Data Center Intrusion Prevention System (DCIPS)


Why DCIPS is Important

Data center network security (DCNS) is a term used to describe devices that provide network security for the data center. The two main devices in this category are the data center firewall (DCFW) and the data center intrusion prevention system (DCIPS). The DCIPS device sits inline behind the data center perimeter (as "a bump in the wire") and provides internal network segmentation and deep inspection without introducing the complexity of a routing firewall. The DCIPS works as a layer 2 device and is configured to have bypass (fail-open) capabilities.

DCIPS devices handle traffic for potentially hundreds of thousands of users who are accessing large applications in a server farm. Application traffic generates many connections and transactions per request for different traffic types (email, video, e-commerce, database, file shares), which places a high demand on a DCIPS device's ability to set up many connections quickly, hold many connections open, and achieve high throughput rates. Data centers host the crown jewels of an enterprise, e.g., customer data, intellectual property, and mission-critical applications. Therefore, security effectiveness is critical to organizations evaluating these devices. A DCIPS should be capable of correctly blocking malicious traffic through comparison of packet/session contents against signatures/filters/protocol decoders.

Enterprise servers and applications protected by DCIPS host a myriad of content such as streaming audio and video, retail and B2B e-commerce, mission-critical business applications, and the routing infrastructure that runs the Internet. In addition to ensuring security effectiveness and resiliency against attacks and evasions, providing high throughput, low latency, and high availability is critical in a DCIPS device. For the enterprise's data center network security deployment and strategy, it is important to understand whether data center security products are deployed at the perimeter or in the interior (zero-trust model). It is also important to understand whether enterprise data centers are zoned for breach containment, whether they are passively monitored, and whether there is data center redundancy for high availability.

NSS Research Security Insight Study in 2018 found that latency and throughput are the most important factors to consider in understanding the performance of a data center security product

NSS research has found that there are many factors involved in understanding the performance of data center security products, each of which can be critical in evaluating their value. To ascertain which performance factors are most salient to enterprises, participants were asked to rate the importance of five data center security technology performance factors for their organizations on a 0-10 scale, with 0 indicating not important at all and 10 indicating critically important. Unsurprisingly, all performance factors were rated highly important; however, latency and throughput received the highest median scores (9.0).

What We Tested & Why

Exploit Block Rate - NSS Labs

Attackers can modify basic attacks to evade detection in a number of ways. If a device fails to detect a single form of evasion, any exploit can pass through the device, rendering it ineffective. What's worse, when an attacker successfully uses an evasion to bypass defenses, there is no trace of the attack. There are no logs; there are no alerts. Providing exploit protection without fully factoring in evasion can be misleading. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the less effective the device. Find out which products were the most resistant to evasions in our latest DCIPS Group Test.

Evasions - NSS Labs

Attackers use evasions to bypass security controls. A single evasion can grant an attacker access to your network. What's worse, when an attacker successfully uses an evasion to bypass defenses, there is no trace of the attack. There are no logs; there are no alerts. Which products were the most resistant, and which were the least resistant, to evasions in our latest DCIPS Group Test?

Performance and Latency - NSS Labs

Data center technologies are changing rapidly in response to the adoption of social media, streaming video, teleconferencing, and other bandwidth-intensive technologies. Many factors must be taken into account in order to understand the performance of a data center security product, and each of these factors can be critical in evaluating its value. When evaluating performance, the following should be taken into consideration: HTTP capacity for application average response time and for HTTP persistent connections, single application flows, UDP throughput, and latency. DCIPS devices must be resilient to attacks when they are operating at near maximum traffic capacity. Find out which DCIPS devices were able to provide effective protection without compromising on security when they were subjected to high TCP traffic throughput and attacks happening over a period of time.

Throughput - NSS Labs

To account for significant variances in data center network traffic between industries and enterprises, NSS considered three traffic profiles in this test: transactional, multimedia, and corporate. The average throughput across these three profiles reveals which DCIPS product is best for your data center. Other important metrics to review when understanding a DCIPS inspection engine's effectiveness in the real world are TCP connections per second and HTTP connections per second. Rated throughput should focus on packet sizes and protocols that are more likely to be found in typical enterprise deployments, such as email, video, e-commerce, database, and file sharing.

Stability and Reliability - NSS Labs

Long term stability is particularly important for an inline DCIPS device where failure can produce network outages and disrupt business operations. Find out which of the DCIPS products remained operational and stable throughout our tests.

Total Cost of Ownership - NSS Labs

The Security Effectiveness of a device is determined by factoring the results of evasions testing and stability and reliability testing into the exploit block rate. Our latest DCIPS Group Test reveals how the tested DCIPS products fared.

Security Effectiveness - NSS Labs

A security product that fails to protect what's important to you can have catastrophic consequences for your organization. Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which products are right for you.

Value To You - NSS Labs

If your data center security product fails to protect your crown jewels, this can lead to catastrophic consequences for your organization. In addition, providing the optimal combination of security effectiveness and performance is critical for real-world data center deployments. Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which DCIPS products are right for you.

Is Your Enterprise Looking for Insights in addition to the DCIPS Test Reports?

Still have questions? Ask us! Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.

Who We Tested

  • FortiGate 3200D, v5.4.10 GA Build 7811
  • FortiGate 6300F, v5.4.10 GA Build 4283
  • TippingPoint TPS 8400TX

What are the Key Takeaways from 2018 DCIPS Group Test (2nd Edition)?

  • 3 out of 3 Products Achieved a Recommended Rating
  • Overall Security: Between 99.0% and 99.2%
  • TCO per Protected: Ranged from US$3.78 to US$6.68

Attackers continue to leverage old vulnerabilities using variants of known exploits. That is why the latest DCIPS Group Test introduced resiliency testing. A system's resiliency can be defined as its ability to protect against multiple variants of an exploit, not just the known exploit variant.

By testing resilience, NSS Labs enables you to know which DCIPS products will continue to protect you after the spotlight has moved on.

Threat Protection - NSS Labs

NSS research has found that the key threats detected in US enterprise data centers include HTML injection, SQL injection, cross site scripting (XSS), OS command injection, and more. DCIPS products are designed to provide inline protection against threats, anti-evasion capabilities, and full resilience to attack variants. Find out which products were effective against the key threats impacting enterprise data center deployments.

99 Evasion Techniques - NSS Labs

Providing results for a product's protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a product's security efficacy. That is why NSS Labs' Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the lower a product's security efficacy. In the latest DCIPS Group Test, products were tested against 99 evasions to evaluate how well they were able to detect and block them.

Performance VS Security - NSS Labs

Data center network traffic varies significantly between business applications, multimedia, and mission-critical corporate applications. NSS-tested throughput for DCIPS products took into consideration transactional, multimedia, and corporate traffic for both IPv4 and IPv6:

  • The transactional traffic profile is intended to represent a data center with traffic that is more transactional in nature, such as B2B (business-to-business) or B2C (business-to-consumer) e-commerce. The rated throughput emphasizes smaller packet sizes and connections per second.
  • The multimedia traffic profile is intended to represent a data center whose purpose is to serve media content. The rated throughput emphasizes larger packet sizes, maximum concurrent sessions, and streaming protocols.
  • The corporate traffic profile may be best described as the data center footprint of a typical enterprise, where mission-critical applications such as email and ERP (enterprise resource planning software) are kept. The rated throughput emphasizes various packet sizes and protocols that are more likely to be found in those situations, such as email, database, and file sharing.

Latency - NSS Labs

DCIPS inspection engines must be capable of performing optimally under stress and at maximum real-world traffic capacity. The following critical latency parameters were taken into consideration for DCIPS products for both IPv4 and IPv6 traffic:

  • Excessive concurrent TCP connections - Latency within the device is causing an unacceptable increase in open connections.
  • Excessive concurrent HTTP connections - Latency within the device is causing excessive delays and increased response time.
  • Unsuccessful HTTP transactions - Normally, there should be zero unsuccessful transactions. Once these appear, it is an indication that excessive latency within the device is causing connections to time out.

Operational Efficiency - NSS Labs

DCIPS devices are required to remain operational and stable under different traffic loads. The DCIPS Group Test determined the behavior of the state engine under load. All devices must balance the risk between denying legitimate traffic or allowing malicious traffic once they run low on resources. A DCIPS device will drop new connections when resources (such as state table memory) are low, or when traffic loads exceed its capacity.

Product Tuning - NSS Labs

NSS research has determined that the majority of enterprises tune their DCIPS products. Even though attacks against desktop client applications are mainstream, servers will always be the primary targets in data center deployments, so tuning is critical. Therefore, all DCIPS products in this test were tuned optimally, as in a typical customer deployment, keeping in mind security effectiveness and performance.

TCO Protected MBPS - NSS Labs

NSS Labs uses a unique formula, Total Cost of Ownership (TCO) per Protected Mbps, to enable value-based comparisons of DCIPS products in the market. TCO per Protected Mbps is calculated using three-year TCO, security effectiveness, and NSS-tested throughput.

Contrary to popular belief, the biggest risks are not always driven by the latest "Patch Tuesday" disclosures. NSS' threat research reveals that many older attacks are still in circulation and therefore remain relevant. Review NSS Labs test results before making key decisions.

Different vendors take different approaches to adding coverage once a vulnerability is disclosed. Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives. Vendors that have the resources to fully research a vulnerability should be able to produce vulnerability-oriented signatures that provide coverage for all exploits written to take advantage of that flaw. This approach provides more effective coverage with fewer false positives.

Vendors may retire older signatures in attempts to alleviate product performance limitations; however, this may result in inconsistent coverage for older vulnerabilities and varying levels of protection across products.

What You Get
DCIPS Product Test Reports

Security Comparative Report

The Security Comparative Report provides high-level analysis of the security effectiveness of different DCIPS products in the market. The report provides comparisons of blocking capabilities, stability and reliability, and resistance to common evasion techniques.

Using this report, enterprise security teams can compare security effectiveness and resistance to evasion techniques across different DCIPS products.

Performance Comparative Report

The Performance Comparative Report provides analysis of various performance metrics for tested DCIPS products. The report contains comparisons of maximum capacity, HTTP connections per second and capacity, and UDP throughput and latency, all while using real-world traffic mixes.

Using the Performance Comparative Report, enterprise networking teams can compare performance across DCIPS products and select those that will support their volume and type of network traffic.

Total Cost of Ownership (TCO) Comparative Report

The TCO Comparative Report provides a comparison of the costs associated with product purchase, installation, maintenance, and support, as well as threat-associated costs.

Using the TCO Comparative Report, the enterprise C-Suite and management can understand the true TCO of a product over a three-year period, incorporating product purchase cost, product operational cost, and the overall capability score of a product.

Security Value Map™ (SVM) Comparative Report

Empirical data from individual Test Reports and Comparative Reports is used to create NSS Labs' unique Security Value Map (SVM). The SVM illustrates the relative value of security investments by mapping the Security Effectiveness and the Total Cost of Ownership (TCO) per Mbps of tested product configurations.

The SVM Comparative Report provides an aggregated view of the detailed findings from the NSS Labs group tests. Using this report, enterprise security decision makers can see the relative value of security investments.

Individual Test Reports

Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.

Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of-concept testing.