Intrusion-Protection Systems
Posted by Jordan Wiens on January 14, 2005
Two-and-a-Half Approaches
We found significant differences in approach and results among the participants in this still-developing category. Our invitation specified that each device must be a self-contained system able to identify network attacks and prevent them through its own action, rather than by sending commands to a firewall or other piece of network infrastructure. We also requested systems capable of handling the expected 400-Mbps flow through our test network core switches.
As it turned out, we tested using traffic moving across the core of the university's network, where flows averaged more than 600 Mbps, peaking at more than 800 Mbps with 180,000 to 250,000 simultaneous connections. Busy students. Of course, we wouldn't penalize entrants for not coping with conditions we hadn't told them to expect, but the larger flows did give us an off-the-record look at device capacity, revealing how the products handled a large amount of real network traffic with lots of live exploits and false positives. We also generated traffic with specific simulated attack types to see how successfully the devices stopped common exploits (for more on our test setup, see "How We Tested Network Intrusion-Prevention Products").
In the final analysis, two-and-a-half distinct factions emerged in this comparison: