TippingPoint leans into network threats
TippingPoint 400 IPS brings power, speed, and strong fundamentals but doesn't bat a thousand
IDS/IPS products have come a long way in a short time, as vendors have been fast to incorporate new detection techniques and bolster defenses to an ever-widening range of threats. TippingPoint is one vendor that has blazed the trail to multipronged protection.
Considering the company’s strong legacy (it brought the first IPS to market in 2002) and its market leadership (it developed the open source IPS testing tool Tomahawk and created the VoIP Security Alliance), we were expecting the TippingPoint IPS to be the Bentley of network intrusion prevention. We weren’t too far off.
The TippingPoint IPS line consists of eight products, ranging from the TippingPoint 50, which handles throughput of as much as 50Mbps, to the top-of-the-line TippingPoint 5000, which handles as much as 5Gbps. We tested the TippingPoint 400 -- and the TippingPoint SMS (Security Management System) appliance -- on a live network at the Naval Postgraduate School in Monterey, Calif. There the IPS was exposed to thousands of “events” originating from the Internet and from several thousand hosts inside the network. As we've done in previous IDS/IPS tests, we also exposed the device to more than a dozen exploits of the SANS Top 20 vulnerabilities using Core Security’s Core Impact penetration testing tool.
Gang of Four
The TippingPoint 400 uses a fusion of four techniques for intrusion detection and prevention: signatures, protocol analysis, traffic-anomaly detection, and vulnerability-based filtering. Signature and protocol anomaly protection -- like open source Snort but without as complete a signature base -- guard against known viruses, Trojans, and worms. Vulnerability filtering, which TippingPoint calls the virtual patch, and traffic-anomaly protection defend against DoS, DDoS, and unknown or zero-day attacks.
During months of testing, the 400 successfully detected hundreds of worms, viruses, and other threats, and allowed us to flexibly mitigate anomalous or rogue network traffic by imposing rate limits, blocking, or alerting on preconfigured thresholds. We also used the appliance’s traffic-throttling features to allow IM and peer-to-peer traffic to run only when bandwidth was not being utilized by critical services.
Performing a total inspection of network layers 2 through 7, TippingPoint seems to have all of the functionality necessary for defending the enterprise network. Despite the amazing breadth, we found at least two places where it lacked depth, allowing us to slip exploits of two well-known vulnerabilities past the device and onto our network.
During manual testing with Core Impact, the TippingPoint 400 missed our exploits of the several-year-old IIS ASN.1 Bit String SPNEGO vulnerability (CVE-2003-0818) and the MS RPC DCOM vulnerability (CVE CAN-2003-0352) that Blaster made famous. In the first miss, it turned out that TippingPoint didn’t have a signature to detect the IIS exploit. In the second, although the IPS had logged the DCOM event as blocked, we were still able to get a root-level command shell on the target machine, thanks to Core Impact’s fragmenting this attack (the Blaster worm uses an unfragmented attack). Because the TippingPoint box allows traffic to flow through unbuffered until it has enough information to flag the traffic as malicious, we were able to push enough of our exploit code through the device to gain a foothold -- a command prompt -- before the rest of the attack was blocked.
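The second miss comes down to inspection policy: an in-line device that forwards bytes until it has seen enough to match a filter will, by construction, let part of a pattern that straddles fragments reach the target. The toy model below is an added illustration, not code from the review or from TippingPoint; the signature and the HTTP-like fragments are constructed, and the two policy functions are simplified stand-ins for real inspection engines.

```python
# Added example: two in-line inspection policies applied to a flow whose
# flagged pattern is split across fragments. SIGNATURE and FRAGMENTS are
# constructed stand-ins, not real filters or traffic.
SIGNATURE = b"CONSTRUCTED-BAD-PATTERN"

def cut_through(fragments, signature):
    """Forward each fragment as it arrives; block the flow once the bytes
    seen so far contain the signature. Returns the number of bytes forwarded."""
    seen, forwarded = b"", 0
    for frag in fragments:
        seen += frag
        if signature in seen:
            break                      # flagged: nothing further is forwarded
        forwarded += len(frag)
    return forwarded

def store_and_forward(fragments, signature):
    """Hold back the trailing len(signature)-1 bytes before releasing anything,
    so a pattern straddling a fragment boundary is always inspected whole."""
    window = len(signature) - 1
    pending, forwarded = b"", 0
    for frag in fragments:
        pending += frag
        if signature in pending:
            return forwarded           # flagged before any pattern byte left
        release = max(0, len(pending) - window)
        forwarded += release
        pending = pending[release:]
    return forwarded + len(pending)    # clean flow: flush the held bytes

def pattern_bytes_leaked(fragments, signature, policy):
    """Count how many bytes of the signature itself reached the target."""
    stream = b"".join(fragments)
    start = stream.find(signature)
    if start < 0:
        return 0
    forwarded = policy(fragments, signature)
    return max(0, min(forwarded, start + len(signature)) - start)

# Constructed flow: benign-looking prefix, pattern split across two fragments.
FRAGMENTS = [b"GET /index.html HTTP/1.0\r\nCONSTRUCTED-B",
             b"AD-PATTERN trailing data"]

if __name__ == "__main__":
    for policy in (cut_through, store_and_forward):
        print(policy.__name__, pattern_bytes_leaked(FRAGMENTS, SIGNATURE, policy))
```

Cut-through forwards the first fragment (13 bytes of the pattern) before the match completes; the hold-back policy releases only the prefix that cannot be part of a match and forwards none of the pattern.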
| Test Center Scorecard | 30% | 20% | 15% | 15% | 10% | 10% | Overall |
|---|---|---|---|---|---|---|---|
| TippingPoint UnityOne IPS | 8 | 8 | 9 | 9 | 9 | 7 | 8.3 (Very Good) |