IDS (intrusion detection system) products have been undergoing a renaissance of late. By incorporating application-layer packet-filtering capabilities, they are evolving to provide more than just notification of potential security threats.
The acronyms related to intrusion detection and prevention are gaining significant ground in IT mindshare; discussions of IDS vs. IDP (intrusion detection and prevention), and the benefits and detriments of HIP (host-based intrusion prevention) can be heard the world over. Products such as the NetScreen IDP-100 continue to blur the lines marking the difference between the firewall and the intrusion prevention device.
Rather than simply monitoring traffic, the IDP-100 sits between the firewall and the internal network, permitting or blocking packets passed through the device based on known signatures. This in-line enforcement is the clear difference between IDS and IDP. The NetScreen IDP-100 fared well in our testing, proving that overall, it lives up to its billing.
On the Inside
NetScreen leverages Linux and Dell hardware in the IDP-100, which is essentially a Dell 1650 with a PIII 1GHz processor, 1GB RAM, and a single 18.2GB SCSI drive. The IDP-100 runs a customized version of Red Hat Linux 7.2, with the ability to handle logging functions locally or on a separate Linux or Solaris 8/9 system. The solution can be run with a single interface, which limits the unit to pure IDS functionality; it functions as intended when run in-line, thereby providing the P in IDP.
The IDP-100 is a fail-closed architecture, so NetScreen offers a $995 Bypass Unit to enable fail-open functionality. While it’s fortunate that the Bypass Unit is available, such a critical feature should really be included in the package. NetScreen also offers a $2,995 RAID-1 option, which seems a bit pricey.
The IDP-100 is limited to 100Mb throughput, with three 10/100 interfaces on the system. A standard deployment uses two interfaces as forwarding interfaces, with the third as a management interface. All the interfaces are capable of any function, however. NetScreen offers both a little and big brother to the IDP-100 in the IDP-10 and IDP-500. The IDP-10 has a 20Mb maximum throughput limit, and the IDP-500 functions at gigabit speeds.
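To make the two architectural points above concrete (a monitoring-only IDS versus an in-line IDP, and a fail-closed sensor with or without a bypass unit), here is a small simulation. It is added illustration, not NetScreen code; the signature patterns, the `Sensor` class and the packets are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed signature set standing in for the product's signature database.
# The patterns are placeholders for illustration, not real attack signatures.
SIGNATURES = {
    "example-app-banner": b"EXAMPLE-APP/1.0",
    "example-exploit-marker": b"\x90\x90\x90\x90EVIL",
}


@dataclass
class Sensor:
    inline: bool                  # True = IDP (in the forwarding path); False = IDS (monitor only)
    fail_open: bool = False       # True models the optional Bypass Unit
    healthy: bool = True          # False models a sensor that has crashed or lost power
    exempt: set = field(default_factory=set)   # signatures an operator marked as false positives
    alerts: list = field(default_factory=list)

    def match(self, payload: bytes):
        """Return the first non-exempt signature whose pattern appears in the payload, else None."""
        for name, pattern in SIGNATURES.items():
            if pattern in payload and name not in self.exempt:
                return name
        return None

    def handle(self, payload: bytes) -> str:
        """Decide 'forward' or 'drop' for one packet, recording an alert on a match."""
        if not self.healthy:
            # Fail-closed architecture: a dead in-line sensor blocks all traffic
            # unless a bypass device carries it around the sensor (fail-open).
            if self.inline and not self.fail_open:
                return "drop"
            return "forward"
        hit = self.match(payload)
        if hit is not None:
            self.alerts.append(hit)
            if self.inline:
                return "drop"     # IDP: the packet never reaches the protected host
        return "forward"          # IDS: detection only, traffic always flows


def demo():
    """Run the same constructed packets through an IDS and an IDP and return both verdicts."""
    packets = [b"GET / HTTP/1.0", b"\x90\x90\x90\x90EVIL payload", b"EXAMPLE-APP/1.0 hello"]
    ids, idp = Sensor(inline=False), Sensor(inline=True)
    return ([ids.handle(p) for p in packets], ids.alerts,
            [idp.handle(p) for p in packets], idp.alerts)
```

The IDS raises the same alerts as the IDP but forwards everything; only the in-line sensor drops, and only an unhealthy in-line sensor without a bypass drops benign traffic.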
The IDP-100's Java-based management console is available for Linux or Windows and is identical on both platforms. The console communicates with the sensor and logging server to display log data and configure the policies applied to the sensor. The management interface is laid out well, mimicking Microsoft's Management Console. It isn't until you dig into the full range of capabilities, however, that the IDP-100 really shines.
I threw several thousand attacks at systems behind the IDP-100 and watched the management console's dashboard display relevant information on the type and scope of the attacks. Digging into the log files, I was presented with volumes of data, but they were arranged in an orderly, logical layout. Marking events as false positives, a very important capability of IDP/IDS solutions, was simple.
During my first glance at the management GUI, I perused the built-in signature database in the management console. The range of applications represented is quite large, and I found many common application signatures, from AIM to Kazaa, and an impressively wide variety of attack signatures. Signature updates are applied by simply selecting a menu item in the management console.
| Test Center Scorecard | | | | | | | Overall |
|---|---|---|---|---|---|---|---|
| Weight | 30% | 20% | 20% | 10% | 10% | 10% | |
| NetScreen IDP-100 | 9 | 9 | 9 | 9 | 8 | 9 | 8.9 (Very Good) |