
Q4 2009 Network Intrusion Prevention System Test Executive Summary

Today, networks and data are more vulnerable than ever before. An essential part of layered security, network intrusion prevention systems (IPS) must be fast, accurate, and easy to deploy and maintain. During Q4 2009 NSS Labs performed the industry's most rigorous test of leading IPS solutions, including 1,159 validated exploits, the most ever performed in a test. As part of NSS Labs' independent testing information services, this report was produced for our enterprise subscribers. Leading vendors were invited to participate fully at no cost, and NSS Labs received no vendor funding. All devices were configured and tuned by the respective vendor's technical experts; the time required was recorded for purposes of estimating the ongoing tuning and total cost of ownership (TCO) calculations. Effectiveness and performance results were obtained with the vendor-tuned policies and then again using the default policies to provide readers with a high-low range of possible results.

Key Findings

· Protection varied widely. The difference between the least and most effective products was 72.2%. The least effective product achieved only a 17.3% block rate, while the most effective product achieved an 89.5% block rate.
· Tuning is required. Organizations that do not tune could be missing numerous "catchable" attacks. The average difference in protection between tuned and default settings was 18%.
· Evasion tripped up most IPS products. Only Sourcefire, IBM, and McAfee successfully resisted all evasion and obfuscation techniques.
· Vendor performance claims are overstated by 12% to 50%.
· The lower priced product is rarely the better value; sub-par protection is a poor investment at any price. Organizations should evaluate products based upon their value (protection, performance, and labor costs) within the context of a three-year TCO.

Product Guidance

NSS Labs' recommendations are based solely on empirical test data, validated over multiple iterations.

IPS Product Ratings (figure: products tested and recommendation status)

· IBM Proventia® Network IPS GX6116
· IBM Proventia Network IPS GX4004
· McAfee® M-8000 Sensor
· McAfee M-1250 Sensor
· Sourcefire 3D® 4500
· Cisco™ IPS 4260 Sensor
· Stonesoft StoneGate™ IPS-6105
· Stonesoft StoneGate IPS-1060
· Stonesoft StoneGate IPS-1030
· TippingPoint® 2500N IPS
· TippingPoint 660N IPS
· TippingPoint TP-10 IPS
· Juniper Networks® IDP800
· Juniper Networks IDP600C
· Juniper Networks IDP250

A product's effectiveness is handicapped if it fails to detect obfuscated exploits (evasion), and our product guidance is adjusted to reflect this. This is why the Cisco 4260 did not achieve "Recommended" status despite a respectable block rate.

Resistance to Evasion* (figure)

Product lines: IBM, McAfee, Sourcefire, Cisco, Juniper Networks, Stonesoft, TippingPoint
Evasion categories: IP Packet Fragmentation, TCP Stream Segmentation, RPC Fragmentation, URL Obfuscation, FTP Evasion

* Although the Sourcefire 3D 4500 failed to detect an RPC Fragmentation evasion attempt in our Q4 2009 test, a fix to the product resolving this issue was subsequently validated by us on February 10, 2010. Additionally, on May 19, 2010, TippingPoint called to our attention a bug in the fragroute evasion tool used in the initial test. This bug corrupted one of the 60 evasion techniques in the test. All products were re-tested with a version of fragroute that did not cause this issue. Those products that initially passed the test continued to pass. When re-tested, TippingPoint successfully resisted IP Packet Fragmentation attacks, as shown above.
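The evasion categories in the figure above are named but not explained in this summary. The following Python script is an added example, not NSS Labs' test harness or any vendor's detection code; it shows why a signature matched on raw traffic is handicapped against URL obfuscation and TCP stream segmentation, and what path normalization and stream reassembly buy a detector. The signature, the request URIs and the TCP segments are constructed for the demonstration, and the function names are hypothetical.

```python
"""
Added example (not NSS Labs' test harness or any vendor's detection
code): a signature matched on raw traffic versus the same signature
matched after normalization and stream reassembly. The signature,
request samples and TCP segments are constructed for this demonstration.
"""
from typing import Callable, List, Tuple
from urllib.parse import unquote

# Constructed signature: a request path the detector is meant to flag.
SIGNATURE = "/cgi-bin/vuln.cgi"

# Constructed request URIs: the plain form plus four obfuscated spellings
# of the same path (percent-encoding, double encoding, dot segments,
# doubled slashes). A web server resolves all of them to the same file.
OBFUSCATED_REQUESTS = [
    "/cgi-bin/vuln.cgi",
    "/cgi-bin/%76uln.cgi",
    "/cgi-bin/%2576uln.cgi",
    "/cgi-bin/./vuln.cgi",
    "/images/../cgi-bin//vuln.cgi",
]


def naive_url_match(url: str) -> bool:
    """Literal substring match on the raw request URI."""
    return SIGNATURE in url


def normalize_url(url: str) -> str:
    """Canonicalize a request path the way the target server would before
    matching: percent-decode (twice, so double encoding is undone),
    collapse repeated slashes and resolve '.' and '..' segments.
    Decoding twice can also produce false positives on literal '%25'
    input; a production engine would mirror the server's decoding rules."""
    path = unquote(unquote(url))
    while "//" in path:
        path = path.replace("//", "/")
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def normalized_url_match(url: str) -> bool:
    """Match the signature against the canonical form of the path."""
    return SIGNATURE in normalize_url(url)


def detection_rate(detector: Callable[[str], bool], samples: List[str]) -> float:
    """Fraction of samples the detector flags, analogous to a block rate."""
    return sum(1 for s in samples if detector(s)) / len(samples)


# --- TCP stream segmentation ---------------------------------------------
# Constructed segments as (sequence offset, payload), delivered out of
# order and split in the middle of the signature.
SEGMENTS: List[Tuple[int, bytes]] = [
    (10, b"in/vuln.cgi HTTP/1.0\r\n\r\n"),
    (0, b"GET /cgi-b"),
]
BYTE_SIGNATURE = SIGNATURE.encode()


def per_segment_match(segments: List[Tuple[int, bytes]]) -> bool:
    """Inspect each segment payload in isolation (no reassembly)."""
    return any(BYTE_SIGNATURE in payload for _, payload in segments)


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Order segments by sequence offset and join the payloads. Overlapping
    or retransmitted segments (what a tool like fragroute exercises) are
    not handled here; a real reassembler must also resolve those."""
    return b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))


def reassembled_match(segments: List[Tuple[int, bytes]]) -> bool:
    """Match the signature against the reassembled stream."""
    return BYTE_SIGNATURE in reassemble(segments)


if __name__ == "__main__":
    print("naive URL match rate:     ", detection_rate(naive_url_match, OBFUSCATED_REQUESTS))
    print("normalized URL match rate:", detection_rate(normalized_url_match, OBFUSCATED_REQUESTS))
    print("per-segment match:        ", per_segment_match(SEGMENTS))
    print("reassembled match:        ", reassembled_match(SEGMENTS))
```

On the constructed samples the raw-string detector flags one request in five, while the normalizing detector flags all five; the per-segment detector misses the signature split across two segments that the reassembling detector catches. The same gap is what the "Resistance to Evasion" figure measures per product: identical exploit, different presentation on the wire.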

Block Rate - Default vs. Tuned Policies

Product        Tuned    Default
Sourcefire     89.5%    65.3%
IBM            80.7%    43.5%
Cisco          78.4%    34.9%
McAfee         72.9%    66.9%
Stonesoft      62.9%    56.3%
TippingPoint   47.4%    42.6%
Juniper        17.3%    17.1%

About NSS Labs

NSS Labs, Inc. is the world's leading independent, information security research and testing organization. Its expert analyses provide information technology professionals with the unbiased data they need to select the right product for their organizations. Pioneering intrusion detection and prevention system testing with the publication of the first such test criteria in 1999, NSS Labs also evaluates firewall, unified threat management, anti-malware, encryption, web application firewall, and other technologies on a regular basis. The firm's real-world test methodology is the only one to assess security products against live Internet threats. As such, NSS Labs tests are considered the most aggressive in the industry and its recommendations and certifications highly coveted by vendors. Founded in 1999, the company has offices in Carlsbad, California and Austin, Texas. For more information, visit

© 2010 NSS Labs. All rights reserved. All brand, product, and service names are the trademarks, registered trademarks, or service marks of their respective owners. Printed in the U.S.A. 0710

2121 Palomar Airport Road, #300, Carlsbad, CA 92011 USA
(866) 427-1692
(760) 412-4627


