IPS Comparison Report

Date post: 14-Oct-2014
Analytical Comparison

Current Perspective

Check Point - IPS-1

Check Point IPS-1, formerly NFR Security’s Sentivist intrusion prevention system, is threatening to competitors. Although Check Point delivered a brand new IPS engine as part of its new software blade architecture, Check Point will continue to offer the IPS-1 for customers who require a dedicated IPS appliance. Both the IPS-1 and the new IPS software blade can be deployed in the same enterprise and both can be managed under a common management interface. Signature updates are also common across each. IPS-1’s detection model uses an open signature format that provides admirable flexibility in signature creation and customization. Most competing systems rely on either Snort-based signatures or closed proprietary signature models. IPS-1’s existing detection engine uses advanced signature detection and protocol anomaly detection. The product focuses on reducing false positives using the passive OS and application fingerprinting capability. The product uses the Dynamic Shielding Architecture (DSA), which alerts the security manager to critical vulnerabilities or changes to the network and automatically deploys signatures, protecting enterprises from automated malware, information theft, new vulnerabilities and violations to policy that can leave networks exposed to security concerns. The product includes layered security protection in the form of IDS/IPS, firewall, dynamic shielding and protection for IM and VoIP, all in one appliance.

Cisco - IPS Series, Version 7.0

The Cisco IPS 4200 Series appliances and modules are threatening to competitors, because the product is positioned as a key component of the Cisco Self-Defending Network, offered in the form of appliances and devices as well as service modules for routers and switches. By leveraging its network infrastructure roots, Cisco sees its ability to be integrative, collaborative, and adaptive, albeit through value add-on products such as the Cisco Security Manager, as its primary differentiator from best-of-breed IDS/IPS providers. Perhaps more threatening to competitors is the fact that Cisco makes IPS available in multiple form factors, including appliances, switch and router modules, and the Adaptive Security Appliance (ASA) 5500 line, which includes an optional IPS blade. In the latest version of Cisco IPS software, release 7.0, Cisco applied the global threat data gathered in its IronPort anti-spam SensorBase database to its IPS sensors, making them twice as effective at thwarting malware as signature-only IPS. Global threat data, which includes reputation, vulnerability signatures, anomalous behaviors, and known exploits, is collected from over 500 third parties, 1000 threat-collection servers, and 700,000 sensors into SensorBase; then, it is correlated and analyzed for new attacks. Once new attacks are identified, new rules to thwart those attacks are created and quickly deployed to sensors. The incorporation of vulnerability signatures is key, because blocking a single vulnerability thwarts multiple exploits to save time and increase protection. Cisco claims that updates are 100 times faster than traditional signature-only approaches. With the addition of intrusion prevention capabilities to the Cisco Internet Operating System (IOS) of routers and switches, customers can easily add advanced firewall and intrusion prevention types of services to their installed router infrastructures. As part of Cisco’s strategy to develop functionality in the appliance, the company has been integrating an increasing amount of security capabilities into IOS. The company is in an enviable position with its strong name recognition among businesses, universities, and government organizations. Some customers will naturally look to Cisco to extend their network franchise and to fulfill their security needs, particularly as intrusion prevention systems have become more widely accepted within the industry as a means of protecting networks from Internet threats.

IBM - Security Network Intrusion Prevention System

The IBM Security Network IPS is threatening to competitors, because the multi-Gigabit speed appliance uses multiple detection techniques and is supported by one of the industry’s strongest research and response teams. IBM Security Network IPS, along with the SiteProtector management console and the well-respected security response team, X-Force, is a powerful combination in intrusion prevention appliance technology. ISS, formerly a part of the IBM Global Services organization since its acquisition by IBM in 2006, is regaining its product momentum under the stewardship of IBM’s Tivoli Software unit, although IGS continues to market services around the IPS technology. ISS, a pioneer in the IDS market, was also early to market with an IPS appliance. While the IBM Security Network IPS line has been considered to be one of the pricier solutions available, IBM refreshed the full line of PC-based appliances to double the performance without raising prices. IBM announced in 2010 that it will no longer sell the legacy ISS RealSecure network sensor after December 31, 2011.

The IBM Security Network IPS appliance provides a range of form factors and multiple high performance versions, including a Network Security Platform that provides 10 Gbps interfaces to existing higher end IPS sensors, and a CrossBeam module supporting 10 Gbps Ethernet networks aimed primarily at carriers and some very large enterprises. Other IBM Security IPS appliances offer solid performance with 6 Gbps of full inspection throughput. IBM Security Network IPS enables a phased approach to inline deployment. The appliances can operate in prevention mode, passive IDS mode, or passive monitoring mode. IBM ISS provides 2900 signatures with 1600 in blocking mode to help protect against threats. Similar to its competitors, IBM ISS has built out its detection capabilities to include functionality such as anti-spyware, VoIP protection and now Web application protection as well as limited data loss prevention for structured data. High throughput capabilities are key in supporting latency-sensitive applications increasingly being used by customers, such as VoIP. IBM ISS includes high and low end IPS products to support a broad array of customers, and in 2010 it has seen strong momentum with its low end appliances.

Sourcefire - 3D System

The Sourcefire 3D System is threatening to competitors, because it is known for its solid attack detection and prevention technology, with the widest range of throughput options that go from 5 Mbps to 40 Gbps when combined with the CrossBeam X-Series hardware platform. The company, under CEO John Burris, has managed to achieve growth in the range of 30% per quarter over 11 consecutive quarters, which the company attributed to a healthy market, a good team and the right product at the right time. Its revenues for the first nine months of 2010 were $92.6 million. The company appears to have put its earlier troubles behind it, although its significant reliance on the federal government as a customer creates some uncertainties from time to time. Sourcefire forged ahead on multiple fronts in 2010 with a new technology alliance program, which yielded an important partnership with Qualys to correlate threat and vulnerability data to reduce the number of false positives; an expanded channel partner program; an expansion of its application detector library, which includes 200 applications including Gmail, RSS, Quicktime and Flash; and a new SSL appliance OEMed from Netronome that allows the Sourcefire IPS to examine encrypted traffic without taking a performance hit. Sourcefire offers a family of “plug-n-protect” intrusion detection and prevention (IDP) appliances that come bundled with Snort, an operating system, and the company’s data management system. However, its flagship offering comes in the form of a network discovery system called Real-time Network Awareness (RNA), which provides information about the network environment in order to better sniff out vulnerabilities. Sourcefire’s IPS product includes the Sourcefire Defense Center, which allows for easy centralized management of distributed sensors and prioritized security events, as well as consolidated reporting and remediation. The company also offers Sourcefire RUA, which links user identity to security and compliance events, and Adaptive IPS functionality, which leverages endpoint intelligence through Sourcefire RNA, Nessus and Nmap.

TippingPoint - Intrusion Prevention System

The TippingPoint Intrusion Prevention System is threatening to competitors, because the custom-based hardware platform delivers flow/packet analysis at multi-gigabit speeds with good network-based filtering. That platform is now being brought into larger opportunities originated by HP’s Enterprise Services organization, which is bringing much greater visibility to the TippingPoint IPS business as a part of the $2.7 billion 3Com acquisition. TippingPoint, which pioneered the IPS with the launch of UnityOne in early 2002, grew that business steadily, despite the yo-yo relationship it had with parent company 3Com since that 2005 acquisition. In 2009, 3Com elected to draw TippingPoint closer to its core business and outlined its integration strategy under the secure network fabric framework. As a part of that initiative, TippingPoint announced the replacement to its E-Series IPSs with the new N-Platform, which features a more modular architecture that enables more filter packs and services to be added to the IPS without exacting a performance penalty. That roadmap remains in place under HP’s ownership. TippingPoint’s key distinctions are an ASIC-based hardware platform and a multi-gigabit IPS-only product (although the new N-Platform adds support for an IDS mode), further enhanced by a policy-based flow management system that enables 10 Gbps of bi-directional traffic inspection by the company’s IPSs. TippingPoint’s ThreatLinQ portal, which allows customers to assess the changing global threat landscape and learn from their peers how to adjust security policies accordingly, has seen good traction since its launch in 2008. The company’s internal security research team, DVLabs, is made up of expert researchers with expertise in areas such as fuzzing, reverse engineering, phishing, VoIP, and SCADA, among others. DVLabs is complemented by an external research team of 1,447 security researchers, which is called the Zero Day Initiative. TippingPoint is known for being extremely reliable, with solid security technology at ever-increasing speeds. Advanced centralized management capabilities are available for the IPS and 10 Gbps Core Controller products by leveraging TippingPoint’s Security Management System (SMS), which was enhanced to add more customized reporting and integration with TippingPoint’s NAC product. Alternatively, customers can leverage Local Security Manager (embedded Web UI) or the CLI for very small deployments.

Strengths and Weaknesses

Strengths

Check Point - IPS-1
• IPS-1 includes Dynamic Shielding Architecture, which includes correlation and prioritization of network vulnerabilities, vulnerability shielding and protection from new network changes. This proactive technology helps organizations protect their networks before signatures are issued.
• IPS-1 has the backing of leading firewall vendor Check Point as its technology is integrated into Check Point’s broader security suite.
• Check Point offers common management of the IPS-1 through integration with the SmartCenter Console, which provides robust policy management across Check Point’s offerings, including the new security software blades in its R70 release.
• IPS-1 is positioned as a best-of-breed product that supports an open-source signature language. This allows greater flexibility in signature customization and creation.
• The Situational Visibility feature in the IPS-1 management console allows users to graphically monitor attacks against mission critical systems and drill down to get details on the attack, including effects of the attack and remediation recommendations.

Cisco - IPS Series, Version 7.0
• Cisco IPS products offer very straightforward installation. A fundamental advantage of the Cisco product line is its compatibility with routers and switches, so a Cisco IPS module can plug into Cisco switch backplanes to monitor switched environments.
• Cisco now provides enterprises with Gigabit speed analysis. The company includes a 4 Gbps version of its IPS product, and the 4200 Series includes 10 Gbps interfaces.
• Cisco continues to expand its detection capabilities, most recently adding Global Correlation to its IPS sensors to use reputation and vulnerability signatures to thwart blended attacks more effectively. Instrumentation added with the Global Correlation update indicates the IPSs are twice as effective at blocking malware from the Internet as existing signature-based methods.
• Cisco is widely recognized as a strong technology company. Customers feel confident in investing in a company with massive worldwide support and broad technology partnerships. Furthermore, Cisco’s IPS products are priced lower than those of competitors when discounted in a package with Cisco firewalls.

IBM - Security Network Intrusion Prevention System
• IBM Security Network IPS comes in a broad range of performance options, ranging from 200 Mbps up to just under 40 Gbps of throughput via multiple IPS modules in the CrossBeam implementation. The technology is considered one of the most straightforward products to install.
• IBM ISS provides solid detection by using signature-based and protocol anomaly detection. The foundation of the Network IPS, the Protocol Analysis Module, uses nearly a dozen technologies to block such attacks as Trojans, worms, SQL injection, rootkits, protocol tunneling, distributed denial of service, cross-site scripting, botnet and backdoors.
• IBM ISS’ flagship centralized management system, SiteProtector, simplifies an administrator’s work. The console provides sophisticated analysis and data correlation, as well as a consolidated reporting infrastructure, streamlined workflow for handling security events and support for the new Web application security module for the network IPS.
• IBM Security Network IPS now includes new content analysis functions that deliver a measure of data loss prevention, allowing customers to block personally identifiable information such as credit card or social security numbers from leaving the enterprise via email, IM and email attachments that include compound documents that have been compressed.
• The fairly new Web application firewall module for the Network IPS has seen good traction among customers looking to defend Web servers or Web farms. In addition to the X-Force SQL injection engine and recommended policies, it offers a streamlined graphical interface. Additional integration with Rational Appscan Web application vulnerability detection allows novices to easily implement recommended blocking algorithms.

Sourcefire - 3D System
• Sourcefire’s IPS offering includes a real-time network discovery system through Real-time Network Awareness (RNA), and the company has integrated the product with NBA, NAC and VA.
• Sourcefire has added endpoint intelligence, aggregated by RNA, for increased network protection.
• Sourcefire IDP includes a built-in data management system in its Defense Center to respond to alerts in real time.
• Sourcefire is one of the earliest IPS vendors to offer a VMware-based virtual IPS appliance, aimed at smaller remote offices, following IBM/ISS.

TippingPoint - Intrusion Prevention System
• TippingPoint is a market leader in throughput and low latency. TippingPoint IPS is built on custom-designed hardware with analysis capabilities of up to 10 Gbps speed.
• TippingPoint’s Threat Suppression Engine enforces network security policy using functions such as block, notify, allow, and quarantine, and it supports bandwidth management capabilities, including rate shaping.
• TippingPoint is now backed by HP’s Enterprise Services organization, which is bringing the IPS technology into larger deals and increasing its previously limited exposure. HP has also pledged to increase TippingPoint’s R&D budget for fiscal 2011.
• TippingPoint’s security research is well regarded in the industry, as evidenced by the breadth of filter coverage (Web applications, OSs, network OSs, protocols, endpoint and server applications, etc.) and the speed at which it is proactively deployed to protect customers’ critical assets from the latest threats.

Weaknesses

Check Point - IPS-1
• Check Point faces competitors who have increased the performance capabilities of their IPS products with 10 Gbps support. Check Point was due to release such support in 2007, but it has yet to do so. The company has been silent on that missing performance option, despite increasing demand for it.
• Check Point offers several overlapping IPSs in different form factors between its NFR-based IPS-1 dedicated appliance, the IPS software blade based on the R70 software release (which uses a different IPS engine than the IPS-1) and the IPS functionality in the new line of appliances based on the Nokia acquisition. Those different choices can be confusing to customers, they make it harder for channel partners to do business with Check Point, and they are more costly for Check Point to maintain.
• Check Point has limited recognition as an IPS supplier with a fairly small market share.

Cisco - IPS Series, Version 7.0
• The Cisco IPS provides minimal reporting capabilities of its own, and the new global correlation function is no exception to that. From an IPS standpoint, reporting is supported on CSM. Depending on the product, reports are supported through several canned formats, with the ability to create custom reports as well.
• Cisco was slower to respond to growing market requirements for 10 Gbps support than most of its competitors, which released 10 Gbps interfaces for their IPS sensors well ahead of Cisco.
• In 2010, Cisco announced the end of life for Cisco Security Monitoring Analysis and Response System (CS-MARS), which was the primary alert management system for the IPSs. Cisco is migrating event monitoring and management to the separate Cisco Security Manager offering, which was previously used to push policies out to the IPSs.
• Although still a market leader in the IPS space, Cisco lost 2% market share over 2010, due to softness in spending and less success in winning larger deals.

IBM - Security Network Intrusion Prevention System
• IBM Security Network IPS is expensive. While considered superior detection technology because of its strong signature engine, the product is too expensive for most small enterprises and some larger enterprises.
• There are limits to the modifications that can be made to the IBM Security NIPS’ standard rules. Customers can create their own signatures using the OpenSignature feature, which uses a Snort-based syntax. (This feature is not used, however, by the standard rules engine.)
• IBM has lost some mind share in the NIPS market due to its strong focus on selling the technology as part of much larger deals that consistently involve professional services, and to its emphasis on growing its NIPS business by selling into IBM’s installed base.
• IBM does not yet offer full, native 10 Gbps support on its high end IPS appliances at a time when the market is beginning to demand such support. Although IBM has taken stopgap measures until it can deliver such support in the first quarter of next year, the lack of such support is inhibiting stronger growth at the high end of the market.

Sourcefire - 3D System
• Although Sourcefire appears to have put its distractions behind it, including the unwanted takeover attempt by Barracuda Networks, the company remains a standalone IPS and open source AV vendor in a market characterized by consolidation, and for AV, commoditization. More enterprises are looking to reduce the number of security vendors they deal with, and that trend does not favor companies with thin product portfolios.
• Bigger rivals such as Cisco Systems and McAfee have added reputation data to their IPS systems in order to boost catch rates. Sourcefire has only just begun to offer limited IP address reputation feeds for its 3D System portfolio.
• Sourcefire’s 3D System requires a significant amount of tuning to achieve the high effectiveness rates it is capable of, as evidenced by NSS Labs real world testing. While tuning is important for all IPSs, Sourcefire’s 3D System requires a higher degree of expertise and effort.

TippingPoint - Intrusion Prevention System
• Parent 3Com was slow to embrace its TippingPoint unit and to make it an integral part of its business. Just when it put a cohesive strategy in place to better leverage the TippingPoint technology in its core H3C switches and integrate management of both product lines, HP acquired 3Com. That threw into question the future of the secure network fabric strategy, and HP has yet to outline its own integration roadmap.
• The good accuracy reputation of the TippingPoint IPS received a black eye at the hands of independent and well-respected testing organization NSS Labs in 2009, when multiple tests against so-called real world threats showed its effectiveness rates were quite poor. TippingPoint has since rejected the NSS Labs tests and cast doubt as to their validity and ability to be replicated, instead embracing rival testing organization ICSA Labs. However, rivals no doubt are making the most of the NSS results in their marketing and sales efforts.
• TippingPoint sells the Security Management System (SMS), its centralized management console with advanced management features, as a separate product. However, basic management is included with each appliance in the form of a Web UI or CLI.

Point and Counterpoint

Check Point - IPS-1 Cisco - IPS Series, Version 7.0

IBM - Security Network Intrusion Prevention System

Sourcefire - 3D System

TippingPoint - Intrusion Prevention System

Point1 • Check Point does not provide the broader security infrastructure of competitors’ offerings.

• Cisco is not a pure-play security company, and its IPS solution is merely a checkbox item for Cisco customers looking for IPS solutions.

• The ability to customize IBM Security Network IPS’ standard rules is very limited.

• Sourcefire’s focus on putting its house in order and growing the company organically has left it profitable but with a small product portfolio. With enterprises looking to reduce the number of different security vendors they do business with, Sourcefire may not end up on short lists for larger deals that include complementary threat management offerings.

• Similar to TippingPoint, non ASIC-based vendors of intrusion detection and intrusion prevention systems are now releasing products with performance in the Gigabit speed.

Counterpoint1 • IPS-1 delivers multiple layers of security, including IDS, IPS, FW, dynamic shielding, vulnerability information, network change information, and IM, VoIP and peer-to-peer security, among others within a single appliance, all managed centrally from a single pane of glass and all for the single sensor price. Prior to its acquisition by Check Point, NFR Security had been incorporating other third-party network node and vulnerability

• Actually, Cisco is more than a security company. Cisco has a fundamental understanding of network traffic, such as network latency and network usage, as well as an exclusive capability to look at packets that are otherwise inaccessible to an IDS or IPS system, such as GRE and other types of routing encapsulatedpackets. Secondly, network reliability and network availability are two of the principal cornerstones of the company’s reputation. Cisco

• The need for customization is limited. IBM Security Network IPS includes 225 built-in rules to combat hybrid threats. However, there are ways that customers can write custom rules, including using ISS’ OpenSignature module.

• Sourcefire continues to grow its revenues at a healthy clip, and problems faced by rivals such as IBM/ISS and TippingPoint have helped to fuel that growth. Sourcefire has seen 11 consecutive quarters of 30% growth rates, and the company continues to invest significantly in its product line and has continued to add new performance options and improved usability to appeal to a broader array of customers. At the same time,

• Performance should be measured by actual throughput, latency, and the number of filters that are enabled. Typically, with non-ASIC-based systems, security coverage needs to be compromised for better performance and vice versa. In late 2010, ICSA Labs tested the TippingPoint 2500N, which achieved a maximum throughput of 1700 Mbps with a maximum average latency of 239 microseconds.

Page 8: IPS Comparison Report

intelligence sources to provide broader integration function and benefit. Furthermore, IPS-1’suser interface is often referred to as SIM-like in its robust functionality, flexibility and powerful information presentation and analysis functions. IPS-1 also integrates with all the major frameworks such as HP OpenView, IBM Tivoli and others.

brings a level of trust that point product security vendors can never hope to match.

Sourcefire announced its plans to add an internally developed next generation firewall in 2011, leveraging its expanded application awareness, which can identify over 200 applications.

Point2 • IPS-1 is difficult to implement.

• Cisco cannot react to new attacks as quickly as its security competitors.

• Customers hesitant to switch from intrusion detection to intrusion prevention systems are usually concerned with false positives turning away good traffic.

• Sourcefire’s method of opening its signatures is an invitation to hackers.

• It makes more sense for customers to buy IPS from their network equipment provider, which more often than not is Cisco.

Counterpoint2 • IPS-1 was the first to utilize an appliance to deliver network security functionality; today, it is recognized as “setting the new standard” for IPS user interfaces. NFR Security previously achieved this point by deliberately focusing on simplifying the entire IDS/IPS experience, maintaining its aggressive focus and investment on delivering true “low-touch, low-maintenance” network security products. The bootable appliances can be installed remotely, without local user intervention. Evidence of Check

• Cisco has a strong rapid response team capable of deploying policy updates to its devices within hours of an incident, as well as recurring bi-weekly policy updates for its devices. The PSIRT focuses on looking at vulnerabilities and exploits in the wild, assessing the impact of the vulnerabilities on the Cisco infrastructure, and providing information and updates to Cisco customers. The addition of Global Correlation updates to the ISP 4200 Series greatly speeds response to new threats. Applying reputation and vulnerability signatures through

• Accurate detection is very important for intrusion detection systems and especially for intrusion prevention systems. ISS has spent years working to improve its detection methods, and it has seen IPS adoption rates rise to about 60 percent. Furthermore, the IPS allows customers to work in varying degrees of inline mode, according to the customer’s comfort level.

• In the near-term, open source systems and proprietary systems typically have about the same number of vulnerabilities and bugs in them, but over the long haul, open source systems tend to be more secure because of the community feedback. That is assuming a critical mass of users is utilizing a particular open source product. Snort has definitely reached that critical mass, with 4 million downloads.

• Customers need to make a buy decision based on the solution’s performance, breadth of security coverage, and time to coverage. When these criteria are factored in, Cisco typically lags well behind in these areas compared to vendors in the in-line IPS segment, therefore exposing the vulnerabilities of the customer’s critical business assets.

Page 9: IPS Comparison Report

Point’s progress on improving installation came recently from readers of Information Security magazine, which gave the IPS-1 its 2010 gold medal for best IPS in part because of its ease of installation.

updated rules is many times faster than matching attack signatures.

Point 3

• Check Point: Customers can count on more integration support from competing vendors that have a wider range of response teams or more systems integrator relationships.

• Cisco: Reporting features are weak in Cisco’s IPS product suite, including reporting on reputation filter blocking.

• IBM: Intrusion prevention systems will eventually replace the need for intrusion detection systems.

• Sourcefire: Sourcefire is not as fast to react to industry attacks as some competitors, such as ISS.

• TippingPoint: Customers hesitant to switch from intrusion detection to intrusion prevention systems are usually concerned with false positives turning away good traffic.

Counterpoint 3

• Check Point: IPS-1 is the most flexible IDP product on the market. Specifically, with respect to an open signature language, open signatures, multiple deployment modes, and the ability to calibrate prevention (Confidence Indexing) according to the value of the asset being protected, no other product, including Snort, offers this combination of functions and integrations. IPS-1 integrates with the frameworks mentioned above, multiple SIM products, Nessus, Symantec UEC, firewalls and routers, among others.

• Cisco: Purely from an IPS standpoint, comprehensive reporting is supported on CSM. Depending on the product, reports are supported through several canned formats, with the ability to create custom reports as well. Reports can be scheduled and presented in a variety of output formats.

• IBM: While intrusion prevention is fast becoming a generally accepted approach to network security, IBM provides the flexibility to block or passively monitor threats. If customers are not comfortable deploying an intrusion prevention system, they are able to deploy in monitoring mode. IBM’s multifaceted protection consists of prevention mode, passive IDS mode and passive monitoring mode.

• Sourcefire: Sourcefire is often first to market with its analysis of attacks on industry vulnerabilities, and Snort has had far fewer security vulnerabilities discovered in it than most other IDSs. When issues are discovered in Snort, they are fixed in hours or days. At the same time, as part of IBM, ISS has not been as quick to respond as it was in the past.

• TippingPoint: TippingPoint’s technology is built on a custom ASIC-based, extremely fast, low-latency processing device that enables TippingPoint to perform functions that IDS vendors simply cannot. TippingPoint’s philosophy from day one has been to ensure customers have the hardware platform necessary to write the filters that guard against false positives. Additionally, TippingPoint manages a global network of Lighthouse installations. These Lighthouse deployments allow TippingPoint to test newly developed filters in the wild before they are integrated into the Digital Vaccine update, thereby reducing the potential of blocking legitimate flows. The new ThreatLinQ portal gives customers direct access to the latest security intelligence and policy response gathered in the Lighthouse network.

Point 4

• Check Point: Check Point is confusing customers with overlapping IPS products in different form factors, which use different underlying technology and compete with each other.

• Cisco: Cisco competitors are releasing IPS products with multi-gigabit throughput.

• IBM: The ISS NIPS offering has lost mind share and visibility in the market as a result of IBM’s emphasis on wrapping expensive professional services around the product and on growing the NIPS business by selling into its installed base of large customers.

• Sourcefire: It appears that IDS technology is no longer necessary and customers have completely embraced IPS products.

• TippingPoint: TippingPoint’s effectiveness at blocking real-world threats has been called into question by independent testing organization NSS Labs, and rivals in those same tests were shown to be twice as effective as the TippingPoint IPSs.

Counterpoint 4

• Check Point: Not all customers are alike, and different customers prefer different form factors. Customers who cut their teeth on a dedicated appliance form factor prefer to stick with that, while others find the performance and cost benefits of the IPS blade more compelling. Some customers have a team dedicated to managing IPS, and that team may not want to give up control of what they are responsible for by having the IPS installed on a firewall owned by another team. In either case, they can manage both using a single management interface.

• Cisco: Cisco provides a 4 Gbps version of the 4200, and by the end of 2008 it finally released 10 Gbps interfaces for its high-end IPS sensors. Furthermore, the company holds itself to a high standard regarding its stated level of performance: if you put Cisco IPS in traffic and turn on all the signatures, users get the stated performance. Some competitors are more liberal with their definition; if there is not much traffic, the product performs at the stated speed, but once users put a full traffic load through the network, product performance goes down.

• IBM: The quality of the product has not suffered as a result of that focus, and IBM, in moving product management to Tivoli, will renew its effort to win pure product deals in addition to services-plus-product deals.

• Sourcefire: Sourcefire advocates that both IDS and IPS technologies are necessary to protect today’s network and that each technology serves a different purpose. First-generation IPS products are often good at protecting networks against a very small set of attacks while leaving them vulnerable to all others. Sourcefire’s 3D System allows companies to have both IDS and IPS technologies, all managed centrally by the Sourcefire Defense Center with consolidated reporting and policy-based automated responses, including inline blocking.

• TippingPoint: NSS Labs test results have been completely inconsistent, and their testing is impossible to reproduce. Their tests do not necessarily reflect real-world threats. ICSA Labs, which is ANSI-certified, provides more relevant, real-world testing.

Point 5

• Cisco: Customers still grapple with utilizing best-of-breed solutions versus going with an end-to-end supplier such as Cisco.

Counterpoint 5

• Cisco: Cisco recognizes that most network environments are heterogeneous, with a mix of many vendors. Cisco wrote an API (called SDEE), and several partners/competitors have written to that API so that Cisco security events can be received by those third parties and displayed on their systems. Customers may opt for best-of-breed products, but the company underscores the value of Cisco products working in collaboration as yet another reason to consider Cisco from an end-to-end perspective.

Buying Criteria and Metrics Comparison

Architecture

Check Point - IPS-1
• IPS-1 is scalable. The product meets the small footprint requirements of small, initial deployments, and the architecture expands to support an unlimited number of sensors. The product may be managed by business unit or geographic region, and it can be managed centrally from a single console or support distributed management.
• IPS-1 supports both IDS and IPS capabilities. The device supports four distinct modes of operation: traditional IDS, in-line bridging (which provides no traffic blocking and acts as a learning mode), and two types of operation with full-blown blocking, one of which fails open if the device fails and one of which fails closed. The product also includes firewall capabilities and protection for IM and VoIP.
• IPS-1 is straightforward to configure and manage. Key management features include Confidence Indexing, which supports the ability to calibrate prevention according to the value of the asset being protected.
• IPS-1 supports a variety of environments, including Red Hat Linux, Solaris and Windows.
• IPS-1 is highly interoperable. It is certified with popular network management standards, including HP OpenView and OPSEC, as well as third-party security event management solutions such as ArcSight.

Cisco - IPS Series, Version 7.0
• The Cisco IPS products integrate easily into a networking environment. The products include standalone Linux-based appliances and blades for Cisco’s Catalyst 6500 switches and Integrated Services Routers. The Catalyst blade (IDSM2) is described as a PC-style appliance that integrates into the 6500 Series chassis in the same way a module with Fast Ethernet ports is integrated. At the same time, the IPS Advanced Integration Module and IPS Network Module (for the 1841, 2800, and 3800 Series ISRs) fit into an internal slot in the ISRs and include a coprocessor that offloads IPS tasks from the ISR.
• All of Cisco’s 4200 Series appliances and the switch and router line cards support both IDS and IPS services. Cisco’s IPS solution provides the capability of using the IPS device in a variety of modes, including IDS mode, IPS mode, or a hybrid mode that runs both on a single device.
• Cisco IPS simplifies integration into switched environments. The IPS module can monitor traffic on multiple VLANs simultaneously (both ISL and 802.1q-encoded) using the VLAN ACL capture feature or SPAN function (rather than using external IPS sensors connected to a switch SPAN port).
• Cisco IPS provides broad coverage for a variety of environments. The product supports numerous operating systems, including Windows, Solaris, and Linux.

IBM - Security Network Intrusion Prevention System
• The IBM Security Network IPS Series operates in three modes: prevention mode (inline, blocking), passive IDS mode (offline, no blocking), and passive monitoring mode (inline, no blocking). This provides customers with a smooth path to intrusion prevention.
• IBM Security Network IPS supports asymmetric routing environments by grouping two interfaces together and treating those two different paths as one logical flow. The NIPS appliance runs on a customer’s copper interface or copper/fiber mix for core network deployments. Several of the models use SFP GBIC interfaces, which allow customers to change media types by simply swapping out the interface modules.
• Installation is very straightforward, requiring no network reconfiguration during deployment; however, the appliance is not a plug-and-play device, and it requires some networking expertise during set-up.
• IBM ISS has included virtual patch protection with this product, which aims to protect systems against attack during the interim period between the discovery of a vulnerability and the manual application of a security patch. This is key as the time between disclosure and applying a vendor-supplied patch is extended.
• IBM’s new NIPS firmware release revamped the user interface to streamline operation and performance. Specifically, IBM made it much easier to go from detection simulation mode to blocking mode by right-clicking to create a new blocking policy based on actual threats discovered.

Sourcefire - 3D System
• All Sourcefire appliances are “plug-n-protect,” designed to be installed and running in 15 minutes or less, although Sourcefire strongly recommends that customers tune their IPSs. They are self-contained appliances that include the hardware and all necessary software, including the data management system and hardened operating system.
• Sourcefire now offers a virtual appliance option of its 3D System that runs on VMware ESX and Citrix Xen hosts, and it has introduced cloud-based IPS services to protect applications running on Amazon EC2 hosted Web services.
• A Sourcefire sensor can be deployed as an individual system or in groups using centralized management. Sourcefire sensors offer flexible deployment and can be deployed inline in IPS mode or out-of-band in traditional IDS mode.
• The Sourcefire eStreamer interface provides for easy integration with other products such as SIM/SEM products or network management consoles such as IBM Tivoli, HP OpenView or CA Unicenter.
• Sourcefire replaced the Snort internal pattern matching engine with Intel’s QuickAssist pattern matching technology, which improves throughput and lowers latency for the 3D System.
• Sourcefire provides coverage for key operating system environments. The management console is Web-based, and the appliances are supported by Linux systems. RNA’s GUI runs on Linux, Windows and Mac OS X.

TippingPoint - Intrusion Prevention System
• TippingPoint is an intrusion prevention appliance built on a hardware-based platform that includes network processor technology and a set of custom ASICs. This parallel processing hardware is touted as the reason TippingPoint can perform thousands of checks on each packet flow simultaneously with outstanding throughput and “switch-like” latency.
• Using custom ASICs, TippingPoint is able to inspect packets at Layers 2-7. This level of inspection ensures that packets can flow through the IPS with a latency of less than 90 microseconds.
• The Threat Suppression Engine supports bandwidth management capabilities, including traffic classification and rate shaping, a sophisticated throttling capability that controls traffic. This feature alerts administrators to unusually high flows of traffic and gives mission-critical applications a higher priority on the network.
• TippingPoint runs on copper interfaces or copper/fiber (and all-fiber) mixed interfaces, providing infrastructure protection to routers, switches, and firewalls.
• TippingPoint now provides three different architectures across its line of IPSs, each addressing a different set of requirements: the low-end S10, S110, and S330 line, aimed at remote offices and offering lower costs; the new N-Platform, which replaces the discontinued TippingPoint E-Series (not to be confused with the rebranded HP ProCurve LAN switches now called the E Series) and adds 10 GbE and IPv6 support; and the S1200N IPS module for the HP A7500 Series switch (formerly 3Com’s 7500 chassis switch). TippingPoint also supports virtual server environments with its new vController, which routes VM-to-VM or VM-to-physical server traffic to a separate IPS appliance for inspection.

Detection and Response

Check Point - IPS-1
• IPS-1’s hybrid detection engine uses multiple detection and prevention methods to guard against known attacks, stealth attacks, anomalous behavior, first strikes, DoS floods and polymorphic attacks. The sensors use vulnerability signatures, exploit signatures, anomaly detection, protocol analysis, OS and application fingerprinting, correlation and worm mitigation.
• IPS-1 provides an open-signature format through the N-Code language so network administrators can tune or add to existing signatures. This provides a lot of flexibility in creating a detection system.
• IPS-1 includes proactive protection technology called Dynamic Shielding Architecture, which includes correlation and prioritization of network vulnerabilities, vulnerability shielding and protection from new network changes.
• IPS-1, through its Situational Visibility feature, allows users to pinpoint serious attacks against mission-critical systems and drill down to get details on the attack, such as the source, type and effect of the attack as well as recommended remediation and packet capture.
• IPS-1 has a strong real-time reporting mechanism that is diagnostic in nature. It gives users a view of the enterprise’s security policy, providing historical management trends to offer a broad view of security events over an extended period. However, the product does not support automated and scheduled reporting capabilities.

Cisco - IPS Series, Version 7.0
• Cisco IPS uses signature-based detection and protocol decoding to provide denial of service (DoS) protection and guard against known and unknown cyber attacks. This detection method has been enhanced to include NBA technology, as well as a risk and threat rating function that lets users fine-tune the IPS to be more policy-based. The Cisco IPS appliance and module feature a strong signature engine, based on Cisco’s Threat Analysis Micro-Engine (TAME) technology, whereby customers can customize sensor signatures in order to minimize false positives. Cisco develops all its own signatures.
• Cisco added new Global Correlation functions on top of the existing signature base to improve the efficacy and lower the rate of false positives in its IPS 4200 Series. Threat data, including reputation and vulnerability signatures, is collected globally through Cisco’s Security Intelligence Operations and processed in Cisco’s Threat Operations Center; once new attacks are identified, new lightweight rules are automatically generated and deployed to sensors at user-configured time intervals. Once-ambiguous attacks such as SQL injection can now be better clarified to reduce the risk of blocking legitimate SQL traffic.
• Cisco’s detection capabilities include application inspection, so policy can be enforced based on content detection at the application layer; RFC compliance checking for HTTP methods; filtering of traffic based on select MIME types (such as JPEG extensions); and detection and prevention of covert channel tunneling through port 80 to determine policy violations (this helps preserve network bandwidth by disallowing applications such as inappropriate file sharing tools).
• In 2010, Cisco discontinued its add-on SIM product, called CS-MARS, citing reduced demand, most likely due to its limited multivendor input. Cisco migrated event monitoring and management to its Cisco Security Manager, which centrally manages configuration and security policies for Cisco IPSs, VPNs, and firewalls. To date, CSM does not support a manager-of-managers capability. Although Cisco intends to add that capability at a later date, the ability to scale CSM deployments is limited until that happens.
• In the most recent round of NSS Labs testing of IPS appliance effectiveness against real-world threats, Cisco’s IPS 4260 Sensor scored well when tuned, and Cisco improved its effectiveness when using default settings. In addition, Cisco improved the IPS’s ability to thwart malware using evasion techniques.

IBM - Security Network Intrusion Prevention System
• IBM’s detection techniques include signature-based detection and protocol anomaly detection to protect against zero-day attacks on unknown vulnerabilities, zero-day exploits of known vulnerabilities, and known exploit attacks. The product is integrated with network behavior anomaly detection functionality provided by Arbor Networks, although it is no longer offered by IBM. Such integration helps customers protect against unknown threats. This functionality has become almost a standard feature among the leading IPS solutions because it helps customers protect their internal networks through an added layer of threat protection.
• IBM’s inline blocking mode automatically blocks viruses, unauthorized access, network attacks, malicious code, hacker exploits and hybrid threats. It includes anti-spyware capabilities, providing prevention at the network level. A new Web application security module for the IPS provides Web application firewall protection to block attacks such as SQL injection, cross-site scripting (XSS) and shell command injection.
• IBM ISS uses a broad set of specific signatures within its analysis engine. A large signature set can, however, result in increased signature tuning requirements for customers. IBM ISS has increased its detection accuracy and decreased its reliance on signatures in past years, which helps reduce the need for system tuning. Additionally, the product comes with over 1,600 out-of-the-box recommended blocking actions to guard against threats.
• IBM uses the SiteProtector Management Console to centralize management of multiple sensors. The console provides automatic product updates and installations, the ability to see real-time reporting trends, and the ability to correlate vulnerabilities with intrusion attempts. Improved policy management capabilities let administrators control policy at the device, port, VLAN and IP address levels. An integrated, automated ticketing feature allows ticketing on vulnerabilities and incidents within SiteProtector or with standalone systems such as Remedy Action Request System.
• The integration of Rational AppScan with SiteProtector allows recommended custom policies to be automatically generated from vulnerabilities discovered by AppScan as it scans new Web application code for defects.

Sourcefire - 3D System
• Sourcefire uses the popular Snort rules-based engine, which can be configured to detect both signature-based events for known exploits and anomalous behavior for unknown threats, to guard against threats such as worms, viruses and spyware. The Sourcefire sensors can perform stateful protocol analysis to detect anomalies, including port scans, IP stack fingerprinting and DoS attacks. Sourcefire’s strategy for real-time protection is its integration of IPS, NBA, NAC and vulnerability assessment.
• Sourcefire RNA passively monitors a company’s network and identifies all systems, including hardware, operating systems, and applications, for strong correlation capabilities. RNA also aggregates endpoint intelligence through Sourcefire’s Adaptive IPS technology for added network protection. RNA includes the Policy and Response Module, which allows companies to enforce policies regarding applications and services running on the network.
• Sourcefire RUA allows customers to link user identity to security and compliance events.
• Sourcefire provides the ability to disable or edit existing rules under the rules-based engine, which can reduce false positives. Some competing vendors are not willing to open up their signatures for review, making it difficult for customers to troubleshoot alerts.
• Sourcefire has built a data management system into the Sourcefire Defense Center, making it a solid platform for managing, reporting and analyzing the information generated by IDS, IPS and RNA sensors. A scaled-down, less costly version of Defense Center, coupled with ease-of-use enhancements, makes the Sourcefire IDP more appealing to medium-sized enterprises that want to deploy three or fewer sensors.
• Sourcefire IPSs perform well in third-party testing, receiving top scores for blocking real-world threats from independent testing organization NSS Labs.

TippingPoint - Intrusion Prevention System
• TippingPoint’s filtering mechanisms include signature-based, protocol anomaly, vulnerability and traffic anomaly filters to identify and block known and unknown attacks in order to protect the network. TippingPoint has just under 5,000 filters, and by default the company ships about 1,000 filters enabled in blocking mode. This differs from the approach of other vendors, which turn on customers’ blocking filters gradually.
• TippingPoint IPS is supported by the company’s signature engine, called the Threat Suppression Engine, which detects and prevents viruses, Trojans, known and unknown attacks (zero-day attacks), worms, SYN floods, and DDoS attacks, among others. TippingPoint includes anti-phishing capabilities with its prevention capabilities as well as VoIP and SCADA support.
• TippingPoint’s IPS has evolved over time to protect not only networks and client/server operating systems, but also client/server Web and enterprise applications. Protection for XSS, PHP, SQL injection, and spyware are ever-expanding components of TippingPoint’s Digital Vaccine service, which can also address data leakage and support custom Web applications.
• TippingPoint IPS is managed centrally by the Local Security Manager (LSM), a Web GUI management application that is included with each appliance, providing administration, configuration, and reporting capabilities for one device. Customers have the option of purchasing the TippingPoint Security Management System (SMS) for more advanced and scalable functions. The SMS centralized management platform provides trending reports, correlation, and real-time graphs on traffic statistics, filtered attacks, network hosts and services, and IPS inventory. It also includes a profile editor feature, which provides a very flexible means for creating and deploying policies across all the devices in the system. SMS, which is bought by about 80% of TippingPoint customers, is being integrated with 3Com/H3C’s Intelligent Management Center.
• TippingPoint made an important move in its NAC strategy, repurposing its IPS technology to provide blocking and quarantine functionality in a NAC solution. TippingPoint provides a broader set of enforcement capabilities, including pre-admission host posture checks and quarantine as well as post-admission threat protection built on IPS.
• TippingPoint includes an advanced denial of service capability that not only detects but also blocks a variety of DoS and DDoS attacks, including SYN floods, connection floods, packet floods, and attacks originating from spoofed and non-spoofed sources.
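The Sourcefire column rests on Snort’s open rule language and on the ability to disable or edit rules to cut false positives (the same argument Check Point makes for N-Code). The Python below is an added illustration, not Snort, Sourcefire or Check Point code: a toy loader for a small subset of Snort rule syntax (header, content, nocase, pcre, sid, rev) and a matcher run over three constructed flows. Rule set v1 carries one broad rule; v2 comments it out (the convention rule-management tooling uses to disable a rule while keeping its sid) and ships rev:2, which only fires when the string appears in the request path rather than in a query string. The network variable, sid, addresses and request lines are all constructed.

```python
"""Toy Snort-style rule loader and matcher to show rule tuning (illustrative;
not Snort or Sourcefire code; syntax subset, network variable and flows are
constructed)."""
import ipaddress
import re

# Constructed network variable, as a snort.conf would define it.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)


def parse_rules(text):
    """Parse rules; a rule line starting with '#' is kept but marked disabled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        m = HEADER_RE.match(line.lstrip("# "))
        if not m:
            continue  # blank line or an ordinary comment
        rule = {**m.groupdict(), "enabled": enabled, "content": [], "pcre": None,
                "nocase": False, "msg": "", "sid": None, "rev": 1}
        # Options are ';'-separated key:value pairs (no ';' inside values here);
        # options this toy does not know (flow, classtype, ...) are ignored.
        for opt in m.group("opts").split(";"):
            key, _, val = opt.strip().partition(":")
            val = val.strip().strip('"')
            if key == "content":
                rule["content"].append(val)
            elif key == "nocase":
                rule["nocase"] = True
            elif key == "msg":
                rule["msg"] = val
            elif key in ("sid", "rev"):
                rule[key] = int(val)
            elif key == "pcre":  # Snort writes pcre as "/regex/flags"
                body, _, flags = val[1:].rpartition("/")
                rule["pcre"] = re.compile(body, re.IGNORECASE if "i" in flags else 0)
        rules.append(rule)
    return rules


def _addr_ok(spec, ip):
    addr = ipaddress.ip_address(ip)
    in_home = any(addr in net for net in HOME_NET)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_home
    if spec == "$EXTERNAL_NET":
        return not in_home
    return addr in ipaddress.ip_network(spec)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, flow):
    """True when an enabled rule's header, every content: and the pcre: all hold."""
    if not rule["enabled"] or rule["proto"] != flow["proto"]:
        return False
    if not (_addr_ok(rule["src"], flow["src"]) and _addr_ok(rule["dst"], flow["dst"])):
        return False
    if not (_port_ok(rule["sport"], flow["sport"]) and _port_ok(rule["dport"], flow["dport"])):
        return False
    payload = flow["payload"]
    hay = payload.lower() if rule["nocase"] else payload  # nocase applied to every content here
    if not all((c.lower() if rule["nocase"] else c) in hay for c in rule["content"]):
        return False
    return rule["pcre"] is None or rule["pcre"].search(payload) is not None


def alerts_for(rules, flows):
    """(sid, rev, flow name) for every enabled rule that fires on each flow."""
    return [(r["sid"], r["rev"], f["name"])
            for f in flows for r in rules if rule_matches(r, f)]


# Constructed rule sets. v2 disables the broad rule (commented out, sid kept)
# and ships rev:2, which needs cmd.exe in the request path, not the query string.
RULES_V1 = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
'''
RULES_V2 = r'''
# sid 1000001 rev:1 disabled: fired on intranet searches whose query mentioned cmd.exe
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe in request path"; content:"cmd.exe"; nocase; pcre:"/^GET \/[^?\s]*cmd\.exe/i"; sid:1000001; rev:2;)
'''

# Constructed flows (one request or response each); no real hosts involved.
FLOWS = [
    {"name": "request-for-cmd.exe", "proto": "tcp", "src": "198.51.100.7", "sport": 51000,
     "dst": "10.0.0.5", "dport": 80, "payload": "GET /scripts/cmd.exe HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"name": "kb-search", "proto": "tcp", "src": "198.51.100.7", "sport": 51001,
     "dst": "10.0.0.5", "dport": 80, "payload": "GET /search?q=cmd.exe HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"name": "server-response", "proto": "tcp", "src": "10.0.0.5", "sport": 80,
     "dst": "198.51.100.7", "dport": 51001, "payload": "HTTP/1.1 200 OK\r\n\r\nResults for cmd.exe"},
]

if __name__ == "__main__":
    print(alerts_for(parse_rules(RULES_V1), FLOWS))  # v1 fires on the search too
    print(alerts_for(parse_rules(RULES_V2), FLOWS))  # v2 fires only on the path hit
```

The server response never matches either rule set because its direction fails the `$EXTERNAL_NET -> $HOME_NET` header, which is the first thing a real engine checks before touching payload; the tuning gain between v1 and v2 comes entirely from the added `pcre:` option under the same sid with a bumped rev, so the alert history stays attributable to one rule.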

Throughput (Performance)

Check Point - IPS-1
• The product includes sensor products starting at performance levels of 50 Mbps, and supports Gigabit speeds of up to 4 Gbps when operating in IDS mode. As an IPS device, IPS-1 is rated up to 2 Gbps.
• IPS-1 sensors include multiple interfaces to monitor high-availability networks. If a primary server fails, the sensor is redirected automatically.
• The product is scalable to meet the growing demands of the enterprise. The product gives customers deploying hundreds of sensors the ability to manage all these sensors using a single interface. However, the system gets pricier with very large deployments.
• The IPS-1 2070 with 50 Mbps of IPS throughput starts at about $7,000, and maintenance and support costs vary depending on the class of support chosen by the customer. The 4070 with 200 Mbps of IPS throughput lists for $16,000, the 5070 is priced at $28,000 for 500 Mbps performance, and the performance range tops out at 2 Gbps of IPS throughput in the IPS-1 Power Sensor 2000, which lists for $115,000.

Cisco - IPS Series, Version 7.0
• Cisco IPS provides enterprise protection with Gigabit-speed analysis. The Cisco IPS-4270 performs at 4 Gbps for media-rich application environments. The IPS-4260 performs at 1 Gbps (IDS) and 800 Mbps (IPS), or at multi-Gigabit speeds (up to 8 Gbps) with load balancing. EtherChannel Load Balancing functionality allows the solution to scale up in performance. Eight EtherChannels are supported on a switch, which allows a total of eight devices to be linked to the EtherChannels. This is a networking feature that, when applied to a security application, provides load balancing by using switch features to spread traffic across multiple blades or multiple appliances.
• The IPS product includes support for advanced traffic normalization algorithms such as fragmentation reassembly.
• The Cisco IPS is competitively priced. The 4200 Series appliance starts at $11,995 for a 250 Mbps appliance and goes up to $89,995 for the 4 Gbps 4270 appliance. The Catalyst 6500 IDS module is priced at $29,995 and performs at 500 Mbps. Although the ASA 5500 line is considered a UTM appliance, customers at the low end typically buy the 5510 for combined IPS and firewall functions, delivering 150 Mbps performance for $5,995. This does not include the first year’s support. Support is delivered through the purchase of a “Cisco Services” contract. The price of this service contract is not included in the price of the various platforms.

IBM - Security Network Intrusion Prevention System
• The IBM Security Network IPS is very scalable, offering varying levels of performance, reaching multi-Gigabit levels. Performance is of particular importance to intrusion prevention appliances, because the device sits inline and must run in real time to keep up with traffic.
• The IBM intrusion prevention system technology is extremely flexible and scalable. The technology operates across a number of platforms, including the desktop, server, virtual server and network, and protection products include scanning and wireless solutions.
• To allow the GX 5208 and GX6116 Series sensors to operate on 10 Gbps network segments, IBM added the $35,000 Network Security Platform, which acts as a 10 Gbps aggregator for those devices. It does not require a separate bypass unit for active/active smart bypass functionality.
• The IBM Security Network IPS GX4004 through GX6116 Series ranges in price from $10,995 to $179,995. IBM does not include the first year’s maintenance and support in its pricing. The product line ranges from the GX4004 product with up to 200 Mbps throughput, to the GX6116 supporting up to 6 Gbps throughput, targeting large enterprises and carriers. For very large enterprises and carriers, IBM added the new IBM Security Network IPS for CrossBeam, which can deliver just under 40 Gbps of throughput using multiple modules in the CrossBeam chassis.

Sourcefire - 3D System
• Sourcefire provides a broad range of performance options, including multi-Gigabit performance levels that lead the industry. Sourcefire 3D appliances now reach speeds of up to 20 Gbps for analysis performance in a two-sensor cluster of its 3D 9900 high-end appliance, meeting the needs of most enterprise networks, including those with latency-sensitive applications such as VoIP.
• Sourcefire supports a failover design. Multiple sensors can be used in a load-balanced configuration to ensure high availability.
• Sourcefire IPSs include the ability to throttle traffic to thwart denial of service attacks and to rate-limit unproductive traffic such as Skype.
• Sourcefire offers nine IDP appliances, ranging from the entry-level 3D500 (a 5 Mbps T1-grade IDP) and 3D1000 (a 45 Mbps T3 device), to the midrange 3D2500 (a 500 Mbps sensor) and 3D3500 (a 1 Gbps sensor), to the high-performance 3D9900 (a 10 Gbps sensor). The company more recently added the ability to cluster two 3D9900 sensors to handle up to 20 Gbps of network traffic, which is load balanced across the two sensors without requiring a separate controller.
• The Sourcefire 3D appliances range in price from $3,995 to $259,995, not including first-year support.

TippingPoint - Intrusion Prevention System
• TippingPoint is very scalable, offering varying levels of performance. Performance is of particular importance to intrusion prevention appliances, because the device sits inline and must run in real time to keep up with traffic. TippingPoint IPS is a series of appliances with throughput ranging from sub-20 Mbps to 10 Gbps when the IPS is deployed in conjunction with the TippingPoint Core Controller.
• The TippingPoint Core Controller is an appliance that enables 10 Gbps of bi-directional traffic inspection by the TippingPoint IPS to provide infrastructure protection for mission-critical OSs and bandwidth-intensive applications. Driving the need for this high level of performance and scalability are data center consolidation and increased use of latency-sensitive applications such as video and voice (VoIP). The product targets large enterprises and service providers.
• The TippingPoint series offers two different model lines, including the low-end TippingPoint S10, S110, and S330 models for sub-20 Mbps to 300 Mbps performance, as well as the new, more modular N-Platform with four models that can more readily support multiple filter packs and additional planned security services. TippingPoint also offers an IPS blade for the HP A7500 Series switch, and it supports virtual server environments through the vController. The SMS Enterprise-Level Management System manages a mixture of those models, and the appliances can be deployed in a variety of locations on the network, including internal or external firewall connections, at the company’s core network infrastructure or data centers, or at remote branch offices.
• TippingPoint’s base cost per 100 Mbps of throughput is about $6,000, varying by platform. Pricing does not include the first year’s maintenance and support. Pricing ranges from $3,995 to $169,995.

Vendor Support

Check Point - IPS-1
• The SmartDefense subscription service provides vulnerability intelligence updates and advisories to customers. This service is included with the product for one year.
• Check Point SmartDefense Research and Response Centers are located in multiple regions around the globe and provide 24/7 research and coverage. The centers carry out research on network, protocol and application vulnerabilities, and actively monitor to identify vulnerabilities and potential exploits before they appear in the wild.
• To match customer priorities for specific attack surfaces, Check Point has emphasized signature development for vulnerabilities in Microsoft and Adobe applications, where it leads competitors in the number of signatures created for exploits and vulnerabilities in those application areas.
• IPS-1 customers have strong service and integration support through Check Point's strong channel program.
• Check Point has greatly expanded its SmartDefense Research and Response team, which focuses closely on IPS signature development, and continues to invest in additional tools and assets to deliver accurate, responsive and broad coverage.

Cisco - IPS Series, Version 7.0
• Cisco provides worldwide support for its IPS products through response teams based in all of the major international markets, including North America, South America, Europe/Middle East/Africa, and Asia-Pacific.
• Cisco provides 24/7 response capabilities through a rapid response team, which writes its own signatures and countermeasures to combat threats, as well as an internal team, the Product Security Incident Response Team (PSIRT), which focuses on disclosed vulnerabilities that affect Cisco devices. Signature updates are provided as needed on a 24/7 basis.
• Global Correlation updates are bundled with Cisco's services for its IPSs rather than priced separately. With the increased efficacy that Global Correlation brought to Cisco's IPSs, Cisco added a money-back guarantee in 2010: 100% coverage for all Cisco, Microsoft, and common enterprise application (e.g., Apache, Adobe, Oracle) vulnerabilities within 24 hours of announcement, and 90% of Cisco and Microsoft vulnerabilities covered within 90 minutes of their announcement.
• While half of Cisco customers deal directly with the vendor, more than half of Cisco IPS sales are fulfilled through channel partners.

IBM - Security Network Intrusion Prevention System
• IBM ISS provides worldwide support for its intrusion prevention appliance products through response teams based in numerous countries throughout North America, South America, Europe/Middle East/Africa and Asia-Pacific.
• IBM ISS delivers 24/7 response capabilities through the IBM ISS X-Force response team, which is dedicated to searching for malicious behavior before widespread attacks occur. IBM also tracks Internet threats through its Global Threat Operations Center (GTOC).
• IBM ISS' response team provides monthly signature updates and regular algorithm updates in response to suspicious activities.
• IBM ISS has some channel presence, bringing customers additional support through third-party integrators. About 70 percent of IBM Security Network IPS sales worldwide go through resellers, although in the U.S. the figure is closer to 50 percent.

Sourcefire - 3D System
• Sourcefire also draws on the open source community at large as a technical support resource.
• Sourcefire provides 24/7 support backed by its internal Vulnerability Research Team, which includes some 20 to 25 researchers and is growing.
• Signature updates are provided by Sourcefire's team once a week, and as necessary when new attacks appear.
• Sourcefire streamlined the updating of Snort rules by automating the download and application of new security enhancement updates, allowing users to focus on other priorities.
• Sourcefire's growth indicates that it is leveraging the channel more effectively, with a near doubling of channel-initiated business from 2009 to 2010. Sourcefire added 20 new channel partners in EMEA in 2010. Notable resellers include Dell; SRS, which serves the federal government; and Symantec, which uses the Sourcefire IPS as part of its managed security services business.
• Sourcefire sensors and RNA run on Intel-based hardware as well as Crossbeam Systems' X-Series hardware and Bivio Networks' high-end appliances.

TippingPoint - Intrusion Prevention System
• In addition to the internal DVLabs research team, TippingPoint receives raw intelligence feeds from organizations such as CERT, vendor advisories, and Bugtraq. The company also has a relationship with the SANS Institute (which provides certification training for security personnel): SANS delivers a newsletter, the @Risk Weekly Report, authored by TippingPoint, which goes to over 250,000 IT professionals.
• TippingPoint offers 24/7/365 response capabilities through its rapid response team.
• TippingPoint's rapid response service is called Digital Vaccine. TippingPoint provides updates twice a week (or more frequently in emergencies) to protect against the latest vulnerabilities, exploits, viruses, and rogue applications.
• TippingPoint customers have wide service and integration support through a strong channel program. TippingPoint sells the appliance indirectly about 90% of the time.
• TippingPoint's new ThreatLinQ portal exploits its global Lighthouse network of installations to allow customers to assess the latest threats and compare notes on how peers set policies in response to the changing threat landscape. The latest version of ThreatLinQ gives participants access to real-time attack data to help them tune their IPS filter settings and create custom profiles that can be ported to the SMS. About 2,000 customers contribute data to ThreatLinQ.

Column order in every row of the tables below: Check Point IPS-1 | Cisco IPS Series, Version 7.0 | IBM Security Network IPS | Sourcefire 3D System | TippingPoint IPS. Where a row is tagged [n of 5], extraction dropped the empty cells; the n surviving entries are listed in page order and cannot be attributed to a specific vendor from the page alone. Stray digits attached to a few cells ("6", "5", "2") appear to be footnote markers whose notes are not on the page.

Performance And Sizing
Intrusion Prevention: Yes | Yes | Yes | Yes | Yes
Intrusion Detection: Yes | Yes | Yes | Yes | Yes
In-line Test Mode: Yes | Yes | Yes | Yes | Yes
Simultaneous IDS/IPS Mode: No | Yes | Yes | Yes | Yes
Max. In-line IPS Throughput: 2 Gbps | Multi-gigabit with load balancing | Up to 15 Gbps | 20 Gbps | 20 Gbps (with Core Controller)
Max. IDS Monitoring Throughput: 4 Gbps | Multi-gigabit with load balancing | Up to 15 Gbps | 20 Gbps | 20 Gbps (with Core Controller)
Max. Virtualized IDS/IPS Policies [3 of 5]: Four fully virtualized sensors (state & policy with 2000 virtual pairs) | 4,096 | Approximately 100 virtual segments
Max. Interface Capability/Capacity [3 of 5]: 16 ports of GE | 16 | 2x10GbE, 10x1GbE SFP, 10x10/100/1000BaseTX (3x10GbE with Core Controller)
Monitoring Ports (IDS Mode): 8 | Up to eight physical ports, with up to 255 VLANs per port | Up to 16 | 12 | 10/100/1000BaseT, 1GbE SFP, 10GbE XFP
In-line Pairs (IPS Mode): 4 | Up to four physical pairs, with up to 2040 logical pairs | Up to 8 | 6 | 11 segments with a mix of 1GbE and 10GbE
TCP Reset Ports: Yes, 4 or 8 depending on mode | Yes | Yes | Yes | All ports
Management Network Ports: Yes, 1 | Yes, dedicated network ports | Up to 2 | Yes | 1
High Availability: Yes | Yes | Yes | Yes | Yes: Active/Active, Active/Passive, Zero-Power HA, Layer 2 Fallback, and Active/Passive Management
Fail-open: Yes | Yes | Yes | Yes | Yes
Fail-closed: Yes | Yes | Yes | Yes | Yes
Removable Hard Drive: Yes | Yes | No for GX4, Yes for GX5 and GX6 Series | No | Yes, removable flash on all N-Series products
Solid-State Memory Only (no hard drives) [3 of 5]: Yes | No | Yes
Interface Grouping: Yes | Yes | No | Yes | 2
Redundant Power Supply: Yes | Yes | Yes | Yes on some models | Yes
Utilizes Hard Drive for Operation [3 of 5]: No | Yes | In some models
10 Gigabit Ethernet Support [3 of 5]: Yes | Yes | Integrated 2x10GbE on 2500N and 5100N, 3x10GbE with Core Controller
10/100/1000 Support [3 of 5]: Yes | Yes | Ranges from two to five segments depending on the model

Detection
Vulnerability Attack Detection: Yes | Signatures are primarily vulnerability-focused. Vulnerability signatures are enhanced with Global Correlation, the first reputation-based service for IPS solutions. | Yes | Yes | Yes
Protocol Anomaly Detection: Yes | Yes | Yes | Yes | Yes
Attack Detection on Non-standard Ports and Application-tunnelled Traffic [2 of 5]: Yes | Yes
DoS Attack Detection: Yes | Yes | Yes | Yes | Yes
DoS Attack Prevention [3 of 5]: Yes | Yes | Yes
Stateful Signature Detection: Yes | Yes | Yes | Yes | Yes
No. of Network & Application Protocols: > 100 | Unlimited through universal engines | 197 | Unlimited | 500+
User-defined Signatures: Yes | Customers can create their own original signatures as well as modify existing Cisco-provided signatures. | Yes | Yes | Yes
Clone and Modify All Vendor-Provided Signatures [3 of 5]: Customers can create their own original signatures as well as modify existing Cisco-provided signatures. | No | No; ability to add custom filters for proprietary or homegrown Web applications
Detailed Visibility into All Parameters and Fields for All Signatures [3 of 5]: Yes | No | No
IPS and IDS for SSL-encrypted Traffic [3 of 5]: No | No | Yes
Evasion Detection / Resistance to IDS Attacks: Yes | Yes | Yes | Yes | Yes
Fragmentation Attack Detection: Yes | Yes | Yes | Yes | Yes
Asymmetric Routing Support: Yes in IPS mode, not in IDS mode | Yes | Yes | Yes | Yes
Web Application Firewall Capability [3 of 5]: Limited | Yes | Yes
Apply Policy on a Directional Basis [3 of 5]: Yes | Yes | Yes
VLAN-aware Detection: Yes | Yes | Yes | Yes | Yes
IPS and IDS for IPv6 Traffic [3 of 5]: Yes, the same sensor can inspect both IPv4 and IPv6 traffic | Yes | Yes
IPS and IDS for Tunnelled Traffic (IPv4 in IPv4, IPv6 in IPv6, IPv4 in IPv6, IPv6 in IPv4) [3 of 5]: Yes | Yes | Yes
Double-VLAN-aware Detection [3 of 5]: Yes | Yes | Yes
MPLS-aware Detection [3 of 5]: Yes | Yes | Yes
Behavioral Traffic/Flow-based Detection: Data not provided | Yes | No | Yes | Yes (roadmap)
Scan and Reconnaissance Detection: Data not provided | Yes | Yes | Yes | Yes
SYN Flood Attack Prevention with Proxy [3 of 5]: Yes | No | Yes
Phishing Attacks [3 of 5]: No, Cisco has a dedicated e-mail security product. | No | Yes
P2P Traffic Detection [3 of 5]: Yes | Yes | Yes
P2P Obfuscation Detection [3 of 5]: Yes | Yes | Yes
Full-connect TCP Connection DoS Detection [3 of 5]: Yes | Yes | Yes
Profile-driven Self-learning DoS Detection [3 of 5]: Yes | No | Yes
DNS DoS Detection [3 of 5]: Yes | Yes | Yes
ARP Spoofing Detection [3 of 5]: Yes | No | Yes
IP Spoofing Detection [3 of 5]: Yes | Yes | Yes
Botnet Detection [3 of 5]: Yes | Yes | Yes
Generic Buffer Overflow Detection Based on Detecting Embedded Shellcode [3 of 5]: Yes | Yes | Yes
Expose All Fields of All Protocols in User-Defined Signatures to Enable Customers to Write High-Fidelity Signatures [3 of 5]: Yes | Yes | Yes
Detection Engines/Technologies Capable of Update Without Update of Sensor Software [3 of 5]: Yes | Yes | Yes
Backdoor Detection: Data not provided | Yes | Yes | Yes | Yes

Other Features
Traffic Management to Rate-limit Traffic [3 of 5]: Yes | No | Yes
Marking of Packets Using DiffServ and 802.1p [3 of 5]: No | No | No, since it is a bump-in-the-wire solution
Stateful Access Control Lists (ACLs) [3 of 5]: Yes | No | Yes

Analysis
Third-party Event Integration: Yes | Yes | Yes | Yes | Yes
Built-in Real-Time Event Correlation: Data not provided | Yes | Yes | Yes | Yes
User-tunable Event Correlation: Yes | Yes | Yes | Yes | Yes
Cross-sensor Event Analysis: Data not provided | Through Cisco Security Manager | Yes | Yes | Yes
Full Packet Capture: Yes | Yes | Yes | Yes | Yes, configurable
Event Filtering: Yes | Yes | Yes | Yes | Yes
Additional Reference Data Provided: Yes | Yes | Yes | Yes | Yes
Event Annotation/Auditing: Yes | Yes | Yes | Yes | Yes
Event Description Updates: Yes | Yes | Yes | Yes | Yes
On-demand Vulnerability Assessment Capability [3 of 5]: No | No | Yes

Response Capabilities
Inline Attack Blocking [3 of 5]: Yes | Yes | Yes
TCP Session Reset (Passive Mode): Yes | Yes | Yes | Yes | Yes
Prior-to-attack Packet Logging [3 of 5]: Yes | Yes | Yes
Packet Logging [3 of 5]: Yes | Yes | Yes
Forensic Packet Logging [3 of 5]: Yes | Yes | Yes, with integrated trace capability; also integrated with Niksun
Alert Filters [3 of 5]: Yes | Yes | Yes
E-mail Notification: Yes | Yes | Yes | Yes | Yes
SNMP Interaction: Yes | Yes | Yes | Yes | Yes
SNMP Notification: Yes | Yes | Yes | Yes | Yes
Session Record: No | Yes | Yes | Yes | Yes
Console Response: Yes | Yes | Yes | Yes | Yes
Export Flows: Data not provided | Yes | Yes | Yes | Yes
Custom Response: Yes | Yes | Yes | Yes | Yes
Firewall Interaction: Yes | Yes | Yes | Yes | Yes
Router Interaction: Yes | Yes | Yes | Yes | Yes
Session and Flow Rate Limiting [3 of 5]: Yes | No | Yes
Quarantine Source and Remediation [3 of 5]: Yes, quarantine. No, remediation. | Yes | Yes
Rate Limiting (Port Number or Protocol-Detection Based) [3 of 5]: Yes | No | Yes
QoS Marking and Inspection [3 of 5]: Yes | No | No, since it is a bump-in-the-wire solution

Management
Secure Remote Management: Yes | Yes | Yes | Yes | Yes
Multi-sensor Management: Yes | Yes | Yes | Yes | Yes
Automatic Signature Update: No | Yes | Yes | Yes | Yes
Automatic Detection Engine Updates (not signatures) [3 of 5]: Yes | Yes | Yes, hitless OS updates
Auto-apply Signature Updates to Policies: Yes | Yes | Yes | Yes | Yes
Auto-enable Signature Blocking: Yes | Yes | Yes | Yes | Yes
Pre-defined Protection Policies: Yes | Yes | Yes | Yes | Yes
Clone/Copy Protection Policies: No | Yes | Yes | Yes | Yes
On-Off Toggle for Blocking: Yes | Yes | Yes | Yes | Yes
Data Storage: Yes | Yes | Yes | Yes | Yes
Secure Data Storage: Yes | Yes | Yes | Yes | Yes
External Data Storage: No | Yes | Yes, third-party adapter | Yes | Yes
Built-in Data Storage: Yes | Yes | Yes | Yes | Yes
Hierarchical Management (Manager of Managers) [3 of 5]: No | Yes | Yes
Default IPS Blocking Policy [3 of 5]: Yes | Yes | Yes
Disaster Recovery (MDR) [3 of 5]: Yes | Yes | Yes, management system can be redundant in different locations
Graphical, Drill-down Management [3 of 5]: Yes | Yes | Yes
User-Defined Signatures [3 of 5]: Yes | Yes | Yes
Troubleshooting Tools [3 of 5]: Yes | Yes | Yes
Ease of Use (e.g., wizard-based sensor setup, vulnerability analysis) [3 of 5]: Yes | Yes | Yes

Reporting
Scalable Information Presentation: Yes | Yes | Yes, via SiteProtector | Yes | Yes
Web-based Reporting: No | Yes | Yes | Yes | Yes
SQL Export: Yes | Export in XML format | Yes, via SiteProtector | Yes | Yes
Automated and Schedulable Reporting: Yes | Yes | Yes, via SiteProtector | Yes | Yes
Customizable Reports [3 of 5]: Yes | Yes | Yes
Audit Reports [3 of 5]: Yes | Yes | Yes

Integration/Correlation
Analysis of Firewall Alerts: No | Yes | Yes, via SiteProtector | No | Yes, with partners
Analysis of HIPS Alerts [3 of 5]: Yes | Yes | Yes, with partners
Analysis of HIDS Alerts: Yes | Yes | Yes, via SiteProtector | No | Yes, with partners
Correlation with Vulnerability Assessment Alerts [3 of 5]: Yes | Yes | Yes, with partners
Analysis of Vulnerability Assessment Alerts: Yes | Yes | Yes, via SiteProtector | Yes | Yes, with partners
Analysis of Third-party Network IDS Alerts: No | Yes | Yes, via SiteProtector | No | Yes, with partners
Data Export to Enterprise Management Product: Yes | Yes | Yes, via SiteProtector | Yes | Yes

Security Content
Dedicated Security Research & Response: Yes | Cisco Security Intelligence Operations has 500 researchers, analysts, and technicians researching, discovering, and reporting on threats daily. Cisco SensorBase analyzes 500 GB of data daily from 700,000+ sensors (including firewall, IPS, e-mail and web security appliances) worldwide. | ~100 worldwide | Yes | Yes
Regular Security Updates: Yes | Cisco provides both traditional signature updates and reputation updates from Cisco Global Correlation. Analyzing over 500 GB of data from 700,000+ sensors worldwide daily, Cisco SensorBase provides reputation updates to Cisco IPS sensors globally every 5 minutes, 100 times faster than signature-based IPS. | Average 20/year | Yes | Yes, at least twice a week
365x24x7 Outbreak Updates: Yes | Yes | Yes, automatically | Yes | Yes
Regular Threat Report: Yes | Yes | Yes, daily | Yes | Yes
Console-based Real-Time Vendor Notifications [3 of 5]: Yes | Yes | Yes, real-time DV announcements

Services Available
Full-Time Managed Services [4 of 5]: No | Yes 6 | Yes, through partners | Yes, through partners
SLAs with Managed Service: No | In addition to managed services guarantees for IPS, Cisco provides a 24-hour coverage guarantee for Cisco, Microsoft, and critical enterprise application vulnerabilities, as well as a "90% in 90 minutes" guarantee for Cisco and Microsoft vulnerabilities. | 5 | Yes, through partners | Yes, through partners
Strategic Planning Services: No | Yes | Yes | Yes | Yes
Deployment Services: Yes | Yes | Yes | Yes | Yes
Incident Response Services: No | Yes | Yes | Yes, through partners | Yes, through partners
Custom Filter Development Based on VA Input [3 of 5]: Yes | Yes | Yes
Worldwide Threat Analysis Tool (threats in the wild) [3 of 5]: Yes | Yes | Yes
Education Services: Yes | Yes | Yes | Yes | Yes
Security Assessment Services: No | Yes | Yes | Yes, through partners | Yes
On-site Spare Option [3 of 5]: Yes | Yes | Yes

Support Options
Telephone and Web Support: Yes | Yes | 24x7, Certified SCP Support | Yes | Yes
Product Notifications: Yes | Yes | Yes: online, e-mail, in-product notification | Yes | Yes
Software Upgrade Insurance: Yes | Software upgrades are included in standard support offerings | Yes | Yes | Yes
Year Appliance Hardware Warranty: Yes | 90-day warranty; hardware support and replacement are included in standard support offerings | Yes | Yes | Yes
Advanced Alerting Service: Yes | Yes | Yes | Yes | Yes
Access to Security Experts/Account Managers: Yes | Yes | Yes | Yes | Yes

Pricing
Appliance MSRP: Start at $7,000 (Sensor 50) | $11,995 up to $89,995 | $9,995-$188,995 | $3,995-$229,995 | $3,995-$169,995
(The product narrative above quotes $10,995 to $179,995 for the IBM GX series and $3,995 to $259,995 for the Sourcefire 3D line; the report does not reconcile the two sets of figures.)
First-Year Maintenance/Support: Depends on class of support chosen by customer; IPS-1 follows the standard Check Point support classes. | 24% of list for one-year contract | Varies | 15-22% | 18-21%
Renewal of Maintenance/Support: Depends on class of support chosen by customer; IPS-1 follows the standard Check Point support classes. | 24% of list price | Varies | 15-22% | 15-17%
Base Cost per 100 Mbps Throughput: Depends on model. Sensor 200 is $16,000 and delivers 200 Mbps IPS data rates, which equals $8,000 per 100 Mbps. | $2,250 | Varies | Varies significantly | ~$6,000, varying by platform
Flex Licensing (No Forklift Upgrades): Data not provided | Data not available | Yes | Yes | Yes
Licensing Model [4 of 5]: Data not provided | Price for device - throughput | Subscription IPS "per appliance"; RNA "per host"; RUA "per user" | Hardware: throughput + port count

All materials Copyright 1997-2011 Current Analysis, Inc. Reproduction prohibited without express written consent. Current Analysis logos are trademarks of Current Analysis, Inc. The information and opinions contained herein have been based on information obtained from sources believed to be reliable, but such accuracy cannot be guaranteed. All views and analysis expressed are the opinions of Current Analysis and all opinions expressed are subject to change without notice. Current Analysis does not make any financial or legal recommendations associated with any of its services, information, or analysis and reserves the right to change its opinions, analysis, and recommendations at any time based on new information or revised analysis.

Current Analysis, Inc.
21335 Signal Hill Plaza, Second Floor, Sterling, VA 20164
Tel: 877-787-8947
Fax: +1 (703) 404-9300

Current Analysis, Inc.
2 rue Troyon, 92316 Sevres Cedex, Paris, France
Tel: +33 (1) 41 14 83 17

http://www.currentanalysis.com