we are not convinced these products are sufficiently accurate at spotting unknown attacks through protocol-anomaly detection. Application vendors don't always write network-protocol stacks that conform to standards, thus causing legitimate traffic to be pegged as anomalous and malicious. We can't stress this enough: You must know what constitutes malicious traffic, then use existing signatures or develop your own signatures to block it.

So should you buy a NIP device? If you're planning to implement a new IDS or replace an existing IDS, we recommend choosing a NIP appliance instead to take advantage of easy deployment, good conformance to stated performance claims and flexible network integration. Plus, you get the option of blocking attacks. But we don't recommend NIP in addition to an existing IDS deployment. Better to spend the cash patching server vulnerabilities--that's something you should be doing anyway. Throwing money in that direction is a more direct way to ensure that your servers are protected because even if attack traffic gets through, patched hosts should be immune. Blocking attacks is not as critical as proper patch management (see "PatchLink Helps Keep Windows Closed,", and "Patching Patch Problems").