3Com’s TippingPoint: Bot Terminator

How to strengthen your network’s immune system against constantly mutating digital pathogens? One step: Give it a shot in the arm with an intrusion prevention system.

TippingPoint, bought last year by 3Com, was among the first developers of devices that automatically block malicious or unauthorized network activity, without having to be touched by an administrator. Traditional firewalls and intrusion detection systems, by contrast, require humans to analyze and respond to new threats.

That means intrusion prevention systems can sniff out—and stop—unwelcome activity that a company may not have otherwise even noticed. T. Rowe Price, the $1.5 billion mutual fund and brokerage company, installed TippingPoint’s intrusion prevention security devices in October 2004. The goal: to provide an additional layer of security for its perimeter defenses, says Scott Davis, manager of network security.

But by then, invaders had already burrowed through its barriers. Davis’ team of five security administrators saw that TippingPoint’s devices were stopping thousands of spyware connections originating from some of T. Rowe Price’s 5,000 desktop computers. “The spyware filters started triggering en masse,” he says. In 2005, TippingPoint’s gear blocked 480,000 spyware connections at the company.

According to Davis, the company’s technical staff could have stopped some of the spyware agents using antivirus software and other security mechanisms—but that it would have been a manual and reactive process. The intrusion prevention system allowed him to almost completely automate the operation. Now, he says, “we’re blocking spyware download attempts before they get to our machines.”

For Gordon Bass, chief information security officer for the American Red Cross, a big part of TippingPoint’s appeal was that it could block undesirable network traffic immediately after plugging into the network, without requiring up-front tweaking or training (see sidebar).

“We didn’t have time to learn a product that needed extensive fine-tuning,” he says. Here’s why: It was early September 2005, a week after Hurricane Katrina nailed the southeastern U.S. The Red Cross was opening its network to provide access from many of its 1,000 shelters in the region to let victims displaced by the storm use Web-based applications, such as a family-locator database.

Literally overnight, Bass and his team needed an intrusion prevention system to isolate the Red Cross’ internal network, with more than 20,000 computers, from publicly accessible segments. TippingPoint sent one to the Red Cross the day after Bass requested one; right after his team plugged it in, the system’s monitoring screens showed Bass that it was dropping traffic from bots and other malware.

“We knew we were stopping that stuff cold right at the perimeter,” Bass says. Another plus: He claims the TippingPoint system has generated no false positives—that is, it hasn’t incorrectly blocked any legitimate traffic—which was a concern since Bass’ team had simply used the default filters without modification.

TippingPoint has also responded quickly when new threats pop up, says Jim Carpenter, manager of information technology at Alon USA, an oil refiner and asphalt producer in Dallas. In April 2005, Carpenter’s team found some of its machines had been infected with a worm variant for which TippingPoint didn’t yet have a filter. “We sent them some info, and in 18 hours they had signature built,” he says.

Since acquiring TippingPoint in January 2005, 3Com has run it as a standalone division, based in Austin, Texas. James Hamilton, TippingPoint’s president, says the 3Com deal has reassured customers that the company will be around for the long haul. “They’ve certainly given us some credibility in the marketplace,” he says. Moreover, Hamilton says, 3Com has a global reseller channel far broader than anything TippingPoint could have developed on its own.

The Red Cross’ Bass initially “had a little bit of concern” that 3Com would dilute TippingPoint’s product mix, but he says “there seems to be a commitment by 3Com for new product development.”

However, TippingPoint hit at least one rough patch in joining its new parent. T. Rowe Price’s Davis says some TippingPoint boxes he bought last year, after the 3Com deal, arrived with bad power supplies or bad drives. “A couple of boxes they sent us were just dead,” he says. Davis estimates he’s had to return about 15% of the units.

A TippingPoint spokeswoman says it initially switched electronics manufacturing operations to 3Com’s partners, but “we found the quality-assurance success rate to be lower.” She says TippingPoint has reverted to its previous partners, which include Jabil Circuit and ModusLink.

To Davis, what’s more important than a few dead-on-arrival systems is that TippingPoint listened to his concerns—and delivered replacement units the next day. “Their customer support has truly been outstanding,” he says. “They’re the most customer-centric company we deal with.”

The Company

Headquarters: 7501 N. Capital of Texas Hwy., Austin, TX 78731
Phone: (512) 681-8000
Ticker: Division of 3Com (NASDAQ: COMS)
URL: www.tippingpoint.com
Employees: 220
Business: Network security systems and software
Founded: 1999
Key executives: James Hamilton, president, TippingPoint; Marc Willebeek-LeMair, chief technology officer, 3Com

Products: 5000E intrusion prevention system can handle up to 5 gigabits per second of traffic; the M60, due in the fall, is supposed to handle up to 60 gigabits per second. The lower-end X505 provides firewall, intrusion prevention and content filtering at up to 50 megabits per second.

Market Share: 23% of the $246 million worldwide market in 2005 for in-line intrusion detection and prevention systems (Infonetics Research)

Key Competitors: Cisco Systems, Internet Security Systems, Juniper Networks, McAfee, Radware, Symantec

The Technology

“Set it and forget it”? The Catch-phrase of late-night infomercials could almost describe how easy TippingPoint’s products are to set up and maintain, according to customers.

TippingPoint intrusion prevention devices come with more than 2,500 filters to defend against threats such as the packet flood characteristic of certain botnet attacks. The company issues regular updates via its Digital Vaccine service as new vulnerabilities are discovered (similar to antirivus software vendors). Recommended settings to stop malicious attacks are enabled by default, so that right out of the box TippingPoint’s system screens out “the really bad stuff,” says Scott Davis, T. Rowe Price’s manager of network security. “It’s not something you have to constantly care and feed.”

And because TippingPoint’s devices can automatically update themselves over the Internet, customers sometimes realize they’re protected from a threat only after it’s hit the news. When the Zotob worm—which targeted a security hole in Windows 2000 operating systems—struck last August, Mike Briggs, director of information technology at the 1,870-student George Washington University Law School, says he didn’t even notice a rise in network traffic.

“That was amazing,” Briggs says. “Before, we’d have to immediately drop everything and patch our systems. But we had the filters in place before there was even public acknowledgment of the issue.”

Reference Checks

T. Rowe Price
Scott Davis
Mgr., Network Security
[email protected]
Project: Broker and investment advisory firm uses 25 TippingPoint devices worldwide to protect 5,000 users and 1,000 servers.

American Red Cross
Gordon Bass
Chief Information Security Officer
(703) 206-8972
Project: Disaster-relief organization deployed TippingPoint systems last year after allowing Hurricane Katrina victims to access applications over its network.

George Washington University Law School
Mike Briggs
Dir., I.T.
(202) 994-5772
Project: Law school in Washington, D.C., deployed a TippingPoint device in the fall of 2004.

Alon USA
Jim Carpenter
Mgr., I.T.
[email protected]
Project: Dallas-based oil refiner and asphalt producer has used a TippingPoint system to protect 500 desktop computers since the fall of 2003.

Louisiana 19th Judicial District Court
Freddie Manint
CIO
(225) 389-5295
Project: State court uses two TippingPoint devices, one at its Internet access point and one to shield about 60 servers.

East Grand Rapids Public Schools
Jeff Crawford
Mgr., Networking
[email protected]
Project: Michigan school district with 3,000 students runs an X505 between student-accessible network and its back-end information systems.


Revenue

FQ2 2006 (ended 12/2/05)$21M

FQ1 2006 (ended 9/2/05)$17M

FQ4 2005 (ended 6/3/05)$13M

Previous operating results**

’05FYTD’04FY ’03FY
Revenue$20.26M$5.77MNone
Gross margin69.7%54.0% N/A
Operating loss -$10.09M -$17.51M-$24.63M
Net loss -$9.83M-$16.25M-$25.44M


* As a division of 3Com
** Prior to the 3Com acquisition. Fiscal Years ended Jan. 31; ’05FYTD reflects nine-month period ended oct. 31, 2004.
Sources: 3Com and Tippingpoint reports