June 17, 2011

Enterasys IPS Features

With the recent 7.4.2 release of the Enterasys IPS (aka Dragon), I thought it would be useful to describe some background material on certain features and provide some guidance on where the IPS is heading. Over the past several months, the IPS has concentrated on several foundational things including:

  • 10Gbps packet inspection – With the ever increasing speeds that modern networks regularly achieve, security infrastructure must also continually push the envelope. It is one thing to be able to deploy 3,000 signatures in an inline IPS and offer full packet inspection and transmission on a 1Gbps network, but quite another to scale this to a 10Gbps network and beyond. Such speeds challenge everything from the software itself (thank goodness for good optimizing compilers like gcc and well-written kernels such as those provided by the Linux community) to the CPU, memory bus, and NICs themselves in commodity appliance offerings. In the Enterasys IPS we now leverage third party NICs provided by Napatech in order to scale IPS speeds to 10Gbps.
  • Ease of use and reporting enhancements – Many enhancements have been made and are currently in development for both ease of use and better reporting in the Enterasys IPS. Some of these features will not be available until the 8.0 release, but in the meantime the reporting interface offers status information, a view into events along with trends over sensible time scales, the ability to see raw packet data, and more. Below is a screenshot of the current reporting interface showing the “Top N” report along with signature matches that found malicious activity in IPv6 traffic:

  • Releasing signatures for the latest threats – The Enterasys IPS Research team has created many recent signatures for everything from malicious efforts to subvert MS Office applications (see the EXCEL:INSUFFICIENT-VALIDATION signature for MS11-045, for example) to client side attacks against popular web browsers (such as the IE:HTML-TIME-CORRUPT signature for MS11-050).
  • Addressing customer requests – One of the biggest areas where the Enterasys IPS has needed to improve is in answering the request to unify the reporting and management interfaces. Currently these two interfaces are separate – the reporting interface is accessible via any web browser, but the management interface requires a Java thick client to be installed. This need will be addressed in the 8.0 release, when we offer a completely unified reporting and management experience.
About The Contributor:
Mike Rash, Architect Engineer, Dragon

Michael serves as Security Solutions Architect for Extreme Networks. Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is author of the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" published by No Starch Press.
