Top Layer Mitigator 5500 nails the IPS basics
Appliance focuses on core IPS, bolstered by firewall capabilities
We’ve seen the gamut of intrusion detection and prevention devices on the market, but Top Layer Networks’ Mitigator IPS 5500 is a little different. For one thing, its management interface is downright dull.
Don’t get us wrong: In this context, dull is good. We’d rather have this easy-to-navigate, straightforward Java interface with configuration wizards than some poorly designed, flashy UI.
Also, the Mitigator looks more like a networking switch than a security device. The front panel is covered in media modules that support both copper and fiber, which definitely eases complex deployments or quick changes in infrastructure.
Although it falls short on reporting and could benefit from some more security enhancements such as vulnerability assessment data integration, the Mitigator is a solid IPS, combined with a stateful firewall.
As you would expect with a networking device, initial setup is accomplished via a console connection. Within five minutes we had configured the console portion of the device and were able to connect to the Java-based management UI served by an HTTPS engine. The configuration interface was easy to use, built around purposeful wizards that made it easy to get the appliance up and running.
We particularly liked that the Mitigator is a purpose-built appliance. Other IPSes are built on top of open source OSes or modules that have to be patched regularly. Often, the vendor doesn’t include these patches with automated updates. Top Layer, offering 24/7 support along with its Top Response updating engine, makes these updates available as needed.
Also, because the appliance has its own proprietary OS, it doesn’t need OS updates like rivals such as Lancope’s Stealthwatch do. This helps to ensure that the underlying OS does not require additional protection from attacks targeting widely published vulnerabilities. Expandable modules for fiber also add value to this device.
Top Layer has designed the Mitigator 5500 to sit outside of, or to replace, your existing firewall; a stateful firewall comes incorporated in the appliance. This firewall performs both layer 2 and layer 3 filtering, plus it’s capable of fragment-abuse protection: The appliance caches the data stream until it has enough to accomplish data reassembly. Top Layer uses this technique as its first line of defense.
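The caching step described above can be sketched as follows. This is an added example, not Top Layer's code: it holds fragments until the datagram is complete and only then runs a signature match, which shows why inspection has to happen on the reassembled data. The `Fragment` and `Reassembler` names, the placeholder signature, the sample traffic, and the policy of dropping overlapping or oversize fragments are all assumptions made for illustration.

```python
from dataclasses import dataclass

SIGNATURE = b"EXAMPLE-BAD-PATTERN"  # constructed placeholder, not a real signature

@dataclass
class Fragment:
    flow: tuple   # (src, dst, protocol, ip_id) identifies one datagram
    offset: int   # byte offset of this piece within the datagram
    more: bool    # True while further fragments are expected (IP MF flag)
    data: bytes

class Reassembler:
    """Cache fragments per datagram; release the payload only when complete."""
    def __init__(self, max_bytes=65535):
        self.max_bytes = max_bytes
        self.pending = {}  # flow -> {"parts": {offset: data}, "total": int or None}

    def add(self, frag):
        entry = self.pending.setdefault(frag.flow, {"parts": {}, "total": None})
        end = frag.offset + len(frag.data)
        overlap = any(frag.offset < off + len(d) and off < end
                      for off, d in entry["parts"].items())
        if overlap or end > self.max_bytes:
            del self.pending[frag.flow]  # assumed policy: drop the whole datagram
            raise ValueError("abusive fragment: overlap or oversize")
        entry["parts"][frag.offset] = frag.data
        if not frag.more:
            entry["total"] = end
        buf = b""
        for off in sorted(entry["parts"]):
            if off != len(buf):
                return None  # hole in the data: keep caching
            buf += entry["parts"][off]
        if len(buf) != entry["total"]:
            return None  # last fragment not seen yet
        del self.pending[frag.flow]
        return buf

def inspect(fragments):
    """Return (signature hits per fragment, hits after reassembly)."""
    r = Reassembler()
    per_fragment = sum(SIGNATURE in f.data for f in fragments)
    payloads = [p for p in (r.add(f) for f in fragments) if p is not None]
    return per_fragment, sum(SIGNATURE in p for p in payloads)

# Constructed sample: one datagram arriving out of order in three fragments.
FLOW = ("192.0.2.10", "198.51.100.5", 6, 4242)
PAYLOAD = b"GET /index.html " + SIGNATURE + b" HTTP/1.0"
SAMPLE = [Fragment(FLOW, 16, True, PAYLOAD[16:24]),
          Fragment(FLOW, 0, True, PAYLOAD[:16]),
          Fragment(FLOW, 24, False, PAYLOAD[24:])]
```

A production reassembly cache would also expire incomplete datagrams after a timeout and cap the number of pending flows so the cache itself cannot be exhausted.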
The unit’s second layer of protection is malicious-content filtering, accomplished via several different methods. The first is by applying acceptable application use policies. User policies allow easy filtering of potentially dangerous or unapproved apps such as peer-to-peer file sharing, IRC communications, and instant messaging. Additionally, these filters look for RFC compliance and possible buffer overflow attempts.
While reviewing these additional aspects of network traffic, the Mitigator also watches for attack, vulnerability, and spyware signatures. Although Top Layer has signatures to cover dozens of known attacks and spyware, the signature database is not as detailed or as comprehensive as we saw with McAfee’s IntruShield. The Mitigator’s deep packet inspection can also scan ZIP files, MS Office documents, or other data types for malicious code and common attack signatures.