
Centrax

by Bob Walder

Already the lines are blurring in the Intrusion Detection System (IDS) world. We originally had a clear distinction between host-based and network-based systems, but this is changing.

Host-based systems ran on, and monitored, individual hosts for changes in the OS and critical files at a high level. We also had network-based systems which worked at a low level like packet sniffers, looking for common attack signatures on the wire. Lately we have seen the appearance of hybrids of these products, as well as a new breed of network-based system which works at the packet level but only looks at traffic aimed at the host machine – is this host-based or network-based, then?

Centrax is one of this new breed of products that is difficult to classify. It is primarily a host-based system, which monitors the OS at a high level as well as at the packet level (though not across the network), and allows a number of target agents to be controlled from a single console. It also manages to include some basic security assessment capabilities.

This makes it slightly confusing at first, since there is so much going on and so much to be configured. Essentially, you need to install the Command Console on one machine, followed by the Target Service, Real-Time Service, and Network Service as appropriate on each of the targets (to provide the host and network-based scanning and communications). Target machines can be either NT or Solaris.

On firing up your command console you are presented with a tool bar that can call up a number of windows to view the Alert Manager, Target Manager, Alert Filter, Assessment Manager, Services Manager, Event Log and Reports. The key one is the Target Manager Service, which allows you to select one or more target machines (each of which requires the Target Agent) to scan. You can then apply an Audit, Batch Detection, Real-Time Detection, Network Detection and Collection Policy to each target as required.

The Audit Policy determines which NT audit events are monitored, and the interface for this is almost identical to the audit policy dialogue you find on NT Server itself. Different options are available for the Solaris platform, of course. It is also possible to audit the file system by specifying file lists, users, groups and file operations such as successful read and write, failed delete, and so on. So, for instance, you could audit your R&D directory, and be alerted of all successful file read operations by users not in the R&D group. A similar facility exists for auditing Registry Keys.

Detection policies are of three types as mentioned before – Batch, Real-Time and Network (Batch policies only, for Solaris targets). In the NT environment, the Batch and Real-Time policies monitor target activity (not just the usual auditable events) at various levels covering everything from Registry Key modification to user/group modification or Trojan horse activity. The Real-Time policy is running constantly on targets that have the Real-Time Service installed, whilst the Batch policy is under the control of the Collection Policy, which specifies days and times when Batch policies will be run.

Admin-related events that can be monitored include such things as changing audit policies or clearing audit logs, modifying the Administrator account or changing passwords. Access-related events include warning of three consecutive failed logins, after-hours logins, login to expired accounts, and so on. It is also possible to monitor critical system file modifications, general virus and Trojan horse activity, modifications to Centrax files and Registry keys, and modifications to any other files and Registry settings the administrator deems to be important. A number of sample policies are defined, and these can be amended to suit your environment or new ones can be created from scratch.
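The two kinds of rule described above (a successful read of an R&D file by a user outside the R&D group, three consecutive failed logins, and an after-hours login) can be expressed as a small evaluator over audit events. This is an added illustration, not Centrax code; the group membership, directory path, business hours and audit events are all constructed for the example.

```python
from datetime import datetime

# Constructed sample data (not from the review): group membership, the audited
# R&D directory, and the window outside which a logon counts as after-hours.
GROUPS = {"R&D": {"alice", "bob"}, "Finance": {"carol"}}
RD_DIR = "C:\\RD\\"          # assumed audited directory
BUSINESS_HOURS = (8, 18)     # logons before 08:00 or from 18:00 on are after-hours

# Each event: (timestamp, user, kind, detail, success). Constructed sample log.
EVENTS = [
    ("1999-03-01 09:05", "alice", "file_read", RD_DIR + "plans.doc", True),
    ("1999-03-01 09:07", "carol", "file_read", RD_DIR + "plans.doc", True),   # not in R&D
    ("1999-03-01 09:08", "carol", "file_read", RD_DIR + "plans.doc", False),  # failed read: no alert
    ("1999-03-01 10:00", "dave",  "logon",     "", False),
    ("1999-03-01 10:01", "dave",  "logon",     "", False),
    ("1999-03-01 10:02", "dave",  "logon",     "", False),                    # third consecutive failure
    ("1999-03-01 10:03", "dave",  "logon",     "", True),                     # success resets the counter
    ("1999-03-01 22:30", "bob",   "logon",     "", True),                     # after hours
]


def evaluate(events, groups=GROUPS):
    """Return a list of (timestamp, user, reason) alerts for the three rules."""
    alerts = []
    failed = {}  # user -> number of consecutive failed logons seen so far
    for ts, user, kind, detail, ok in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        # Rule 1: successful read under the R&D directory by a non-R&D user.
        if kind == "file_read" and ok and detail.lower().startswith(RD_DIR.lower()) \
                and user not in groups["R&D"]:
            alerts.append((ts, user, "successful read of R&D file by non-R&D user"))
        if kind == "logon":
            if ok:
                failed[user] = 0
                # Rule 3: successful logon outside business hours.
                if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
                    alerts.append((ts, user, "after-hours logon"))
            else:
                # Rule 2: alert exactly once on the third consecutive failure.
                failed[user] = failed.get(user, 0) + 1
                if failed[user] == 3:
                    alerts.append((ts, user, "three consecutive failed logons"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```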

The Network Policy covers a number of attack signatures to provide packet-level Intrusion Detection (ID) capability on each host with the Network Service installed. Although working at a low level in the stack, this is still host-based since it is only possible to monitor traffic aimed at the target host, not on the network as a whole. This is in stark contrast to products such as RealSecure, which operate in promiscuous mode to monitor all local network traffic (although RealSecure also includes a micro-agent now which allows similar host-based packet-level ID).

A number of common attack signatures are included in the Network Policy covering known FTP, SMTP and HTTP bugs and loopholes. Also covered are the more common NT Denial of Service attacks such as TearDrop, OOB, and Land, as well as Ping of Death, Chargen loopback, echo loopback and Back Orifice (among others). Though the common ones are covered, Centrax has a much more limited attack signature database than the more specialised network ID systems such as ISS RealSecure. New signatures cannot be added by the administrator, the only modification possible to a Network policy being the ability to enable or disable each signature check.

While you have scans running (either batch or real time) alerts will appear in the Alert Manager window for an instant indication of the status of the target, and you can run a number of reports to summarise data after the fact. Reporting on the main ID activities is via Crystal Reports, which provide plenty of opportunity for customisation.

As well as the Detection policies, Centrax also includes some basic security assessment capabilities, providing an indication of where your security policies need tightening up. For instance, you are rated as Poor, Fair or Good in a number of categories (posture, login configuration, drive configuration, passwords, screen savers, accounts and system configuration) depending on such things as how long your default passwords are, whether you have a guest account enabled, whether you have renamed your administrator account, whether you allow all users to access the NT system directory, and so on.

Verdict

Centrax is very complicated to get to grips with due to its extensive feature set, but once you have your policies set up it runs itself. It is the first product we have seen to combine extensive host-based ID with security assessment, though it falls short of some of the best-of-breed ID products in both its packet-level ID and its security assessment capabilities.

Contact: CyberSafe, +1 425 391 6000


Copyright © 1991-2004 The NSS Group Ltd.
All rights reserved.
