Since the 200E is what we call a learning device, it requires a little time on the network before it begins protecting assets.
The concept of a learning device is open to interpretation, however. With this product, there are two considerations. First, the device, like most IPSs, must discover the network. It does this on an ongoing basis, ensuring that it knows about all devices on the enterprise network.
Additionally, we found that, during our initial vulnerability scan, the product could be seen transferring attacks to its blacklist. At that point, the NetClarity attacker reported that the target, presumably protected by the IPS, was visible and was vulnerable. Subsequent scans were ineffective and the target became invisible to the NetClarity device.
Additionally, when we then attacked with Core Impact, we were able to crash the target service on our victim machine, but were not able to penetrate.
Although the 200E performed very well under most of our tests, this penetration attack (a Microsoft RPC buffer overflow) partially succeeded.
All information screens auto-refresh every 30 seconds, so the most current information is always easy to see and find on the intuitive web interface.
This product sits at the front end of the network transparently and monitors all incoming and outgoing traffic for any malicious content.
This is an IPS with very simple configuration. You just plug it in and go. After the simple quickstart is completed, the 200E begins gathering network traffic and information and setting its own policies accordingly. Its policies are reasonably self-maintaining, and the 200E requires little administration time.
The TippingPoint appliance comes with only a simple, one-sheet quickstart guide that describes nothing more than powering on the appliance and its initial configuration. Additional documentation is on the supplied CD, and we found it adequate, if not extensive.
Support for the product is available, but you have to look for it on the website. Instead of being in a more intuitive “support” section, it is hidden under the company information as part of the “contact” screen.
However, there is the Threat Management Center that provides, among other things, real-time attack filter updates, an extremely valuable service.
This device is very reasonably priced for a full-service solution that protects networks of most sizes from intrusion or malware.
For: Very self-contained and automated, with little need for full-on management.
Against: Protection failed under some fragmented RPC attacks against a Microsoft operating system.
Verdict: Full-service solution with effective blacklist blocking.