In-Depth

Protecting Data From Events Firewalls Can't Catch

TippingPoint releases Peer-to-Peer control, intrusion prevention devices

• By Mathew Schwartz
• 06/18/2003

Devices such as UnityOne sit at the network gateway; all traffic is inspected as it passes through them. “We look at every packet on the wire, with very minimal latency … and we either block it or give you the ability to stop it,” says Don Ward, TippingPoint vice president of technical field operations. Hardware such as UnityOne protects “network integrity and availability against events that cannot be blocked at the firewall,” notes Eric Ogren, senior analyst with The Yankee Group in Boston.

This functionality is known as an intrusion prevention system (IPS), though the term is overly broad. It can apply to everything from network gateways to Web server and Web application protection. No matter, the premise is simple—if something can detect an attack, why not save administrator time and energy, and improve security, by automatically blocking the attack? For devices such as UnityOne that sit at the network gateway, blocking attacks simply means just dropping offending packets.

In the network gateway space, many intrusion detection systems (IDS) also now have intrusion prevention capabilities, though neither replaces the other. Similar products are available from such companies as Check Point Software Technologies Inc., Internet Security Systems Inc., and Top Layer Networks Inc.

TippingPoint’s just-released UnityOne 200 appliance has price and performance aimed at “small and remote branch offices,” notes Ogren. IPS vendors now target all market segments with IPS network gateway products.

Each of the UnityOne models feature total packet inspection, high availability, and Layer 2 fallback in case of failure or direct attack. UnityOne 200 is rated at 200 megabits per second. By contrast, the top-of-the line UnityOne 2000 is rated at 2 gigabits per second.

TippingPoint publishes updated attack filters—called “digital vaccines”—weekly or as needed. These get pushed down to the flash chips inside the appliance; the company clams less latency with its hardware-based approach versus a software-based approach. The company also says its UnityOne filters can protect against zero day exploits—attacks that no one yet knows about—because they stop bad packets before they reach vulnerable hardware or software.

A TippingPoint twist is preventing another liability—peer-to-peer (P2P) file sharing of copyrighted material. Products with peer-to-peer blocking capability are also available from such companies as Akonix Systems Inc., Packeteer Inc., and Palisade Systems Inc. (See “Tackling the File-Swapping Threat,” http://www.esj.com/News/article.asp?EditorialsID=562)

Besides keeping a company from getting sued by the copyright holders—such as the Motion Picture Association of America or the Recording Industry Association of America—cutting out P2P traffic can also recapture bandwidth, says Mike Phillips, CIO of Texas Tech University’s Health Sciences Center. “The ability to monitor peer-to-peer traffic helps us manage our bandwidth consumption.”

TippingPoint CEO John McHale notes, “Our customers have seen a 20 to 40 percent increase in available bandwidth by controlling peer-to-peer traffic.”

TippingPoint says PPPP capability is now included in all UnityOne Intrusion Prevention Appliances and Systems. Existing users can upgrade to PPPP for free.

The next hurdle? Distributed denial of service attacks, says Ward. “People are asking us, we need protection against the latest, packet-based denial of service attack.” The problem, typically, is that such attacks use real traffic, making them hard to detect. “These attacks are valid patterns, but they're done at a rate beyond what firewalls, switches and load balancers can handle.” Ward anticipates a September release for distributed denial of service attack prevention functionality.