IDS and IPS products have come a long way in a short time, as vendors have been fast to incorporate new detection techniques and bolster defences to an ever-widening range of threats. TippingPoint is one vendor that has blazed the trail to multipronged protection.
Considering the company’s strong legacy (it brought the first IPS to market in 2002) and its market leadership (it developed the open source IPS testing tool Tomahawk and created the VoIP Security Alliance), we were expecting the TippingPoint IPS to be the Bentley of network intrusion prevention. We weren’t too far off.
The TippingPoint IPS line consists of eight products, ranging from the TippingPoint 50, which handles throughput of as much as 50Mbps, to the top-of-the-line TippingPoint 5000, which handles as much as 5Gbps. We tested the TippingPoint 400 — and the TippingPoint SMS (Security Management System) appliance — on a live network at the Naval Postgraduate School in Monterey, Calif. There the IPS was exposed to thousands of “events” originating from the Internet and from several thousand hosts inside the network. As in previous IDS and IPS tests, we also exposed the device to more than a dozen exploits of the SANS Top 20 vulnerabilities using Core Security’s Impact penetration testing tool.
Gang of Four
The TippingPoint 400 uses a fusion of four techniques for intrusion detection and prevention: signatures, protocol analysis, traffic-anomaly detection, and vulnerability-based filtering. Signature and protocol-anomaly protection (similar to the open source Snort, though with a less complete signature base) guard against known viruses, Trojans, and worms. Vulnerability filtering, which TippingPoint calls the virtual patch, and traffic-anomaly protection defend against DoS, DDoS, and unknown or zero-day attacks.
During months of testing, the 400 successfully detected hundreds of worms, viruses, and other threats, and allowed us to mitigate anomalous or rogue network traffic flexibly by imposing rate limits, blocking, or alerting on preconfigured thresholds. We also used the appliance’s traffic-throttling features to let IM and peer-to-peer traffic run only when bandwidth was not being used by critical services.
Performing a total inspection of network layers 2 through 7, TippingPoint seems to have all of the functionality necessary for defending the enterprise network. Despite the amazing breadth, we found at least two places where it lacked depth, allowing us to slip exploits of two well-known vulnerabilities past the device and onto our network.
During manual testing with Core Impact, the TippingPoint 400 missed our exploits of the several-year-old IIS ASN.1 Bit String SPNEGO vulnerability (CVE-2003-0818) and the MS RPC DCOM vulnerability (CVE CAN-2003-0352) that Blaster made famous. In the first miss, it turned out that TippingPoint didn’t have a signature to detect the IIS exploit. In the second, although the IPS had logged the DCOM event as blocked, we were still able to get a root-level command shell on the target machine, thanks to Core Impact’s fragmenting this attack (the Blaster worm uses an unfragmented attack). Because the TippingPoint box allows traffic to flow through unbuffered until it has enough information to flag the traffic as malicious, we were able to push enough of our exploit code through the device to gain a foothold — a command prompt — before the rest of the attack was blocked.
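As an added illustration (not part of the original review and not TippingPoint's own code), the following Python model contrasts the cut-through behaviour described above, where an inline device forwards each fragment as it arrives and blocks only once a signature matches, with a store-and-forward inspector that withholds the stream until it has a verdict. The signature pattern, the payload and the fragment size are constructed for the example; in both modes the event is logged as blocked, but only the cut-through mode lets the leading bytes reach the host.

```python
from dataclasses import dataclass

# Constructed signature pattern for the model; not a real IPS filter.
SIGNATURE = b"EXPLOIT-MARKER"


@dataclass
class InlineInspector:
    """Minimal model of an inline IPS between an untrusted sender and a host."""
    buffer_before_forward: bool   # True = store-and-forward, False = cut-through
    forwarded: bytes = b""        # bytes that actually reached the protected host
    pending: bytes = b""          # bytes held for matching (and, if buffering, for delivery)
    blocked: bool = False         # would appear in the event log as "blocked"

    def on_fragment(self, frag: bytes) -> None:
        if self.blocked:
            return                # remainder of the stream is dropped
        self.pending += frag
        if SIGNATURE in self.pending:
            self.blocked = True   # verdict reached; nothing more is delivered
            self.pending = b""
            return
        if not self.buffer_before_forward:
            # Cut-through: deliver now, keep only enough tail to span a signature.
            self.forwarded += frag
            self.pending = self.pending[-(len(SIGNATURE) - 1):]

    def on_stream_end(self) -> None:
        # Store-and-forward releases a clean stream only once it is complete.
        if self.buffer_before_forward and not self.blocked:
            self.forwarded += self.pending
            self.pending = b""


def fragment(data: bytes, size: int) -> list:
    """Split a payload into fixed-size fragments (last one may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def run(buffer_before_forward: bool, data: bytes, frag_size: int):
    """Push a fragmented stream through the inspector; return (delivered, blocked)."""
    insp = InlineInspector(buffer_before_forward=buffer_before_forward)
    for frag in fragment(data, frag_size):
        insp.on_fragment(frag)
    insp.on_stream_end()
    return insp.forwarded, insp.blocked


if __name__ == "__main__":
    stream = b"setup-shell:" + SIGNATURE + b":rest"   # constructed sample
    for mode in (False, True):
        delivered, blocked = run(mode, stream, 4)
        print("buffered" if mode else "cut-through", blocked, delivered)
```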
To its credit, TippingPoint was quick to provide new signatures that successfully plugged the holes we discovered. We were also impressed by the granularity of the 400’s defences, which allowed us to continue accessing network resources from our attack machine even while malicious traffic was being blocked.
Plug and Prevent
Our installation of the IPS and SMS appliances was as quick and painless as programming a car stereo, requiring roughly five minutes. As for management, although we’d prefer a Web GUI to the dedicated client, the SMS interface is clear and simple. The customizable dashboard is readable at a glance, and the events screen lets you easily filter based on key criteria, drill down for detailed information, and save filtered searches for reuse. Reporting is strong, but the default reports could be better. Each report is a template, allowing you to apply a decent amount of customization before generating the final report for distribution.
TippingPoint’s spyware protection proved extremely useful. Over a weeklong period, it identified more than 60 occurrences of unwanted spyware, which were subsequently and speedily cleaned up. On the downside, the 400 was not capable of full packet logging, useful in the forensic investigation of anomalous events. The IPS will log the packets that trigger an event, but not the packets preceding or following that event.
Unlike Lancope’s StealthWatch and SourceFire’s Real-time Network Awareness products, the TippingPoint cannot zero in on unauthorized or rogue services on the network. Although you could create signatures that filter traffic based on IP and port, the 400 does not help build a baseline of known good services on each host. As a result, TippingPoint leaves the network vulnerable to some types of quiet zero-day attacks. Of course, the absence of service anomaly detection can be seen as an advantage in environments where an unusual but legitimate service, such as an emergency network backup, could trigger alarms.
Despite its shortcomings, we found the TippingPoint 400 to be solid, fast and, for the most part, effective. It accomplishes the job with a detailed interface, good reporting structure, and capabilities that include high-availability configuration, spyware defences, and VoIP (SIP and H.323) security filters. Its failure to block two SANS Top 20 exploits is cause for concern, but overall, this is a powerful and flexible IPS, easy to implement and armed with a rich set of tools for bolstering network security.