Radware DefensePro DP102 review

Attacks on networks are getting so sophisticated that a standard firewall may no longer be able to protect against them all. That’s Radware’s philosophy and its DefensePro appliances are designed to sit in front of your firewall and provide top-level intrusion prevention and DoS protection for networks and individual servers.

These new attack types use legitimate application services which makes it less likely they’ll get picked up by static signature-based IPS solutions as they aren’t exploiting known vulnerabilities. Session-based HTTP floods are a good example where a botnet of infected systems requests legitimate web pages. Standard IPS systems will probably just see the increased levels of traffic and block all requests so stopping genuine users accessing these services.

The DefensePro uses behavioural analysis for the network, servers and clients and generates real time signatures. In our example the infected systems would be making multiple requests for a small number of pages whereas genuine browsing habits would be completely different. Based on these patterns the appliance creates a signature specifically for the attack taking place allowing normal services to be accessible whilst blocking attacking systems.

The DP102 on review protects a single network segment and functions as a transparent gateway so we just dropped it straight into our network between our firewall and Internet router. For management Radware offers two versions of its APSolute Insite product where the standalone software version only currently supports Windows XP. The ManagePro appliance provides a central location for managing all of Radware’s products.

Insite opens with a global view of all managed appliances where we defined the unit’s management IP address and set up SNMP trap sending and reporting. From the appliance’s Connect and Protect window you define your policies where the Network option combines traffic sources, the protected network segment and an action. Here, you can protect against network worms, known application vulnerabilities, DoS/DDoS attacks and so on and set connection limits.

Server policies look after individual systems on the LAN and protect against a wide range of attacks including HTTP and SYN floods, server cracks such as application scans and brute force attacks. Suffice to say Radware has all the main avenues covered and the use of multiple policies allows the DP102 to be customised to suit a wide range of requirements.

For testing we set up the DP102 to protect our LAN and placed an attack system and genuine clients on the outside. We ran a variety of network attacks including TCP SYN floods and TCP scans and the DP102 identified and blocked them according to our policies. We also tried an HTTP flood attack on a 2003 R2 server running IIS and watched the appliance block it but allow our normal clients to access its web pages during the attack.

Reporting facilities are very impressive as you can view a history of all attack types, watch them in real time and see which systems were involved. The DashBoard is also useful as its radar sweep shows attacks as they occur and graphs alongside show distributions, targets and severity levels.

Companies running business critical web services can’t afford to have genuine customers affected by the new wave of web attacks. The DP102 is easily deployed and its unique method of dealing with the latest threats means you can now extend your defences beyond the firewall.