TippingPoint IPS struggles in new security tests

Testing outfit NSS Labs says it has seen a sharp drop in the security performance of one of the leading intrusion prevention products (IPS) products on the market, the TippingPoint 10.

Running 622 known exploits gathered from a range of Windows and Linux applications and operating systems going back several years in some cases, the TippingPoint 10 in default configuration blocked only 247 (39.7 percent) of them. In terms of the most serious ‘attacker-initiated' exploits, the box performed only slightly better, detecting 205 (49.8 percent).

This iffy security performance contrasts with similar IPS products the company recently tested from McAfee and IBM, which both scored "in the 95 percent range" when pitted against the same family of exploits, said NSS Labs' Rick Moy.

Despite the having a price tag in the region of $4,000 (approx £2,400), the TippingPoint 10 lies at the entry-level point of the company's intrusion prevention appliance range, and is designed to serve smaller or remote offices. According to Moy, the core security technology would be the same across all TippingPoint products, however, and he also doubted that adjusting the default configuration would have made any difference.

"Five years ago it was the leader of the pack and it got a Gold award," said Moy. "Something has clearly slipped in the mean time, and competitors have surpassed them. This should give IT security buyers a good think about the risks of buying based on brand name, marketing and historic performance data."

Throughput was one bright spot, with the TippingPoint 10 easily achieving its stated packet inspection performance level of 20Mbit/s, even under heavy test loadings.

"We found the TippingPoint 10 to be stable and reliable, handling our extensive reliability tests without failure. Management is easy to use and suitable for small office environments, where simplicity is a must," the post-test notes said.

"In summary, with a protection rating of 39.7 percent, the TippingPoint 10 is unlikely to stop the majority of attacks, but it does offer stable performance for a small office."

So why has the TippingPoint declined on the NSS Labs' tests? Moy was unsure, but suggested that the company had possibly not been investing the same resources in the time-consuming and complex business of coding signatures.

TippingPoint Technologies was bought by 3Com in 2004, but has ploughed a fairly arms-length furrow as the premier IPS vendor ever since. Probably its most controversial moment was the inauguration in July 2005 of its Zero Day Initiative (ZDI), under which independent researchers were paid by the company for reporting security vulnerabilities. These are then added to its IPS database.

It seems unlikely that the ZDI program would have had any bearing on the NSS results given that reported vulnerabilities are unlikely to make up more than a small subset of the company's signature updates.

TippingPoint was unable to offer comment at the time of going to press. The full NSS Group report on the TippingPoint 10 can be downloaded from the company's website.