Top Layer Mitigator 5500 nails the IPS basics

Appliance focuses on core IPS, bolstered by firewall capabilities

We’ve seen the gambit of intrusion detection and prevention devices on the market, but Top Layer Networks’ Mitigator IPS 5500 is a little different. For one thing, its management interface is downright dull.

Don’t get us wrong: In this context, dull is good. We’d rather have this easy-to-navigate, straightforward Java interface with configuration wizards than some poorly designed, flashy UI.

Also, the Mitigator looks more like a networking switch than a security device. The front panel is covered in media modules that support both copper and fiber, which definitely eases complex deployments or quick changes in infrastructure.

Although it falls short on reporting and could benefit from some more security enhancements such as vulnerability assessment data integration, the Mitigator is a solid IPS, combined with a stateful firewall.

As you would expect with a networking device, initial setup is accomplished via a console connection. Within five minutes we had configured the console portion of the device and were able to connect into the Java-based management UI served by a HTTPS engine. The configuration interface was easy to use, built around purposeful wizards that made it easy to get the appliance up and running.

We particularly liked that the Mitigator is a purpose-built appliance. Other IPSes are built on top of open source OSes or modules that have to be patched regularly. Often, the vendor doesn’t include these patches with automated updates. Top Layer, offering 24/7 support along with its Top Response updating engine, makes these updates available as needed.

Also, because the appliance has its own proprietary OS, it doesn’t need OS updates like rivals such as Lancope’s Stealthwatch do. This helps to ensure that the underlying OS does not require additional protection from attacks targeting widely published vulnerabilities. Expandable modules for fiber also add value to this device.

Top Layer has designed the Mitigator 5500 to sit outside of, or to replace, your existing firewall; a stateful firewall comes incorporated in the appliance. This firewall performs both layer 2 and layer 3 filtering, plus it’s capable of fragment-abuse protection: The appliance caches the data stream until it has enough to accomplish data reassembly. Top Layer uses this technique as its first line of defense.

The unit’s second layer of protection is malicious-content filtering, accomplished via several different methods. The first is by applying acceptable application use policies. User policies allow easy filtering of potentially dangerous or unapproved apps such as peer-to-peer file sharing, IRC communications, and instant messaging. Additionally, these filters look for RFC compliance and possible buffer overflow attempts.

When reviewing these additional aspects of network traffic, the Mitigator watches for attack, vulnerability, and spyware signatures within the network traffic. Although Top Layer has signatures to cover dozens of known attacks and spyware, the signature database is not as detailed or as comprehensive as we saw with McAfee’s IntruShield. The Mitigator’s deep packet inspection can also scan ZIP, MS Office documents, or other data types for malicious code and common attack signatures.

Similar to Arbor Peakflow, Mitigator’s final dimension of defense is protection against DDoS and rate-based attacks. Mitigator protection profiles allow customers to set limits for different types of traffic flowing between various segments of the network. By setting limits on connections and bandwidth usage, the propagation of a network worm can be detected and easily stopped. By setting rate limit on different types of traffic, enterprise-critical traffic can be given priority when bandwidth may be taxed.

We would like to see NBAD (network-based anomaly detection) technologies as we’ve seen in the Lancope Stealthwatch or Sourcefire RNA (Real-Time Network Awareness) to further shore up the Mitigator’s line of defense.

Whereas the Arbor Peakflow, through NBAD, maintains profiles on every host on the network, TopLayer allows only for a static policy to be applied to network segments. Also, NBAD profiles such as Arbor’s allow new services or traffic anomalies to be quickly identified, but this functionality is lacking in TopLayer’s offering. Where NBAD sounds an alarm on deviations from the norm, TopLayer alarms on deviations from what is defined as acceptable based on policy. Mitigator still has some fine-tuning to do in this area.

In testing, Top Layer stood up well to 15 attacks from the SANS/FBI Top 20, successfully stopping all but one. Using Core Impact we were able to sneak an RPC-DCOM exploit -- from MS Blaster fame -- past the appliance. Notably, for the attack to get through, we had to lower the firewall, which would usually never happen in a production environment. Exposing the appliance to the Net and live network traffic revealed four internal hosts infected with spyware. It was easy to configure a policy to block the spyware traffic to stop further infection.

Although setup wizards ease the initial configuration of the device, we found ourselves a little challenged by the reporting interface. The reporting is good after you’ve learned the UI, but it needs to be more intuitive. TopLayer also recommended that we use a security event manager to enhance and customize reporting.

Also, if you want to deploy multiple 5500s, you’ll need to purchase a Top Layer SecureCommand Central Management Server. We did not look at the CMS, but Top Layer reports that it’s also a purpose-built appliance.

Top Layer’s no-nonsense approach to intrusion prevention makes for a solid solution that gets it right were it should. As signature-based detection expands on the appliance, the solution will become a viable firewall replacement with solid IPS functionality.

InfoWorld Scorecard
Setup (10.0%)
Threat detection (30.0%)
Management (20.0%)
Value (10.0%)
Scalability (15.0%)
Reporting (15.0%)
Overall Score (100%)
Top Layer Attack Mitigator IPS 5500 8.0 7.0 8.0 7.0 9.0 6.0 7.5

Copyright © 2006 IDG Communications, Inc.

How to choose a low-code development platform