Review: Deep Security is a solid IPS

HOST-BASED IPS
Deep Security 4.5 from Third Brigade
Price: $880 per server

Facing an ever-growing number of attacks and stretched resources, more security managers are considering intrusion prevention systems (IPSes), capable of taking preemptive actions against attacks, to protect their systems.

Third Brigade's Deep Security is a host-based IPS consisting of installed agents and a centralized Web-based manager. Coupled with conventional antimalware tools, it adds an extra layer of desktop defense.

Policy Control: B+
Security managers can create detailed security policies--including highly granular packet filters, stateful inspection rules and payload filters--and define the actions to be taken (allow, log, block, alert) when rules are triggered. Deep Security comes with several useful security templates, such as a Web server policy that can be used as is or fine-tuned. Rules can be applied to both inbound and outbound traffic. Deep Security can also filter traffic by IP or MAC address.

Policies can be pushed globally to specific hosts or groups (for example, to a group of Web servers), which can be imported from Active Directory. Deep Security can also be synchronized with AD to automatically add or remove hosts. Once the hosts are imported from AD, Deep Security automatically applies appropriate policies.

We liked the use of digital signatures to authenticate the manager and agents, and verify the integrity of rules.

We were able to successfully create and distribute several different security policies for our test servers (for example, an FTP server policy).

Configuration/Management: B+
Using Third Brigade's excellent documentation, we were able to quickly and easily install the Deep Security manager and agents. Our manager had no problems initially detecting and connecting to our test agents, and then sending several different security policies. The browser-based management interface was clearly organized and easy to navigate.

Using the manager's role-based access control, we created multiple administrators with granular rights. Administrator actions are audited in detail.

Effectiveness: B+
The agents did an excellent job of protecting the servers on which they were installed. We ran many manual and automated attacks against our test servers; in every case, the agents' stateful firewall and deep-packet inspection resulted in the correct actions, like blocking or logging attacks.

Our tests included heuristic detection. Some of the payload filters define expected application data and can block malicious data based on its content. We included Nessus-generated attacks, which sent malicious data and executed unexpected actions with protocols, such as sending unusual FTP commands. Just as important, permitted traffic was allowed by the agents. Deep Security can do payload inspection on SSL traffic.

The agents seemed to have only a small impact on the functioning of our test servers' CPU utilization. We liked that many key tasks, like update hosts and generate report, can be scheduled.

Reporting: B
Managers will appreciate the customizable dashboard, which allows detailed drill-downs on many Deep Security events. Deep Security produces nine useful predefined reports in .pdf, .rtf or .csv format; however, customized reports cannot be generated.

Deep Security's packet and payload logging is very detailed. Logs can be sent to a syslog server; a variety of alerts can be sent as email notifications.

Verdict
Deep Security is a well-designed, effective product with strong configuration and policy control capabilities. It can provide centralized, consistent management and protection across distributed servers.

Testing methodology
Our test network included a Windows XP laptop, an unmanaged switch and three Windows 2003 Web, FTP and domain controller servers.

This article originally appeared in the December 2006 edition of Information Security magazine.