Intrusion prevention is a key component in many enterprise security strategies, especially in the data center where it plays a particularly critical role. After all, that’s where a company's most important assets reside. NSS Labs tested five data center intrusion-prevention systems to gauge their performance, effectiveness in combatting security threats, and total cost of ownership.
According to NSS Labs, an IPS deployed in the data center usually handles significantly higher traffic levels than an IPS deployed at the corporate network edge. At the edge, IPS protects users browsing the web while the data center IPS protects servers, applications, and databases.
"What an attacker can target is very different in a data center environment than a user environment…That data center is where the core technologies live and are the ones you want to protect very ardently," Jason Brvenik, chief technology officer at NSS Labs, told me in an interview.
Data center IPS must provide a high level of performance while maintaining low latency so as not to interfere with application performance. "More than anything, it's the ability to tailor the protections of the device to the environment…If you took a peanut-butter spread approach to security in the data center, you'd slow traffic down too much," Brvenik said.
In its DCIPS group test, NSS Labs tested these products: Fortinet FortiGate 3000D v5.4.5 GA Build 3273; FortiGate 7060E v5.4.5 GA Build 6355; Juniper Networks SRX5400E v15.1X49-D100.6; McAfee Network Security Platform NS9100 Appliance v126.96.36.199; and Trend Micro TippingPoint 8400TX v188.8.131.5215. NSS Labs said it was unable to measure the effectiveness of a sixth product, Cisco's Firepower 4150, as a data center IPS and cautioned against its deployment without a comprehensive evaluation.
NSS Labs gave all five of the other products its overall recommended rating for both IPv4 and IPv6. They all scored well for security effectiveness -- their ability to block known attacks as well as evasive versions while retaining stability and reliability -- with scores ranging from about 89% to 98%. The Juniper SRX5400E and FortiGate 3000D tied for the best score, 98.73%.
"A lot of people think they need 100% effectiveness. It's wrong to take that position. Protecting against threats is paramount, but the real measure is how well you're able to identify threats you're not protecting against and respond to those as quickly as possible," Brvenik said.
The products also scored well on a TCO per protected Mbps basis, with most costing less than $6. The FortiGate 3000D scored the best in this test, costing just $3 per protected Mbps for IPv4 and $3.52 for IPv6. The TCO scores are based on security effectiveness and NSS Labs' throughput testing.
NSS Labs, which invited DCIPS vendors to submit products for testing at no cost, said the TCO scores incorporate capex over a three-year period, including initial acquisition and deployment costs and annual maintenance. Testing involved four devices deployed at multiple locations plus a central management system.
Overall, the relative parity in performance for IPv4 and IPv6 stood out in the group testing, Brvenik noted. "Older generation IPS didn't have the bus speeds to handle IPv6…These technologies have caught up and are ready to handle IPv6 and maintain performance ratings," he said.
Today, many infrastructure devices support IPv6 natively, so enterprises focused only on IPv4 are at a risk, he said: "You're not paying attention to the threats that can manifest over IPv6."
NSS Labs' overall goal is to give enterprises a way to gauge the value of their security purchases and help with risk management, Brvenik said. For example, a company may want to choose a product that provides only 89% security effectiveness, but costs less than a product that provides 98%, he said.
"The system we built is intended to enhance enterprises' ability to understand if their security investment makes sense for them," he said.