
Intrusion Detection Group Test

by Bob Walder


Introduction

When have you ever seen a bank that relies solely on the locks on the front door for protection? Not likely. And it’s not just banks either – even the lowliest commercial premises have a burglar alarm to provide instant notification should the perimeter defences be breached, and some even go as far as installing CCTV too to collect visual evidence of a break in.

So it should be on your network. If you consider the firewall as your perimeter defence – the equivalent of your door locks – then you still need to prepare for the almost inevitable possibility that someone may breach that defence. In that case, you need to be informed quickly that someone is wandering your network, launching attacks, bringing down servers, stealing or altering vital data. The equivalent of the burglar alarm and CCTV system is the IDS – Intrusion Detection System.

Within the IDS market place are four broad categories of product:

1. Vulnerability Scanners – Also known as “risk assessment products”, these provide a library of known attacks – a sort of “hacker in a box” – with which a network administrator can proactively probe his or her own network resources.

2. Network-based IDS – These monitor traffic on the wire in real time, examining packets in detail in order to spot denial of service attacks or dangerous payloads before the packets reach their destination and do damage. When suspicious activity is noticed, a network-based IDS can both raise alerts and terminate the offending connection. Some will also integrate with the firewall, automatically defining new rules to shut out the attacker in future. Network-based IDS require a dedicated host on which to run because of their heavy use of system resources. You will also need one sensor per segment, since they cannot see across switches or routers.

3. Host-based IDS – These employ an agent that resides on each host to be monitored. The agent scrutinises event logs, critical system files and other auditable resources, looking for unauthorised changes or suspicious patterns of activity, and whenever anything out of the ordinary is noticed, alerts or SNMP traps are raised automatically. The agent may also behave like a network-based IDS and compare packets on the wire against a database of known attacks, but in this case it sees only packets addressed to the host itself. For this reason it is ideal in a switched environment or on heavily loaded networks. Some host-based IDS also include a “personal firewall” capability to provide additional protection for the host machine.

4. The “Honeypot” – Although not a new idea, this is a relatively new class of product to be offered commercially. A honeypot simulates a range of network servers and devices in order to act as an attractive “decoy” for the would-be hacker. While the hacker concentrates on the decoy services, the honeypot collects as much evidence as it can and raises alerts to the administrator.

PRODUCT REVIEWS

ISS Internet Scanner

Internet Scanner is one of the best known vulnerability scanning products on the market today. Although the program has been ported from its Unix origin to the NT platform (the version we tested here) it has always retained rather too much of its roots to suit die-hard NT users. The latest release sees a complete revamp of the GUI and the underlying architecture resulting in a far more usable product.

Version 6.0 of Internet Scanner represents a major change for ISS in that, for the first time, the X-Press Updates feature allows vulnerability modules to be downloaded separately from the main program. Previous versions included all vulnerability data within the program itself, requiring a large download and a complete re-install each time the vulnerability database was updated. Although the new architecture allows individual vulnerabilities to be downloaded, authenticated and applied automatically by X-Press Update, we noticed lengthy delays both when starting the program and when amending policies, as the vulnerability list is effectively rebuilt on the fly each time. This delay is strange, since CyberCop Scanner has had the ability to update individual vulnerabilities for some time and does not suffer similar delays. One nice aspect of X-Press Updates is the ability to schedule automatic updates, either to individual machines from the ISS Web site or to a central distribution point on the corporate network. New vulnerabilities can also be distributed as e-mail attachments.

In addition to X-Press Updates, there has been a major overhaul of the user interface, making it much more intuitive and usable. The scanning policy is now depicted as a familiar hierarchical tree in the left-hand pane, with vulnerability groups at the highest level (back-door programs, DNS, FTP, network, Denial of Service, etc.) and individual vulnerabilities at the lowest level (Ping Bomb, Teardrop, Syslog Flood, etc.). Selecting any individual attack brings up a detailed description alongside, together with information on fixing the problem, if available. Each vulnerability has a check box alongside, as do the vulnerability groups above them, thus providing the means to quickly include one or more vulnerabilities in a policy. A set of “common parameters” are also included that will apply to a range of vulnerabilities during the scan, and there is a search capability allowing you to quickly locate a particular attack. There are over 600 vulnerabilities in the database now (including 65 new security tests and 30 new tests for malicious “back door” programs such as BackOrifice), so the interface improvement is very welcome.

The main problem with the new interface is the time it takes to build a new “view” of the vulnerability list each time you need to edit a policy. When you are performing scans using individual or small numbers of vulnerabilities as I was when testing the IDS products, you spend more time waiting for the views to build than you do actually scanning. This needs changing – when the X-Press Updates are applied, a static view should be built at that point and this should then be used within Internet Scanner. There should be no need to rebuild the view dynamically every single time you start the program or want to edit a policy.

One of the nice points about Internet Scanner is the SmartScan capability, which allows it to use information (such as user names) gleaned on one scan to feed into subsequent scans in order to attempt access to other machines on the network.

Other improvements in 6.x include new reports (such as network inventory and condensed summary reports), full integration with Database Scanner, and enhanced port scanning capabilities.

Verdict

The user interface enhancements and X-Press Update feature have improved this product no end. It sports one of the largest vulnerability databases around, and has some nice features such as SmartScan and excellent reporting. It needs some work on speed of loading the initial program and policy editor, however.

Product : ISS Internet Scanner 6.01
Supplier : ISS
Telephone : 0118 959 3800

RealSecure

With version 3.2 of RealSecure, ISS introduces independently-licensed modules that can be purchased and deployed as needed. The components of the RealSecure family are:

  • RealSecure Network Engine. This is the RealSecure packet-sniffing engine that looks at all the traffic on a single segment (one is required for each subnet to be monitored). The engine compares network traffic with the signature database and generates the appropriate actions when necessary. It would be nice to see the network engine capable of restricting its monitoring to the host on which it is installed instead of the whole subnet – this would provide more flexibility in monitoring traffic on heavily loaded segments.

  • RealSecure System Agent. The system agent is a host-based detection module that monitors the operating system log files for signs of unauthorised activity. Like the network engine, it can take action automatically to prevent further system incursions.

  • RealSecure Management Console. The console provides the capability to manage multiple network engines and system agents from the same user interface. Both types of detectors use the same alarm formats, report to the same database, and use many of the same reports.

  • RealSecure Detector Controller. This utility enables a RealSecure administrator to perform, at the command line, many of the functions that are available from the console.

  • RealSecure Manager for HP OpenView. This is a plug-in module for existing HP OpenView systems that allows such systems to manage RealSecure network engines securely.

Security policies are defined at the console too and loaded to each engine as appropriate. Different policies can be applied to each engine, if required, depending on the expected traffic on any given segment, or perhaps on the importance of a segment. Each policy defined in the console consists of a number of security events, connection events, user-specified filters and user-specified actions, and a number of sample policy files are provided to get you going.

New in this version is the ability to create user-defined signatures for the network engines using regular expression string matching on packet contents, looking for things like passwords, e-mail content, login names, URLs, and so on.

For each event there are a number of actions available, including notify console, log to database, log raw data, send e-mail notification, kill connection, view session, lock firewall and send SNMP trap. You can use RealSecure to monitor more than just security problems by using Connection Events. These are generic events such as HTTP, FTP or SMTP activity, and can be filtered by source or destination address, source or destination port, or protocol.

Events are flagged in real time on the console and are marked as low, medium or high priority. Individual events can be examined in the hierarchical activity tree, and there are a number of graphical and text reports that can be run covering such things as event names, source and destination reports, top 20 events, top 20 destinations, and so on.
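
To make the regex-signature and connection-event mechanism described above concrete, here is an added example in Python (not RealSecure code, and not part of the original review) of a minimal policy engine of that shape: security events are regular expressions run over the payload, optionally restricted by protocol and destination port; connection events match on protocol, port and source network; each match yields an alert carrying a priority and the list of configured actions. The signatures, connection events, action names and sample packets are all constructed for the example, and actions such as `kill_connection` are returned as labels for an enforcement layer rather than executed here.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes


@dataclass
class Signature:
    """A user-defined security event: a regex run over the packet payload."""
    name: str
    pattern: re.Pattern
    priority: str                 # "low", "medium" or "high"
    actions: List[str]            # what the engine should do on a match
    proto: Optional[str] = None   # optional protocol / destination-port filters
    dport: Optional[int] = None


@dataclass
class ConnectionEvent:
    """A generic connection event (HTTP, FTP, ...) filtered by protocol, port and source network."""
    name: str
    proto: str
    dport: int
    src_net: Optional[str] = None


@dataclass
class Alert:
    kind: str          # "security" or "connection"
    name: str
    priority: str
    src: str
    dst: str
    actions: List[str]
    evidence: str = ""


def run_policy(packets, signatures, connection_events):
    alerts: List[Alert] = []
    for pkt in packets:
        # latin-1 maps every byte to exactly one code point, so binary payloads
        # never raise decode errors and match offsets stay byte-accurate.
        text = pkt.payload.decode("latin-1")
        for sig in signatures:
            if sig.proto is not None and sig.proto != pkt.proto:
                continue
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            m = sig.pattern.search(text)
            if m:
                alerts.append(Alert("security", sig.name, sig.priority,
                                    pkt.src, pkt.dst, list(sig.actions), m.group(0)))
        for ce in connection_events:
            if ce.proto != pkt.proto or ce.dport != pkt.dport:
                continue
            if ce.src_net is not None and ip_address(pkt.src) not in ip_network(ce.src_net):
                continue
            alerts.append(Alert("connection", ce.name, "low", pkt.src, pkt.dst, ["log_db"]))
    return alerts


def summarise(alerts):
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.priority] = counts.get(a.priority, 0) + 1
    return counts


# Hypothetical policy: two regex signatures plus two connection events.
SIGNATURES = [
    Signature("FTP cleartext password", re.compile(r"^PASS\s+\S+", re.M),
              "medium", ["notify_console", "log_db"], proto="tcp", dport=21),
    Signature("Path traversal to /etc/passwd", re.compile(r"(\.\./)+.*etc/passwd|/etc/passwd"),
              "high", ["notify_console", "log_db", "kill_connection"], proto="tcp", dport=80),
]
CONNECTION_EVENTS = [
    ConnectionEvent("HTTP activity", "tcp", 80),
    ConnectionEvent("FTP from outside", "tcp", 21, src_net="192.0.2.0/24"),
]

# Constructed sample traffic (not a real capture).
TRAFFIC = [
    Packet("192.0.2.10", 40000, "10.0.0.5", 21, "tcp", b"USER admin\r\nPASS hunter2\r\n"),
    Packet("192.0.2.10", 40001, "10.0.0.6", 80, "tcp", b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", 53001, "10.0.0.53", 53, "udp", b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    Packet("10.0.0.8", 40002, "10.0.0.6", 80, "tcp", b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def demo():
    return run_policy(TRAFFIC, SIGNATURES, CONNECTION_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.priority:>6}] {a.kind:<10} {a.name:<32} {a.src} -> {a.dst} {a.evidence}")
```

Against the four constructed packets the policy raises two security events (the cleartext FTP password and the traversal attempt, the latter carrying `kill_connection`) and three low-priority connection events; the DNS packet matches nothing because both signatures are restricted to TCP. Restricting a signature by port is what keeps a payload regex from firing on every protocol that happens to carry the same string.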

Verdict

With a modular architecture, network- and host-based detection in a single product, and one of the most comprehensive attack signature databases available, RealSecure is still one of the best IDS products on the market.

Product : ISS RealSecure 3.2
Supplier : ISS
Telephone : 0118 959 3800

Cisco Secure Intrusion Detection System

Cisco Secure IDS (formerly known as NetRanger) came into the Cisco product portfolio with the WheelGroup acquisition. It is an enterprise-scale, real-time intrusion detection system designed to detect, report and terminate unauthorised activity throughout a network.

The Secure IDS is a two-part system of management console (Director) and multiple IDS Sensors. The Sensor is a dedicated network appliance based on a single- or dual-processor Pentium II with 64 or 128MB of RAM, running a specially hardened version of Sun Solaris 2.6. On this is installed the IPCHAINS packet filter software and the IDS code. Dual network interfaces are provided: one for packet capture, which has no IP address and is thus invisible to the network on which it is placed, and the other for management. Packet capture interfaces can be 10/100 Ethernet, Token Ring or FDDI.

Management is via an HP OpenView console running on a Sun Sparc box (the Director), which can control multiple Sensors. For extremely large, distributed networks with complex alarming and communication requirements, the Director can be implemented in a multi-tiered hierarchy, enabling a virtually unlimited number of Sensors to be monitored from a single, central console. Unfortunately, in the current release communication between the Director and the Sensors is not encrypted. Cisco recommends a dedicated management network, which keeps the intra-device traffic off the live network and away from anyone on the monitored segments; future releases will encrypt this communication via IPSec.

OpenView provides a graphical interface for configuration of the Sensors as well as a means of gathering alerts. The Sensor uses a rule-based engine to distil IP traffic on the packet capture interface into meaningful security events, which it forwards to the Director. The Director displays real-time security information transmitted by the Sensors, presented as icons drawn on network security maps. Clicking on an attack alert icon retrieves further context-sensitive information, as well as a detailed HTML page on the nature of the attack and possible countermeasures. Attack details are also logged to disk, though there are no built-in reporting tools to present this data usefully.

When an attack is noted, as well as logging and alerting, the Sensor can instantly cut TCP sessions and dynamically manage a Cisco router’s access control list to “shun” intruders, preventing further attacks from that source. The shun can be temporary, if desired, or maintained indefinitely. The rest of the network traffic continues to function normally; only the unauthorised traffic from internal users or external intruders is removed.
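
The shun mechanism lends itself to a small worked example. The Python below is added here and is not Cisco's implementation: it keeps a table of shunned sources with optional expiry and renders it as an IOS extended access list. The ACL number, the never-shun networks and the sample addresses are assumptions. The never-shun list is the check a practitioner wants before switching automatic shunning on, because attack packets with a spoofed source address would otherwise let an intruder have the IDS cut off your own DNS server or management hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class ShunEntry:
    src: str
    reason: str
    created: float
    expires: Optional[float]      # None means shun indefinitely


class ShunManager:
    """Tracks shunned sources and renders them as an extended ACL for a router.

    The ACL number and the never_shun networks are assumptions for this example.
    """
    ACL_NUMBER = 199

    def __init__(self, never_shun: List[str]):
        # Sources that must never be shunned (management net, DNS, mail relay...).
        # Without this list, an attacker who spoofs attack packets from a critical
        # host can turn the automatic response into a denial of service.
        self.never_shun = [ip_network(n) for n in never_shun]
        self.entries: Dict[str, ShunEntry] = {}

    def shun(self, src: str, reason: str, now: float, duration: Optional[float] = None) -> bool:
        addr = ip_address(src)
        if any(addr in net for net in self.never_shun):
            return False
        expires = None if duration is None else now + duration
        current = self.entries.get(src)
        # Keep the longer of an existing and a new shun; never shorten one.
        if current is not None and (current.expires is None or
                                    (expires is not None and current.expires >= expires)):
            return True
        self.entries[src] = ShunEntry(src, reason, now, expires)
        return True

    def expire(self, now: float) -> List[str]:
        gone = [s for s, e in self.entries.items() if e.expires is not None and e.expires <= now]
        for s in gone:
            del self.entries[s]
        return gone

    def acl_lines(self) -> List[str]:
        lines = [f"access-list {self.ACL_NUMBER} deny ip host {s} any"
                 for s in sorted(self.entries, key=ip_address)]
        # IOS ACLs end with an implicit deny; the explicit permit keeps everyone else flowing.
        lines.append(f"access-list {self.ACL_NUMBER} permit ip any any")
        return lines


def demo():
    mgr = ShunManager(never_shun=["10.0.0.0/24", "10.1.1.53/32"])
    results = {
        "traversal": mgr.shun("192.0.2.10", "path traversal", now=1000.0, duration=900.0),
        "spoofed_dns": mgr.shun("10.1.1.53", "syn flood", now=1000.0),
        "scanner": mgr.shun("198.51.100.7", "port scan", now=1000.0),
    }
    before = mgr.acl_lines()
    expired = mgr.expire(now=1900.0)
    after = mgr.acl_lines()
    return results, before, expired, after


if __name__ == "__main__":
    results, before, expired, after = demo()
    print(results)
    print("\n".join(before))
    print("expired:", expired)
    print("\n".join(after))
```

The temporary shun on 192.0.2.10 disappears once its 900 seconds are up, the indefinite one on the scanner stays, and the request to shun the (hypothetical) DNS server is refused. Pushing the rendered lines to the router, and binding the ACL to an interface, is the part this example leaves to the deployment.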

Configuration of the Secure IDS via the graphical interface is simple, and there is very little to do in order to get it up and running. In addition to the default logging and alerting capabilities, each attack signature can be assigned additional actions when triggered, including shunning, TCP reset, and detailed logging (full packet trace rather than simple event log). There are around 300 attack signatures in the vulnerability database currently, and it is possible to add new ones based on matching packet contents with user-defined rules.

Verdict

The network appliance approach will suit many organisations, providing rapid installation without having to source hardware internally. The reliance on HP OpenView may present a slight problem for some, since it needs a Sun Sparc box at the moment (though an NT-based version will be released eventually).

Product : Cisco Secure IDS 2.2.1.3
Supplier : Cisco
Telephone : +1 (512) 378-1217

NetProwler Professional

NetProwler is Axent’s real-time network-based IDS designed to complement and integrate with the Intruder Alert product.

It comes with a wide range of predefined operating system and application attack signatures that can be enabled for a single host or range of hosts. It also allows the attack signature database to be extended with user-defined attacks to address company-specific resources and applications. New signatures can be defined and applied without having to bring down the monitoring engine.

On firing up NetProwler the administrator is presented with two windows – Monitoring and Configuration. The configuration window is initially very confusing and somewhat daunting. Unlike most network-based IDS the NetProwler engine does not automatically monitor everything that passes on the wire. Instead, for each category of attack it is necessary to associate one or more hosts, either by name or IP address. Although this provides tremendous flexibility (for instance, the monitoring on heavily loaded segments can be split between several agents), it does sound like a horrendous task, but is simplified by the “Profiler”. This automated configuration tool scans the network for live systems and services running on them. It then guides the administrator through the process of defining which systems should be monitored and what attack signatures should be associated with which systems. Since changes in the network could cause such “fixed” configurations to become outdated, the Profiler can be scheduled to run at regular intervals to keep things up to date. Given that many networks are too heavily loaded for a traditional network-based IDS to keep up with all the traffic, this selective configuration is a good solution.

Other useful features of NetProwler include live session monitoring and file consistency checking. The former allows NetProwler to monitor and capture TCP/IP sessions such as FTP, telnet and HTTP as they occur in real time; full protocol decode is provided, and sessions can be captured to file for later review. File consistency checking compares Web and FTP server configuration files byte-by-byte with copies held on a mirrored site. DNS host name and router configuration files can also be monitored for unauthorised changes.
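
Both the host-based agents described in the introduction and NetProwler's file consistency checking come down to comparing what is on the host against a trusted reference. The Python below is an added illustration (not NetProwler code) of that check: a digest comparison per file, followed by the byte offset of the first difference for anything that changed, plus detection of missing and unexpected files. File names and contents are constructed for the example; in practice the mirror copy must live where an intruder on the monitored host cannot alter it, or the comparison proves nothing.

```python
import hashlib
from typing import Dict, List, Tuple

Finding = Tuple[str, str, int]   # (path, status, byte offset of first difference or -1)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte; the shorter length if one is a prefix of the other; -1 if identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n


def check_consistency(mirror: Dict[str, bytes], live: Dict[str, bytes]) -> List[Finding]:
    """Compare live configuration files against a trusted mirror copy.

    The mirror must be kept somewhere the attacker cannot reach (read-only media,
    an offline host); if both copies can be altered the comparison proves nothing.
    """
    findings: List[Finding] = []
    for path, trusted in mirror.items():
        if path not in live:
            findings.append((path, "missing", -1))
            continue
        current = live[path]
        # Cheap digest check first; the byte walk only runs when something changed.
        if digest(current) != digest(trusted):
            findings.append((path, "modified", first_difference(trusted, current)))
    for path in live:
        if path not in mirror:
            findings.append((path, "unexpected", -1))
    return findings


# Constructed sample files: the trusted mirror and what is currently on the server.
MIRROR = {
    "/etc/named.conf": b'options { directory "/var/named"; };\n',
    "/etc/httpd/httpd.conf": b"ServerRoot /usr/local/apache\nListen 80\n",
    "/etc/ftpaccess": b"class all real,guest,anonymous *\n",
}
LIVE = {
    "/etc/named.conf": MIRROR["/etc/named.conf"],
    # a line appended to the live copy, so the first difference is at the old end of file
    "/etc/httpd/httpd.conf": MIRROR["/etc/httpd/httpd.conf"] + b"Include /etc/httpd/extra.conf\n",
    "/etc/httpd/extra.conf": b"Alias /admin /var/tmp/www\n",
}


def demo() -> List[Finding]:
    return check_consistency(MIRROR, LIVE)


if __name__ == "__main__":
    for path, status, offset in demo():
        print(f"{status:<10} {path}" + (f" (first difference at byte {offset})" if offset >= 0 else ""))
```

The digest check is what makes a scheduled run across many files cheap; the byte offset is what an administrator wants when a file has changed, since it points straight at the edited region without opening both copies side by side.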

When attacks are spotted, NetProwler can be configured to respond by e-mailing or paging an administrator, dynamically reconfiguring a firewall, sending SNMP traps, capturing an attack session, resetting a TCP session, or spawning an external command. NetProwler can also be used to stop traffic on one or more TCP/IP-based applications on a monitored system. This can be used to restrict access to an internal server to certain times of the day or to certain workstations.

Once the engine is running, the Monitoring window provides constant real-time indication of attacks and alerts, and captured attack sessions can be replayed from here. As well as real-time alerts and statistics, NetProwler can generate three types of report – attack details, executive summary and cost analysis. The attack details report describes attacks that have taken place during a defined time period, whereas the executive summary compares the number of attacks at each priority level with the number you expected to see. If you can place a value on how much server down-time costs you, the cost analysis report will use this to estimate how much a specific attack could cost you.

Verdict

As with Intruder Alert, NetProwler takes a subtly different approach to other products of this ilk, and that makes it a little confusing at first sight. However, the architecture is extremely flexible and the product is very powerful.

Product : NetProwler Professional
Supplier : Axent Technologies
Telephone : 01372 729655

Intruder Alert

Intruder Alert is Axent’s host-based IDS which complements NetProwler. The two can be configured to integrate closely, though the fact that there is an entire manual dedicated to this indicates that it is not as straightforward as it could (or should) be.

This complexity is echoed in Intruder Alert itself. However, as with NetProwler, the complexity is a by-product of the considerable flexibility and scalability of the product.

The architectural components of Intruder Alert include ITA Admin (the management interface), ITA View (the alert viewer and reporting tool), Manager (collects events from Agents) and the Agent (actually monitors the host).

ITA Admin contains the master list of “Drop and Detect” and “Detect and Respond Template” policies. Drop and Detect policies are designed to work right out of the box with no further configuration. Detect and Respond Template policies require some configuration before they can be activated, and this is achieved via the split-pane view of ITA Admin.

ITA View is a separate utility that is used to view event data captured by Agents. Using ITA View it is possible to query the database and view selected events as they happen (or take historical snapshots of the data), use one of five pre-defined views, send internal commands to Agents, or generate and view Agent reports. The reports are more statistical in nature, however, lacking some of the detailed vulnerability data of the competition (though this gap is now plugged by NetProwler).

Finally, the Agent runs as a Unix daemon, Windows NT Service or NetWare NLM, capturing events from various system audit and security logs (or key NetWare events) depending on the platform.

Policies are defined within ITA Admin and applied to the Agents throughout the network. These policies are made up of a number of rules that detect and respond to events. In turn, each rule comprises three parts – a select clause (determining which events are to be included), an ignore clause (excluding certain events from that selection) and an action clause (performed when the select clause matches and the ignore clause does not). Any number of rules and clauses can be combined to make a policy, and rules can even be chained together, with subsequent rules depending on the output of preceding ones. This makes Intruder Alert one of the most flexible host-based IDS products we have seen to date.
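
The select/ignore/action structure and rule chaining translate directly into code. The Python below is an added example in the spirit of that design (not Intruder Alert's own rule language): a failed-logon rule ignores the management network and, on the third failure, raises a derived `brute_force` event; a second rule acts on that derived event and marks the account as suspect; a third rule fires only for a successful logon by an account an earlier rule has already flagged. The management network, the event fields and the sample audit events are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
MANAGEMENT_NET = ip_network("10.0.0.0/24")   # assumption: the administrators' workstations


class Rule:
    def __init__(self, name: str,
                 select: Callable[[Event, "Engine"], bool],
                 ignore: Callable[[Event, "Engine"], bool],
                 action: Callable[[Event, "Engine"], None]):
        self.name = name
        self.select = select      # which events the rule considers
        self.ignore = ignore      # exceptions carved out of the selection
        self.action = action      # what to do when select matches and ignore does not


class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.alerts: List[Tuple[str, str]] = []
        self.failures = defaultdict(int)    # (host, user) -> failed logon count
        self.suspects = set()               # (host, user) pairs flagged by an earlier rule
        self._queue: List[Event] = []

    def raise_event(self, ev: Event) -> None:
        # Derived events go to the front of the queue so the chained rule fires
        # before the next raw event is read.
        self._queue.insert(0, ev)

    def alert(self, severity: str, text: str) -> None:
        self.alerts.append((severity, text))

    def process(self, events: List[Event]) -> List[Tuple[str, str]]:
        self._queue.extend(events)
        while self._queue:
            ev = self._queue.pop(0)
            for r in self.rules:
                if r.select(ev, self) and not r.ignore(ev, self):
                    r.action(ev, self)
        return self.alerts


def count_failure(ev: Event, eng: Engine) -> None:
    key = (ev["host"], ev["user"])
    eng.failures[key] += 1
    if eng.failures[key] == 3:
        eng.raise_event({"type": "brute_force", "host": ev["host"],
                         "user": ev["user"], "src": ev["src"]})


def flag_suspect(ev: Event, eng: Engine) -> None:
    eng.suspects.add((ev["host"], ev["user"]))
    eng.alert("high", f"brute force against {ev['user']}@{ev['host']} from {ev['src']}")


RULES = [
    Rule("failed_logon",
         select=lambda e, g: e["type"] == "logon_failure",
         ignore=lambda e, g: ip_address(e["src"]) in MANAGEMENT_NET,
         action=count_failure),
    Rule("brute_force",
         select=lambda e, g: e["type"] == "brute_force",
         ignore=lambda e, g: False,
         action=flag_suspect),
    Rule("success_after_brute_force",
         select=lambda e, g: e["type"] == "logon_success" and (e["host"], e["user"]) in g.suspects,
         ignore=lambda e, g: False,
         action=lambda e, g: g.alert("critical",
                                     f"{e['user']}@{e['host']} logged on from {e['src']} after brute force")),
]

# Constructed audit-log events (not a real log).
EVENTS = [
    {"type": "logon_failure", "host": "srv1", "user": "administrator", "src": "192.0.2.10"},
    {"type": "logon_failure", "host": "srv1", "user": "administrator", "src": "10.0.0.5"},
    {"type": "logon_failure", "host": "srv1", "user": "administrator", "src": "192.0.2.10"},
    {"type": "logon_failure", "host": "srv1", "user": "administrator", "src": "192.0.2.10"},
    {"type": "logon_failure", "host": "srv1", "user": "administrator", "src": "192.0.2.10"},
    {"type": "logon_success", "host": "srv1", "user": "administrator", "src": "192.0.2.10"},
    {"type": "logon_success", "host": "srv1", "user": "bob", "src": "10.0.0.9"},
]


def demo():
    eng = Engine(RULES)
    return eng.process(EVENTS), eng


if __name__ == "__main__":
    alerts, _ = demo()
    for severity, text in alerts:
        print(f"{severity:<9} {text}")
```

The failure from 10.0.0.5 is selected but ignored, so only four count; the derived `brute_force` event is consumed by the second rule before the fifth raw event is read, which is why the later successful logon by the same account is already treated as critical rather than routine. The ordinary success by `bob` triggers nothing.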

A number of default policies are created during installation depending on the platform, and these provide a good point for administrators to start to develop a more company-specific policy.

Verdict

Despite being initially very complex and daunting, Intruder Alert will prove to be extremely flexible and powerful once you get used to it.

Product : Intruder Alert 3.01
Supplier : Axent Technologies
Telephone : 01372 729655

CyberCop Scanner

As the name suggests, CyberCop Scanner is a vulnerability scanner along the lines of the ISS Internet Scanner product. Until recently there have been some significant differences between the two products, but these seem to be disappearing in the latest releases we have here.

For instance, in the past CyberCop has always been much easier to handle than Internet Scanner (IS), with a much nicer interface and less configuration to get in the way. This made it very easy for the novice to run, but provided little in the way of “tweaking” for those who know what they are doing. IS, on the other hand, had a relatively poor interface, largely because it provided many more configuration options. With the latest releases, CyberCop has inherited a more detailed configuration window (which would normally remain hidden) whilst IS has acquired a much more user-friendly front end.

The UI has changed somewhat in this release of CyberCop Scanner, though it retains its ease of use. There are now only two tabs to worry about – Scan Progress and Current Configuration. All of the configuration options are now hidden behind three menu options: Scan, Module and Application Configuration. “Scan” allows a number of global parameters to be set, as well as some module-specific ones. For instance, here you can specify which ports should be included in the port scan, and tell CyberCop your preferred NT Account, Audit, Legal and Browser Zone policies, which will be compared against each NT host scanned.

“Module Configuration” allows you to determine which attack signatures will be employed during the scan. These are grouped together and individual attacks or entire groups can be selected via a single check box against an attack or group heading. Selecting an individual attack brings up a detailed description of the vulnerability and suggested fixes, and complex configurations can be saved as Template files to be used repeatedly.

Once configuration is complete, all module settings and variables can be confirmed in the Current Configuration tab, though there does not appear to be any way of printing this out for reference, which is a shame. During a scan, progress is monitored in the Scan Progress window, though there is no real-time indication of vulnerabilities found in the scanned hosts. In fact, this is one area where the current version suffers in comparison to the previous one. Now, you are forced to run one of the many excellent reports to determine which vulnerabilities were found. In previous versions, however, there was an on-screen “quick report” that was very useful as a rapid indication of problems found without having to wade through the reports. I am missing this feature already.

A network map window provides a graphical view of the network as determined during the scan, which serves no purpose as far as I can see, but there are a couple of other features which do set CyberCop apart from the competition. The first is the hostile DNS server, which allows you to audit a DNS server for cache corruption attacks. There is also a set of tests specifically designed to exercise intrusion detection software. The final feature worthy of note is the Custom Attack Scripting Language (CASL), which allows you to construct your own TCP/IP packets and attacks, and this has been further improved in the latest release.

Verdict

I would like to see the “quick report” feature reinstated, but apart from that the latest release shows some minor, but nice, improvements over the previous one. The excellent user interface, detailed reports, open licensing model and additional features such as the hostile DNS server and custom scripting language still make CyberCop Scanner the one to beat.

Product : CyberCop Scanner 5.5
Supplier : Axial Systems Ltd.
Telephone : 01628 418000

CyberCop Monitor

CyberCop Monitor is part of the CyberCop Intrusion Detection Suite, along with CyberCop Scanner and CyberCop Sting. CM is a host-based IDS, but is not restricted to examining log files on the host. Instead, it offers all the usual capabilities of a network-based system, but restricts its packet sniffing to the host on which it is installed. Whilst this makes it more difficult to deploy than a true network-based system such as RealSecure, it is more useful when deployed on switched networks or very heavily loaded subnets where a traditional network-based IDS would struggle to examine all the packets.

As with other NAI products (such as Gauntlet) Monitor is managed by a Microsoft Management Console (MMC) snap-in called the Security Management Interface (SMI). This provides a consistent look and feel across all the NAI products, as well as a central means of deploying and managing the Monitor agents across the network. It does, however, have its drawbacks - at least I assume that the reason there is no real-time alert monitoring capability is something to do with the MMC architecture, because otherwise NAI has simply messed up.

The problem is that the only means of providing notification of attacks is via e-mail, logging to database or network messaging (i.e. a pop-up window). Clearly the logging and e-mail capabilities are useful, but network messaging is not the best way to provide on-screen notification of alerts. Take a look at RealSecure, with its excellent monitoring window where attacks are displayed in real time as they occur. The administrator can select individual attacks and view details, and this screen provides instant feedback of the number and type of attacks that have been detected. All you get in CM is a small flag against the database to show that there are new entries, and it is necessary to run reports to view the attacks. Also, where are the options to reset a connection, capture a session or generate SNMP traps? This whole area requires improvement.

On the plus side, defining security policies is very straightforward. Once an agent has been deployed to a target host, it will automatically perform a quick inventory of hardware, memory, network and environment variables which is reported back to the SMI, following which it is ready to have a policy applied. A number of default policies are provided, and these can be amended to suit. Groups of users, hosts, subnets, time periods, TCP/UDP ports, files and registry entries can be created to make policy definition more streamlined. Following that, individual attacks can be selected and applied to one or more of these groups to build a policy. Policy entries can be quickly and easily modified, deleted, cloned or switched on and off.

Once the policy has been applied, matched attack signatures trigger one of the three alerting options already mentioned, the most common action being to log the event for analysis. Having criticised the real-time element of Monitor’s alerting, the reporting is truly excellent. A number of pre-defined reports are available, and these can be customised to quite a high degree. The information contained in each report is extremely detailed, and graphical summary reports are also available.

Verdict

We liked CyberCop Monitor and found the host-based approach to packet-sniffing to be more useful in today’s environments of heavily loaded subnets and switched networks. However, the real-time alert viewing lets it down badly.

Product : CyberCop Monitor
Supplier : Axial Systems Ltd.
Telephone : 01628 418000

CyberCop Sting

CyberCop Sting simulates a network of routers and workstations using a single PC, and then monitors all activity sent to its virtual hosts, acting as a decoy to lure potential attackers while tracking the origin of suspicious interest in your network. While watching all traffic destined to hosts in its “virtual network”, Sting performs IP fragmentation reassembly and TCP stream reassembly on the packets destined to these hosts, convincing snoopers of the legitimacy of the secret network they have discovered.

Sting can emulate Cisco routers, Solaris servers and NT servers, each of which appears to offer typical services such as FTP and telnet. For Cisco routers, services include chargen, daytime, discard, echo, finger and telnet. Solaris services include finger, telnet, Sendmail, FTP and SNMP, and fake password files can be created for some of these services to entice the would-be hacker. NT services are limited to FTP only at present; however, there is a way of extending any of these by including a real host in the decoy network – called a redirect host. In this way, for instance, you could place a sacrificial NT box running the IIS Web server on the same network as Sting and have it included in the Sting virtual network. All access to the IIS server is controlled via Sting, and the IP address presented to the hacker is the one specified in the Sting configuration files, but the “real” Web pages are served by the IIS server itself.
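
To show what a decoy host actually has to do, the following Python is an added example (not CyberCop Sting code) of the service side of a honeypot: chargen, daytime, echo, discard, finger against a fake user list, and a telnet login prompt that never succeeds but records every credential offered. It works on already-extracted request bytes and leaves out both the listening sockets and the IP fragment and TCP stream reassembly that Sting performs, so that it runs stand-alone; the hostname, device type and fake accounts are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Attempt:
    service: str
    src: str
    detail: str


class DecoyHost:
    """Emulates the small network services of one decoy host and logs every touch.

    The hostname, device type and fake account list are inventions for this example.
    """
    PRINTABLE = bytes(range(32, 127))        # chargen pattern per RFC 864

    def __init__(self, hostname: str, device: str, fake_users: Dict[str, str]):
        self.hostname = hostname
        self.device = device                  # "cisco", "solaris" or "nt"; shapes the banners
        self.fake_users = fake_users          # decoy password-file entries: login -> full name
        self.log: List[Attempt] = []
        self.telnet_sessions: Dict[str, dict] = {}
        self.chargen_line = 0

    def handle(self, service: str, src: str, data: bytes, now: datetime) -> bytes:
        # Every request is evidence of interest in a host that should receive none.
        self.log.append(Attempt(service, src, data.decode("latin-1").strip()))
        if service == "echo":
            return data
        if service == "discard":
            return b""
        if service == "daytime":
            return now.strftime("%A, %B %d, %Y %H:%M:%S-UTC").encode() + b"\r\n"
        if service == "chargen":
            i = self.chargen_line % len(self.PRINTABLE)
            self.chargen_line += 1
            rotated = self.PRINTABLE[i:] + self.PRINTABLE[:i]
            return rotated[:72] + b"\r\n"
        if service == "finger":
            return self._finger(data)
        if service == "telnet":
            return self._telnet(src, data)
        return b""

    def _finger(self, data: bytes) -> bytes:
        query = data.decode("latin-1").strip()
        users = self.fake_users if not query else {u: n for u, n in self.fake_users.items() if u == query}
        if not users:
            return b"finger: " + query.encode("latin-1") + b": no such user.\r\n"
        lines = [f"{u:<10}{n:<24}pts/0".encode() for u, n in users.items()]
        return b"Login     Name                    Tty\r\n" + b"\r\n".join(lines) + b"\r\n"

    def _telnet(self, src: str, data: bytes) -> bytes:
        sess = self.telnet_sessions.setdefault(src, {"stage": "banner", "user": ""})
        text = data.decode("latin-1").strip()
        if sess["stage"] == "banner":
            sess["stage"] = "user"
            return f"\r\n{self.hostname} ({self.device}) login: ".encode()
        if sess["stage"] == "user":
            sess["user"] = text
            sess["stage"] = "password"
            return b"Password: "
        # A password was offered: that pair is the evidence worth keeping.
        self.log.append(Attempt("telnet-credential", src, f"{sess['user']}:{text}"))
        sess["stage"] = "user"
        return f"Login incorrect\r\n\r\n{self.hostname} ({self.device}) login: ".encode()


def demo():
    host = DecoyHost("fw-core", "cisco", {"admin": "Router Admin", "oracle": "Oracle DBA"})
    now = datetime(2000, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    src = "192.0.2.10"
    exchange = [
        host.handle("finger", src, b"\r\n", now),          # enumerate the fake users
        host.handle("telnet", src, b"", now),              # connect: banner and login prompt
        host.handle("telnet", src, b"admin\r\n", now),     # offer a username
        host.handle("telnet", src, b"cisco\r\n", now),     # offer a password: recorded, rejected
        host.handle("chargen", src, b"", now),
        host.handle("chargen", src, b"", now),
    ]
    return host, exchange


if __name__ == "__main__":
    host, _ = demo()
    for a in host.log:
        print(f"{a.service:<18} {a.src:<14} {a.detail}")
```

The point of the finger listing is the same as Sting's fake password files: it hands the intruder account names to try, and the telnet decoy then records each guess against them. Nothing here should ever be reachable by a legitimate user, so the log is by construction a list of reconnaissance and attack attempts.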

Any attempted access to the decoy network is logged in full in the Sting log files, which are rotated daily. These files provide the security administrator with the means to examine any potential attacks or “reconnaissance missions”.

All configuration is via a couple of text files and a directory structure designed to mimic the structure of the decoy network. Each decoy host is represented by a number of entries in the STING.CF file which specify the host name, IP address of the network interfaces (multiple interfaces can be created for each decoy server, and multiple IP addresses can be specified for each interface), the default route (which can be the “core” Cisco router – the entry point to the decoy network – or any number of other fake Cisco routers created as part of the hierarchy), and the device type (Solaris, Cisco or NT). Creating this configuration file is the trickiest part of the operation, and there is little help offered by Sting should you get anything wrong in there. Some sort of graphical utility would be very welcome.

The “honeypot” idea is not particularly new, but commercial implementations are. As first versions go, this is not a bad attempt.

Verdict

Whilst not particularly intuitive to configure, Sting is a good way to create your own “decoy” network, with a single PC emulating hundreds of Solaris boxes, NT servers and Cisco routers.

Product : CyberCop Sting 1.0
Supplier : Axial Systems Ltd.
Telephone : 01628 418000

ICEpac

ICEpac is a suite of products from Network Ice designed to provide network-wide IDS capabilities for the corporate environment.

BlackICE Agent is a host-based packet-sniffing engine that acts as a personal firewall and IDS tool for the PC on which it is installed. Configuration is minimal, with just four settings available: Paranoid, Nervous, Cautious and Trusting. There is no means to determine exactly what each of the settings means and no means to otherwise affect the security policy.

Providing a constant watch on all inbound and outbound network or Internet traffic, BlackICE will detect any suspicious activity as it occurs and immediately begin monitoring the intruder's activities. If the activity looks potentially damaging, BlackICE initiates a "back trace" designed to identify who the intruder is. BlackICE will determine if the suspicious activity has the potential to damage or access information on the host system, and will immediately block all access to the host from the hacker's system (IP addresses can be blocked manually too).

A useful monitoring window displays all suspected attacks as they occur showing time, attack name and description, classification (critical or suspicious), and the intruder’s address. A separate intruder window displays more detailed information about each suspected hacker if the back trace was successful, and the history window provides graphical displays of network traffic and hacking attempts.

Each BlackICE Agent works in conjunction with other Agents and the ICEcap central monitoring and reporting tool to provide network-wide IDS capabilities. Once an attack has been detected on one host, ICEcap sounds the alarm to all Agents in its management database. A hacker is denied access to every machine where BlackICE is installed before they have a chance to breach another system. ICEcap ships with Microsoft Access but can be configured to use Microsoft SQL Server 6.5 or 7.0 for database storage. The ICEcap database schema is also available for developers who wish to design their own applications or reports to work off the ICEcap database. ICEcap makes use of a browser interface so it can be accessed remotely from anywhere on the Internet, as long as the user has the proper security credentials. ICEcap also has several different alerting options, including pager and email alerts.

Network-based IDS monitoring is provided by BlackICE Sentry, which provides protection for an entire subnet rather than an individual host. Network Ice claims that Sentry is capable of full analysis of a 100 per cent load of 64 byte TCP/IP packets on a 100Mbps Ethernet segment.

The final component is InstallPac, a set of three utilities used to automatically install, update, or remove BlackICE Agents from end systems. These utilities can be used to easily install or update BlackICE on a single system, a Microsoft Workgroup, an NT Domain, or on a range of IP addresses.

All BlackICE Agents and BlackICE Sentry probes can be configured to be controlled by a single ICEcap console, and ICEcap can install and update BlackICE Agents and BlackICE Sentry probes automatically and transparently via the InstallPac utilities.

Verdict

ICEpac is very easy to install and configure and works well as both a host-based IDS and “personal firewall”. The provision of a network-based module too makes it very flexible, though we found the lack of ability to custom configure IDS policies to be somewhat limiting.

Product : ICEpac 2.0.13
Supplier : Network Ice
Telephone : +1 650-341-6886

SPECTER Intrusion Detection System

SPECTER is a completely different product from most of those reviewed here. Of all of them, it probably has more in common with CyberCop Sting than anything, since it appears to act more as a “honeypot” than a traditional IDS.

Designed to run on “older” or “obsolete” equipment (a Pentium 90 with 32MB of RAM is the minimum footprint), Specter puts the host network card into promiscuous mode and sniffs all packets on the wire. Rather than collect packet streams and compare them against a database of signatures, however, Specter is designed to emulate a number of common operating systems and services, making a would-be hacker think he is attacking a real system. Instead, SPECTER logs the attempt, and can even launch a Finger or Port Scan back at the hacker to glean as much information as possible.

SPECTER consists of two parts: the Engine and the Control. The Engine performs the packet sniffing duties and handles the network connections, whilst the Control provides a simple GUI front-end for configuration. All configuration is performed from a single screen (you could not get much more simple than this) and every option has a Help button associated with it – this is just as well, since we did not see any documentation, either printed or on-line.

The SPECTER system can simulate one of nine different operating systems (Windows NT, Windows 95 / 98, MacOS, Linux, SunOS / Solaris, Digital Unix, NeXTStep, Irix, and Unisys Unix). We are not sure to what extent this simulation is carried out – for instance, the host OS always appeared as Windows NT to our scans, although the types of vulnerabilities found did vary depending on which OS we were emulating. Fake password files can be provided by SPECTER to the attacking host, the format also depending on which OS is being emulated.

The character of the simulated host can also be chosen from five different settings – open (badly configured), secure, failing (a machine with hardware and software problems), strange (unpredictable) and aggressive (collects information from the hacker and then announces itself). If you really want to lure a hacker, we would suggest that Open would be the most appropriate setting.

The SPECTER system can simulate five different network services (SMTP, FTP, Telnet, Finger and NetBus) and seven traps (connections to specific ports, such as DNS, HTTP, Sun-RPC, POP3, IMAP4, and Back Orifice). All connections are logged with the IP of the remote host, exact time, type of service and state of the Engine at the time of connection. There is also one Generic user-defined trap, where the administrator can specify the port to be monitored. We would like to see this extended to provide several user-defined ports.

A small real-time status window on the Control GUI provides brief details of alerts as they occur, and more detailed information can be e-mailed to the administrator or logged to disk. When SPECTER notices a suspicious connection, it can be configured to perform a Finger and/or a port scan back at the attacking host, and this information can also be logged. Unfortunately, every alert is stored in its own log file, making information-gathering after the fact cumbersome – some form of reporting tool is desperately needed.
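The decoy behaviour described for Sting and SPECTER above (a fake service banner chosen by the emulated device type, every connection logged with remote address, exact time and service, and a device type that only answers on the services it is supposed to offer) can be sketched as a minimal low-interaction decoy. This is an added example, not code from either product; the banner strings, the `decoy_response`, `start_decoy` and `probe_decoy` functions and the device/service table are all constructed for illustration.

```python
import datetime as dt
import socket
import threading
import time

# Constructed banner table keyed by decoy device type and service. The strings
# are illustrative approximations, not fingerprints taken from Sting or SPECTER.
BANNERS = {
    "solaris": {"ftp": "220 decoy1 FTP server (SunOS 5.6) ready.\r\n",
                "telnet": "\r\nSunOS 5.6\r\n\r\nlogin: "},
    "cisco": {"telnet": "\r\nUser Access Verification\r\n\r\nPassword: "},
    "nt": {"ftp": "220 decoy2 Microsoft FTP Service (Version 4.0).\r\n"},
}


def decoy_response(device_type, service):
    """Banner this decoy type sends for this service, None if not offered."""
    return BANNERS.get(device_type, {}).get(service)


def log_record(peer_ip, peer_port, service, device_type, first_bytes, when):
    """One structured entry per connection: remote address, exact time, service,
    which decoy answered and (escaped, never executed) what the peer sent.
    Appending these to one daily file avoids a file per alert, as in SPECTER."""
    return {"time": when.isoformat(), "peer": peer_ip, "peer_port": peer_port,
            "service": service, "decoy": device_type,
            "input": first_bytes.decode("ascii", "backslashreplace")[:200]}


def serve_one(conn, service, device_type, sink):
    """Send the fake banner, capture the first bytes sent, record, close."""
    peer_ip, peer_port = conn.getpeername()[:2]
    try:
        conn.settimeout(5)
        conn.sendall(decoy_response(device_type, service).encode())
        try:
            data = conn.recv(512)
        except socket.timeout:
            data = b""
        sink.append(log_record(peer_ip, peer_port, service, device_type, data,
                               dt.datetime.now(dt.timezone.utc)))
    finally:
        conn.close()


def start_decoy(host, port, service, device_type, sink):
    """Listen in a daemon thread; return the bound port (0 picks a free one).
    Refuses services the emulated device type does not offer, so an NT decoy
    never answers on telnet (the review notes NT decoys are FTP only)."""
    if decoy_response(device_type, service) is None:
        raise ValueError(f"{device_type} decoy does not offer {service}")
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=serve_one, daemon=True,
                             args=(conn, service, device_type, sink)).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def probe_decoy(port, payload, sink):
    """Connect to a local decoy as a client would and return (banner, record),
    to confirm it answers and logs before it is exposed."""
    seen = len(sink)
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.settimeout(2)
        banner = s.recv(512).decode()
        s.sendall(payload)
    for _ in range(50):  # wait for the server thread to record the event
        if len(sink) > seen:
            return banner, sink[-1]
        time.sleep(0.1)
    raise RuntimeError("decoy did not log the connection")


if __name__ == "__main__":
    events = []
    p = start_decoy("127.0.0.1", 0, "ftp", "nt", events)
    print("NT FTP decoy on 127.0.0.1:%d" % p)
    print(probe_decoy(p, b"USER anonymous\r\n", events))
```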

Verdict

Specter is unlike most of the other IDS systems on test here, since it is designed more as a “honeypot” than a true IDS system. As such, it will quite happily complement any of the more traditional IDS implementations, providing a means of creating an illusion of network resources to lure the would-be hacker, whilst reporting as best it can on the hacker's movements and identity. Well worth a look.

Product : Specter Intrusion Detection System 4.01
Supplier : NETSEC (Switzerland)
Telephone : +41 31 376 0534

HackerShield

If anyone should know about security auditing it is BindView, having produced a very successful line of NetWare and NT auditing tools over the years. It is only natural, therefore, that they should venture into the vulnerability scanning market place.

HackerShield presents you with an Outlook-style three-pane interface. The icons in the left-hand pane provide access to Reports, Targets, Jobs and Archive. On the right is a network map and a list of target hosts. HackerShield will automatically scan the local subnet to populate the network map, but other subnets can be entered too. Hosts or networks can then be dragged from the map pane to the target pane ready for scanning.

Right-clicking on a host or group of hosts provides the scanning menu. A number of pre-defined policies are available, or a new one can be created on the fly. Creating a new policy is simply a matter of selecting vulnerability groups or individual attacks from a checklist, but there is no scope for altering the behaviour of any of these. Whilst this does make the product very easy to run by almost anyone – no hacking knowledge required – it does limit the flexibility somewhat. Scans can be run immediately or saved as jobs for scheduling at off-peak times or for repeated running. A RapidFire Update option provides regular updates to the vulnerability database, and these can be applied automatically via a scheduled process.

Whilst the scan is running, there is a real-time display of its progress. Once it has finished, the report can be accessed from the Reports icon in the left-hand pane. Reports are excellent, provided in HTML format and can be viewed directly from the console. Selecting a job from the job list brings up the appropriate report with a superb navigation frame to the left, which allows you to view individual sections of the report at the click of a button. All the detected vulnerabilities are displayed with full explanations, and fixes can be applied automatically where applicable. Older reports can be moved to the Archive section once they are no longer needed.

All in all, HackerShield is extremely easy to use, but we found that it did not trigger anything like the number of alerts on RealSecure and BlackICE that the other major scanners – CyberCop and ISS – did. This is probably down to the fact that HackerShield does not seem to use a raw packet driver to generate its attacks, relying instead on a number of NT services.

Verdict

Nice looking product, easy to use, excellent reports, but with some shortcomings compared to the competition.

Product : HackerShield 2.0
Supplier : BindView Inc
Telephone : (800) 749-8439

Kane Security Analyst

More of an auditing tool than a true IDS, KSA is designed to analyse an NT domain for potential security problems.

Security policies are defined in terms of NT policy, covering such areas as account restrictions, password strength (including password cracking tests), access control, system monitoring, data integrity, and data confidentiality. Within each of these sections, further criteria can be specified. For instance, in the password strength section, you can specify minimum password length, expiration periods, history counts, and so on. Administrators can use the built-in “best practices” policy or define their own.

Once the corporate security policy has been defined (any number of these can be created, perhaps one for each department rather than a single, corporate-wide one), a scan is run against the entire domain or individual hosts. It is also possible to perform inter-domain scans from a single, central console, an extremely useful feature. Jobs can be run on demand or scheduled for off-peak or regular runs. Run options include password cracking, where checks are run against user passwords for common mistakes such as using the user name (forwards or backwards) or using common words (as defined in the “crackers dictionary”).

On completion of the scan we get a “report card” which summarises strengths and weaknesses by giving a percentage score against each of the categories in the security standard. From here, we are also given the opportunity to view the top 10 security risks. The next step is to survey the risk analysis. This allows us to drill down into the summary figures and examine individual user accounts for problems. The final option - review compliance history - provides a trend table showing the scans run and the results in summary form over a period of time, allowing comparisons between domains, servers and workstations, as well as different assessments of the same environments over time.

Other options available from the main screen include account policy analysis, report manager, event log analysis, C2 security summary, file rights, and registry rights. Each of these provides a summary screen which can be used to drill down into the scan databases.

The Reports option provides a number of standard reports such as a management summary, account restrictions, compliance with security policies, and so on. The output from these is clear and easy to read, though there is no way to filter or customise the content.

Verdict

Clearly aimed more at NT system auditing than true intrusion detection. Useful if you have a number of NT boxes, but not a direct competitor to the likes of Internet Scanner and CyberCop Monitor.

Product : Kane Security Analyst for NT 4.6
Supplier : ODS Networks Ltd.
Telephone : 01252 812030

Sybergen Secure Desktop

Sybergen Secure Desktop provides basic IDS capabilities plus a personal firewall rolled into a single package. It is thus ideal as a secondary level of defence for users behind a corporate firewall or IDS system, as well as providing protection for mobile users when they venture out from behind the company firewall.

In addition to blocking ports and periodically self-scanning for vulnerable spots, Sybergen also monitors open ports, closing and opening them whenever access is required and automatically closing them if no ending packet is received within a certain period of time. It also analyses the network traffic and compares it against a database of attack signatures, alerting users to potential problems. If suspicious activity is noted, Sybergen will close the offending connection automatically as well as logging the attempt. When used in conjunction with Sybergen Management Server, the system administrator can view the individual user logs.

Unfortunately, the user interface is a little tacky, looking more like something out of a computer game than a serious security tool. It also requires at least 65000 colours to be set on your monitor otherwise it is virtually unreadable (and thus unusable). No serious tool of this nature should depend so heavily on the host’s graphical capabilities.

The main control on the interface is the Security Level, which can be set from Off (no protection), to Ultra (nothing at all gets through). In-between are Low (accepts inbound requests), Medium (allows any local applications to communicate with the Internet) and High (only allow certain protocols). This provides a rapid means of setting the appropriate level of security required.

If more control is required over the firewall settings then the Configure button provides access to this. Here the user can specify trusted applications and IP addresses, as well as adding or removing access to specific protocols, ports and ICMP capabilities. All changes made in this section are tied to the particular Security Level currently in force. Thus, a user may wish to use the High setting, but allow a couple of extra ports through. Once the ports are added, they will be enabled every time the user selects “High”. Unfortunately, we could see no means of similarly controlling the IDS policy in Sybergen. In a corporate environment, it is possible for a system administrator to control these settings from a central location if required.

The final buttons on the front panel provide access to the log file and a neat Test facility, which contacts the Sybergen site over the Internet and runs a port scan against the user’s machine. This is handy if you do not have access to high-end scanners such as CyberCop or ISS.

Verdict

Ideal as a secondary defence behind a corporate firewall or for mobile users who do not have the benefit of firewall protection.

Product : Sybergen Secure Desktop 2.0
Supplier : Sybergen Networks Inc.
Telephone : +1 510 651 1889

Sniffer Pro

Whilst not exactly an IDS, Sniffer employs many of the basic techniques of the network-based IDS given that it is based upon an advanced packet sniffing engine. Instead of comparing packet contents with a database of attack signatures, however, Sniffer provides an excellent decode capability allowing the network administrator to examine network packets in detail for himself.

At the highest level, Sniffer provides some very simple monitoring screens. The dashboard display is the typical network monitor display, showing three car dashboard-style dials illustrating packets per second, network utilisation and errors per second. It is also possible to define alerts that will be triggered should network utilisation jump above a certain percentage, or if the errors per second figure gets too high for comfort. Other useful monitoring displays include the hosts table, which shows packet stats per host, and the matrix display, which shows conversations by MAC address or IP address. Despite the inclusion of a number of historical sample-gathering routines, Sniffer does fall short of some of the major competition (such as CNA Pro) in the area of monitoring statistics.

Where it is very strong, however, is in packet decode. The packet capture window can be fired up from the toolbar, and it can capture all packets on the wire or only certain ones depending on the currently-active user-defined filters. It is also possible to select a conversation (or single host) from the matrix window and have only the packets for that conversation (or host) captured, with the appropriate filters being defined automatically.

Once the capture session is closed the packets are decoded, an area where Sniffer shines. The decodes are extremely informative, accurate and easy to read, and the captured buffer can be replayed across the network via the Packet Generator. The latest release sees a whole new set of decodes, including VPN traffic (though contents are not decrypted obviously), and a new packet sequencing and reassembly module. Also included is the new Sniffer Predictor, an automated network planning tool that predicts the impact of network changes before they are implemented based on packet traces, and ATMBook support to provide advanced monitoring, 7-layer decodes and real time analysis at ATM OC-12 speeds.

Verdict

All in all, Sniffer is a valuable tool for the network administrator, providing a range of useful monitoring and analysis capabilities in a single, easy-to-use package.

Product : Sniffer Pro 3.5
Supplier : Axial Systems Ltd.
Telephone : 01628 418000

Chevin CNApro Analyser

As with Sniffer Pro, CNApro is not an IDS, but a network monitoring and analysis tool.

One of the first things you notice with CNApro is the lack of any obvious monitoring screen when you first fire it up. Instead it looks more like a general network management console, as it goes out on the network to auto-discover all the nodes it can find. Once they are on screen, it is possible to move them around to create a representation of your physical network layout, and even overlay maps and office floor plans.

With each of the on-screen icons, CNApro uses colour coding to visually identify problems on the network. The software also provides automatic diagnosis of problem nodes, identifying exactly where the problem lies, and responds with alarms (visual and audible) based on pre-set, adjustable threshold levels being exceeded, again in the style of a typical SNMP management system.

One of the areas the Chevin software really scores over the competition is the ability to monitor multi-segment networks using remote software “PODs”, all reporting back to a central console. These communicate using a highly efficient proprietary protocol providing much greater scalability than RMON-based solutions, though full RMON support is also included for those daft enough to want to use it.

As well as catering for the large scale WAN overview, the Chevin software also lets you focus down to a single node. For example, you can take a node "snapshot" at the click of a mouse, or you can monitor a "conversation" between any two or more nodes.

Packet capture can be initiated at any time, with full automatic decode. The decode window shows the different OSI layers of the packet, each of which can be switched off or on, and both packet capture and decode options have extensive filter options. Unfortunately, the packet decode facility is the one area of CNApro that requires some work, being basic to say the least. However, this is probably a facility that is used more in the lab than on a real life network.

Any number of nodes can be made into a "group" and monitored independently of the rest of the network. Excellent use is made of multiple windows, so you can get a lot of information on-screen whilst keeping it easy to read. Any element of the network being monitored can be highlighted and viewed in great detail. For example, for each specific protocol active on the network, windows showing both numerical and graphical detailed breakdowns are available.

A wide range of real-time traffic statistics can be brought up on-screen at any time while the network is being monitored. These include statistics boxes showing real time graphical displays of network loading, together with numerical data on the packets and bytes being transmitted. The number of active nodes, protocols in use and traffic peaks are also displayed. One very useful feature is a display of the top ten busiest nodes, along with their names and addresses, the percentage use of each node, and their error statistics – again in both numerical and graphical form.

Chevin has made tremendous efforts to produce hard-copy output which is genuinely readable, and complete network health-checks can be output and formatted automatically into a Word document – ideal for consultancy operations.

Verdict

Extremely versatile and very easy to use once set-up, with flexible views of the wealth of statistics it provides. It scales extremely well and is at its most competitive when used on larger multi-segment networks.

Product : CNApro 6.0
Supplier : Chevin Software Engineering
Telephone : 01943 465378

SUMMARY

Since much of this review is comparing oranges to apples, we have decided to award three Best Buy categories.

As far as vulnerability scanners are concerned, we found that both ISS and NAI had improved their offerings in some areas and let new weaknesses creep in. We still like the ease of use factor of CyberCop Scanner (despite the loss of the Quick View Results option, which we hope will be reinstated), and that - coupled with the IDS testing, poison DNS server and CASL scripting - earns it a Best Buy. ISS Internet Scanner also fared well in our tests and has received a much needed improvement to its user interface and architecture (although it is now slow to start and run the policy editor). Internet Scanner too, therefore, deserves a Best Buy.

We also have to split out the network monitor/analyser products, since these are not true IDS. Here, the choice was difficult, since Sniffer Pro has a more attractive user interface and is easier to use in many respects, whilst CNApro provides a much more extensive array of monitoring and reporting options, and is more scalable thanks to its distributed POD approach using a highly efficient proprietary protocol (as well as RMON if you really want). For this reason, we thought that CNApro just edged the Best Buy, with Sniffer Pro earning a Recommended.

We would class all the rest of the products here as true IDS – whether host or network-based – and the choice was quite difficult given that they all have something positive to offer. We particularly liked NetProwler for its flexible architecture and Cisco Secure IDS, although the latter could be considered a little expensive. Both of these deserve a Recommended award. We are also going to give Specter a Recommended too, since it is a quirky product that combines limited IDS with a honeypot, and we quite liked it.

However, our overall favourite IDS once again has to be Real Secure from ISS, which combines an efficient monitoring engine with a very usable management interface and easily-configurable security policies. It spotted all the attacks we threw at it and provides a range of actions and reporting options. For all these reasons and more, Real Secure gets this year’s Best Buy award.

How We Tested

Our test network consists of two subnets separated by a router, each subnet sporting multiple clients, servers and “hackers”.

The vulnerability scanners were installed and configured to run their heaviest scans (including DoS attacks) against machines on the far side of the router. On the target subnet we installed RealSecure and Cisco Secure IDS to monitor the network for attacks to ensure that the vulnerability scanners were operating correctly.

To test the IDS systems, we installed them on various hosts on the target network. We then used ISS Internet Scanner and NAI CyberCop Scanner (as well as some custom-designed tools) to launch attacks against them. We also ran Chevin CNApro to ensure that the IDS systems did not miss any packets.

We assessed all products on ease of installation, ease of use, flexibility of management and reporting options (and alerting options in the case of IDS), ease of defining security policies and the range of attacks covered.


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.