Top Layer Mitigator 5500 nails the IPS basics
Appliance focuses on core IPS, bolstered by firewall capabilities
Similar to Arbor Peakflow, Mitigator’s final dimension of defense is protection against DDoS and rate-based attacks. Mitigator protection profiles allow customers to set limits for different types of traffic flowing between various segments of the network. By setting limits on connections and bandwidth usage, the propagation of a network worm can be detected and easily stopped. By setting rate limits on different types of traffic, enterprise-critical traffic can be given priority when bandwidth is taxed.
We would like to see NBAD (network-based anomaly detection) technologies, such as those we’ve seen in Lancope Stealthwatch or Sourcefire RNA (Real-Time Network Awareness), to further shore up the Mitigator’s line of defense.
Whereas the Arbor Peakflow, through NBAD, maintains profiles on every host on the network, TopLayer allows only for a static policy to be applied to network segments. Also, NBAD profiles such as Arbor’s allow new services or traffic anomalies to be quickly identified, but this functionality is lacking in TopLayer’s offering. Where NBAD sounds an alarm on deviations from the norm, TopLayer alarms on deviations from what is defined as acceptable based on policy. Mitigator still has some fine-tuning to do in this area.
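The two detection models contrasted above, a static per-segment connection limit of the kind Mitigator's protection profiles provide and a per-host baseline of the kind NBAD products maintain, are easy to see side by side on the same data. The following is an added illustration and not code from Top Layer, Arbor, or any product in this review; the host addresses, per-minute connection counts, the 200-connection segment limit and the three-sigma baseline rule are all constructed assumptions. A host that ramps from a handful of connections to forty per minute stays well under the static limit but stands out against its own history, which is exactly the gap the review describes.

```python
"""Static rate-limit policy vs per-host baseline (NBAD-style) detection.

Added example, not Top Layer or Arbor code. Host addresses, connection
counts and thresholds below are constructed for illustration only.
"""
from statistics import mean, pstdev

# Constructed data: new outbound connections per host per one-minute window.
# Windows 0..5 are history; the last window is the one under inspection.
CONN_HISTORY = {
    "10.0.1.10": [5, 6, 4, 5, 7, 5, 6],          # ordinary workstation
    "10.0.1.11": [3, 4, 3, 2, 4, 3, 40],         # quiet host suddenly ramping up
    "10.0.1.12": [8, 9, 7, 8, 10, 9, 300],       # worm-style scan, exceeds the limit
    "10.0.1.20": [120, 115, 130, 125, 118, 122, 124],  # busy mail relay, legitimately high
}

# Static per-segment policy (assumed value): more than this many new
# connections per minute from one host is treated as a violation.
SEGMENT_CONN_LIMIT = 200


def static_policy_alerts(history, limit=SEGMENT_CONN_LIMIT):
    """Hosts whose latest window exceeds the fixed segment limit.

    This is the policy-deviation model: one number applies to every host
    on the segment, regardless of what that host normally does.
    """
    return sorted(host for host, w in history.items() if w[-1] > limit)


def baseline_alerts(history, k=3.0, min_floor=5):
    """Hosts whose latest window deviates from their own history.

    This is the norm-deviation model: each host is compared with
    mean + k * stddev of its previous windows. min_floor prevents a
    near-constant host from alarming on a change of one or two connections.
    """
    flagged = []
    for host, windows in history.items():
        past, current = windows[:-1], windows[-1]
        threshold = mean(past) + max(k * pstdev(past), min_floor)
        if current > threshold:
            flagged.append(host)
    return sorted(flagged)


def compare(history=CONN_HISTORY):
    """Return both verdicts so the two models can be read side by side."""
    return {
        "static_policy": static_policy_alerts(history),
        "baseline": baseline_alerts(history),
    }


if __name__ == "__main__":
    for model, hosts in compare().items():
        print(f"{model:14s} -> {hosts}")
```

On the constructed data the static limit catches only the 300-connection scanner, while the baseline rule also catches the quiet host that jumped to 40, and neither flags the mail relay that is always busy. In practice the baseline needs enough history per host to be meaningful, which is why NBAD products track every host continuously rather than applying a single segment policy.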
In testing, Top Layer stood up well to 15 attacks from the SANS/FBI Top 20, successfully stopping all but one. Using Core Impact we were able to sneak an RPC-DCOM exploit -- from MS Blaster fame -- past the appliance. Notably, for the attack to get through, we had to lower the firewall, which would usually never happen in a production environment. Exposing the appliance to the Net and live network traffic revealed four internal hosts infected with spyware. It was easy to configure a policy to block the spyware traffic to stop further infection.
Although setup wizards ease the initial configuration of the device, we found ourselves a little challenged by the reporting interface. The reporting is good after you’ve learned the UI, but it needs to be more intuitive. TopLayer also recommended that we use a security event manager to enhance and customize reporting.
Also, if you want to deploy multiple 5500s, you’ll need to purchase a Top Layer SecureCommand Central Management Server. We did not look at the CMS, but Top Layer reports that it’s also a purpose-built appliance.
Top Layer’s no-nonsense approach to intrusion prevention makes for a solid solution that gets it right where it should. As signature-based detection expands on the appliance, the solution will become a viable firewall replacement with solid IPS functionality.