Describe the attack detection techniques your product uses.
Does the product use stateful analysis? If so, describe its use.
What network protocols can be analyzed?
What application protocols can be analyzed?
Can your product operate in both inline and passive mode?
If malicious traffic is detected, what response capabilities does your product have (log, drop packet, and so on)?
How is fragmented traffic handled?
Does the NIPS have any remediation capabilities? If so, describe them.
False positives are an issue for most NIPS products. If we encounter false positives with your products, how do we tune them?
Is there a tuning, learning, or testing mode?
What is the inline throughput and latency for your products?
What is the detection-only throughput and latency for your products?
What information do logged events contain?
Can event severity be modified?
What types of signatures/policies are used (atomic, stateful, and so on)?
What triggering mechanisms does your product use (pattern detection, anomaly-based, behavior-based, and so on)?
Can signatures/policies be applied to specific categories of traffic (VLAN, subnet, IP address)?
Can policies/signatures be customized or created?
Does the product have any application-specific signatures/policies? If so, what applications are included?
What self-defense capabilities does the product have?
Does your product have the capability to detect or stop known attacks? How?
Does your product have the capability to detect or stop unknown attacks? How?
Does your product have the capability to detect or stop network worms? How?
Does your product have the capability to detect or stop Trojans? How?
Does your product have the capability to detect or stop spyware? How?
Does your product have the capability to detect or stop adware? How?
Does your product have the capability to detect or stop viruses? How?
Does your product have the capability to detect or stop traditional hacking attempts? How?
Does your product have the capability to detect or stop encrypted attacks? How?
Does your product have the ability to control bandwidth utilization? How?
Does your product have the ability to enforce acceptable use policies (peer-to-peer file sharing, pornography, and so on)?
Does your product have the ability to enforce security policies (confidentiality of data and so on)?
Can your product isolate malicious traffic/hosts?
Can your product overcome evasion techniques? How?
Are languages other than English supported? If so, describe the level of support and list the languages.
If the product fails, does it fail open or closed?
Please describe the current roadmap for future product releases.
Is the product centrally managed?
Describe the management infrastructure.
Does the management solution have a database component? If so, what type of database?
What architectural options are supported (single-server, tiered, hierarchical)?
How many devices can each architecture (single-server, tiered, hierarchical) support?
Describe the high availability and failover capabilities of the management solution.
How do administrators access the management interface?
How are administrators authenticated?
How is administrator-to-management communication secured?
Is there an audit trail? If so, describe it.
Is role-based administration supported?
How many events can one management server store?
How many events per second can one management server handle?
What are the bandwidth requirements? Describe the communication protocols between the managed devices and the management server.
How does the management solution avoid denial of service caused by event flooding?
Can a policy/signature be backed out?
What capabilities does the management solution offer for testing signatures/policies before they are deployed?
Describe any centralized notification/alerting capabilities.
Are events collected in real time?
Are alerts delivered in real time?
How can alerts be delivered (e-mail, SNMP, and so on)?
How is device-to-management communication secured?
How is the management infrastructure itself secured?
If your product requires updates, how are the updates distributed? Is distribution automatic?
How are configuration changes distributed?
Are languages other than English supported? If so, list them.
Can logs be exported?
Describe any capability to group managed devices.
Does the management solution provide detailed status of the devices it manages?
What happens if the management solution fails?