Radware offers a range of DefensePro appliances from 200Mbps to 3Gbps throughput. The DefensePro-3000 is based on a layer 7 switching architecture, providing a high port density appliance, with protection for up to 11 segments in a single box, enabling multi-Gigabit protection across multiple network segments with a single device. The DefensePro appliance performs bi-directional, stateful, deep packet inspection and hardware-accelerated signature matching to block intrusions. Dynamic traffic shaping ensures the continuity of mission critical applications by controlling end-to-end bandwidth to guarantee service levels. It also controls the bandwidth usage of various applications such as P2P, e-mail, Web, DNS, ERP, CRM and more. Overall, the performance of DefensePro is very good. Although recognition rates and resistance to false positives could be improved, throughput and latency are excellent under almost all network loads and across all packet sizes. We also found DefensePro to be very stable, surviving our extended reliability tests without missing a beat, and without blocking any legitimate traffic or succumbing to common evasion techniques. The device can be managed via a command-line interface (CLI), a basic Web-based management (WBM) utility, or via the more extensive Configware Insite (CWIS). All configuration and log capabilities are supported by all management options. When using CWIS, management, alert handling and reporting are relatively restricted, with no central policy deployment and limited alert handling capabilities. A new version is under development with more extensive reporting capabilities. There are four main components to the Radware DefensePro system:
The DefensePro appliances can be managed via CLI, WBM or CWIS (or a mixture of the three), using standard and secure communication channels: Telnet or SSH, HTTP or HTTPS and SNMP V1, 2C and 3. All configuration and log capabilities are supported by all management options. The DefensePro appliance is offered in three different models:
The device submitted for testing was the DefensePro-3000. Based on a layer 7 switch, this is a 1U appliance which sports 7 fibre Gigabit ports and 16 copper Fast Ethernet ports on the front panel. Management can be via any of the detection ports, or via the dedicated serial console port. There is no redundancy built in to the device (other than dual power supplies), and nor is there any High Availability solution on offer at present. Radware does, however, offer optional copper and fibre bypass devices to allow traffic to pass unimpeded should the DefensePro appliance fail.
Inside the appliance is 512MB of RAM, together with the four main components of the DefensePro hardware architecture:
44 Gbps Switching Fabric: DefensePro’s non-blocking 44 Gigabit backplane is based on a multi-layered distributed switching architecture using ASICs that ensure wire speed switching for the seven Gigabit ports and 16 Fast Ethernet ports.

Network Processors: The two network processors work in parallel and are capable of processing multiple packets simultaneously to provide accelerated layer 4-7 security switching. Between them they handle all tasks related to packet processing - including traffic forwarding and blocking, traffic shaping, and delayed binding for protection against SYN flooding - all at multi-Gigabit speeds. Prevention of Denial of Service attacks and SYN floods can be performed at a rate of up to 1 million SYNs per second. Detection and protection against layer 4 exploits is completed by the network processors and helps boost the performance when protecting against these types of exploits. If deeper packet inspection is required (i.e. layer 7 scanning), then packets are forwarded to the StringMatch Engine - a dedicated hardware card designed specifically to provide accelerated signature and pattern matching - for signature identification. Based on the StringMatch pattern matching result, which determines whether the packet is legitimate or part of a malicious attack, the network processor either forwards the packet or drops it and resets the session. In addition to cleaning all suspect traffic, the network processors enable end-to-end traffic shaping, managing bandwidth allocation to ensure continuous service levels for all secure traffic, guaranteeing the continuity and QoS of mission critical applications even under attack.

Radware StringMatch Engine: The Radware StringMatch Engine is a dedicated hardware card designed specifically to provide accelerated deep packet inspection and signature matching.
The StringMatch Engine consists of up to 8 ASICs, enabling 256,000 parallel string searches, and a high end Power PC RISC processor for scheduling and running the parallel search algorithms. Theoretically, the StringMatch engine provides 9 Gigabits of free-range searches and 16 Gigabits of fixed offset searches for unmatched performance.
CPU: DefensePro sports a 1GHz RISC processor (Motorola PPC 7457) to manage and prioritise all security sessions. The CPU identifies all current attacks and controls active operations across the StringMatch Engine and the Network processors to isolate, block and prevent attacks, while overseeing all security updates and networking requirements.

Web-Based Management Interface: Each DefensePro appliance can be managed directly via a Web-Based Management (WBM) interface running on the built-in Web server. This provides access to all the main management, configuration, and alert handling functions via a browser-based GUI which can be used to connect to, and manage, a single device at a time. A text-based CLI is provided for direct management via the serial console or Telnet/SSH connections. All configuration operations can be performed via the CLI, including attack filter creation, policy configuration, etc. Reports are also available for CLI users, including top attack reports and detailed event logs. Configware Insite is a Java-based site-wide SNMP software management tool that is designed to enable unified administration, visibility and control of IP application performance and security across the enterprise.
Based on an easy-to-use site map interface, Configware Insite allows the administrator to draw his network on-screen, configure Radware Intelligent Application Switching devices, and set up SynApps ‘Application Aware’ Services, to address end-to-end IP application service requirements. Devices are simply placed, connected and configured in a visual environment to create site-wide topologies, establish device redundancies and set up device networking parameters. Configware Insite’s statistics module provides real-time and historical views of actual application performance levels for monitoring site wide operations and simple pinpointing of vulnerabilities and failures. This affords complete visibility and control over the performance of Web and application servers, security tools, cache servers, and Internet links. Configware Insite enables the configuration of SynApps application aware services, extending control over application requirements across layers 4-7 including:
Within this context, DefensePro appliances can be added to the Configware Insite site map, following which they can be configured and managed along with all other Radware devices on the network. Security alerts are handled in the same way as other device alerts on the Configware Insite screen. Configware Insite can operate in two-tier architecture or three-tier using client-server mode. The client-server mode allows system administrators to manage remote Radware devices while reducing the amount of SNMP traffic flowing through the WAN.

The aim of this section is to verify that the sensor is capable of detecting and blocking exploits when subjected to increasing loads of background traffic up to the maximum bandwidth supported as claimed by the vendor. For each type of background traffic, we also determine the maximum load the IPS can sustain before it begins to drop packets/miss alerts. It is worth noting that devices which demonstrate 100 per cent blocking but less than 100 per cent detection in these tests will be prone to blocking legitimate traffic under similar loads.

The DefensePro is rated by Radware at 3Gbps, and was tested to 1Gbps in this test. It turned in a good performance in almost all the tests, indicating that it can easily handle 1Gbps (and more) of normal network traffic. DefensePro detected and, more importantly, blocked all attacks even when subjected to extreme loads, and under all other load conditions it performed well. At the more extreme loads (approaching 1Gbps at the higher connection rates), the device did exhibit slightly higher HTTP response times, and the occasional failed TCP connection. We also noted an inability to process the full 20,000 connections per second at 1Gbps, or the full 10,000 delayed connections per second at 1Gbps (see Test Results section for full details). Despite this, we would rate DefensePro as a true 1Gbps device.
DefensePro’s basic latency figures were excellent across the board under all traffic loads (probably due to the fact the device is based on a switching architecture), ranging from 117µs with 250Mbps of 256 byte packets, to 201µs with 1Gbps of 1000 byte packets. Behaviour throughout the tests with no background traffic was consistent and predictable, with minimal increases as additional network load was applied from 250Mbps to 1Gbps. There were also minor increases when placing the device under a half load of 500Mbps of HTTP traffic, rising from 117µs to 160µs with 256 byte packets, 140µs to 183µs with 550 byte packets, and from 179µs to 219µs with 1000 byte packets. 100Mbps of SYN flood traffic was barely registered by the device, resulting in negligible (less than 10µs) increases in latency compared with the base figures.

HTTP response times were very good overall and, once again, the addition of a 100Mbps SYN flood attack had a negligible effect on the performance. Overall, latency figures were considered to be excellent for a device of this type under all load conditions and packet sizes. Clearly this device can be placed anywhere on the corporate network - from the perimeter to a heavily-loaded high-speed backbone - without significantly impacting overall network performance in any way.

DefensePro performed consistently and completely reliably throughout our tests. Under eight hours of extended attack (comprising millions of exploits mixed with genuine traffic) it continued to block 100 per cent of attack traffic, whilst passing 100 per cent of legitimate traffic. Exposing the sensor interface to ISIC-generated traffic had no adverse effect, and the device continued to detect and block all other exploits throughout and following the ISIC attack. Please refer to the Testing Methodology section for full details of the methodology used and performance results.
We installed one sensor with the latest updates, and enabled all signatures except for Protocol Anomalies and the Archive group (i.e. retired signatures). Signature recognition was improved to 88 per cent following the application of a signature update after 24 hours, increased from a barely adequate 71 per cent out of the box. Blocking performance was one per cent higher throughout, due to one exploit being consistently blocked without an alert being raised. We consider this level of performance to be only just acceptable. Performance in our “false negative” tests was poor out of the box, and although it improved following the signature update, there were still five misses out of the 14 test cases. This could indicate that many signatures are written for specific exploits rather than for the underlying vulnerability - perhaps an over-reliance on basic pattern matching rather than protocol decode. A major concern in deploying an IPS is the blocking of legitimate traffic. All the tests passed successfully upon signature file update, although DefensePro turned in a less than perfect performance out of the box, failing in 5 out of 17 test cases. Resistance to known evasion techniques was very good, with the DefensePro achieving a clean sweep across the board in most of our evasion tests. Fragroute and Whisker both failed to deceive the device into ignoring valid attacks, and many of the attempts were decoded accurately. Of the miscellaneous evasion techniques, changing ports on Trojan programs and using RPC fragmentation both proved troublesome. Out of the box, Radware claims that DefensePro can handle approximately 1,100,000 open connections with IP and TCP reassembly disabled (the default is 800,000). We did not attempt to verify this in our tests since we believe such anti-evasion features should always be enabled. 
We were able to verify up to 500,000 connections without tuning, but it was not possible to increase this to 1 million, since the device did not have enough memory to support this level of open connections with IP and TCP reassembly enabled. We also felt that the session ageing time was too low, causing state to be lost too early. Stateless “exploits” are not alerted upon (this is correct behaviour in order to be resistant to Stick and Snot tools) and mid-flows are blocked by default (a mid-flow violation alert is raised). It is, however, possible to configure the device to allow mid-flows, and there is a configurable “grace period” where they are not enforced following a power-cycle to prevent blocking of legitimate traffic should the device come on-line in mid session. Please refer to the Testing Methodology section for full details of the methodology used and performance results.

This part of the test procedure consists of a subjective evaluation of the features and capabilities of the product, and covers installation, configuration, policy editing, alert handling, and reporting and analysis.

Initial configuration of networking parameters is carried out via the serial console, following which the management software is installed. In addition to the text-based command-line interface (CLI), DefensePro can be managed via the built-in Web Based Management (WBM) interface, which provides immediate and very comprehensive graphical two-tier management for a single device over a standard HTTP/HTTPS connection. However, Configware Insite provides more extensive multi-device management and reporting capabilities via SNMP. Rather than focusing on a single device, Configware Insite presents the entire network configuration in a graphical format (the network diagram can be created on-screen), with settings and configuration options organised in a logically related manner.
Once the software has been installed, the DefensePro First Time Wizard enables the administrator to configure a blank DefensePro device from scratch with relevant protection polices that match his required network design and deployment scenario. As the Wizard progresses, the administrator is prompted to enter the port configuration and the security policy to use initially, selected from a list including corporate gateway, DMZ, DMZ mail, DMZ Web, corporate LAN, carrier/POP, or university LAN. Each of these policies provides a basic configuration of signatures/filters which Radware feels is suitable for the intended deployment scenario.
Finally, the administrator specifies the network and VLAN configuration, and the reporting target (remote or local database where alerts are stored for analysis). The device is then ready to connect to the network and is enabled using a policy suitable for the deployment scenario specified in the Wizard.

In Static Forwarding mode DefensePro functions as a completely transparent network device. Scanning ports have a one-to-one forwarding ratio, where the traffic that comes from the receiving port is always sent out from its corresponding transmitting port. The ports are paired, meaning one port receives traffic while another transmits traffic. For each pair of ports the administrator selects the physical inbound port and the physical outbound port, plus the operation mode of the pair. There are two available operation modes: Switch and Process. When a port pair is set to operate in the Switch mode, the traffic is switched straight through the device without any inspection. When the ports are set to operate in the Process mode, the traffic passes through the inspection engine where it is inspected for attacks, bandwidth control, and so on. The processing of the traffic is performed by means of the various Bandwidth Management and Security filters. Both the inbound and outbound traffic to the organisation are processed, allowing the application of security policies and traffic shaping rules on traffic in both directions. Scanning/detection ports are “invisible” to the network and thus can not have IP addresses. Any of the other physical ports on the device can be configured as a management port and will have an IP address allocated. Traffic received on the management port is not forwarded to any other ports, but is handled by the device itself.

A detailed User Guide is provided in electronic format only. This document is very comprehensive, and appears to be accurate and well written. The User Guide provides far more than basic instructions on using the GUI.
It also offers plenty of background information covering the functions of the various options and parameters in depth, as well as good advice on deployment. Although DefensePro includes both a CLI and a direct basic Web-Based Management system as part of the product, this paper will concentrate purely on the more advanced Configware Insite product, which is also included out of the box.
On first entering Configware Insite the administrator is presented with a graphical display of the site, which can be populated with icons of switches, routers, and other network elements as well as DefensePro units. These can be linked together to highlight physical or logical network links, and any of the DefensePro devices can be managed from here providing the administrator is authorised to do so. However, it is still necessary to connect to individual devices in order to manage them or view alerts and reports - no consolidated view of all devices is available, and nor is it possible to define a single policy and push to all devices simultaneously or in groups. Site layouts can be saved for later recall.

Any number of users can be defined, and these can be allocated to Configware Insite as a whole (to allow use of the management interface) and to individual DefensePro appliances within the site. Thus separate administrators can be assigned different IPS devices to manage. Two levels of granularity only are available for user accounts: administrator and operator.

New DefensePro devices can be added quickly and easily in the site map by defining the IP address and port parameters (which ports are used for detection, management, etc.). The administrator defines which communications services are running on the management port (Telnet, HTTP, HTTPS or SSH), and can also configure basic device monitoring (checking availability of devices) with alerts appearing on the site map.

The Signature File Update feature provides constant updates of the Signature database (this is an extra-cost maintenance option). During the update process Configware Insite connects to the Radware Web site to acquire the file for the specified device. An updated Signature file can be found on the Radware website every Monday, though the site can be updated on any other day if an emergency update is required.
Updating of the Signatures file can be performed via an automatic download and update process, or can be performed manually on demand. Protection policies are defined in the Connect & Protect table. This has a number of rows, giving it the appearance of a typical firewall rules table, and a set of global configuration parameters that apply across all policies. The following general security settings can be applied in the Security Parameters window:
Every row in the Connect & Protect Table represents a policy. A security policy contains security profiles that are activated within predefined ranges of ports/VLANs, or within a predefined network. The first task, therefore, is to define the scope of each policy in terms of IP address range, VLAN tag, inbound or outbound traffic, and so on. Although this may seem trivial, it does actually give rise to a very powerful feature of the DefensePro system, since it is possible to define many different policies and have each one apply to only a subset of the protected network (right down to individual hosts, if required). For example, it would be possible to define a global policy which applies every protection feature, and then turn off DDOS protection and anti-scanning protection for a subset of hosts.
Once the scope has been defined, the rest of the policy row is divided into columns representing the various security subsystems:
Clicking within any of the security modules allows protection profiles to be added to that module to process traffic in a specific way. One or more profiles can be created for each security module and the profiles can then be associated with a policy. The administrator is able to choose from an extensive range of signatures to add to a profile, and signatures are grouped together to make this process easier - for example, providing the ability to create a “Web” profile, and then select three or four groups of signatures dealing purely with Web exploits. Where the pre-defined groups are not acceptable, the administrator can duplicate them and edit the duplicates to add or remove signatures as required. Unfortunately, there is no search facility, making it difficult to identify and locate individual signatures or groups of signatures when creating custom groups. Once a group has been added to a profile, it is no longer possible to enable or disable individual signatures within it. Instead, it is possible only to enable or disable entire groups within the profile. This is a shame, since it makes it very difficult to fine tune profiles without having to completely recreate the groups of signatures which comprise them. It would be preferable for each group and each signature within a group to have a check box against it in order to be able to enable or disable as required within a profile.
Individual signatures have a range of editable parameters:
These can be set on a per-signature basis, but unfortunately there is no way to apply bulk edits - say amending all IIS signatures to High severity. Conversely, the ability to drop a bad session (i.e. drop malicious packet and then mark the remaining session as bad) is only available as a global setting, and cannot be set on a per-signature basis. This should be made available as an additional Action Mode alongside the Drop Packet option. Custom signatures can be created from scratch if required, and assigned to custom groups before being added to a profile. Signature definition is not for the faint-hearted, but Radware has produced a good interface here which makes it as straightforward as it is possible to be.
Once Profiles have been created for each of the security modules required, the overall Action parameter can be specified for the Policy:
As mentioned before, multiple Policies can be defined within the same Connect & Protect table, each with different signature Profiles and actions, and each applying to different hosts or ranges of IP addresses. This is an extremely powerful and flexible system that provides very fine-grained control over a corporate security policy. It is a shame that in larger deployments it is not possible to define a single policy and then apply to multiple devices. This would seem to be a basic requirement in an enterprise IPS management platform.

When an attack is detected, the device creates a security event that includes the information relevant to this specific attack. Once an event has been created, the device reports it using several optional channels:
The Attack Log screen is divided into three panes. The alerts appear in the upper right pane, and selecting any alert displays detailed information about the exploit in the lower right pane. The pane running down the left hand side of the screen contains a number of pre-defined filters allowing the administrator to quickly and easily restrict the display to alerts classified as High, Medium or Low Severity, Anomalies, Anti-Scanning, DOS or Intrusions. This pane also allows the definition of simple custom filters which can be stored and applied by checking the boxes next to them. A nice touch here is that multiple custom filters can be applied by checking more than one box, thus it is possible to build more complex filters in this way (although complex combinations of filters cannot be saved for re-use later). Each alert entry shows the following information:
When configured, it is also possible to view the raw packet data from the single packet which triggered the alert.

Alerts are transmitted from the IPS device to the management station - such as Configware Insite (as well as other third party products, if required) - via SNMP traps. Trap notification is set up through the device’s Target Address table where the administrator specifies SNMP parameters and selects which type of notification the target server will receive. In the Community Table, the administrator can designate that specific users have access to the traps.

Security events are also logged to an all-purpose cyclic Log File. The device’s Log File can be obtained at any time, but is of limited size. When the number of entries is beyond the permitted limit, the oldest entries are overwritten. Notifications are raised when the file is 80 per cent utilised, and 100 per cent utilised.

The Attack Reports Desktop allows the administrator to access all the reporting options. Attack reports provide attack performance and impact on the network in a graphical layout. Historical reports show attack activity over time, and it is possible to view the top ten attacks on the system and how they change over a specified period. Attack reports are created using information selected from security event logs. Radware provides a set of predefined reports to examine the type of attacks affecting the protected network, and their volume, bandwidth or severity. It is also possible to select individual bars or pie-sections on the graphical reports and drill down (one level only) to view the data behind them. The following predefined Attack Reports are available:
Along with predefined reports that provide pre-configured types of network analysis, it is possible to set filtering parameters to create custom reports for viewing attack activity. It is possible to create graphs for high-level views or more detailed drill-down views of network attacks, though, once again, it is not possible to save complex filter combinations as complete custom reports.
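The cyclic Log File described above (fixed size, oldest entries overwritten once full, notifications at 80 per cent and 100 per cent utilisation), modelled in Python as an added example that is not Radware's code; the capacity and event names are constructed, and the counters show how many events are lost if the file is only collected after the 100 per cent notification:

```python
"""Cyclic security-event log with utilisation notifications.

Added example, not Radware's code: a model of the Log File behaviour the
review describes (fixed size, oldest entries overwritten once the limit is
reached, notifications when the file is 80 per cent and 100 per cent utilised).
The capacity and the event names are constructed for this illustration.
"""
from collections import deque
from typing import Deque, List, Optional, Set, Tuple


class CyclicLog:
    def __init__(self, capacity: int) -> None:
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self._buf: Deque[str] = deque(maxlen=capacity)  # deque drops the oldest entry itself
        self.total_written = 0          # events ever appended
        self.overwritten = 0            # events lost because the file was already full
        self._notified: Set[int] = set()  # thresholds already announced

    def utilisation_pct(self) -> int:
        return len(self._buf) * 100 // self.capacity

    def append(self, event: str) -> Optional[str]:
        """Store one event; return a notification the first time 80 or 100 per cent is reached."""
        if len(self._buf) == self.capacity:
            self.overwritten += 1       # the oldest entry is about to be overwritten
        self._buf.append(event)
        self.total_written += 1
        for pct in (80, 100):
            # Integer comparison avoids floating-point edge cases at the threshold.
            if len(self._buf) * 100 >= pct * self.capacity and pct not in self._notified:
                self._notified.add(pct)
                return f"log file {pct} per cent utilised"
        return None

    def entries(self) -> List[str]:
        """What an administrator retrieving the Log File now would receive."""
        return list(self._buf)


def simulate(capacity: int, n_events: int) -> Tuple[CyclicLog, List[Tuple[int, str]]]:
    """Append n_events constructed events; return the log and the notifications raised."""
    log = CyclicLog(capacity)
    notifications: List[Tuple[int, str]] = []
    for i in range(1, n_events + 1):
        note = log.append(f"event-{i}")
        if note is not None:
            notifications.append((i, note))
    return log, notifications


if __name__ == "__main__":
    log, notes = simulate(capacity=10, n_events=15)
    print(notes)
    print("overwritten:", log.overwritten, "retained:", log.entries())
```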
Executive Security reports can be generated and exported in HTML format. These reports allow the generation of reports that are composed of more than one graph. The Executive Report can include one or more of the following reports, all displayed as pie charts:
Apart from the usual reports and graphs, Configware Insite provides a useful Security Dashboard feature providing a real time attack view displaying the most recent attack activity in the network. The Security Dashboard also provides extracts of key Attack Reports and the immediate status of specific attacks. These reports graph the most intensive (top) attacks by packet volume, and the Dashboard can be refreshed automatically at user-defined intervals.
The Dashboard has two panels. To the left is the Top Security Attacks Radar, which displays the most intensive attacks currently in the system, whilst to the right are four graphs which graph the top attacks in the network and their severity. These four graphs provide a more comprehensive picture of real-time attacks to the system by mapping the following:
Performance

The aim of this section is to verify that the sensor is capable of detecting and blocking exploits when subjected to increasing loads of background traffic up to the maximum bandwidth supported as claimed by the vendor. For each type of background traffic, we also determine the maximum load the IPS can sustain before it begins to drop packets/miss alerts. It is worth noting that devices which demonstrate 100 per cent blocking but less than 100 per cent detection in these tests will be prone to blocking legitimate traffic under similar loads. The DefensePro is rated by Radware at 3Gbps, and was tested to 1Gbps in this test. It turned in a good performance in almost all the tests, indicating that it can easily handle 1Gbps (and more) of normal network traffic. DefensePro detected and, more importantly, blocked all attacks even when subjected to extreme loads, and under all other load conditions it performed well. At the more extreme loads (approaching 1Gbps at the higher connection rates), the device did exhibit slightly higher HTTP response times, and the occasional failed TCP connection. We also noted an inability to process the full 20,000 connections per second at 1Gbps, or the full 10,000 delayed connections per second at 1Gbps (see Test Results section for full details). Despite this, we would rate DefensePro as a true 1Gbps device. DefensePro’s basic latency figures were excellent across the board under all traffic loads, ranging from 117µs with 250Mbps of 256 byte packets, to 201µs with 1Gbps of 1000 byte packets. Behaviour throughout the tests with no background traffic was consistent and predictable, with minimal increases as additional network load was applied from 250Mbps to 1Gbps. There were also minor increases when placing the device under a half load of 500Mbps of HTTP traffic, rising from 117µs to 160µs with 256 byte packets, 140µs to 183µs with 550 byte packets, and from 179µs to 219µs with 1000 byte packets.
100Mbps of SYN flood traffic was barely registered by the device, resulting in negligible (less than 10µs) increases in latency compared with the base figures. HTTP response times were very good overall and, once again, the addition of a 100Mbps SYN flood attack had a negligible effect on the performance. Overall, latency figures were considered to be excellent for a device of this type under all load conditions and packet sizes. Clearly this device can be placed anywhere on the corporate network - from the perimeter to a heavily-loaded high-speed backbone - without significantly impacting overall network performance in any way. DefensePro performed consistently and completely reliably throughout our tests. Under eight hours of extended attack (comprising millions of exploits mixed with genuine traffic) it continued to block 100 per cent of attack traffic, whilst passing 100 per cent of legitimate traffic. Exposing the sensor interface to ISIC-generated traffic had no adverse effect, and the device continued to detect and block all other exploits throughout and following the ISIC attack.

Security Effectiveness

We installed one sensor with the latest updates, and enabled all signatures except for Protocol Anomalies and the Archive group (i.e. retired signatures). Signature recognition was improved to 88 per cent following the application of a signature update after 24 hours, increased from a barely adequate 71 per cent out of the box. Blocking performance was one per cent higher throughout, due to one exploit being consistently blocked without an alert being raised. We consider this level of performance to be only just acceptable. Performance in our “false negative” tests was poor out of the box, and although it improved following the signature update, there were still five misses out of the 14 test cases.
This could indicate that many signatures are written for specific exploits rather than for the underlying vulnerability - perhaps an over-reliance on basic pattern matching rather than protocol decode. A major concern in deploying an IPS is the blocking of legitimate traffic. All the tests passed successfully upon signature file update, although DefensePro turned in a less than perfect performance out of the box, failing in 5 out of 17 test cases. Resistance to known evasion techniques was very good, with the DefensePro achieving a clean sweep across the board in most of our evasion tests. Fragroute and Whisker both failed to deceive the device into ignoring valid attacks, and many of the attempts were decoded accurately. Of the miscellaneous evasion techniques, changing ports on Trojan programs and using RPC fragmentation both proved troublesome. Out of the box, Radware claims that DefensePro can handle approximately 1,100,000 open connections with IP and TCP reassembly disabled (the default is 800,000). We did not attempt to verify this in our tests since we believe such anti-evasion features should always be enabled. We were able to verify up to 500,000 connections without tuning, but it was not possible to increase this to 1 million, since the device did not have enough memory to support this level of open connections with IP and TCP reassembly enabled. We also felt that the session ageing time was too low, causing state to be lost too early. Stateless “exploits” are not alerted upon (this is correct behaviour in order to be resistant to Stick and Snot tools) and mid-flows are blocked by default (a mid-flow violation alert is raised). It is, however, possible to configure the device to allow mid-flows, and there is a configurable “grace period” where they are not enforced following a power-cycle to prevent blocking of legitimate traffic should the device come on-line in mid session. 
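The stateful behaviour described above (mid-flow packets dropped with a mid-flow violation alert, a configurable grace period after a power-cycle, an operator override to allow mid-flows, session state aged out when idle, and stateless "exploits" never matched against signatures) as a small Python model; this is an added example, not Radware's code, and the field names, timings, addresses and the single signature pattern are all constructed for the illustration:

```python
"""Stateful mid-flow handling with session ageing and a post-boot grace period.

Added example, not Radware's code: a model of the behaviour the review
describes (mid-flow packets dropped with a "mid-flow violation" alert, a
configurable grace period after power-cycle during which they are tolerated,
an operator override to allow mid-flows, session state aged out when idle,
and stateless packets never matched against signatures). All field names,
timings, addresses and the sample signature are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed signature table: name -> byte pattern (not a real Radware signature).
SIGNATURES: Dict[str, bytes] = {"example-cgi-probe": b"/cgi-bin/example-bad"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset          # TCP flags present, e.g. frozenset({"SYN"})
    ts: float                 # seconds since the sensor booted
    payload: bytes = b""


@dataclass
class Verdict:
    action: str               # "forward" or "drop"
    alert: Optional[str] = None


@dataclass
class StatefulInspector:
    grace_period: float = 60.0     # seconds after boot during which mid-flows are tolerated
    session_age: float = 120.0     # idle seconds before a session's state is discarded
    allow_midflow: bool = False    # operator override described in the review
    sessions: Dict[Tuple[str, str], float] = field(default_factory=dict)  # key -> last seen

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str]:
        # Bidirectional key so that replies map to the same session entry.
        a, b = sorted((p.src, p.dst))
        return (a, b)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.sessions.items() if now - seen > self.session_age]
        for k in stale:
            del self.sessions[k]

    def inspect(self, p: Packet) -> Verdict:
        self._expire(p.ts)
        key = self._key(p)
        opens_session = "SYN" in p.flags and "ACK" not in p.flags
        if opens_session:
            self.sessions[key] = p.ts
        elif key not in self.sessions:
            # No state for this packet: it is a mid-flow packet.
            if not (self.allow_midflow or p.ts < self.grace_period):
                # Dropped and alerted on as a mid-flow violation; the payload is
                # never examined, so stateless "exploits" raise no signature alert.
                return Verdict("drop", alert="mid-flow violation")
            # Tolerated (grace period or override): adopt the flow so that later
            # packets are tracked. Assumption: adopted flows are inspected like any other.
            self.sessions[key] = p.ts
        else:
            self.sessions[key] = p.ts   # refresh the idle timer
        # Only packets that belong to tracked state reach signature matching.
        for name, pattern in SIGNATURES.items():
            if pattern in p.payload:
                return Verdict("drop", alert=f"signature:{name}")
        return Verdict("forward")


def run_scenario(allow_midflow: bool = False) -> List[Tuple[str, Optional[str]]]:
    """Replay a constructed packet sequence and return (action, alert) per packet."""
    ins = StatefulInspector(allow_midflow=allow_midflow)
    bad = SIGNATURES["example-cgi-probe"]
    packets = [
        Packet("10.0.0.1", "10.0.0.2", frozenset({"ACK"}), 5.0),         # mid-flow inside the grace period
        Packet("10.0.0.3", "10.0.0.4", frozenset({"SYN"}), 200.0),       # new session
        Packet("10.0.0.3", "10.0.0.4", frozenset({"ACK"}), 201.0, bad),  # exploit inside a tracked session
        Packet("10.0.0.5", "10.0.0.6", frozenset({"ACK"}), 300.0, bad),  # stateless exploit (Stick/Snot style)
        Packet("10.0.0.1", "10.0.0.2", frozenset({"ACK"}), 400.0),       # flow from t=5 has aged out
    ]
    return [(v.action, v.alert) for v in (ins.inspect(p) for p in packets)]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The last packet shows the ageing effect the review complains about: legitimate traffic on a quiet but live connection is re-classified as a mid-flow once its state has been discarded.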
Usability

With multiple methods of managing the device, DefensePro gives the administrator a choice of how to approach management tasks. The system offers a full-featured, text-based command-line interface, a two-tier system using a browser-based interface, and a three-tier system using a Java-based interface. We found the dashboard with its "radar" display both attractive and useful, given that it also supports limited drill-down.

DefensePro is straightforward to install, configure and manage on a daily basis. Policy creation is very flexible and powerful, though not always as intuitive as we would like. We would like to see some refinement of the policy editor, notably a search function for individual signatures and groups of signatures, and the ability to enable and disable individual signatures as well as groups once they have been added to a profile.

The biggest issue, however, is the inability to manage multiple devices simultaneously. Although all devices can be managed from a central console, it is necessary to connect to each individual device in order to deploy policies. It should be possible to create a single policy for subsequent distribution to multiple DefensePro devices; this is a serious omission for an enterprise-class IPS.

Alert handling is adequate, but lacks the ability to select individual elements of an alert and drill down or up to analyse the attack further. For example, it would be useful to highlight the source IP address in one alert, right-click, and generate a view of all attacks from that same source address. Radware is rolling out a new CWIS version that will support such drill-down. It would also be useful to be able to go straight from an alert to the corresponding signature within a policy, in order to disable it or fine-tune its configuration parameters.
Reporting is adequate, with high-level graphical views offering the ability to drill down to the detail beneath, although we would prefer to be able to drill down more than one level.