
Frequently Asked Questions about StoneGate IPS

Q: What does Intrusion Detection do? How does it differ from Intrusion Prevention?

A: StoneGate IPS can operate as an IDS and/or an IPS appliance. The SANS Institute has defined a network-based Intrusion Detection System (IDS) as one that monitors network traffic and responds with an alarm when it identifies malicious, inappropriate, incorrect, or otherwise abnormal activity. Similarly, Intrusion Prevention System (IPS) products take IDS one step further by not only detecting malicious activity, but also by blocking it. This requires a high level of detection accuracy. In essence, all the intrusion prevention products are intrusion detection products, but not all intrusion detection products are intrusion prevention products. The difference is the response mechanisms that change the role of the IDS from a passive component to an active one.

Q: Does StoneGate IPS protect against viruses?

A: StoneGate IPS does not protect against viruses, but it does protect against worms. In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Viruses are one of several types of malicious software, or malware. In common parlance, the term virus is often extended to refer to worms, Trojan horses, and other sorts of malware. A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. If you want to protect against computer viruses, you should use host-based virus scanning programs.

Q: How does StoneGate IPS differ from already existing IDS/IPS solutions?

A: StoneGate IPS differs from the others for three reasons:

  • StoneGate IPS, Firewall, and VPN have been designed to work together from the beginning.
  • It has centralized management functionality included in the basic package. That makes enterprise-level features available to all customers right from the start. Good examples are the remote upgrade feature, centralized IPS configuration, centralized incident handling, and centralized backup and restore for all Sensors and Analyzers. All of them lighten the administrator’s daily routines and reduce the overall Total Cost of Ownership.
  • It correlates events, reducing the number of false positives and catching complicated attacks.

Q: Who is using IPS technology?

A: The biggest users are medium-sized customers and large enterprises, governmental organizations, service providers, and the financial sector. Companies that are affected by, for example, Payment Card Industry security standards will be using IPS technology. Many customers have to file audit reports for regulatory compliance, an area where StoneGate IPS Reports from audit and log data come in handy.

Q: Does StoneGate IPS add administrator workload?

A: No. StoneGate IPS automates and simplifies many routine tasks with enterprise-class security management, allowing security personnel to really concentrate on the security issues detected by the system instead of spending their time on trivial, time-consuming, manual operations. The unified management system and the IPS Analyzer both have a key role in making this possible.

Q: Do I have to buy StoneGate Firewall and VPN in order to use StoneGate IPS?

A: No. StoneGate IPS is fully functional without StoneGate Firewall and VPN. They both share the same centralized management. You can later add the StoneGate Firewall and VPN part if you have a need for that kind of functionality.

Q: What is the benefit of having both StoneGate Firewall and IPS?

A: A better Total Cost of Ownership, because you can manage them both from the same centralized management. We have noticed a 30-50% increase in time savings and administration efficiency when compared against solutions that do not have centralized management. For example, all logs are visible from the same place, while incident handling becomes faster and more accurate when you can follow the attackers’ trail from several devices. Compliance reports for regulatory bodies can be produced from the same central place, saving a lot of time. With StoneGate it is possible to produce compliance reports in hours instead of days. The ability to generate reports fast means lower administrator costs and significant time savings.

Q: What is the best place to deploy StoneGate IPS?

A: Normally customers deploy StoneGate IPS in the network segments where they have business-critical servers or where the network traffic or computers enter the corporate network. Typical places include just behind the firewall, inside the DMZ, and inside Extranet and branch office network segments.

Q: Why put StoneGate IPS behind the firewall rather than outside?

A: Inside networks have much less background noise. There is a lot of attack or network scanning activity on the Internet side of the firewall. Normally, security administrators do not want to see that activity, because a well-configured firewall will block attacks anyway. If you place the IPS behind the firewall, it can verify that the firewall is functioning correctly.

Q: Is the product available as both software and as an appliance-based solution?

A: As with StoneGate MultiLayer Firewall and StoneGate Multi-Link VPN, StoneGate IPS will be available both as an appliance and as a software appliance, which has an integrated OS and can be installed on Intel-based systems. This gives customers a choice between an all-in-one package and a fully custom-built system. Our appliance product line has seven models:

  • IPS-400C, a combined Sensor and Analyzer for remote offices, capable of handling one inline segment.
  • IPS-2000S, a Sensor for medium installations, capable of handling two inline segments.
  • IPS-2000C, a combined Sensor and Analyzer for medium installations, capable of handling two inline segments.
  • IPS-2000N, a Sensor for medium installations using external bypass devices, capable of handling two inline segments.
  • IPS-2000ANZ, an Analyzer that correlates events from Sensors.
  • IPS-6000S, a Sensor for large installations, capable of handling four inline segments.
  • IPS-6000C, a combined Sensor and Analyzer for large installations, capable of handling four inline segments.

Q: How much will the IPS solution cost? What is the basis for the pricing (e.g., IP-based or throughput-based license)?

A: The total cost of the IPS solution depends on several factors, including the number of sensors and analyzers needed, the throughput needed on sensors, and the number of appliances under management. Entry level IPS pricing starts from 4950 euros.

Q: Where can I find more technical info about IPS?

A: Follow this link: http://my.stonesoft.com/support/search.do?product=StoneGate

Q: What is needed for a functional IPS system?

A: A minimum IPS system needs one Sensor, one Analyzer, and one Management Center (SMC). The Sensor and Analyzer can be combined into one appliance (combo appliance). The Management Center has a Management server and a Log server bundled together in it. The picture below shows how events flow through the system components.