NIPS Performance
IDP let us define filters on the real-time event viewer to pare down the information, and it let us save those filters as a view that can be reused time and again. If you know what you're looking for, you'll be able to locate it easily. Unfortunately, we could not get a view of all the attacks detected, other than a Top 10 list. The predefined reports left a lot to be desired, and there was no scheduling facility to generate reports periodically, a feature that IntruShield offers.
After extensive testing, we found both products' protection measures reasonable. When installed inline, both IntruShield and IDP can drop packets and streams or send resets to the client, server or both. We enabled autoblocking on our live connection for those alerts we determined had a very low probability of false positives. These were generally HTTP-related encoding, directory traversal and command-execution attacks. We did not autoblock for servers where we expected some false positives. Your comfort level, and therefore mileage, may vary.
We gave our Editor's Choice nod to Network Associates' McAfee IntruShield 4000, largely because of its top-notch detection and report facilities, for which you will pay a premium. For sites with less than 500 Mbps of network traffic, NetScreen-IDP is certainly a contender. Its firewall-like rule base will be familiar to most administrators, and its reporting, after some massaging, was adequate.
Scorching performance, robust attack detection and great analysis tools are the hallmarks of IntruShield 4000. Although it took us a few days to grok the management console, once we did, unearthing the appropriate data was a snap. The configuration can be simple, but once we started tuning policies to groups of hosts, we found the paradigm unwieldy. Not being able to specify arbitrary address ranges (addresses that do not fall within a CIDR block) or to apply multiple policies to the same hosts made management a bit more complex. IntruShield performed fine up to the limits of our test equipment, 1.2 Gbps, with latency averaging 1 to 2 ms.
IntruShield can be installed inline using a port pair, or in one-arm mode taking traffic off a switch SPAN port or a network tap. IntruShield can drop packets and flows while inline, but in one-arm mode it can block traffic only through TCP resets or ICMP unreachables sent via a response port. Each interface can be configured to capture traffic using a different method, a level of flexibility that is not available with the IDP.
Policies, in IntruShield parlance, are where attack signatures and DoS (denial of service) detection are enabled and disabled. Each attack is defined to detect a discrete event, like Unicode-encoded URLs or binary traffic in a protocol header. Attacks are organized by protocol, so it's a simple matter to drill down into a policy and see what is enabled. Unfortunately, Network Associates doesn't let users see what constitutes a signature. When we asked about this, the company said it didn't want to help people develop evasion techniques. The Exploit Alert Detail dialog on the Alert Viewer reveals text matches for a given alert, but that one match could be a subset of all possible matches.
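The two ideas the review keeps returning to are the "discrete event" a signature is built to catch (the Unicode-encoded URLs and directory-traversal attempts it lists among the low-false-positive HTTP categories it auto-blocked) and the difference in what the sensor can do about it inline versus in one-arm mode. The following Python is an added illustration written for this article, not IntruShield's or IDP's own signature logic, of how such a detector and response decision fit together: it normalizes a request path through percent-, %u- and overlong-UTF-8 decoding (repeating to catch double encoding), flags the encoding tricks and any `..` segment, and then chooses drop, reset or alert-only depending on deployment mode and whether the target server is one where false positives are expected. The sample paths, the finding names and the auto-block tiers are constructed assumptions for the example.

```python
"""Detection of HTTP encoding / directory-traversal events plus the inline vs one-arm
response decision described in the review. Added example; assumptions are marked."""
import re

# Constructed sample request paths (assumption; not captured from the reviewed network)
SAMPLE_PATHS = [
    "/index.html",                                   # benign
    "/search?q=caf%C3%A9",                           # legitimately percent-encoded UTF-8
    "/scripts/..%c0%af../private/config.txt",        # overlong UTF-8 form of '/'
    "/scripts/..%255c../private/config.txt",         # double-encoded backslash
    "/scripts/..%u005c..%u005cprivate/config.txt",   # %u-style (Unicode) encoding
]

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def percent_decode(s: str) -> tuple[bytes, bool]:
    """One round of %XX / %uXXXX decoding. Returns raw bytes and whether %u was seen."""
    out, saw_u, pos = bytearray(), False, 0
    for m in _PCT.finditer(s):
        out += s[pos:m.start()].encode("utf-8")
        if m.group(1):
            saw_u = True
            cp = int(m.group(1), 16)
            out += bytes([cp]) if cp < 0x100 else chr(cp).encode("utf-8")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("utf-8")
    return bytes(out), saw_u


def utf8_decode_lenient(b: bytes) -> tuple[str, bool]:
    """Decode UTF-8 but also accept overlong 2- and 3-byte forms (which strict decoders
    reject) so the detector sees what a lenient server would see; flag when one occurs.
    4-byte forms and stray bytes are kept as Latin-1 so no input is silently dropped."""
    out, overlong, i = [], False, 0
    while i < len(b):
        c = b[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
        elif 0xC0 <= c <= 0xDF and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            cp = ((c & 0x1F) << 6) | (b[i + 1] & 0x3F)
            overlong |= cp < 0x80
            out.append(chr(cp))
            i += 2
        elif 0xE0 <= c <= 0xEF and i + 2 < len(b) and all(0x80 <= x <= 0xBF for x in b[i + 1:i + 3]):
            cp = ((c & 0x0F) << 12) | ((b[i + 1] & 0x3F) << 6) | (b[i + 2] & 0x3F)
            overlong |= cp < 0x800
            out.append(chr(cp))
            i += 3
        else:
            out.append(chr(c))
            i += 1
    return "".join(out), overlong


def normalize(path: str, max_rounds: int = 3) -> dict:
    """Decode until the path stops changing; collect the discrete events observed."""
    findings, current = set(), path
    for rnd in range(max_rounds):
        raw, saw_u = percent_decode(current)
        decoded, overlong = utf8_decode_lenient(raw)
        if saw_u:
            findings.add("unicode_encoded")
        if overlong:
            findings.add("overlong_utf8")
        if decoded == current:
            break
        if rnd > 0:
            findings.add("double_encoded")
        current = decoded
    if ".." in current.replace("\\", "/").split("/"):
        findings.add("directory_traversal")
    return {"normalized": current, "findings": findings}


# Assumed auto-block tier: the encoding/traversal events the review judged low false-positive.
AUTOBLOCK_FINDINGS = {"directory_traversal", "overlong_utf8", "double_encoded"}


def decide_response(findings: set, deployment: str, server_fp_expected: bool) -> str:
    """'inline' sensors can drop; 'one-arm' sensors can only reset (TCP RST / ICMP unreachable)."""
    if not findings:
        return "allow"
    if server_fp_expected or not (findings & AUTOBLOCK_FINDINGS):
        return "alert"
    return "drop" if deployment == "inline" else "reset"


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        r = normalize(p)
        print(p, "->", r["normalized"], sorted(r["findings"]),
              decide_response(r["findings"], "inline", False))
```

Running the block prints each constructed path, its normalized form, the events flagged and the inline decision; switching the deployment argument to `"one-arm"` turns every `drop` into `reset`, which is the operational limit the review notes for that mode.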