Analytical Comparison

Summary

Products compared: Check Point - IPS-1; Cisco - IPS Series, Version 7.0; IBM - Security Network Intrusion Prevention System; Sourcefire - 3D System; TippingPoint - Intrusion Prevention System.

Current Perspective

Check Point - IPS-1

Check Point IPS-1, formerly NFR Security's Sentivist intrusion prevention system, is threatening to competitors. Although Check Point delivered a brand new IPS engine as part of its new software blade architecture, Check Point will continue to offer the IPS-1 for customers who require a dedicated IPS appliance. Both the IPS-1 and the new IPS software blade can be deployed in the same enterprise, both can be managed under a common management interface, and signature updates are common to both. IPS-1's detection model uses an open signature format that provides admirable flexibility in signature creation and customization; most competing systems rely on either Snort-based signatures or closed proprietary signature models. IPS-1's existing detection engine uses advanced signature detection and protocol anomaly detection, and the product focuses on reducing false positives using its passive OS and application fingerprinting capability. The product uses the Dynamic Shielding Architecture (DSA), which alerts the security manager to critical vulnerabilities or changes to the network and automatically deploys signatures, protecting enterprises from automated malware, information theft, new vulnerabilities and policy violations that can leave networks exposed. The product includes layered security protection in the form of IDS/IPS, firewall, dynamic shielding and protection for IM and VoIP, all in one appliance.

Cisco - IPS Series, Version 7.0

The Cisco IPS 4200 Series appliances and modules are threatening to competitors, because the product is positioned as a key component of the Cisco Self-Defending Network, offered in the form of appliances and devices as well as service modules for routers and switches. By leveraging its network infrastructure roots, Cisco sees its ability to be integrative, collaborative, and adaptive, albeit through value add-on products such as the Cisco Security Manager, as its primary differentiator from best-of-breed IDS/IPS providers. Perhaps more threatening to competitors is the fact that Cisco makes IPS available in multiple form factors, including appliances, switch and router modules, and the Adaptive Security Appliance (ASA) 5500 line, which includes an optional IPS blade. In the latest version of Cisco IPS software, release 7.0, Cisco applied the global threat data gathered in its IronPort anti-spam SensorBase database to its IPS sensors, making them twice as effective at thwarting malware as signature-only IPS. Global threat data, which includes reputation, vulnerability behaviors, and known exploits, is collected from over 500 third parties, 1,000 threat collection servers, and 700,000 sensors into SensorBase; it is then correlated and analyzed for new attacks. Once new attacks are identified, new rules to thwart those attacks are created and quickly deployed to sensors. The incorporation of vulnerability signatures is key, because blocking a single vulnerability thwarts multiple exploits, saving time and increasing protection. Cisco claims that updates are 100 times faster than traditional signature-only approaches. With the addition of intrusion prevention capabilities to the Cisco Internetwork Operating System (IOS) of routers and switches, customers can easily add advanced firewall and intrusion prevention services to their installed router infrastructures. As part of Cisco's strategy to develop functionality in the appliance, the company has been integrating an increasing amount of security capability into IOS. The company is in an enviable position with its strong name recognition among businesses, universities, and government organizations. Some customers will naturally look to Cisco to extend its network franchise into security and to fulfill their security needs, particularly as intrusion prevention systems have become more widely accepted within the industry as a means of protecting networks from Internet threats.

IBM - Security Network Intrusion Prevention System

The IBM Security Network IPS is threatening to competitors, because the multi-gigabit speed appliance uses multiple detection techniques and is supported by one of the industry's strongest research and response teams. IBM Security Network IPS, along with the SiteProtector management console and the well-respected security response team, X-Force, is a powerful combination in intrusion prevention appliance technology. ISS, which had been part of the IBM Global Services (IGS) organization since its acquisition by IBM in 2006, is regaining its product momentum under the stewardship of IBM's Tivoli Software unit, although IGS continues to market services around the IPS technology. ISS, a pioneer in the IDS market, was also early to market with an IPS appliance. While the IBM Security Network IPS line has been considered to be one of the pricier solutions available, IBM refreshed the full line of PC-based appliances to double the performance without raising prices. IBM announced in 2010 that it will no longer sell the legacy ISS RealSecure network sensor after December 31, 2011. The IBM Security Network IPS appliance provides a range of form factors and multiple high performance versions, including a Network Security Platform that provides 10 Gbps interfaces to existing higher end IPS sensors, and a Crossbeam module supporting 10 Gbps Ethernet networks aimed primarily at carriers and some very large enterprises. Other IBM Security IPS appliances offer solid performance with 6 Gbps of full inspection throughput. IBM Security Network IPS enables a phased approach to inline deployment: the appliances can operate in prevention mode, passive IDS mode, or passive monitoring mode. IBM ISS provides 2,900 signatures, 1,600 of them in blocking mode, to help protect against threats. Similar to its competitors, IBM ISS has built out its detection capabilities to include functionality such as anti-spyware, VoIP protection and now Web application protection, as well as limited data loss prevention for structured data. High throughput capabilities are key in supporting latency-sensitive applications increasingly being used by customers, such as VoIP. IBM ISS includes high and low end IPS products to support a broad array of customers, and in 2010 it has seen strong momentum with its low end appliances.

Sourcefire - 3D System

The Sourcefire 3D System is threatening to competitors, because it is known for its solid attack detection and prevention technology, with the widest range of throughput options, from 5 Mbps to 40 Gbps when combined with the Crossbeam X-Series hardware platform. The company, under CEO John Burris, has managed to achieve growth rates in the range of 30% for 11 consecutive quarters, which the company attributed to a healthy market, a good team and the right product at the right time. Its revenues for the first nine months of 2010 were $92.6 million. The company appears to have put its earlier troubles behind it, although its significant reliance on the federal government as a customer creates some uncertainties from time to time. Sourcefire forged ahead on multiple fronts in 2010 with a new technology alliance program, which yielded an important partnership with Qualys to correlate threat and vulnerability data to reduce the number of false positives; an expanded channel partner program; an expansion of its application detector library, which covers 200 applications including Gmail, RSS, QuickTime and Flash; and a new SSL appliance OEMed from Netronome that allows the Sourcefire IPS to examine encrypted traffic without taking a performance hit. Sourcefire offers a family of plug-n-protect intrusion detection and prevention (IDP) appliances that come bundled with Snort, an operating system, and the company's data management system. However, its flagship offering comes in the form of a network discovery system called Real-time Network Awareness (RNA), which provides information about the network environment in order to better sniff out vulnerabilities. Sourcefire's IPS product includes the Sourcefire Defense Center, which allows for easy centralized management of distributed sensors and prioritized security events, as well as consolidated reporting and remediation. The company also offers Sourcefire RUA (Real-time User Awareness), which links user identity to security and compliance events, and Adaptive IPS functionality, which leverages endpoint intelligence through Sourcefire RNA, Nessus and Nmap.

TippingPoint - Intrusion Prevention System

The TippingPoint Intrusion Prevention System is threatening to competitors, because the custom hardware platform delivers flow/packet analysis at multi-gigabit speeds with good network-based filtering. That platform is now being brought into larger opportunities originated by HP's Enterprise Services organization, which is bringing much greater visibility to the TippingPoint IPS business as a part of the $2.7 billion 3Com acquisition. TippingPoint, which pioneered the IPS with the launch of UnityOne in early 2002, grew that business steadily, despite the yo-yo relationship it had with parent company 3Com since that 2005 acquisition. In 2009, 3Com elected to draw TippingPoint closer to its core business and outlined its integration strategy under the secure network fabric framework. As a part of that initiative, TippingPoint announced the replacement of its E-Series IPSs with the new N-Platform, which features a more modular architecture that enables more filter packs and services to be added to the IPS without exacting a performance penalty. That roadmap remains in place under HP's ownership. TippingPoint's key distinctions are an ASIC-based hardware platform and a multi-gigabit IPS-only product (although the new N-Platform adds support for an IDS mode), further enhanced by a policy-based flow management system that enables 10 Gbps of bidirectional traffic inspection by the company's IPSs. TippingPoint's ThreatLinQ portal, which allows customers to assess the changing global threat landscape and learn from their peers how to adjust security policies accordingly, has seen good traction since its launch in 2008. The company's internal security research team, DVLabs, is made up of expert researchers with expertise in areas such as fuzzing, reverse engineering, phishing, VoIP, and SCADA, among others. DVLabs is complemented by an external research team of 1,447 security researchers, called the Zero Day Initiative. TippingPoint is known for being extremely reliable, with solid security technology at ever-increasing speeds. Advanced centralized management capabilities are available for the IPS and 10 Gbps Core Controller products through TippingPoint's Security Management System (SMS), which was enhanced to add more customized reporting and integration with TippingPoint's NAC product. Alternatively, customers can use the Local Security Manager (embedded Web UI) or the CLI for very small deployments.

Strengths and Weaknesses

Strengths

Check Point - IPS-1

IPS-1 includes the Dynamic Shielding Architecture, which includes correlation and prioritization of network vulnerabilities, vulnerability shielding and protection from new network changes. This proactive technology helps organizations protect their networks before signatures are issued. IPS-1 has the backing of leading firewall vendor Check Point, as its technology is integrated into Check Point's broader security suite. Check Point offers common management of the IPS-1 through integration with the SmartCenter Console, which provides robust policy management across Check Point's flagship offerings, including the new security software blades in its R70 release. IPS-1 is positioned as a best-of-breed product that supports an open-source signature language, which allows greater flexibility in signature customization and creation. The Situational Visibility feature in the IPS-1 management console allows users to graphically monitor attacks against mission critical systems and drill down to get details on the attack, including the effects of the attack and remediation recommendations.

Cisco - IPS Series, Version 7.0

Cisco IPS products offer very straightforward installation. A fundamental advantage of the Cisco product line is its compatibility with routers and switches, so a Cisco IPS module can plug into Cisco switch backplanes to monitor switched environments. Cisco now provides enterprises with Gigabit speed analysis: the company offers a 4 Gbps version of its IPS product, and the 4200 Series includes 10 Gbps interfaces. Cisco continues to expand its detection capabilities, most recently adding Global Correlation to its IPS sensors to use reputation and vulnerability signatures to thwart blended attacks more effectively. Instrumentation added with the Global Correlation update indicates the IPSs are twice as effective at blocking malware from the Internet as existing signature-based methods. Cisco is widely recognized as a strong technology company, and customers feel confident in investing in a company with massive worldwide support and broad technology partnerships. Furthermore, Cisco's IPS products are priced lower than those of competitors when discounted in a package with Cisco firewalls.

IBM - Security Network Intrusion Prevention System

IBM Security Network IPS comes in a broad range of performance options, ranging from 200 Mbps up to just under 40 Gbps of throughput via multiple IPS modules in the Crossbeam implementation. The technology is considered one of the most straightforward products to install. IBM ISS provides solid detection by using signature-based and protocol anomaly detection. The foundation of the Network IPS, the Protocol Analysis Module, uses nearly a dozen technologies to block such attacks as Trojans, worms, SQL injection, rootkits, protocol tunneling, distributed denial of service, cross-site scripting, botnets and backdoors. IBM ISS's centralized security management system, SiteProtector, simplifies an administrator's work. The console provides sophisticated analysis and data correlation, as well as a consolidated reporting infrastructure, a streamlined workflow for handling security events, and support for the new Web application security module for the Network IPS. IBM Security Network IPS now includes new content analysis functions that deliver a measure of data loss prevention, allowing customers to block personally identifiable information such as credit card or social security numbers from leaving the enterprise via email, IM and email attachments, including compound documents that have been compressed. The fairly new Web application firewall module for the Network IPS has seen good traction among customers looking to defend Web servers or Web farms. In addition to the X-Force SQL injection engine and recommended policies, it offers a streamlined graphical interface. Additional integration with Rational AppScan Web application vulnerability detection allows novices to easily implement recommended blocking algorithms.

Sourcefire - 3D System

Sourcefire's IPS offering includes a real-time network discovery system, Real-time Network Awareness (RNA), and the company has integrated the product with network behavior analysis (NBA), network access control (NAC) and vulnerability assessment (VA). Sourcefire has added endpoint intelligence, aggregated by RNA, for increased network protection. Sourcefire IDP includes a built-in data management system in its Defense Center to respond to alerts in real time. Sourcefire is one of the earliest IPS vendors to offer a VMware-based virtual IPS appliance, aimed at smaller remote offices, following IBM/ISS.

TippingPoint - Intrusion Prevention System

TippingPoint is a market leader in throughput and low latency. TippingPoint IPS is built on custom-designed hardware with analysis capabilities of up to 10 Gbps. TippingPoint's Threat Suppression Engine enforces network security policy using functions such as block, notify, allow, and quarantine, and it supports bandwidth management capabilities, including rate shaping. TippingPoint is now backed by HP's Enterprise Services organization, which is bringing the IPS technology into larger deals and increasing its previously limited exposure. HP has also pledged to increase TippingPoint's R&D budget for fiscal 2011. TippingPoint's security research is well regarded in the industry, as evidenced by the breadth of filter coverage (Web applications, OSs, network OSs, protocols, endpoint and server applications, etc.) and the speed at which it is proactively deployed to protect customers' critical assets from the latest threats.


Check Point faces competitors who have increased the performance capabilities of their

The Cisco IPS provides minimal reporting capabilities of its own, and the new global

IBM Security Network IPS is expensive. While considered superior detection technology

Although Sourcefire appears to have put its distractions behind it, including the

Parent 3Com was slow to embrace its TippingPoint unit and to make it an integral part of its

IPS products with 10 Gbps support. Check Point was due to release such support in 2007, but it has yet to do so. The company has been silent on that missing performance option, despite increasing demand for that performance option. Check Point offers several overlapping IPSs in different form factors between its NFRbased IPS-1 dedicated appliance, the IPS software blade based on the R70 software release (which uses a different IPS engine than the IPS-1) and the IPS functionality in the new line of appliances based on the Nokia acquisition. Those different choices can be confusing to customers, they make it harder for channel partners to do business with Check Point, and they are more costly for Check Point to maintain. Check Point has limited recognition as an IPS supplier with a fairly small market share.

correlation function is no exception to that. From an IPS standpoint, reporting is supported on CSM. Depending on the product, reports are supported through several canned formats, with the ability to create custom reports as well. Cisco was slower to respond to growing market requirements for 10 Gbps support than most of its competitors, which released 10 Gbps interfaces for their IPS sensors well ahead of Cisco. In 2010, Cisco announced the end of life for Cisco Security Monitoring Analysis and Response System (CS-MARS), which was the primary alert management system for the IPSs. Cisco is migrating event monitoring and management to the separate Cisco Security Manager offering, which was previously used to push policies out to the IPSs. Although still a market leader in the IPS space, Cisco lost 2% market share over 2010, due to softness in spending and less success in winning larger deals.

because of its strong signature engine, the product is too expensive for most small enterprises and some larger enterprises.

There are limits to the modifications that can be made to the IBM Security NIPS standard rules. Customers can create their own signatures using the OpenSignature feature which uses a Snort-based syntax. (This feature is not used, however, by the standard rules engine.) Bigger rivals such as Cisco Systems IBM has lost some and McAfee have mind share in the added reputation NIPS market due to data to their IPS its strong focus on systems in order to selling the boost catch rates. technology as part Sourcefire has only of much larger deals just begun to offer that consistently limited IP address involve professional reputation feeds for services, and to its its 3D System emphasis on portfolio. growing its NIPS business by selling Sourcefires 3D into IBMs installed System requires a base. significant amount of tuning to achieve IBM does not yet the high offer full, native 10 effectiveness rates it Gbps support on its can achieve, as high end IPS evidenced by NSS appliances at a time Labs real world when the market is testing. While tuning beginning to is important for all demand such IPSs, Sourcefires support. Although 3D System requires IBM has taken a higher degree of stopgap measures expertise and effort. until it can deliver such support in the first quarter of next year, the lack of such support is inhibiting stronger growth at the high

unwanted takeover attempt by Barracuda Networks, the company remains a standalone IPS and open source AV vendor in a market characterized by consolidation, and for AV, commoditization. More enterprises are looking to reduce the number of security vendors they deal with, and that trend does not favor companies with thin product portfolios.

business. Just when it put a cohesive strategy in place to better leverage the TippingPoint technology in its core H3C switches and integrate management of both product lines, HP acquired 3Com. That threw into question the future of the secure network fabric strategy, and HP has yet to outline its own integration roadmap. The good accuracy reputation of the TippingPoint IPS received a black eye at the hands of independent and well-respected testing organization NSS Labs in 2009, when multiple tests against so-called real world threats showed its effectiveness rates were quite poor. TippingPoint has since rejected the NSS Labs tests and cast doubt as to their validity and ability to be replicated, instead embracing rival testing organization ICSA Labs. However, rivals no doubt are making the most of the NSS results in their marketing and sales efforts. TippingPoint sells the Security Management System (SMS), its centralized management console with advanced

end of the market.

management features, as a separate product. However, basic management is included with each appliance in the form of a Web UI or CLI. Sourcefire - 3D System Sourcefires focus on putting its house in order and growing the company organically has left it profitable but with a small product portfolio. With enterprises looking to reduce the number of different security vendors they do business with, Sourcefire may not end up on short lists for larger deals that include complementary threat management offerings. Sourcefire continues to grow its revenues at a healthy clip, and problems faced by rivals such as IBM/ISS and TippingPoint have helped to fuel that growth. Sourcefire has seen 11 consecutive quarters of 30% growth rates, and the company continues to invest significantly in its product line and has continued to add new performance options and improved usability to appeal to a broader array of customers. At the same time, TippingPoint Intrusion Prevention System Similar to TippingPoint, non ASIC-based vendors of intrusion detection and intrusion prevention systems are now releasing products with performance in the Gigabit speed.

Point and Check Point - IPS-1 Counterpoint Point1 Check Point does not provide the broader security infrastructure of competitors offerings.

Cisco - IPS Series, Version 7.0 Cisco is not a pure-play security company, and its IPS solution is merely a checkbox item for Cisco customers looking for IPS solutions.

IBM - Security Network Intrusion Prevention System The ability to customize IBM Security Network IPS standard rules is very limited.

Counterpoint1 IPS-1 delivers multiple layers of security, including IDS, IPS, FW, dynamic shielding, vulnerability information, network change information, and IM, VoIP and peer-to-peer security, among others within a single appliance, all managed centrally from a single pane of glass and all for the single sensor price. Prior to its acquisition by Check Point, NFR Security had been incorporating other third-party network node and vulnerability

Actually, Cisco is more than a security company. Cisco has a fundamental understanding of network traffic, such as network latency and network usage, as well as an exclusive capability to look at packets that are otherwise inaccessible to an IDS or IPS system, such as GRE and other types of routing encapsulated packets. Secondly, network reliability and network availability are two of the principal cornerstones of the companys reputation. Cisco

The need for customization is limited. IBM Security Network IPS includes 225 built-in rules to combat hybrid threats. However, there are ways that customers can write custom rules, including using ISS OpenSignature module.

Performance should be measured by actual throughput, latency, and the number of filters that are enabled. Typically, with non-ASICbased systems, security coverage needs to be compromised for better performance and vice versa. In late 2010, ICSA Labs tested the TippingPoint 2500N, which achieved a maximum throughput of 1700 Mbps with a maximum average latency of 239 microseconds.

intelligence sources to provide broader integration function and benefit. Furthermore, IPS-1s user interface is often referred to as SIM-like in its robust functionality, flexibility and powerful information presentation and analysis functions. IPS-1 also integrates with all the major frameworks such as HP OpenView, IBM Tivoli and others. Point2

brings a level of trust that point product security vendors can never hope to match.

Sourcefire announced its plans to add an internally developed next generation firewall in 2011, leveraging its expanded application awareness, which can identify over 200 applications.

IPS-1 is difficult to Cisco cannot react implement. to new attacks as quickly as its security competitors.

Customers hesitant to switch from intrusion detection to intrusion prevention systems are usually concerned with false positives turning away good traffic. Accurate detection is very important for intrusion detection systems and especially for intrusion prevention systems. ISS has spent years working to improve its detection methods, and it has seen IPS adoption rates rise to about 60 percent. Furthermore, the IPS allows customers to work in varying degrees of inline mode, according to the customers comfort level.

Sourcefires method of opening its signatures is an invitation to hackers.

It makes more sense for customers to buy IPS from their network equipment provider, which more often than not is Cisco.

Counterpoint2 IPS-1 was the first to utilize an appliance to deliver network security functionality; today, it is recognized as setting the new standard for IPS user interfaces. NFR Security previously achieved this point by deliberately focusing on simplifying the entire IDS/IPS experience, maintaining its aggressive focus and investment on delivering true lowtouch, lowmaintenance network security products. The bootable appliances can be installed remotely, without local user intervention. Evidence of Check

Cisco has a strong rapid response team capable of deploying policy updates to its devices within hours of an incident, as well as recurring biweekly policy updates for its devices. The PSIRT focuses on looking at vulnerabilities and exploits in the wild, assessing the impact of the vulnerabilities on the Cisco infrastructure, and providing information and updates to Cisco customers. The addition of Global Correlation updates to the ISP 4200 Series greatly speeds response to new threats. Applying reputation and vulnerability signatures through

In the near-term, open source systems and proprietary systems typically have about the same number of vulnerabilities and bugs in them, but over the long haul, open source systems tend to be more secure because of the community feedback. That is assuming a critical mass of users is utilizing a particular open source product. Snort has definitely reached that critical mass, with 4 million downloads.

Customers need to make a buy decision based on the solutions performance, breadth of security coverage, and time to coverage. When these criteria are factored in, Cisco typically lags well behind in these areas compared to vendors in the inline IPS segment, therefore exposing the vulnerabilities of the customers critical business assets.

Points progress on improving installation came recently from readers of Information Security magazine, which gave the IPS-1 its 2010 gold medal for best IPS in part because of its ease of installation. Point3 Customers can count on more integration support from competing vendors that have a wider range of response teams or more systems integrator relationships.

updated rules is many times faster than matching attack signatures.

Reporting features are weak in Ciscos IPS product suite, including reporting on reputation filter blocking.

Intrusion prevention systems will eventually replace the need for intrusion detection systems.

Sourcefire is not as fast to react to industry attacks as some competitors are, such as ISS.

Customers hesitant to switch from intrusion detection to intrusion prevention systems are usually concerned with false positives turning away good traffic. TippingPoints technology is built on a custom ASICbased, extremely fast processing, lowlatency device that enables TippingPoint to perform functions that IDS vendors simply cannot do. TippingPoints philosophy from day one has been to ensure customers have the hardware platform necessary to write the filters that guard against false positives. Additionally, TippingPoint manages a global network of Lighthouse installations. These Lighthouse deployments allow TippingPoint to test newly developed filters in the wild before they are integrated into the Digital Vaccine update, thereby reducing the

Counterpoint3 IPS-1 is the most flexible IDP product on the market. Specifically, with respect to an open signature language, open signatures, multiple deployment modes, and the ability to calibrate prevention (Confidence Indexing) according to the value of the asset being protected, no other product, including Snort, can offer these functions integration-wise. IPS-1 integrates with frameworks as mentioned above, multiple SIM products, Nessus, Symantec UEC, firewalls and routers, among others.

Purely from an IPS standpoint, comprehensive reporting is supported on CSM. Depending on the product, reports are supported through several canned formats, with the ability to create custom reports as well. Reports can be scheduled and presented in a variety of output formats.

While intrusion prevention is fast becoming a generally accepted approach to network security, IBM provides the flexibility to block or passively monitor threats. If customers are not comfortable deploying an intrusion prevention system, they are able to deploy in monitoring mode. IBMs multifaceted protection consists of prevention mode, passive IDS mode and passive monitoring mode.

Sourcefire is often first to market with its analysis of attacks on industry vulnerabilities, and Snort has had far fewer security vulnerabilities discovered in it than most other IDSs. When things are discovered in Snort, they get fixed in hours or days. At the same time, as a part of IBM, ISS has not been as quick to respond as it has in the past.

potential of blocking legitimate flows. The new ThreatLinQ portal gives customers direct access to the latest security intelligence and policy response gathered in the Lighthouse network.

Point 4

Check Point: Check Point is confusing customers with overlapping IPS products in different form factors, which use different underlying technology and which compete with each other.

Cisco: Cisco competitors are releasing IPS products with multigigabit throughput.

IBM: The ISS NIPS offering has lost mind share and visibility in the market as a result of IBM's emphasis on wrapping expensive professional services around the product and on growing the NIPS business by selling into its installed base of large customers.

Sourcefire: It appears that IDS technology is no longer necessary and customers have completely embraced IPS products.

TippingPoint: TippingPoint's effectiveness at blocking real world threats has been called into question by independent testing organization NSS Labs, and rivals in those same tests were shown to be twice as effective as the TippingPoint IPSs.

Counterpoint 4

Check Point: Not all customers are alike, and different customers prefer different form factors. Customers who cut their teeth on a dedicated appliance form factor prefer to stick with that, while others find the performance and cost benefits of the IPS blade more compelling. Some customers have a team dedicated to managing IPS, and that team may not want to give up control of what they're responsible for by having the IPS installed on a firewall owned by another team. In either case, they can manage both using a single management interface.

Cisco: Cisco provides a 4 Gbps version of the 4200, and by the end of 2008, it finally released 10 Gbps interfaces for its high-end IPS sensors. Furthermore, the company holds itself to a high standard regarding its stated level of performance, so if you put Cisco IPS in traffic and turn on all the signatures, users get the stated performance. Some competitors are more liberal with their definition; if there is not much traffic, the product performs at the stated speed, but once users actually put a full traffic load through the network, product performance goes down.

IBM: The quality of the product has not suffered as a result of that focus, and IBM, in moving product management to Tivoli, will renew its effort to win pure product deals in addition to services plus product deals.

Sourcefire: Sourcefire advocates that both IDS and IPS technologies are necessary to protect today's network and that each technology serves a different purpose. First-generation IPS products are often good at protecting networks against a very small set of attacks while leaving them vulnerable to all others. Sourcefire's 3D System allows companies to have both IDS and IPS technologies, all managed centrally by the Sourcefire Defense Center with consolidated reporting and policy-based automated responses, including inline blocking.

TippingPoint: NSS Labs test results have been completely inconsistent, and their testing is impossible to reproduce. Their tests do not necessarily reflect real-world threats. ICSA Labs, which is ANSI-certified, provides more relevant, real-world testing.

Point 5

Cisco: Customers still grapple with utilizing best-of-breed solutions versus going with an end-to-end supplier such as Cisco.

Counterpoint 5

Cisco: Cisco recognizes that most network environments are heterogeneous, with a mix of many vendors. Cisco wrote an API language (called SDEE), and several partners/competitors have written to that API so Cisco security events can be received by those third parties and displayed on their systems. Customers may opt for best-of-breed products, but the company underscores the value of Cisco products working in collaboration as yet another reason to think about Cisco from an end-to-end perspective.

Buying Criteria and Metrics Comparison

Architecture

Check Point IPS-1

IPS-1 is scalable. The product meets the small footprint requirements of small, initial deployments, and the architecture expands to support an unlimited number of sensors. The product may be managed by business unit or geographic region, and it can be managed centrally from a single console or support distributed management.

IPS-1 supports both IDS and IPS capabilities. The device supports four distinct modes of operation: traditional IDS, in-line bridging (which provides no traffic blocking and acts as a learning mode), and two types of operation with full blown blocking, one of which fails open if the device fails and one of which fails closed. The product also includes firewall capabilities and protection for IM and VoIP. IPS-1 is straightforward to configure and manage. Key management features include Confident Indexing, which supports the ability to calibrate prevention according to the value of the asset being protected. IPS-1 supports a variety of environments, including RedHat Linux, Solaris and Windows. IPS-1 is highly interoperable. It is certified with popular network management standards including HP OpenView and OPSEC as well as third-party security event management solutions, such as ArcSight.

Cisco - IPS Series, Version 7.0

The Cisco IPS products integrate easily into a networking environment. The products include standalone Linux-based appliances and blades for Cisco's Catalyst 6500 switches and Integrated Services routers. The Catalyst blade (IDSM2) is described as a PC-style appliance that integrates into the 6500 Series chassis in the same way a module with fast Ethernet ports is integrated. At the same time, the IPS Advanced Integration Module and IPS Network Module (for the 1841, 2800, and 3800 Series ISRs) fit into an internal slot in the ISRs and include a coprocessor that offloads IPS tasks from the ISR. All of Cisco's 4200 Series appliances and the switch and router line cards support both IDS and IPS services. Cisco's IPS solution provides the capability of using the IPS device in a variety of modes, including IDS mode, IPS mode, or a hybrid mode that runs both on a single device. Cisco IPS simplifies integration into switched environments. The IPS module can monitor traffic on multiple VLANs simultaneously (both ISL and 802.1q-encoded) using the VLAN ACL capture feature or SPAN function (rather than using external IPS sensors connected to a switch SPAN port). Cisco IPS provides broad coverage for a variety of environments. The product supports numerous operating systems, including Windows, Solaris, and Linux.

IBM - Security Network Intrusion Prevention System

The IBM Security Network IPS Series operates in three modes: prevention mode (inline, blocking), passive IDS mode (offline, no blocking), and passive monitoring mode (inline, no blocking). This provides customers with a smooth path to intrusion prevention.

The IBM Security Network IPS supports asymmetric routing environments by grouping two interfaces together and treating those two different paths as one logical flow. The NIPS appliance runs on a copper interface or copper/fiber mix for core network deployments. Several of the models use SFP GBIC interfaces, which allow customers to change media types by simply swapping out the interface modules. IBM ISS has included virtual patch protection with this product, which aims to protect systems against attack during the interim period between the discovery of a vulnerability and the manual application of a security patch. This is key as the time between disclosure and applying a vendor-supplied patch is extended. IBM's new NIPS firmware release revamped the user interface to streamline operation and performance. Specifically, IBM made it much easier to go from detection simulation mode to blocking mode by right-clicking to create a new blocking policy based on actual threats discovered.

Sourcefire - 3D System

All Sourcefire appliances are plug-n-protect, designed to be installed and running in 15 minutes or less, although Sourcefire strongly recommends that customers tune their IPSs. They are self-contained appliances that include the hardware and all necessary software, including the data management system and hardened operating system. Sourcefire now offers a virtual appliance option of its 3D System that runs on VMware ESX and Citrix Xen hosts, and it has introduced cloud-based IPS services to protect customers' applications running on Amazon EC2 hosted Web services. A Sourcefire sensor can be deployed as an individual system or in groups using centralized management. Sourcefire sensors offer flexible deployment and can be deployed inline in IPS mode or out-of-band in traditional IDS mode. The Sourcefire eStreamer interface provides for easy integration to other products such as SIM/SEM products or network management consoles such as IBM Tivoli, HP OpenView or CA Unicenter. Sourcefire provides coverage for key operating system environments. The management console is Web-based, and the appliances are supported by Linux systems. RNA's GUI runs on Linux, Windows and Mac OS X. Sourcefire replaced the Snort internal pattern matching engine with Intel's Quick Assist pattern matching technology, which improves throughput and lowers latency for the 3D System.

TippingPoint - Intrusion Prevention System

TippingPoint is an intrusion prevention appliance built on a hardware-based platform that includes network processor technology and a set of custom ASICs. This parallel processing hardware is touted as the reason TippingPoint can perform thousands of checks on each packet flow simultaneously with outstanding throughput and switch-like latency. Using custom ASIC, TippingPoint is able to inspect packets at Layers 2-7. This level of inspection insures that packets can flow through the IPS with a latency of less than 90 microseconds. The Threat Suppression Engine supports bandwidth management capabilities, including traffic classification and rate shaping, a sophisticated throttling capability that controls traffic. This feature alerts administrators to unusually high flows of traffic and gives mission-critical applications a higher priority on the network. TippingPoint runs on a copper interface or copper/fiber (and all fiber) mixed interface, providing infrastructure protection to routers, switches, and firewalls. Installation is very straightforward, requiring no network reconfiguration during deployment; however, the appliance is not a plug-and-play device, and it requires some networking expertise during set-up. TippingPoint now provides three different architectures across its line of IPSs, with each addressing a different set of requirements: the low end S10, S110, and S330 line, aimed at remote offices and offering lower costs; the new N-Platform, which replaces the discontinued TippingPoint E-Series (not to be confused with the rebranded HP ProCurve LAN switches now called the E Series) and adds 10 GbE and IPv6 support; and the S1200N IPS module for the HP A7500 Series switch (formerly 3Com's 7500 chassis switch). TippingPoint also supports virtual server environments with its new vController, which routes VM-to-VM or VM-to-physical server traffic to a separate IPS appliance for inspection.

Detection and Response

Check Point IPS-1

IPS-1's hybrid detection engine uses multiple detection and prevention methods to guard against known attacks, stealth attacks, anomalous behavior, first strikes, DoS floods and polymorphic attacks. The sensors use vulnerability signatures, exploit signatures, anomaly detection, protocol analysis, OS and application fingerprinting, correlation and worm mitigation.

IPS-1 provides an open signature format through the N-Code language so network administrators can tune or add signatures in order to minimize false positives. IPS-1 includes proactive protection technology called Dynamic Shielding Architecture, which includes correlation and prioritization of network data, including vulnerability shielding and protection from new network changes. IPS-1, through its Situational Visibility feature, allows users to pinpoint serious attacks against mission critical systems and drill down to get details on the attack, such as the source, type and effect of the attack as well as recommended remediation and packet capture.

IPS-1 has a strong real-time reporting mechanism that is diagnostic in nature. It gives users a view of the enterprise's security policy, providing historical management trends to offer a broad view of security events over an extended period. However, the product does not support automated and scheduled reporting capabilities.

Cisco - IPS Series, Version 7.0

Cisco IPS uses signature-based detection and protocol decoding to provide denial of service (DoS) protection and guard against known and unknown cyber attacks. This detection method has been enhanced to include NBA technology, as well as a risk and threat rating function that lets users fine-tune the IPS to be more policy-based. The Cisco IPS appliance and module features a strong signature engine, based on Cisco's Threat Analysis MicroEngine (TAME) technology, whereby customers can customize or add signatures to existing signatures. This provides a lot of flexibility in creating a detection system. Cisco develops all its own signatures. Cisco added new Global Correlation functions on top of the existing signature base to improve the efficacy and lower the rate of false positives in its IPS 4200 Series. Threat data, including reputation and vulnerability signatures, is collected globally through Cisco's Security Intelligence Operations and processed in Cisco's Threat Operations Center; once new attacks are identified, new lightweight rules are automatically generated and deployed to sensors at user-configured time intervals. Once-ambiguous attacks such as SQL injection can now be better clarified to reduce the risk of blocking legitimate SQL traffic.

Cisco's detection capabilities include application inspection, so policy can be enforced based on content detection at the application layer; RFC compliance checking for HTTP methods; filtering of traffic based on select MIME types (such as JPEG extensions); and detection and prevention of covert channel tunneling through Port 80 to determine policy violations (this helps preserve network bandwidth by disallowing applications such as inappropriate file sharing tools).

In 2010, Cisco discontinued its add-on SIM product, called CS-MARS, citing reduced demand, most likely due to its limited multivendor input. Cisco migrated event monitoring and management to its Cisco Security Manager, which centrally manages configuration and security policies for Cisco IPSs, VPNs, and firewalls. To date, CSM does not support a manager-of-manager capability. Although Cisco intends to add that capability at a later date, the ability to scale CSM deployments is limited until that happens. In the most recent round of NSS Labs testing of IPS appliance effectiveness against real world threats, Cisco's IPS 4260 Sensor scored well when tuned, and Cisco improved its effectiveness when using default settings. In addition, Cisco improved the IPS's ability to thwart malware using evasion techniques.

IBM - Security Network Intrusion Prevention System

IBM's detection techniques include signature-based detection and protocol anomaly detection to protect against zero-day vulnerability of unknown attacks, zero-day exploits of known vulnerabilities, and known exploit attacks. The product is integrated with network behavior anomaly detection functionality provided by Arbor Networks, although it is no longer offered by IBM. Such integration helps customers protect against unknown threats. This functionality has become almost a standard feature among the leading IPS solutions because it helps customers protect their internal networks through an added layer of threat protection. IBM's inline blocking mode automatically blocks viruses, unauthorized access, network attacks, malicious code, hacker exploits and hybrid threats. It includes anti-spyware capabilities, providing prevention at the network level. A new Web application security module for the IPS provides Web application firewall protection to block attacks such as SQL injection, cross-site scripting (XSS) and shell command injections.

IBM ISS uses a broad set of specific signatures within its analysis engine. A large signature set can, however, result in increased signature tuning requirements from customers. IBM ISS has increased its detection accuracy and decreased its reliance on signatures in past years, which helps reduce the need for system tuning. Additionally, the product comes with over 1,600 out-of-the-box recommended blocking actions to guard against threats. IBM uses the SiteProtector Management Console to centralize management of multiple sensors. The console provides automatic product updates and installations, the ability to see real-time reporting trends, and the ability to correlate vulnerabilities with intrusion attempts. Improved policy management capabilities let administrators control policy at the device, port, VLAN and IP address levels. An integrated, automated ticketing feature allows ticketing on vulnerabilities and incidents within SiteProtector or with standalone systems such as Remedy Action Request System.

The integration of Rational AppScan with SiteProtector allows recommended custom policies to be automatically generated from vulnerabilities discovered by AppScan as it scans new Web application code for defects.

Sourcefire - 3D System

Sourcefire uses the popular Snort rules-based engine, which can be configured to detect both signature-based events for known exploits and anomalous behavior for unknown threats, to guard against threats such as worms, viruses and spyware. The Sourcefire sensors can perform stateful protocol analysis to detect anomalies, including port scans, IP stack fingerprinting and DoS attacks. Sourcefire's strategy for real-time protection is its integration of IPS, NBA, NAC and vulnerability assessment.

Sourcefire RNA passively monitors a company's network and identifies all systems, including client/server hardware, operating systems, and applications for strong correlation capabilities. RNA also aggregates endpoint intelligence through Sourcefire's Adaptive IPS technology for added network protection. RNA includes the Policy and Response Module, which allows companies to enforce policies regarding applications and services running on the network. Sourcefire RUA allows customers to link user identity to security and compliance events. Sourcefire provides the ability to disable or edit existing rules under the rules-based engine, which can reduce false positives. Some competing vendors are not willing to open up their signatures for review, making it difficult for customers to troubleshoot alerts. Sourcefire has built a data management system into the Sourcefire Defense Center, making it a solid platform for managing, reporting and analyzing the information generated by IDS, IPS and RNA sensors. A scaled-down, less-costly version of Defense Center, coupled with ease of use enhancements, makes the Sourcefire IDP more appealing to medium-sized enterprises that want to deploy three or fewer sensors. Sourcefire IPSs perform well in third-party testing, receiving top scores for blocking real-world threats from independent testing organization NSS Labs.

TippingPoint - Intrusion Prevention System

TippingPoint's filtering mechanisms include signature-based, protocol anomaly, and vulnerability and traffic anomaly to identify and block known and unknown attacks in order to protect the network. TippingPoint has just under 5,000 filters, and by default, the company ships about 1,000 filters enabled in blocking mode. This differs from the approach of other vendors, which turn on customers' blocking filters gradually.

TippingPoint IPS is supported by the company's signature engine, called the Threat Suppression Engine, which detects and prevents viruses, Trojans, known and unknown attacks (zero-day attacks), worms, SYN floods, and DDoS attacks, among others. TippingPoint includes anti-phishing capabilities with its prevention capabilities as well as VoIP and SCADA support. TippingPoint's IPS has evolved over time to protect not only networks and operating systems, but also client/server Web and enterprise applications. Protection for XSS, PHP, SQL injection, and spyware are ever-expanding components of TippingPoint's Digital Vaccine service that can also address data leakage and support for custom Web applications. TippingPoint IPS is managed centrally by the Local Security Manager (LSM), a Web GUI management application that is included with each appliance, providing administration, configuration, and reporting capabilities for one device. Customers have the option of purchasing the TippingPoint Security Management System (SMS) for more advanced and scalable centralized management functions. The SMS platform provides trending reports, correlation, and real time graphs on traffic statistics, filtered attacks, network hosts and services, and IPS inventory. It also includes a profile editor feature, which provides a very flexible means for creating and deploying policies across all the devices in the system. SMS, which is bought by about 80% of TippingPoint customers, is being integrated with 3Com/H3C's Intelligent Management Center. TippingPoint made an important move in its NAC strategy, repurposing its IPS technology to provide blocking and quarantine functionality in a NAC solution. TippingPoint provides a broader set of enforcement capabilities, including pre-admission host posture checks and quarantine as well as post-admission threat protection built on IPS. TippingPoint includes an advanced denial of service capability that not only detects, but also blocks a variety of DoS and DDoS attacks, including SYN floods, connection floods, packet floods, and attacks originating from spoofed and non-spoofed sources.

Throughput (Performance)

Check Point IPS-1

The product includes sensor products starting at performance levels of 50 Mbps, and supports Gigabit speeds of up to 4 Gbps when operating in IDS mode. As an IPS device, IPS-1 is rated up to 2 Gbps. IPS-1 sensors include multiple interfaces to monitor high-availability networks. If a primary server fails, the sensor is redirected automatically. The product is scalable to meet the growing demands of the enterprise. The product gives customers deploying hundreds of sensors the ability to manage all these sensors using a single interface. However, the system gets pricier with very large deployments. The IPS-1 2070 with 50 Mbps of IPS throughput starts at about $7,000, and maintenance and support costs vary depending on the class of support chosen by the customer. The 4070 with 200 Mbps of IPS throughput lists for $16,000, the 5070 is priced at $28,000 for 500 Mbps performance, and the performance range tops out at 2 Gbps of IPS throughput in the IPS-1 Power Sensor 2000, which lists for $115,000.

Cisco - IPS Series, Version 7.0

Cisco IPS provides enterprise protection with Gigabit speed analysis. The Cisco IPS-4270 performs at 4 Gbps for media rich application environments. The IPS-4260 performs at 1 Gbps (IDS) and 800 Mbps (IPS), or at multi-Gigabit speeds (up to 8 Gbps) with load balancing. EtherChannel Load Balancing functionality allows the solution to scale up in performance. There are eight EtherChannels supported on a switch, which allows a total of eight devices to be linked to the EtherChannels. This is a networking feature that, when applied to a security application, provides load balancing, using switch features to span traffic across multiple blades or multiple appliances. The IPS product includes support for advanced traffic normalization algorithms such as fragmentation reassembly.

The Cisco IPS is competitively priced. The 4200 Series appliance starts at $11,995 for a 250 Mbps speed appliance and goes up to $89,995 for the IPS 4270 4 Gbps speed appliance. The Catalyst 6500 IDS module is priced at $29,995 and performs at 500 Mbps. Although the ASA 5500 line is considered a UTM appliance, customers at the low end typically buy the 5510 for combined IPS and firewall functions, delivering 150 Mbps throughput, for $5,995. This does not include the first year's support. Support is delivered through the purchase of a "Cisco Services" contract. The price of this service contract is not included in the price of the various platforms.

IBM - Security Network Intrusion Prevention System

The IBM Security Network IPS is very scalable, offering varying levels of performance, reaching multi-Gigabit levels. Performance is of particular importance to intrusion prevention appliances, because the device sits inline and must run in real-time to keep up with traffic. The IBM intrusion prevention system technology is extremely flexible and scalable. The technology operates across a number of platforms, including the desktop, server, virtual server and network, and protection products include scanning and wireless solutions. To allow the GX 5208 and GX6116 Series sensors to operate on 10 Gbps network segments, IBM added the $35,000 Network Security Platform, which acts as a 10 Gbps aggregator for those devices. It does not require a separate bypass unit for active/active smart bypass functionality.

The IBM Security Network IPS GX4004 through GX6116 Series ranges in price from $10,995 to $179,995. IBM does not include the first year's maintenance and support in its pricing. The product line ranges from the GX4004 product with up to 200 Mbps IPS throughput, to the GX6116 supporting up to 6 Gbps performance throughput, targeting large enterprises and carriers. For very large enterprises and carriers, IBM added the new IBM Security Network IPS for CrossBeam, which can deliver just under 40 Gbps of throughput using multiple modules in the CrossBeam chassis.

Sourcefire - 3D System

Sourcefire provides a broad range of performance options, including multi-Gigabit performance levels that lead the industry. Sourcefire 3D appliances now reach speeds of up to 20 Gbps for analysis performance in a two-sensor cluster of its 3D 9900 high-end appliance, meeting the needs of most enterprise networks, including those with latency-sensitive applications such as VoIP. Sourcefire supports a failover design. Multiple sensors can be used in a load-balanced configuration to ensure high availability. Sourcefire IPSs include the ability to throttle traffic to thwart denial of service attacks and to rate-limit unproductive traffic such as ...

Sourcefire offers nine IDP appliances, ranging from the entry-level 3D500 (a 5 Mbps T1-grade IDP) and 3D1000 (a 45 Mbps T3 device), to the midrange 3D2500 (a 500 Mbps sensor) and 3D3500 (a 1 Gbps sensor), to the high-performance 3D9900 (a 10 Gbps sensor). The company more recently added the ability to cluster two 3D9900 sensors to handle up to 20 Gbps of network traffic, which is load balanced across the two sensors without requiring a separate controller. The Sourcefire 3D appliances range in price from $3,995 to $259,995, not including first-year support.

TippingPoint - Intrusion Prevention System

TippingPoint is very scalable, offering varying levels of performance. Performance is of particular importance to intrusion prevention appliances, because the device sits inline and must run in real-time to keep up with traffic. TippingPoint IPS is a series of appliances with throughput ranges from sub-20 Mbps to 10 Gbps when the IPS is deployed in conjunction with the TippingPoint Core Controller. The TippingPoint Core Controller is an appliance that enables 10 Gbps of bi-directional traffic inspection by the TippingPoint IPS to provide infrastructure protection for mission-critical OSs and bandwidth-intensive applications. Driving the need for this high level of performance and scalability is data center consolidation and an increased use in latency-sensitive applications such as video and voice (VoIP). The product targets large enterprises and service providers.

The TippingPoint series offers two different model lines, including the low-end TippingPoint S10, S110, and S330 models for sub-20 Mbps to 300 Mbps performance, as well as the new, more modular N-Platform with four models that can more readily support multiple filter packs and additional planned security services. TippingPoint also offers an IPS blade for the HP A7500 Series switch, and it supports virtual server environments through the vController. The SMS Enterprise-Level Management System manages a mixture of those models, and the appliances can be deployed in a variety of locations on the network, including internal or external firewall connections, at the company's core network infrastructure or data centers, or at remote branch offices. TippingPoint's base cost per 100 Mbps throughput is about $6,000, varying by platform. Pricing does not include the first year's maintenance and support. Pricing ranges from $3,995 to $169,995.

Vendor Support

Check Point IPS-1

The SmartDefense subscription service provides vulnerability intelligence updates and advisories to customers. This service is included with the product for one year. Check Point SmartDefense Research and Response Centers are located in multiple regions circling the globe and provide 24/7 research and coverage. The centers carry out research on network, protocol and application vulnerabilities, and actively monitor to identify vulnerabilities and potential exploits before they are introduced into the wild. To match customer priorities when it comes to specific attack surfaces, Check Point has emphasized signature development for vulnerabilities specific to Microsoft applications as well as Adobe applications, where it leads competitors on the number of signatures it has created for exploits and vulnerabilities specific to those application areas. IPS-1 customers have strong service and integration support through Check Point's strong channel program. Check Point has greatly expanded the size of its SmartDefense Research and Response team, which is focused fairly closely on IPS signature development. Check Point continues to invest in additional tools and assets to deliver accurate, responsive and broad coverage.

Cisco - IPS Series, Version 7.0

Cisco provides worldwide support for its IPS products through response teams based in all of the major international markets, including North America, South America, Europe/Middle East/Africa, and Asia-Pacific. Cisco provides 24/7 response capabilities through a rapid response team, which writes its own signatures and countermeasures to combat threats, as well as an internal team, called the Product Security Incident Response Team (PSIRT), which focuses on any disclosed vulnerabilities that impact Cisco devices. Signature updates are provided as needed on a 24/7 basis. Global Correlation updates are bundled in with Cisco's services for its IPSs, rather than priced separately. With the increased efficacy that Global Correlation brought to Cisco's IPSs, Cisco added a new, money-back guarantee in 2010 that it will provide 100% coverage for all Cisco, Microsoft, and common enterprise application (e.g., Apache, Adobe, Oracle, etc.) vulnerabilities announced within 24 hours, and 90% of Cisco and Microsoft vulnerabilities will be covered within 90 minutes of their announcement. While half of Cisco customers deal directly with the vendor, more than half of Cisco IPS sales are fulfilled through channel partners.

IBM - Security Network Intrusion Prevention System

IBM ISS provides worldwide support for its intrusion prevention appliance products through response teams based in numerous countries throughout North America, South America, Europe/Middle East/Africa and Asia-Pacific. IBM ISS delivers 24/7 response capabilities through the IBM ISS X-Force response team. The research team is dedicated to searching for malicious behavior before widespread attacks occur. IBM also tracks Internet threats through its Global Threat Operations Center (GTOC). The IBM ISS response team provides monthly signature updates and regular algorithm updates in response to suspicious activities. IBM ISS offers some channel presence, bringing customers additional support through these third-party integrators. About 70 percent of IBM Security Network IPS sales worldwide are through resellers, although in the U.S. it's closer to 50 percent.

Sourcefire - 3D System

Sourcefire has access to tech support through the open source community at large. Sourcefire provides 24/7 support and the backing of its internal Vulnerability Research Team, which includes some 20 to 25 researchers and is growing. Signature updates are provided by Sourcefire's team once a week, and as necessary when new attacks appear. Sourcefire streamlined the updating of Snort rules by automating the process of downloading and applying new security enhancement updates, allowing users to focus on other priorities. Sourcefire's growth indicates that it is leveraging the channel more effectively, with a near doubling of its business that was initiated by channel partners from 2009 to 2010. Sourcefire in 2010 added 20 new channel partners in EMEA. Notable resellers include Dell; SRS, which serves the federal government; and Symantec, which uses the Sourcefire IPS as a part of its managed security services business. Sourcefire sensors and RNA run on Intel-based hardware as well as Crossbeam Systems X-Series hardware and Bivio Networks high-end appliances.

TippingPoint - Intrusion Prevention System

In addition to the internal DVLabs research team, TippingPoint receives data feeds or raw intelligence feeds from organizations such as CERT, vendor advisories, and Bugtraq. The company also has a relationship with the SANS Institute (which provides certification training for security personnel). SANS delivers a newsletter called @Risk Weekly Report, authored by TippingPoint, which goes to over 250,000 IT professionals. TippingPoint offers 24/7/365 response capabilities through its rapid response team. TippingPoint's rapid response service is called Digital Vaccine. TippingPoint provides updates twice a week (or more frequently in case of emergencies) to provide protection for the latest vulnerabilities, exploits, viruses, and rogue applications. TippingPoint customers have wide service and integration support through a strong channel program. TippingPoint sells the appliance indirectly about 90% of the time. TippingPoint's new ThreatLinQ portal exploits its global Lighthouse network of installations to allow customers to assess the latest threats and compare notes on how peers set policies in response to the changing threat landscape. The latest version of ThreatLinQ gives participants access to real time attack data to help them tune their IPS filter settings and create custom profiles that can be ported to the SMS. About 2000 customers contribute data to ThreatLinQ.

Performance And Sizing

Cisco - IPS Series, Version 7.0

IBM - Security Network Intrusion Prevention System Yes Yes Yes Yes

Sourcefire - 3D System

TippingPoint - Intrusion Prevention System

Intrusion Prevention Intrusion Detection In-line Test Mode Simultaneous IDS/IPS Mode

Yes Yes Yes No

Yes Yes Yes Yes

Yes Yes Yes Yes

Yes Yes Yes Yes

Max. In-line IPS Throughput Max. IDS Monitoring Throughput Max. Virtualized IDS/IPS Policies

2 Gbps

Multi-gigabit with Load Balancing Multi-gigabit with Load Balancing Four fully virtualized sensors (state & policy with 2000 virtual pairs) 16 ports of GE

Up to 15 Gbps

20 Gbps

20 Gbps (with Core Controller) 20 Gbps (with Core Controller) Approximately 100 virtual segments

4 Gbps

Up to 15 Gbps

20 Gbps


Max. Interface Capability/Capacity


2x10GbE, 10x1GbE SFP, 10x10/100/1000BaseTX, (3x10GbE w/Core Controller) 12 10/100/1000BaseT, 1GbE SFP, 10GbE XFP

Monitoring Ports (IDS Mode)

Up to eight physical ports, with up to 255 VLANS per port Up to four physical pairs, with up to 2040 logical pairs Yes

Up to 16

In-line Pairs (IPS Mode)

Up to 8

11 segments with a mix of 1GbE and 10GbE

TCP Reset Ports

Yes, 4 or 8 Depending on Mode Yes, 1 Yes



All ports

Management Network Ports High Availability

Yes, dedicated network ports Yes

Up to 2 Yes

Yes Yes

1 Yes, Active/Active, Active/Passive, ZeroPower HA, Layer 2 Fallback, and Active/Passive Management Yes Yes Yes, removable flash on all N-Series products Yes

Fail-open Fail-closed Removable Hard Drive

Yes Yes Yes

Yes Yes Yes

Yes Yes

Yes Yes

No for GX4, Yes No for GX5 and GX6 Series No No Yes Yes Yes Yes Yes on some models

Solid-State Memory Only (no hard drives) Interface Grouping Redundant Power Supply Utilizes hard drive for operation 10 Gigabit Ethernet support Yes Yes

Yes Yes Yes No Yes

2 Yes In some models Integrated 2x10GbE on 2500N and 5100N, 3x10GbE w/Core Controller Ranges from two to five segments depending on the model

10/100/1000 Support

Detection

Check Point IPS-1 Cisco - IPS Series, Version 7.0 IBM - Security Network Intrusion Prevention System Sourcefire - 3D System TippingPoint - Intrusion Prevention System

Vulnerability Attack Detection


Yes Signatures are primarily vulnerability-focused. Vulnerability signatures are enhanced with Global Correlation, the first reputation-based service for IPS solutions. Yes Yes Yes

Protocol Anomaly Detection Attack Detection on non-standard ports and Application tunnelled traffic DoS Attack Detection DoS Attack Prevention Stateful Signature Detection



Yes Yes


Yes Yes

Yes Yes Yes 197


Yes Yes


Yes Unlimited through universal engines Customers can create their own original signatures as well as modify existing Cisco-provided signatures. Customers can create their own original signatures as well as modify existing Cisco-provided signatures. Yes

Yes Unlimited

Yes 500+

No. Network & Application > 100 Protocols

User-defined Signatures


Clone and Modify All Vendor-Provided Signatures


No; ability to add custom filters for proprietary or homegrown Web applications

Detailed Visibility into All Parameters and Fields for All Signatures IPS and IDS for SSL encrypted traffic Evasion Detection/Res. IDS Attack Fragmentation Attack Detection Asymmetric Routing Support Web Application Firewall Capability Apply Policy on a Directional Basis VLAN Aware Detection IPS and IDS for IPv6 Traffic

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes in IPS mode, not in IDS mode Yes Limited Yes Yes Yes, the same sensor can inspect both IPv4 and IPv6 traffic Yes

IPS and IDS for Tunnelled traffic (IPv4 in IPv4, IPv6 in IPv6, IPv4 in IPv6, IPv6 in IPv4) Double VLAN Aware Detection MPLS Aware Detection Behavioral Traffic/Flow-based Det. Scan and Reconnaissance Detection SYN flood attack prevention with proxy Phishing Attacks Data not provided Data not provided



Yes Yes Yes Yes Yes

Yes Yes No Yes No Yes Yes

Yes Yes Yes (roadmap) Yes Yes Yes

No No, Cisco has a dedicated e-mail security product. Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes No Yes Yes Yes

P2P Traffic Detection P2P Obfuscation Detection Full connect TCP connection DoS detection Profile driven self-learning based DoS detection DNS DoS detection ARP spoofing detection IP Spoofing detection Botnet detection Generic Buffer overflow detection based on detecting embedded shellcode Expose all fields of all protocols in User Defined signatures to enable customers to write high fide Detection Engines/Technologies Capable of Update Without Update of Sensor Software Backdoor Detection Other Features

Yes Yes Yes Yes Yes Yes Yes Yes Yes

Data not provided Check Point IPS-1 Yes Yes Yes

Yes Cisco - IPS Series, Version 7.0

Yes IBM - Security Network Intrusion Prevention System No No No IBM - Security Network Intrusion Prevention System Yes Yes Yes Yes

Yes Sourcefire - 3D System

Yes TippingPoint - Intrusion Prevention System

Traffic Management to rate limit traffic Marking of packets using Diff Serv and 802.1p Stateful Access Control Lists (ACL's) Analysis Check Point IPS-1

Yes No Yes Cisco - IPS Series, Version 7.0

Yes No, since it is a bump-in-the-wire solution Yes Sourcefire - 3D System TippingPoint - Intrusion Prevention System

Third-party Event Integration Built-in Real Time Event Corr. User-tunable Event Correlation Cross-sensor Event Analysis Full Packet Capture Event Filtering

Yes Data not provided Yes Data not provided Yes Yes

Yes Yes Yes Through Cisco Security Manager Yes Yes Yes Yes Yes No

Yes Yes Yes Yes

Yes Yes Yes Yes

Yes Yes Yes Yes Yes No IBM - Security Network Intrusion Prevention System Yes

Yes Yes Yes Yes Yes

Yes, configurable Yes Yes Yes Yes Yes

Additional Reference Data Provided Yes Event Annotation/Auditing Yes Event Description Updates Yes On demand vulnerability assessment capability Response Capabilities Check Point IPS-1

Cisco - IPS Series, Version 7.0

Sourcefire - 3D System

TippingPoint - Intrusion Prevention System

Inline Attack Blocking



TCP Session Reset (Passive Mode) Prior to attack packet logging Packet Logging Forensic Packet Logging


Yes Yes Yes Yes

Yes Yes Yes Yes


Yes Yes Yes Yes, with integrated trace capability; also integrated with Niksun Yes

Alert Filters E-mail Notification SNMP Interaction SNMP Notification Session Record Console Response Export Flows Custom Response Firewall Interaction Router Interaction Session and Flow Rate Limiting Quarantine Source and Remediation Rate Limiting (port # or Protocol Detection Based) QoS marking and inspection Management Check Point IPS-1 Yes Yes Yes No Yes Data not provided Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No, since it is a bump-in-the-wire solution

Yes, quarantine. No, remediation. Yes Yes Yes Cisco - IPS Series, Version 7.0 No No IBM - Security Network Intrusion Prevention System Yes Yes Yes Yes Sourcefire - 3D System

TippingPoint - Intrusion Prevention System

Secure Remote Management


Yes Yes Yes Yes

Yes Yes Yes

Yes Yes Yes Yes, hitless OS updates

Multi-sensor Management Yes Automatic Signature Update Automatic Detection Engine Updates (not signatures) Auto Apply Sig. Updates to Policies Auto Enable Signature Blocking Pre-defined Protection Policies Clone/Copy Protection Policies Yes Yes Yes No No

Yes Yes Yes Yes

Yes Yes Yes Yes

Yes Yes Yes Yes

Yes Yes Yes Yes

On-Off Toggle for Blocking Yes Data Storage Secure Data Storage External Built-in Data Storage Hierarchical Management (Manager of Managers) Default IPS Blocking Policy Disaster recovery (MDR) Yes Yes No Yes

Yes Yes Yes Yes Yes No Yes Yes

Yes Yes Yes Yes, third-party adapter Yes Yes Yes Yes

Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes, management system can be redundant in different locations Yes Yes Yes Yes

Graphical, drill-down management User Defined Signatures Troubleshooting tools Ease of use - e.g. Wizard based sensor setup, vulnerability analysis Reporting Check Point IPS-1

Yes Yes Yes Yes

Yes Yes Yes Yes

Cisco - IPS Series, Version 7.0

IBM - Security Network Intrusion Prevention System Yes, via SiteProtector Yes Yes, via SiteProtector Yes, via SiteProtector Yes Yes IBM - Security Network Intrusion Prevention System Yes, via SiteProtector Yes Yes, via SiteProtector Yes

Sourcefire - 3D System

TippingPoint - Intrusion Prevention System

Scalable Info Presentation Yes Web-based Reporting SQL Export Automated and Schedulable Reporting Customizable Reports Audit Reports Integration/Correlation Check Point IPS-1 No Yes Yes

Yes Yes Export in XML format Yes Yes Yes Cisco - IPS Series, Version 7.0

Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes

Sourcefire - 3D System

TippingPoint - Intrusion Prevention System

Analysis of Firewall Alerts Analysis of HIPS Alerts Analysis of HIDS Alerts Correlation with Vulnerability Assessment Alerts


Yes Yes


Yes, with partners Yes, with partners


Yes Yes


Yes, with partners Yes, with partners

Anal. Vulnerability Assmt. Alerts Yes Analysis Third-party Net. IDS Alert Data Export Enterprise Mgmt Product Security Content No Yes Check Point IPS-1

Yes Yes Yes Cisco - IPS Series, Version 7.0

Yes, via SiteProtector Yes, via SiteProtector Yes, via SiteProtector IBM - Security Network Intrusion Prevention System

Yes No Yes Sourcefire - 3D System

Yes, with partners Yes, with partners Yes TippingPoint - Intrusion Prevention System

Dedicated Sec. Research & Response


~100 worldwide Yes Cisco Security Intelligence Operations has 500 researchers, analysts, and technicians researching, discovering, reporting on threats daily. Cisco Sensorbase analyzes 500GB of data daily from 700,000+ sensors (including firewall, IPS, email and web security appliances) worldwide

Regular Security Updates

Yes, at least twice a week

Cisco provides both traditional signature update as well as reputation updates from Cisco Global Correlation. Analyzing over 500GB of data from 700,000+ sensors worldwide daily, Cisco Sensorbase provides reputation updates to Cisco IPS sensors globally every 5 minutes, 100 times faster than signature-based IPS.

Average 20/year Yes

365x24x7 Outbreak Updates Regular Threat Report Console Based Real Time Vendor Notifications Services Available Check Point IPS-1 Yes Yes Yes Yes Yes Cisco - IPS Series, Version 7.0 Yes, automatically Yes, daily Yes IBM - Security Network Intrusion Prevention System 6 5 Sourcefire - 3D System Yes Yes Yes Yes Yes, real-time DV announcements TippingPoint - Intrusion Prevention System

Full Time Managed Services SLAs with Managed Service

No No

Yes In addition to managed services guarantees for IPS, Cisco provides a 24hour coverage guarantee for Cisco, Microsoft, and critical enterprise application vulnerabilities, as well as a 90% in 90 minutes guarantee for Cisco and Microsoft vulnerabilities. Yes Yes Yes Yes

Yes through partners Yes through partners

Yes, through partners Yes, through partners

Strategic Planning Services Deployment Services Incident Response Services Custom Filter Development Based on VA Input WW Threat Analysis Tool (threats in the wild) Education Services Security Assessment Services On Site Spare Option Support Options

No Yes No

Yes Yes Yes Yes

Yes Yes Yes through partners

Yes Yes Yes, through partners Yes

Yes Yes No Yes Yes Yes Check Point IPS-1 Cisco - IPS Series, Version 7.0

Yes Yes Yes Yes IBM - Security Network Intrusion Prevention System Sourcefire - 3D System Yes Yes through partners

Yes Yes Yes Yes TippingPoint - Intrusion Prevention System

Telephone and Web Support Product Notifications

Yes Yes

Yes. Yes.

24x7, Certified SCP Support


Yes Yes

Yes Yes, Online, Email, In-Product Notification Yes

Software Upgrade Insurance


Yes Software upgrades are included in standard support offerings Yes 90 day warranty; hardware support and replacement are included in standard support offerings. Yes. Yes. Cisco - IPS Series, Version 7.0 Yes Yes IBM - Security Network Intrusion Prevention System


Year Appliance Hardware Warranty

Advanced Alerting Service Yes Access Sec. Experts/Acct Managers Pricing Yes Check Point IPS-1

Yes Yes Sourcefire - 3D System

Yes Yes TippingPoint - Intrusion Prevention System

Appliance MSRP

Start at $7,000 (Sensor 50)

$9,995 to $188,995

Price ranges from $11,995 up to $89,995

Varies

$3,995 to $229,995

15-22%


First Year Maintenance/Support

24% of list for one-year contract

Depends on class of support chosen by customer. IPS-1 follows the std CP support classes.

24% of list price

Depends on class of support chosen by customer. IPS-1 follows the std CP support classes.

Depends on model. Sensor 200 is $16,000 and delivers 200Mbps IPS data rates, thus equals $8,000 per 100Mbps.

Data not provided

Data not provided

$2,250


Renewal of Maintenance Support

Base Cost per 100 Mbps Throughput


Varies significantly

~ $6,000 varying by platform

Flex Licensing-No Forklift Upgrades Licensing Model

Data not available

Price for Device - Subscription Throughput

Hardware: throughput+port count

IPS - "Per Appliance;" RNA - "Per Host;" RUA - "Per User"

All materials Copyright 1997-2011 Current Analysis, Inc. Reproduction prohibited without express written consent. Current Analysis logos are trademarks of Current Analysis, Inc. The information and opinions contained herein have been based on information obtained from sources believed to be reliable, but such accuracy cannot be guaranteed. All views and analysis expressed are the opinions of Current Analysis and all opinions expressed are subject to change without notice. Current Analysis does not make any financial or legal recommendations associated with any of its services, information, or analysis and reserves the right to change its opinions, analysis, and recommendations at any time based on new information or revised analysis. Current Analysis, Inc. 21335 Signal Hill Plaza, Second Floor, Sterling, VA 20164 Tel: 877-787-8947 Fax: +1 (703) 404-9300 Current Analysis, Inc. 2 rue Troyon, 92316 Sevres Cedex, Paris, France Tel: +33 (1) 41 14 83 17