NSS Labs Report IPS
Executive Summary
Today, networks and data are more vulnerable than ever before. An essential part of
layered security, network intrusion prevention systems (IPS) must be fast, accurate, and
easy to deploy and maintain. During Q4 2009 NSS Labs performed the industry’s most
rigorous test of leading IPS solutions, including 1,159 validated exploits, the most ever
performed in a test. As part of NSS Labs’ independent testing information services, this
report was produced for our enterprise subscribers. Leading vendors were invited to
participate fully at no cost, and NSS Labs received no vendor funding.
All devices were configured and tuned by the respective vendor’s technical experts; the
time required was recorded for purposes of estimating the ongoing tuning and total cost
of ownership (TCO) calculations. Effectiveness and performance results were obtained
with the vendor-tuned policies and then again using the default policies to provide
readers with a high-low range of possible results.
Key Findings
• Protection varied widely. The difference between the least and most effective products
was 72.2%. The least effective product achieved only a 17.3% block rate, while the
most effective product achieved an 89.5% block rate.
• Tuning is required. Organizations that do not tune could be missing numerous
“catchable” attacks. The average difference in protection between tuned and default
settings was 18%.
• Evasion tripped up most IPS products. Only Sourcefire, IBM, and McAfee successfully
resisted all evasion and obfuscation techniques.
• Vendor performance claims are overstated by 12% to 50%.
• The lower priced product is rarely the better value; sub-par protection is a poor
investment at any price. Organizations should evaluate products based upon their
value (protection, performance, and labor costs) within the context of a three-year TCO.
Product Guidance
NSS Labs’ recommendations are based solely on empirical test data, validated over
multiple iterations.
Products
IBM Proventia® Network IPS GX6116
recommend IBM Proventia Network IPS GX4004
McAfee® M-8000 Sensor
McAfee M-1250 Sensor
Sourcefire 3D® 4500
Cisco™ IPS 4260 Sensor
neutral Stonesoft StoneGate™ IPS-6105
Stonesoft StoneGate IPS-1060
Stonesoft StoneGate IPS-1030
TippingPoint® 2500N IPS
TippingPoint 660N IPS
caution TippingPoint TP-10 IPS
Juniper Networks® IDP800
Juniper Networks IDP600C
Juniper Networks IDP250
Resistance to evasion*
IBM: PASS
McAfee: PASS
Sourcefire: PASS
Cisco: FAIL
Stonesoft: FAIL
TippingPoint: FAIL
* Although the Sourcefire 3D 4500 failed to detect an RPC Fragmentation evasion attempt in our Q4 2009 test, a fix
to the product resolving this issue was subsequently validated by us on February 10, 2010.
Block Rate
2121 Palomar Airport Road, #300, Carlsbad, CA 92011 USA • (866) 427-1692 • (760) 412-4627 • www.nsslabs.com