TippingPoint X505 V2.2.4
TippingPoint X505 V2.2.4 UTM Certification Report
Product: X505
System Version: 2.2.4.6519
Firewall Version: 2.2.4.6519
VPN Version: 2.2.4.6519
IPS Version: 2.2.0.6883
Anti Virus Version: N/A
Anti Spam Version: N/A
Content Filter Version: N/A
Web/URL Filter Version: 2.2.4.6519
Date Submitted: October 2006

First published October 2006 (Version 1.0)
Published by The NSS Group
Security Testing Laboratories
E-mail : info@nss.co.uk
Internet : http://www.nss.co.uk
1991-2005 The NSS Group
All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written
consent of the authors. This report shall be treated at all times as a confidential and proprietary report for internal use only.
Please note that access to or use of this Report is conditioned on the following:
1. The information in this Report is subject to change by The NSS Group without notice.
2. The information in this Report is believed by The NSS Group to be accurate and reliable, but is not guaranteed. All use of and reliance on this
Report are at your sole risk. The NSS Group is not liable or responsible for any damages, losses or expenses arising from any error or omission
in this Report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY THE NSS GROUP. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED AND
EXCLUDED BY THE NSS GROUP. IN NO EVENT SHALL THE NSS GROUP BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR
INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF
ADVISED OF THE POSSIBILITY THEREOF.
4. This Report does not constitute an endorsement, recommendation or guarantee of any of the products (hardware or software) tested or the
hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products, or that
the products will meet your expectations, requirements, needs or specifications, or that they will operate without interruption.
5. This Report does not imply any endorsement, sponsorship, affiliation or verification by or with any companies mentioned in this report.
6. All trademarks, service marks, and trade names used in this Report are the trademarks, service marks, and trade names of their respective
owners, and no endorsement of, sponsorship of, affiliation with, or involvement in, any of the testing, this Report or The NSS Group is implied,
nor should it be inferred.

TABLE OF CONTENTS

THE NSS UNIFIED THREAT MANAGEMENT TEST
TIPPINGPOINT X505 V2.2.4
  Executive Summary
  Architecture
    TippingPoint X505 Appliance
    Local Security Manager (LSM)
    Command Line Interface (CLI)
    Security Management System (SMS)
  Security Effectiveness
  Performance
  Usability
    Configuration
    Policy Management
    Alert Handling
    Reporting and Analysis
  Verdict
  Contact Details
TEST RESULTS
  Testing Methodology
  The Tests
    Section 1 - Firewall
    Section 2 - VPN
    Section 3 - IPS
    Section 4 - Content Filtering
    Section 5 - Anti Virus
    Section 6 - Anti Spam
    Section 7 - All Modules
  TippingPoint X505 V2.2.4 Test Results
    Section 1 - Firewall
    Section 2 - VPN
    Section 3 - IPS
    Section 4 - Content Filtering
    Section 5 - Anti Virus
    Section 6 - Anti Spam
    Section 7 - All Modules

The NSS Group

The NSS Group is the world's foremost independent security testing facility.
With British headquarters, and security and network infrastructure testing facilities in the
South of France, The NSS Group offers a range of specialist IT, networking and security-
related services to vendors and end-user organisations world-wide.
The NSS Group's Security Testing Laboratories are available to vendors and end-users
for fully independent testing of networking, communications and security hardware
and software.
The NSS Group also operates certification schemes for vendors and certification bodies,
and currently provides evaluation and certification of a wide range of security products,
including IDS/IPS appliances, firewalls, VPNs, Web Application firewalls, multi-function
security appliances, cryptographic devices and PKI products.
Output from the labs, including detailed research reports, articles and white papers on the
latest network and security technologies, are made available on the NSS Web site at
http://www.nss.co.uk.
The NSS Group awards are recognised world-wide as being the most desirable and
essential when it comes to security products. Vendors consider the awards to be a crucial
step in any security-related marketing campaign, whilst feedback from readers of the
reports indicates that participation in an NSS Group test and/or one of the NSS Approved
awards is a prerequisite for any security product in order to be considered for purchase.

THE NSS UNIFIED THREAT MANAGEMENT TEST

The NSS Group is pleased to present the results of the first round of
Unified Threat Management (UTM) testing, the first test of its kind.
As part of its extensive UTM test methodology (see section on Testing
Methodology later in this report for full details), The NSS Group subjects
each product to a brutal battery of tests that verify the stability and
performance of each device tested, determine the accuracy of its security
coverage, and ensure that the device will not block legitimate traffic.
If a particular UTM has been designated as NSS Approved, customers can be confident that the device will not significantly impact network
performance (up to the bandwidth as rated by NSS), cause network
crashes, or otherwise block legitimate traffic.
To assess the complex matrix of UTM performance and security
requirements, The NSS Group has developed a specialised lab
environment that is able to exercise every facet of a UTM product. The test
suite contains over 2000 individual tests that evaluate the performance,
reliability, security effectiveness, and usability of UTM products, providing
the most thorough and complete evaluation of UTM products available
anywhere today.
The testing covers the seven main security modules typically included in
UTM products: Firewall, VPN, IDS/IPS, Anti Virus, Anti Spam, URL
Filtering, and Content Filtering.
It is important for readers to recognise, however, that NSS would normally
spend a significant amount of time on testing a single IPS, IDS, Anti Spam,
VPN or firewall product. Given that the same amount of time will be
allocated to test each UTM product as would normally be spent on a
dedicated device, it is clearly impractical to test each module of a UTM
device to the same extent as the equivalent dedicated device.
Where vendors wish to prove that a particular module performs in a specific
way, it is possible to submit a UTM device for an additional security-
specific test - NSS has already developed full test suites for all of the
seven security engines listed above. For example, some vendors have
already submitted a product to both the IPS test AND the UTM test.
Readers should therefore not rely on NSS approval of a UTM device to
decide whether that device can operate as a dedicated, single-function
security device (such as a firewall or IPS alone). If a reader is particularly
interested in a UTM device as an IPS appliance or an Anti Virus gateway,
they should look for a product with NSS Approved certification for both
UTM and the specific technology in which they are interested.
It is worth pointing out that standards are very high, and not every
product submitted for testing receives an NSS Approved award.
The NSS Group UTM test methodologies have become the de facto
standard for testing in-line UTM devices, and the NSS Approved logo is
now an essential item on the list of requirements when purchasing these
products.
For the purposes of the NSS test, a UTM device is defined as a single
appliance combining the following possible functions:
1. Firewall - these devices are typically deployed at the network perimeter, and therefore robust, stateful firewall capabilities with NAT are required.
2. VPN - often deployed as branch office solutions on a corporate WAN, the ability to create a small number of secure VPN tunnels is essential.
3. IDS/IPS - a firewall only enforces policy, and if that policy includes allowing inbound HTTP traffic to Web servers on the DMZ, then there is nothing the firewall can do to prevent HTTP exploits from subverting the target Web server. The IPS capability will detect and block such attempted exploits at the network perimeter, preventing the malicious traffic from ever reaching the server. An IDS-only capability can detect exploits and raise alerts, but will be unable to block the malicious traffic.
4. Anti Virus - gateway Anti Virus prevents inbound virus traffic at the edge of the network, thus reinforcing desktop security solutions and blocking viruses before they reach the desktop. This solution can also prevent infected machines from propagating viruses outside the corporate network.
5. Anti Spam - gateway Anti Spam can tag inbound e-mail, allowing it to be handled more effectively by desktop filtering solutions, or can block suspected spam mails completely. This solution can also prevent internal hosts from sending spam mail outside the corporate network.
6. URL Filtering - using a constantly-updated database of categorised URLs, a gateway URL filtering solution can prevent employees from accessing objectionable or inappropriate Web sites from the corporate network.
7. Content Filtering - by scanning Web and mail traffic for specific content, a gateway content filtering solution can prevent objectionable or inappropriate material from passing into, or out of, the corporate network.

In order to conform to the strict definition of a Unified Threat Management
product as defined by IDC, the appliance should include the first three at a
minimum - the remaining items are optional.
Those transparent gateway security devices which combine items three to
seven, but which - by their very nature as transparent, non-routing devices -
may not include items one or two (or, where a layer 2 firewall is included,
may not provide all the functionality of a typical layer 3 firewall device) are
defined as Secure Content Appliances (SCA) and a separate testing
methodology exists for such products.
The NSS tests are designed to determine the suitability of a particular UTM
product for use as a basic, all-in-one gateway security device and will focus
on the effects of combining multiple security technologies (as listed above)
in a single appliance.
Thus, the overall focus of the tests will be on the manageability,
performance and capabilities of the appliance as a basic firewall or
transparent bridge, and how the performance is affected by
enabling/disabling the additional security functions.

TIPPINGPOINT X505 V2.2.4

Executive Summary

The TippingPoint X505 is an integrated hardware and software device
designed to be installed at the corporate network perimeter to offer VPN
services as well as complete firewall, IPS and URL filtering protection for all
types of network traffic entering or leaving the company.
The X505 is a 1U rack mount server chassis based on a standard Intel
platform with hardware acceleration for VPN encryption/decryption. It
features four 10/100Mbps copper Ethernet ports for both detection and
management. A separate dedicated management port is also provided, as
is a serial console port. Redundant disk drives, power supplies, and High
Availability (HA) features are not available.
Security effectiveness of the X505 was excellent, and performance was
also excellent for a 100Mbps device under all traffic loads throughout the
tests. No significant impact on performance was noted as NAT was
enabled, firewall rules added, or IPS features enabled.
The management system has been well designed to handle management
and configuration of a single device. Alert handling and reporting are both
good, and will be even better once SMS support for the X-series devices is
available (released October 31, 2006).

Architecture

The TippingPoint X505 appliance-based UTM offering (as submitted for
testing) consists of the following components:

TippingPoint X505 Appliance

The X505 appliance submitted for testing is a 1U rack mount server chassis
based on a standard Intel platform with hardware acceleration for VPN
encryption/decryption.
It features four 10/100Mbps copper Ethernet ports for both detection and
management. A separate dedicated management port is also provided (this
will disappear in future versions which will offer in-line management only,
which is a shame), as is a serial console port. Redundant disk drives, power
supplies, and High Availability (HA) features are not available.
The X505 runs TippingPoint's own secure operating system, with integrated
software for firewall, VPN, IPS and Web Category Filtering. Web Filtering is
facilitated via external SurfControl servers, meaning that a live Internet
connection needs to be available for communication to the closest server to
validate each URL request.
With TippingPoint's roots in the IPS market, it is not surprising that this
device can be deployed in both layer 3 routed and layer 2 transparent
bridge modes. This makes for a flexible deployment.
All of the security modules are capable of being managed stand-alone via
the Web-based management interface (LSM). At the time of testing there
was no centralised management system available for multiple X505
appliances, though SMS support will be available from October 31, 2006.

Local Security Manager (LSM)

Each X505 appliance includes an integrated Web server allowing it to be
managed directly via a standard Web browser over a secure HTTPS
connection. This provides a complete single-device management solution
out of the box without the need to install a complex three-tier management
solution.
Naturally, this does not scale well when managing multiple appliances,
although forthcoming SMS (TippingPoint's Security Management System)
support for the X-series appliances will offer a more scalable, centralised
management solution.
Overall, the GUI is fast, easy and intuitive to use, and is one of the better
Web-based management interfaces we have seen.

Command Line Interface (CLI)

The Command Line Interface (CLI) is a standard embedded system
command line interface that provides access to hardware and embedded
software configuration.
The CLI enables the administrator to perform hardware configuration and
monitoring activities using the front-panel serial port of the X505 or via SSH
connection.

Security Management System (SMS)

The UnityOne Security Management System (SMS) is an extra-cost
enterprise management platform that provides administration, configuration,
monitoring and reporting for up to 1,000 TippingPoint appliances. It offers
more advanced and scalable functions than the LSM.
SMS is delivered pre-installed on a 1U rack mountable appliance (running a
hardened Linux OS) and features a remote Java client interface that can be
installed on any Linux, Windows XP, 2000, 2003, NT and 9x PC.
In contrast to the two-tier LSM, the SMS makes use of a more scalable
three-tier architecture and is specifically designed to manage multiple
sensor devices. It features a policy-based operational model for scalable
and uniform enterprise management. It also provides detailed analysis with
a number of built-in reports and an extremely flexible query manager.
The SMS dashboard provides at-a-glance monitors, with launch capabilities
into the targeted management applications that provide global command
and control of the appliances under its control.
Note that SMS support was not available for the X-series appliances at the
time of testing. This support was released on October 31, 2006.

Security Effectiveness

The aim of this section is to verify that the device is capable of effectively
applying a firewall policy, as well as detecting and blocking malicious traffic
via the IPS.
The basic firewall was secure, with no obvious means of circumventing the
applied policy.

Both Network Address Translation (NAT) and Port Address Translation
(PAT, also known as Port Masquerading) are supported. With NAT, both
Many-to-One (single external IP address) and One-to-One (multiple
external IP addresses) NAT are possible. NAT is extremely simple to
configure via the Network Interface Config page. Virtual Servers can be
created to provide a public address for an internal server, allowing traffic to
pass through the firewall to specific public-facing servers.
The X505 provided a good range of VPN configuration options, and
management was straightforward. Unfortunately there were no Wizards to
aid in configuration, although the Default SA proved extremely useful out of
the box for both site-to-site and client-to-site VPNs (termination only). VPN
functionality appeared more than adequate, and the X505 provides the
ability to terminate VPN tunnels in specific security zones (which can then
be protected by individual IPS policies, if required), providing excellent
security isolation for roaming users.
IPS capabilities were excellent, being based on the current TippingPoint
IPS engine used in its stand-alone IPS appliances. Coverage was very
good, particularly in the area of critical severity exploits, and the X505
proved resistant to false positive and false negative test cases. However,
there were some holes in its anti-evasion coverage, though not in any
critical areas (mainly ONC-RPC and FTP evasion techniques).
Overall we felt that the security effectiveness was excellent for a device of
this type.
Please refer to the Testing Methodology section for full details of the
methodology used and detailed performance results of the individual
security modules.

Performance

The aim of this section is to verify that the device is capable of operating
under normal network conditions whilst effectively detecting and handling a
range of exploit traffic.
With a capacity of just over 500 TCP connections per second, 450 SMTP
sessions per second, and an effective bandwidth of 100Mbps, the basic
firewall would perform well in most 100Mbps environments. Just over
10,000 concurrent TCP connections are supported. The TCP connections
per second and concurrent connections are just on the limits of acceptability
for a 100Mbps device. No significant degradation was noticed as we
enabled NAT and additional firewall rules.
Latency is in the region of 257-258