Product review: ISM Express 1000; a mixed bag

A powerful, useful product with strong reporting and policy management capabilities, but ISM Express is surprisingly lax security should be tightened.

ISM Express 1000
iPolicy Networks
Price: $30,000

Bigger, faster boxes have created the need for an enterprise market segment for unified threat management (UTM). Beyond performance, how-ever, strong central management of multiple UTM appliances is critical for distributed environments.

That's where iPolicy Networks' ISM Express appliances come in, managing up to 15 iPolicy Intrusion Prevention Firewalls (IPF). The IPF (see Information Security review, December 2004) is a stateful inspection firewall with integrated IDS, IPS, anomaly detection and Web-filtering capabilities.

Policy Control: B
For an organisation with multiple IPFs, ISM Express can enable centralised and consistent rule enforcement and management across multiple networks. Its intuitive and well-designed management console allowed us to apply granular firewall, IDS, IPS and URL filtering rules across multiple IPFs. Rules can apply to individual IPFs or globally.

We were able to successfully create and apply many different rules--such as allowing inbound SSH, blocking access to a specific Web page and sending an alert when a port scan occurred.

Configuration/Management: B
iPolicy's thorough documentation made it easy to configure initial IPF management.

We liked the layout of the management interface, which provides a unified view of IPF configuration and real-time monitoring of IPF events. We found it easy to modify rules and view events. We were able to create multiple administrators, who could manage global and local security policies per specific privileges. Local or RADIUS authentication can be used.

Security updates such as attack, worm and spyware signatures are regularly released by iPolicy; ISM Express can automatically download the updates and then apply them to all managed IPFs.

Device Security: C-
It is critical that a security management system be fully secured, so we were quite concerned when we discovered several security weaknesses in ISM Express. A compromise could be catastrophic for an organization, possibly giving an attacker control of multiple IPFs.

A Nessus scan found high-risk vulnerabilities in the appliance's Oracle database (patches have been available since January 2005 or earlier). We also found the appliance had a remotely reachable Web page containing sample JSP and Servlet examples plus a management application, which could be exploited to compromise the appliance.

ISM Express was running Oracle's HTTP server with a Web page containing sample scripts, though the scripts could not be reached remotely. Finally, we found that two basic security hardening steps had not been taken--renaming the Windows administrator account and not displaying the last logged-in user (making it an easier chance for an attacker to log in if he can just obtain the user's password).

Reporting: B+
ISM Express offers both real-time and historical reporting. It can collect and display events from multiple IPFs, and alarms can also be forwarded to syslog, SNMP and SMTP servers. The customizable monitoring console provides a unified, near real-time view of system events and rule-enforcement actions.

Administrators can create a variety of predefined reports ranging from high-level executive summaries to detailed technical reports about specific IPFs. Reports can be exported as HTML or PDF documents.

ISM Express is a powerful, useful product with strong reporting and policy management capabilities, which can provide centralized, consistent management across distributed IPFs. However, its surprisingly lax security should be tightened.

Testing methodology
Our test network included an ISM 1000 Express (a lower-performance 400 model is also available), an unmanaged switch, a Windows server and an IPF 3300 appliance.

This review originally appeared in the Sept. 2006 edition of Information Security magazine.

Read more on IT risk management