Is the product supplied as software only or as a hardware appliance? If supplied as
an appliance, please provide the hardware specification (CPU, memory, network
cards, etc)
DefensePro is a hardware IPS appliance delivering inline security
switching, stateful bi-directional scanning and accelerated deep packet
inspection at 3-Gigabit for intrusion prevention and DoS protection. The
industry’s first 4-tier security switching architecture — featuring switching
ASICS with a 44 GB wire-speed non-blocking backplane, dual network processors,
RISC processor and a hardware ASIC StringMatch Engine for accelerated inspection
- makes the Security Switch a benchmark in Application Security performance
across high-speed/high capacity environments.
DefensePro hardware architecture consists of 4-tier processing:
• 44 GB Security Connectivity and Maximum Port Density. Designed for wire-speed connectivity across all network elements, the Radware Security Switch provides the highest port density in the industry enabling high capacity scanning across multiple network segments with a single device for increased protection against attacks originating from both inside and outside the network.
• Network Processors for 3-Gigabit Security Traffic Forwarding. Radware Security Switch network processor is powered by two state of the art network processors, delivering 3-Gigabit traffic forwarding. Boosting security traffic processing by up to 500%, the network processors identify and prevent illicit protocol usage and abnormal traffic patterns preventing Denial of Service and any known / unknown SYN floods at an unmatched rate of 1 million SYNs /sec.
• StringMatch Engine - Dedicated Security Hardware Accelerator. Ensuring 3-Gigabit performance, regardless of the number and complexity of attacks, Radware StringMatch Engine is the industry's first ASIC based security hardware accelerator for wire speed string and content searching for immediate blocking of viruses, intrusions, worms and Trojans.
• CPU-1GHZ Security Session Management - The Master RISC Processor manages and prioritizes all security sessions, identifying all current attacks and controlling active operations across the StringMatch Engine and the network processors to isolate, block and prevent attacks while overseeing all security updates and networking requirements.
Does sensor work in-line only, or can it support passive monitoring of switch
SPAN port too? If passive monitoring is supported, what is the maximum number of
ports that can be monitored by a single sensor?
DefensePro can inspect network traffic either in-line or out-of-path.
For out-of-path installation the device can monitor up to 11 network segments
when connected to switch SPAN ports.
Also when installed in-line the device can be set with “Report only” action mode for passive monitoring of attacks and floods.
What is the maximum number of in-line connections (port pairs) that can be
monitored by a single sensor?
A single device can monitor up to 11 segments.
What type (copper/fibre) and speed of network connection are supported by the
sensor (include default configuration plus any options)?
The device supports 7 GBICs (copper or fiber) and 16 FE ports
(copper)
What High Availability (HA) features are built in to the product by default?
HA features include dual power supply
What High Availability (HA) features are available as extra cost options?
An external bypass switch for each pair of ports is available
(optionally copper or fiber)
What is the maximum speed/network load (Mbps) claimed with zero packet loss and
without blocking legitimate traffic?
2.6 Gbps
At the maximum load, what is the maximum TCP connection rate through the device
(connections per second) claimed?
Tested to approximately 18,000 connections per second
What is the average latency claimed through the device (and at what load)?
The average latency is in the range of 200 microseconds, when the
device is loaded at 70% of its maximum capacity.
Management architecture (2-tier/3-tier management? Brief description)
Device management is based on 2-tier and 3-tier architecture, to
include:
• CLI - for direct device configuration and management
• WBM - accessed via HTTP or HTTPS
• Configware Insite, an SNMP based management system for configuration and advanced reporting and forensics analysis. CWIS can operate in 2-tier architecture or 3-tier using Client-Server mode. The client server mode allows System Administrators to manage remote Radware devices while reducing the amount of SNMP traffic flowing through the WAN.
What are the minimum/recommended sensor OS and hardware requirements? Is a
dedicated machine required/recommended?
N/A
What are the minimum/recommended console OS and hardware requirements? Is a
dedicated machine required/recommended?
N/A
What are the minimum/recommended management server OS and hardware requirements
(if applicable)? Is a dedicated machine required/recommended?
The HW (PC) requirements for CWIS management station are:
• Intel Pentium II 350Mhz or faster
• 512 MB RAM or more recommended. Note - In case of a large MySQL DB with over 400,000 entries, 1 GB of RAM is required.
• 40 MB free disk space for installation of Configware Insite with no MySQL DB. 120 MB disk space for installation of Configware Insite with the MySQL DB.
• CD-ROM
• Network Interface Card (NIC)
• 800x600 (minimum recommended) screen resolution
List required open ports on sensor and their use
Scanning ports have no open ports, as the traffic flows transparently
at L1 mode. The management port may have port 80 / 443 open, port 161 for SNMP,
etc. The ports are opened specifically by the System Administrator per
management application in use.
List required open ports on management server (if applicable) and their use
UDP port 161 for SNMP management.
List required open ports on GUI/management console and their use
N/A
Communication protocol between sensor and management server
SNMP V1, 2C or 3 for configuration and reporting.
Communication protocol between management server and GUI/console
N/A
Encryption between sensor and management server
Based on standard SNMP V3 encryption.
Encryption between management server and GUI/console
Standard SSL encryption via HTTPS
Once deployed and configured, can sensors be managed from a central console?
Yes, CWIS management station supports configuration and reporting
management for multiple devices in the network.
Capacity of the system? How many endpoints can be monitored? Ratio of endpoints
to management servers/consoles, etc.
A single CWIS management station can monitor up to 50 devices.
How many management consoles can be actively logged in to the management server
at the same time?
Up to 10 concurrent management end points.
What anti-flooding methods are employed (sensor to management server, and
management server to console)?
N/A
Maximum insertion rate into alerts database
N/A
Maximum size of database
1,000,000 events
Maximum number of alerts stored
N/A
What happens to alerts in main alert database once capacity limits exceeded
(deleted/archived/etc)
Events are saved in a cyclic manner, meaning that a new event will be
stored in the place of the oldest event when the DB reaches its max capacity.
What is maximum recommended size of alerts database to maintain acceptable query
performance?
1,000,000 events.
When alerts are removed from main alert database, are they still available for
reporting directly (i.e. can reporting tools merge current and archived alerts)
No.
Which database product is used for alert storage? Is schema open?
MySQL.
What happens when communications between sensor and management server/console
are interrupted? Local logging on sensor? Maximum capacity? What happens when
local sensor logs are full? Is the local repository secure?
When the communications between the IPS and CWIS are interrupted, it
is always possible to access the device directly and view the report logs via
WBM or CLI.
Secure logon for policy management?
Yes, username and password are required, RADIUS authentication is
supported and communications channels are encrypted via HTTPS, SSH or SNMPv3.
Granular access (i.e. read only/read-write/etc) granted on a per-user basis?
What levels of granularity are supported (i.e. is it possible to restrict user
access to specific parts of the management console, to specific appliances,
etc.)?
No
Is it possible to define multiple policies for the sole purpose of distributing to
multiple sensors with different functions?
No
How are policies distributed to sensors?
Policy is edited directly on the sensor
Can policies be deployed on a per-port, per-sensor or per-group basis, or
globally only?
Policies are deployed per device. When setting device policies it is
possible to select physical port assignment, VLAN tag and/or IP address range.
How are policy changes handled? Will the central console detect which sensors
are using a changed policy and redeploy automatically, or does the administrator
have to do this manually?
N/A
Can policy deployment be scheduled?
N/A
Does the sensor remain able to detect alerts at all times during
policy/signature updates? If so, explain how this is achieved. If not, for how
long is it inactive, and does the sensor block all or pass all traffic whilst
inactive?
While updating policies or uploading a new signature file the device
forwards the traffic without detecting attacks on the traffic. The update
interval takes about 200 milliseconds.
Can the administrator define custom attack signatures?
Yes, an easy to use GUI is available for users to set their own attack
signature settings.
Regex supported when creating custom signatures?
N/A
How are new vendor attack signatures obtained and deployed?
N/A
Frequency of signature updates?
Once a week Radware publishes a new signature file including updates
of the following week. In case of emergencies Radware publishes within the same
day a new signature file update.
What infrastructure does the vendor have behind the signature update process
(i.e. dedicated team of engineers? How many? Does it have a name?)
Radware deploys a SOC (Security Operation Center) in Israel HQ and in
the US. The SOC is based upon a team of dedicated computer engineers whose
expertise is hacking techniques and attack detection and analysis.
Can one signature update file be downloaded to the local network and used to
update all sensors from a central location, or is it necessary to initiate a
live connection to the Internet download server for each sensor/management
server?
Signature file updates can be downloaded manually from Radware web
site and then uploaded to the IPS device. This process is supported via CWIS
management station for automatic file updates to multiple devices in your
network. CWIS downloads, when available, the new signature file from Radware web
site and then uploads it to all devices.
Can signature updates be scheduled and fully automated? Is automated download
AND deployment to sensors supported, or just download (or neither)?
Yes. A scheduler application is provided as part of CWIS management
station for fully automated file download from Radware web site and upload to
all devices in the network without user intervention.
What network protocols are analysed?
IP, TCP, UDP, ICMP
What application-level protocols are analysed?
The device supports all TCP and UDP application protocols, and can
look for attacks signatures or perform traffic shaping per application level
protocol including P2P.
Can the product perform protocol decodes?
Yes.
Can the product perform protocol anomaly detection?
Yes
Can sensor support both normal and asymmetric network configurations?
Asymmetric network installation is provided when stateful features (Stateful
Inspection and SYN Protection) are not in use.
Is the detection engine "stateful"? If so, please explain how this works.
The detection engine operates in conjunction with stateful inspection
feature. The user may select to disable the stateful inspection feature in cases
of performance acceleration or when the device is installed in asymmetric
network configuration.
If stateful - how many open connections can be tracked? Is this value configurable?
Up to 1 million simultaneous sessions. This value is configurable,
while the default is set to 800,000.
If stateful - for how long are partially opened connections tracked? Is this
configurable?
Configurable, defaults are set per protocol.
If stateful - for how long are fully opened connections tracked if not used? Is
this configurable?
Configurable, defaults are set per protocol.
What is the default action when system resources run low or state tables are
filled - block or permit all new connections? Is this default action
configurable?
Block new connections - not configurable
What is the default action when power fails or the system is powered down -
block or permit all traffic? Is this default action configurable?
Block traffic - not configurable
What is the default action when the sensor is unavailable for any length of time
(i.e. during policy download or software update - block or permit all traffic?
Is this default action configurable?
Block traffic - not configurable
Will the detection engine block/alert on ALL suspicious activity, or only when
an attack is made against a vulnerable server? If so, please explain in detail
how this works. Can this behaviour be modified (i.e. to alert on ALL attacks if
required)?
The device deploys a detection engine that looks for attack
signatures, protocol misuse or floods within the network traffic. As the device
is designed for installations at corporate as well as carrier/ISP environments,
it detects attacks regardless of the actual targeted server and removes the
malicious packets from the link traffic. This way it achieves not only attack
filtering but also removal of excessive traffic that can flood the target
networks.
Are server responses monitored and alerted/blocked? Does this have an impact on
performance?
No client-server signatures are available
Ability to monitor user-defined connections (i.e. report on an FTP connection to
a specific server?)
No
Detect/block network-level packet based attacks?
Yes, via DoS Shield module
Detect/block all types of port scans (full connect, SYN stealth, FIN stealth,
UDP)?
Yes, via the Anti-scanning protection module
Detect/block SYN floods? Manual or automatic thresholds? Configurable? How is
SYN flood protection implemented?
Yes, via SYN Flood Protection Module.
SYN Flood Protection is a service intended to protect the hosts located behind the device and the device itself from SYN floods by performing delayed binding. Once a SYN Flood attack is identified, the device activates a protection mechanism known as SYN Cookies.
Using SYN cookies means that the device creates a special initial TCP sequence number. The sequence number is created in such a manner that it encodes a time stamp and relevant SYN packet data in the SYN-ACK packet sent to the client. When a client responds with an ACK packet, the device uses the SYN Cookie to verify legitimate client responses. SYN Cookies can be used for any TCP port or application, where "usual" delayed bind is typically used for HTTP sessions.
The benefit of SYN cookies over "usual" delayed bind is that when SYN Cookies are used, no memory resources on the device (for example Client Table entries) are allocated for sessions before the 3-way handshake is complete. This assures that device memory resources are not overloaded due to the SYN Attack.
The thresholds are preconfigured and can be modified by the user.
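The answer above describes SYN cookies in prose: the SYN-ACK sequence number encodes a timestamp and the SYN's details, the ACK is verified against it, and no table entry exists until the handshake completes. The block below is an added, self-contained illustration of that scheme; it is not Radware's implementation. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit HMAC), the `MSS_TABLE`, the `SECRET` and the `StatelessHandshake` class are all assumptions made for the example.

```python
# Added illustration (not Radware's code): a minimal stateless SYN-cookie scheme.
# The server-side ISN carries a coarse timestamp, an MSS index and a keyed hash over
# the 4-tuple and the client's ISN, so a returning ACK can be checked without state.
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values a cookie can carry back (index in 3 bits)
COUNTER_BITS = 5                      # coarse time counter, one unit per 64 seconds
HASH_BITS = 24                        # low 24 bits of the cookie hold the keyed hash
MAX_AGE_UNITS = 2                     # accept the current and the previous time unit only

# Constructed secret for the example; a real device would use a random, rotated key.
SECRET = b"example-secret-rotate-me"


def _counter(now):
    """Fold a wall-clock time (seconds) into a 5-bit counter that wraps every 32 * 64 s."""
    return (now // 64) & ((1 << COUNTER_BITS) - 1)


def _mac(secret, saddr, daddr, sport, dport, client_isn, counter):
    """Keyed hash binding the cookie to the 4-tuple, the client's ISN and the time unit."""
    msg = struct.pack(
        "!4s4sHHIB",
        ipaddress.ip_address(saddr).packed,
        ipaddress.ip_address(daddr).packed,
        sport, dport, client_isn & 0xFFFFFFFF, counter,
    )
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Build the ISN placed in the SYN-ACK. Nothing is stored on the server side."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):     # largest table entry not above the client's MSS
        if value <= mss:
            idx = i
    counter = _counter(now)
    return (counter << 27) | (idx << 24) | _mac(secret, saddr, daddr, sport, dport, client_isn, counter)


def check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate a cookie echoed back in the client's ACK. Returns the MSS to use, or None."""
    counter = (cookie >> 27) & ((1 << COUNTER_BITS) - 1)
    age = (_counter(now) - counter) & ((1 << COUNTER_BITS) - 1)
    if age >= MAX_AGE_UNITS:
        return None                                        # stale: replayed or too old
    expected = _mac(secret, saddr, daddr, sport, dport, client_isn, counter)
    if not hmac.compare_digest((cookie & ((1 << HASH_BITS) - 1)).to_bytes(3, "big"),
                               expected.to_bytes(3, "big")):
        return None                                        # forged, or wrong 4-tuple / ISN
    idx = (cookie >> 24) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class StatelessHandshake:
    """Front end that allocates a connection entry only once the 3-way handshake completes."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.established = {}      # 4-tuple -> negotiated MSS; stays empty under a pure SYN flood

    def on_syn(self, saddr, daddr, sport, dport, client_isn, mss, now):
        """Answer a SYN with SYN-ACK fields (seq = cookie, ack = client_isn + 1); no state kept."""
        cookie = make_syn_cookie(self.secret, saddr, daddr, sport, dport, client_isn, mss, now)
        return {"seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, saddr, daddr, sport, dport, seq, ack, now):
        """The client's ACK carries seq = client_isn + 1 and ack = cookie + 1; verify and bind."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        cookie = (ack - 1) & 0xFFFFFFFF
        mss = check_syn_cookie(self.secret, saddr, daddr, sport, dport, client_isn, cookie, now)
        if mss is None:
            return False
        self.established[(saddr, daddr, sport, dport)] = mss
        return True
```

Two properties worth noting: a flood of SYNs never grows `established`, because an entry is created only on a verified ACK, and a spoofed ACK fails the HMAC check because the attacker cannot compute the 24-bit hash without the secret. The price, as with any SYN cookie, is that TCP options beyond the coarse MSS table are lost for connections established this way.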
Perform packet/stream reassembly?
Yes. Both IP and TCP reassembly are supported.
Perform deobfuscation?
Yes, via the stateful inspection module and protocol anomalies module
Is all traffic scrubbed/normalised/reordered as it passes through the sensor?
Yes, HTTP traffic normalization is supported
How is fragmented traffic handled by the sensor?
By assembling IP fragments into a complete packet and assembling TCP
packets to form complete data portions.
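The answer above states that IP fragments are assembled into a complete packet before inspection. The block below is an added example, not Radware's code, showing the checks a reassembler needs before handing the datagram to a detection engine: holes (wait), overlapping fragments (drop, since end hosts resolve overlaps differently and inspection would otherwise see a different byte stream than the target), and non-final fragments whose length is not a multiple of 8. The `Fragment` class and the `fragment` helper are constructed for the example.

```python
# Added illustration (not Radware's code): IP fragment reassembly with the
# sanity checks an inline IPS needs before inspecting the reassembled datagram.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset in 8-byte units, as carried in the IP header
    more: bool      # MF flag: True on every fragment except the last
    payload: bytes


class ReassemblyError(ValueError):
    """Fragment set that must be dropped rather than inspected."""


def reassemble(fragments):
    """Reassemble one datagram.

    Returns the payload bytes when complete, None while fragments are still
    missing, and raises ReassemblyError for overlaps or malformed fragments.
    """
    if not fragments:
        return None
    ident = fragments[0].ident
    if any(f.ident != ident for f in fragments):
        raise ReassemblyError("fragments belong to different datagrams")
    ordered = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0                      # next byte offset the datagram needs
    for f in ordered:
        start = f.offset * 8
        if f.more and len(f.payload) % 8:
            raise ReassemblyError("non-final fragment length is not a multiple of 8")
        if start < expected:
            # Overlapping data: classic evasion, since different stacks keep
            # either the first or the last copy. Drop the set rather than guess.
            raise ReassemblyError("overlapping fragment at offset %d" % f.offset)
        if start > expected:
            return None               # hole: wait for the missing fragment (or time out)
        buf += f.payload
        expected = start + len(f.payload)
    if ordered[-1].more:
        return None                   # final fragment not seen yet
    return bytes(buf)


def fragment(ident, payload, mtu_payload=16):
    """Split a payload into fragments of mtu_payload bytes (must be a multiple of 8)."""
    if mtu_payload % 8:
        raise ValueError("fragment size must be a multiple of 8")
    out = []
    for start in range(0, len(payload), mtu_payload):
        chunk = payload[start:start + mtu_payload]
        out.append(Fragment(ident, start // 8, start + len(chunk) < len(payload), chunk))
    return out
```

Note that this version treats an exact retransmission of an already-seen fragment as an overlap; a production reassembler would first discard byte-identical duplicates and only then apply the overlap rule.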
List all prevention features available (alert only, drop packets, block TCP
session)
Prevention options include: report only, packet drop, Reset source,
reset destination, reset source and destination.
List any other security features available (bandwidth shaping, rate limiting,
etc.)
The device supports:
• Rate limiting via DoS Shield module
• Traffic shaping and attack isolation via the BWM module. The BWM and ACL (Access Control) module provides traffic control, performing bandwidth shaping and isolating attacks, including:
  - Access Control (ACL): Access Control of traffic per application ports and networks allows a predefined set of applications only and denies all other types of traffic.
  - Bandwidth Management (BWM):
    · Attack isolation and protection against unknown flooding attacks.
    · Guaranteed bandwidth for critical applications.
    · Traffic shaping, including bandwidth per traffic flow, which allows limiting bandwidth per client or session within a global BWM policy.
Packet capture capabilities? Only the trigger packet, or before and after? How
are packet captures stored/viewed?
Packet captures are available as part of the attack event report.
DefensePro provides the packets that triggered the event and stores them in the
CWIS database.
Do you track and display context data as part of each alert (i.e. for an FTP
overflow, do you show which user name/password combination was used to login to
the FTP server, etc?). If so, how much context data is available?
No. DefensePro is a switch based IPS appliance, and has no ability to
track and store complete sessions locally till an attack is detected and then
provide a full track report.
Option to record entire sessions for “forensic” investigation? Where is this
data stored? How is it secured from tampering?
No. DefensePro is a switch based IPS appliance, and has no ability to
track and store complete sessions locally till an attack is detected and then
provide a full track report.
Reporting from sensor to console - range of alert response options (detail
these, i.e. log, alert, e-mail, pager, packet capture, etc)
When an attack is detected, the device creates a security
event that includes the information relevant to this specific attack. Once an
event has been created, the device reports it using several optional channels:
• Security Logs, which are saved in flash.
• SNMP traps can be sent to Configware Insite and a management station.
• Syslog messages can be sent to a Syslog station.
• E-mail messages can be sent to specific users.
• Security Terminal Echo.
Can alert response options be set only at a global policy level, only at
individual signature level, or to groups of signatures (or a mixture of all
three)?
Alert response options can be set both per attack and per policy.
Can alerts be reported to the central console in real time without the use of
third party software? How easy is it to filter and extract individual events?
Alerts are reported within a reporting interval (default = 5 second)
to CWIS management station, which provides semi-real time alerting. It is also
possible to view alerts in the Console connected via RS-232 cable in real time.
The user is equipped with an advanced tool to generate attack logs view and filter the views per IP addresses, attack type, attack name, attack severity, etc.
Can alerts from all sensors be viewed at a single console at the same time (i.e.
without having to connect to separate sensors from the console)?
Yes. CWIS reporting and forensics tool was designed to collect events
from multiple devices in the network and then present a unified network security
report.
Can the central console correlate alerts from multiple sensors (i.e. not just
display alerts from multiple sensors, but attempt to infer a connection between
different alerts on different sensors)? Is this offered as standard or
extra-cost option?
No.
Can alerts be correlated manually by the administrator - grouped together in the
database as a single event for further investigation?
No
Can alerts/events be annotated and tracked for investigation by multiple
administrators/investigators?
Yes. The client-server mode of CWIS (3-tier) provides each user with
their own views of the attack logs and reports.
Does the software offer advice on preventative action to ensure the attack does
not happen again?
No.
What industry standards are supported -
Intrusion Detection Exchange Format working group (IDWG), Intrusion Alert
Protocol (IAP), Intrusion Detection Message Exchange Format (IDMEF), IDXP - and
in what way?
N/A
Which third party event correlation
systems are supported and in what way?
N/A
Integration with other scanning/IDS/prevention products?
Integration is easily achieved when using the Syslog reporting
channel. DefensePro has been tested with several reporting products such as
Checkpoint management console to send successfully the events and present the
information correctly.
Log file maintenance - automatic rotation, archiving, reporting from archived
logs, etc.
Log file is maintained as part of the DB maintenance procedures - DB
archiving (copy and restore).
Management reporting - range of reports/custom reports/how easy is it to filter
and extract detail? Different reports for technicians and management/end users?
Two types of reports are available:
• Attack reports - the user can create a report and apply view filters per any event field. A predefined set of reports is included to facilitate user-report creation:
  - Top attack report
  - Top sources report
  - Top destinations report
  - Attacks by category report
  - Attacks by Risk report
  - Number of attacks by time
  - Attacks bandwidth
• Executive reports - these reports are scheduled to be sent to e-mail addresses, and include the following reports on a daily/weekly/monthly scheme:
  - Top attack report
  - Top sources report
  - Top destinations report
  - Attacks by category report
  - Attacks by Risk report
Are trend/comparison reports available?
N/A
Does reporting allow customised filtering down to the level of reporting all
activity on a specific network resource/object by a specific user/machine on a
specific date?
Yes. The user can create multiple view filters per each field in the
event data and apply one or more filters per report.
Report management - can they be scheduled for automatic production? Can they be
e-mailed to administrators or published straight to a Web site?
Yes. The executive reports are e-mailed to a predefined list of users
and sent periodically - daily, weekly or monthly. The user can set the exact day
of week and time of day per each report and each e-mail target.
List the output formats supported for reports (HTML, text, PDF, etc)
The report output format is HTML. Next CWIS version (2Q2005) will
also provide PDF format.
What are the limitations and restrictions on enterprise-wide alerting and
reporting? Can reports consolidate output from every 1) server, 2) detector
N/A
Ability to define custom reports?
Yes. A tool is provided for the user to define their own filters per
any field in the event logs.
Provide brief description of any management software included in the base
price of the product.
Web-Based Management plus CLI
Provide brief description of any additional management products available as
extra cost options.
CWIS with the Security license is Radware SNMP based management
station supporting both 2-tier and 3-tier architecture for Security
Configuration management and security reporting and forensics analysis.
Configware Insite enables centralized device configuration and events collection, providing complete visibility of security activities in your network.
• Customized Protection - Security services can be customized to meet the specific requirements of every network segment ensuring the most comprehensive and accurate protection
• Advanced Forensics - Using the Attack Logs and Attack Report, users can look for overall historic network activities and drill down to the attack packet level
• 1st Time Wizard - Configware Insite provides users with an easy to use tool for quick device installation in less than 15 minutes. All you need is to select your network model type installation, and the wizard will automatically configure DefensePro for optimal protection of your network resources
• Executive Report - Configware Insite provides users with an easy to use tool to generate top-level reports for last day, last week and last month attack activities.
Documentation provided (Hard copies available? Extra cost?)
User manual and product Tutorial are provided as part of the product
at no extra cost.
How is the product licensed? How is the license enforced?
The product includes two licenses:
• Standard license - including IPS, BWM, Protocol anomalies and anti-scanning modules
• DoS License - including DoS Shield and SYN Protection modules in addition to the modules available in the standard license.
End user pricing information for product provided for test (include all
sensor, management server and console costs for both hardware AND software).
Include options/configurations other than those tested - ALL PRICES AS LIST
PRICE ONLY!
DefensePro-3000 price is $48,000.
Ongoing cost of maintenance/updates
Security Updates Service is $2,500 per device.
Annual hardware/software maintenance (including the above signature update service) is 16% of unit price ($7680 as tested)