As a user of NetScreen products for many years, I was intrigued to see that the company has decided to go with the trend and branch out into the field of intrusion detection and prevention appliances. The IDP-100 is actually a Dell PowerEdge 1650, a 1U rack-mountable server with four network interfaces and a high-availability power supply, which despite being small and cuddly arrives in a box the size of a small shed. It runs what looks suspiciously like Red Hat Linux 7.2, albeit personalised to NetScreen and probably with plenty of elements left out for security reasons (not that RH7.2 is buggy, but if you don't need a feature take it out just in case). Our unit came pre-configured with the management server package (the server component that provides the interface between the network manager and the low-level code) installed internally, but you can split it onto a separate Linux/Solaris box if you wish.

Sniffing around
The unit can be used in different modes. The basic out-of-the-box configuration is 'sniffer' mode, where the unit sits on the network rather like a network monitoring tool, watching for dodgy activity but not necessarily preventing it from getting into the network. Using sniffer mode you can allow the unit to detect what's happening and fiddle with the rules that define what to do with each type of traffic - including dealing with false positives (connections that look like attacks but are actually innocent). Once you've defined the rules of engagement, you can change the configuration to put the unit in-line, so that all traffic has to go through the appliance before it can get to the LAN. As with traditional firewalls, you can either give the appliance real network addresses and subnet masks or you can simply tell it to make itself invisible.

There are two management screens - one for the management server itself, which is web-based, and one for the network manager's desktop computer. The management server interface lets you configure the basics of the system, such as the addresses of the various interfaces and the security code applied to the 'sensor' components that run on the appliance. This security code is a one-time password used when you first connect to the server, a much tidier approach than having default passwords lying around unnoticed.

The desktop application is the network manager's window onto the appliance. Just as a virus checker package uses a set of signature files to identify nefarious code coming into the network, so the appliance uses a set of attack descriptors to spot dodgy activity. Just as you would with a traditional firewall, you define rule-sets along the lines of 'attack type X coming from network A to host B, take this action and report it in this way'. The central management console allows you to distribute the rules to various sensors around the network, with any one rule applying to none, some or all of the network's sensors.
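To make the rule model concrete, here is an added example in Python (not NetScreen's code or its policy format) that models the semantics described above: a rule names an attack descriptor, a source network, a destination host, an action and a reporting method, and is scoped to none, some or all sensors; in sniffer mode a 'drop' is only reported, in in-line mode it is enforced. The policy, sensor names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    sensor: str   # which sensor saw the traffic
    attack: str   # attack descriptor that fired, e.g. "port-scan"
    src_ip: str
    dst_ip: str

@dataclass(frozen=True)
class Rule:
    attack: str                       # descriptor name, or "*" for any
    src_net: str                      # network A in CIDR form
    dst_host: str                     # host B, or "*" for any host
    action: str                       # "drop" or "allow"
    notify: str                       # how to report: "log", "email", "none"
    sensors: frozenset = frozenset()  # empty = rule is pushed to all sensors

    def matches(self, ev: Event) -> bool:
        if self.sensors and ev.sensor not in self.sensors:
            return False
        if self.attack not in ("*", ev.attack):
            return False
        if ipaddress.ip_address(ev.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        return self.dst_host in ("*", ev.dst_ip)

def evaluate(rules, ev: Event, mode: str):
    """First matching rule wins; 'sniffer' mode reports but never enforces a drop."""
    for rule in rules:
        if rule.matches(ev):
            verdict = rule.action if mode == "inline" else "allow"
            return verdict, rule.notify
    return "allow", "none"   # no rule fired: default pass, nothing reported

# Constructed policy using documentation address ranges (hypothetical values).
POLICY = [
    Rule("port-scan", "10.0.0.5/32", "*", "allow", "log"),            # false-positive exception: our own scanner
    Rule("port-scan", "0.0.0.0/0", "192.0.2.10", "drop", "email"),    # scans against the web server
    Rule("smtp-relay-probe", "0.0.0.0/0", "192.0.2.25", "drop", "log", frozenset({"dmz"})),  # DMZ sensor only
]

SAMPLE_EVENTS = [  # constructed sensor events
    Event("edge", "port-scan", "10.0.0.5", "192.0.2.10"),            # our scanner: exception applies
    Event("edge", "port-scan", "203.0.113.7", "192.0.2.10"),         # outside scan of the web server
    Event("edge", "smtp-relay-probe", "203.0.113.7", "192.0.2.25"),  # rule not pushed to this sensor
    Event("dmz", "smtp-relay-probe", "203.0.113.7", "192.0.2.25"),   # same probe seen by the DMZ sensor
]

def run(mode: str):
    return [evaluate(POLICY, ev, mode) for ev in SAMPLE_EVENTS]
```

Running `run("sniffer")` and then `run("inline")` on the same events shows the point of tuning in sniffer mode first: the reporting is identical, only the enforcement changes.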
Because the appliance can be connected to the network in 'invisible' mode, the management application communicates with it via a separate network interface (the unit has four Ethernet connections in total). Reporting and logging are comprehensively covered in the management application, which is essential for this type of application. A nice touch is a near real-time 'dashboard' that gives an overview of what's happening on the network, or on specific hosts (web servers or email gateways, for instance) that you're particularly interested in watching.

The IDP-100 is a nicely implemented offering in the IDP appliance market. Our review unit took some getting to grips with, but all the issues we found could be put down to the fact that it had done the rounds of the computer magazines (it's a little disconcerting when the manual says 'the setup program will run automatically' and it doesn't) and the defaults had been set a little oddly.

OUR VERDICT

In any security device, you need something that is easy to manage, from which you can easily get logging and reporting data. Something that's hard to configure and doesn't tell you much is little or no help to the network manager who's trying to prevent attacks hitting his network.