Intrusion Detection
Introduction

Whenever a company connects its network to the Internet, it opens up a whole can of worms regarding security. As the network grows, it will play host to numerous bugs and security loopholes of which you have never heard, but you can bet intruders have. Many organisations are recognising the value of a good security policy to define what is and is not allowed in terms of network and Internet access. They then deploy a number of tools to enforce that security policy, usually in the form of a firewall or two.

Firewalls may be billed as commodity items, but the "shrink wrap" element certainly doesn't extend to their configuration. A detailed knowledge of what a hacker can do, and of what should and shouldn't be allowed through the firewall, is required before embarking on the configuration adventure, and a slip of the mouse is all it takes to open up a hole big enough for your average hacker to drive the proverbial bus through. The problem is that a badly configured firewall can be worse than no firewall at all, since it will engender a false sense of security.

To protect an organisation completely, therefore, it is necessary to audit the network on a regular basis, and in order to achieve this a whole new category of software has emerged in the last couple of years: Intrusion Detection Systems (IDS). Within the IDS market place are three broad categories of product: network-based intrusion detection, host-based intrusion detection, and vulnerability scanners.
Taking an analogy from physical security for a moment: if you think of your firewall as the door and window locks of your home and business, then Intrusion Detection Systems are the burglar alarm. It's nice to feel secure, but someone can always throw a brick through your back window and get in that way, or perhaps you forget to lock your door one day. You don't want your first knowledge of the resulting break-in to be when you return home to the ransacked contents. A burglar alarm alerts you or your neighbours to the break-in immediately, and provides an additional deterrent to the would-be thieves. The final part of the analogy is the vulnerability scanner, which is the equivalent of your local crime prevention officer, testing your security and advising you of any potential weaknesses.

For those of you with a reasonable security budget, we would recommend purchasing a firewall and at least one product from each of the above categories. The firewall guards your perimeter, whilst the IDS monitors what is happening on your network, guarding against slip-ups by the firewall as well as internal mischief-makers. Both host-based and network-based IDS are worth investing in, since they each have their own strengths. If you can only afford one type, however, we would consider the network-based products to be marginally more effective, since they are better at warning of an attack that is in progress or just beginning, whereas host-based IDS will usually respond to changes in, or attacks on, the host which have already occurred. Finally, you can use the vulnerability scanner to continually test your defences and update your security policies accordingly. Only by continual vigilance and refinement will you stay one step ahead of the hackers.

PRODUCT REVIEWS

ISS Internet Scanner

Internet Scanner is part of Internet Security Systems' SAFEsuite portfolio, an integrated line of network security assessment and monitoring solutions.
The basic aim of Internet Scanner is to scan an entire network or individual hosts in order to verify and report on both network and system security issues. Internet Scanner has a number of different scan categories, including network services, Web servers, firewalls and routers, firewall-specific brute force options, firewall denial of service tests, Windows NT configurations and UNIX configurations. The idea is to define your security policy in terms of what sort of attacks you want to run against your network. This is the trickiest part of using the scanner, since you need to know quite a bit about hacking yourself in order to make sure you are defining some worthwhile policies. A range of basic policies is included out of the box, however, and it is a simple matter to alter these to suit individual requirements.

The actual interface is very easy to use. To select the IP addresses to scan you can enter them directly, or have the software ping them for you (not wise on larger networks). The various configuration screens provide a number of tests or attacks, covering areas such as firewalls, Web servers, DoS attacks, IP spoofing, and various NT-related vulnerabilities. Most of these are selected by checking a box, with a few requiring input of additional information. As new attacks are discovered, updates to the product add the relevant tests to the policy definition screens; Version 5.6 includes over 85 new NetBIOS checks plus specific checks for routers, for instance. Each time you run a scan you can save the results in a session file, allowing you to later run reports against multiple sessions to compare results and monitor changes in policy and vulnerability. This approach enables you to use Internet Scanner as an ongoing "health check" on your network security.
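The session-comparison idea is simple enough to show in code. The following is an added example written for this report, not ISS code: it takes two scan sessions (constructed sample data, each host mapped to a set of check-name/severity findings) and produces the kind of differential a multi-session report gives, so that the next run answers "what got fixed, what is new, which hosts appeared or vanished" rather than listing everything again. The same idea underlies the differential reports and baselines offered by other scanners reviewed below. A host that did not respond in the later run is deliberately not counted as "fixed"; that is the caveat a differential report most often gets wrong.

```python
"""Differential comparison of two vulnerability-scan sessions.

Added example for this report, not ISS code. The session data is a
constructed stand-in for the per-host findings a scanner saves on each run.
"""
from dataclasses import dataclass, field

# Three-level severity scale, as used by most scanners of this era.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def ip_key(host):
    """Sort dotted-quad addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in host.split("."))


@dataclass
class SessionDiff:
    fixed: dict = field(default_factory=dict)      # host -> findings gone since baseline
    new: dict = field(default_factory=dict)        # host -> findings first seen in current
    new_hosts: set = field(default_factory=set)    # answered now but not in the baseline
    lost_hosts: set = field(default_factory=set)   # in the baseline but silent this time


def diff_sessions(baseline, current):
    """Compare two sessions of the form {host: {(check_id, severity), ...}}."""
    d = SessionDiff()
    d.new_hosts = set(current) - set(baseline)
    d.lost_hosts = set(baseline) - set(current)
    # Anything on a host we see now that was not there before is new,
    # including every finding on a host that is itself new.
    for host, after in current.items():
        added = after - baseline.get(host, set())
        if added:
            d.new[host] = added
    # A finding only counts as fixed if the host answered this time; a
    # host that dropped off the network has unknown status, not a clean bill.
    for host in set(baseline) & set(current):
        gone = baseline[host] - current[host]
        if gone:
            d.fixed[host] = gone
    return d


def worst_new_severity(d):
    """Highest severity rank among new findings (0 when there are none)."""
    return max((SEVERITY_RANK[sev] for finds in d.new.values() for _, sev in finds), default=0)


def regression_report(d):
    """Plain-text report lines: new findings (worst first), then fixes, then host churn."""
    lines = []
    for host in sorted(d.new, key=ip_key):
        for check, sev in sorted(d.new[host], key=lambda f: -SEVERITY_RANK[f[1]]):
            lines.append(f"NEW    {host:<14} {sev:<6} {check}")
    for host in sorted(d.fixed, key=ip_key):
        for check, sev in sorted(d.fixed[host]):
            lines.append(f"FIXED  {host:<14} {sev:<6} {check}")
    for host in sorted(d.new_hosts, key=ip_key):
        lines.append(f"HOST+  {host} (not present in baseline scan)")
    for host in sorted(d.lost_hosts, key=ip_key):
        lines.append(f"HOST-  {host} (did not respond this time; findings NOT marked fixed)")
    return lines


# Constructed sample sessions: host -> {(check_id, severity)}.
BASELINE = {
    "10.0.0.5": {("smtp-vrfy-enabled", "low"), ("ftp-anon-writable", "high")},
    "10.0.0.9": {("netbios-null-session", "medium")},
    "10.0.0.12": {("snmp-public-community", "medium")},
}
CURRENT = {
    "10.0.0.5": {("smtp-vrfy-enabled", "low")},
    "10.0.0.9": {("netbios-null-session", "medium"), ("iis-sample-scripts", "high")},
    "10.0.0.20": {("telnet-open", "low")},
}

if __name__ == "__main__":
    for line in regression_report(diff_sessions(BASELINE, CURRENT)):
        print(line)
```

Run as a script it prints the differential for the two constructed sessions; in practice the two dictionaries would be loaded from the scanner's saved session files and the report fed into whatever tracks the security policy.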
A new feature in release 5.6 is Smart Scan, which enables Internet Scanner to automatically "learn" more in-depth security information about a network and more precisely report an organisation's true security profile. Each time a test is run, the scanner remembers past history and uses this information to conduct automatic analysis and draw conclusions about security posture that would otherwise have been missed. A similar concept to Axent's Adaptive Scanning, this would allow Internet Scanner to grab a password file from a desktop machine in the first pass, and then use this in subsequent passes to attempt to gain access to other machines on the network. A number of excellent reports can be run to highlight any weaknesses found, and these will often include specific advice on how to plug the holes.

Product : ISS Internet Scanner 5.6
For :
Against :
Verdict : It may not be the easiest product in the world to get to grips with, but in the hands of someone who knows what he is doing, Internet Scanner is a powerful tool. It is in danger of being overtaken by CyberCop Scanner, however, which offers similar levels of functionality and a more attractive licensing/pricing structure.

HackerShield

On contacting Netect technical support it transpired that the company had been taken over by BindView Corporation. The HackerShield product will thus make a useful addition to the already extensive BindView security auditing suite. As with NetRecon, HackerShield is a vulnerability scanner, rather than a host- or network-based monitoring system. The first thing that strikes you about HackerShield is the very modern (Outlook-style) user interface and uncluttered appearance. You can take a look at the vulnerability test library in order to select individual tests or groups and create security policies, but there is no scope for altering the behaviour of any of these. This is a double-edged sword, of course. On the one hand, it makes the product very easy to run by almost anyone, with no hacking knowledge required. On the other hand, it does limit the flexibility somewhat. A shortcut pane down the left-hand side of the screen provides access to the security checks database, test targets (one licence required per IP address scanned), job scheduler (for automatic runs) and reports. Running a scan is simply a matter of selecting one or more target machines and the required security policy. Unfortunately, there is precious little on-screen information provided during a scan. This is made up for by the excellent reports, however, which are provided in HTML format and can be viewed directly from the console.
Selecting a job from the job list brings up the appropriate report with a superb navigation frame to the left, which allows you to re-sort in various sequences, as well as remove or include almost any sub-section of the report immediately via a number of check boxes. All the detected vulnerabilities are displayed with full explanations, and fixes can be applied automatically where applicable. We were a little disturbed to find a large difference in reported vulnerabilities between CyberCop Scanner and HackerShield, even when we selected ALL tests. On closer examination, it would appear that apart from a few user and registry type tests for NT, many of the others may well be UNIX-specific. It also worried us that it incorrectly determined that a number of hot fixes had not been applied when we were running Service Pack 4 on our target NT 4 machine.

Product : HackerShield
For:
Against:
Verdict : A nice-looking product, very easy to use, but with some shortcomings in a mainly NT environment.

CyberCop Scanner

CyberCop Scanner is a network security vulnerability detection product that can run stand-alone or participate as the sensor component in Network Associates' new Active Security infrastructure. In use, it tests for a comprehensive set of known security vulnerabilities found across an enterprise network in Web sites, firewalls, routers and servers. On firing up the scanner you are presented with a number of tabs along the top of the screen. The Scan Configuration tab allows you to specify the location of some of the important files and the domain name, and provides various options for specifying the range of machines to be scanned. The next step is to specify what you want to include in the scan on the Module Configuration tab. CyberCop Scanner allows you to select a custom set of vulnerability tests from a palette of over 500 available tests in the vulnerability database. These vulnerabilities are organised into modules by subject area: for example, Hardware Peripherals, SMTP and Mail Transfer, Web, Networked File Systems, DNS, Firewalls, and so on. Within each module are a number of different tests which can be selected or deselected via individual check boxes. NAI has attempted to keep the reliance on banner checks to a minimum in order to reduce the incidence of false positives and negatives. You can, of course, create your own custom scans to mirror your security policy, and these can be saved in files and recalled for use again and again. As you click on each module or test, it provides you with a direct view into the vulnerability database, displaying a wealth of information about the problem, which systems it affects, how it manifests itself, and what you can do to fix it should CyberCop report that the vulnerability is present in your system.
Once the configuration file has been completed (or recalled), you can start a scan of the network, with multiple threads being spawned to scan more than one host simultaneously. Unlike some of the competition, the Scan Progress screen provides a realistic view at all times of the progress of the test, showing you exactly what is going on behind the scenes. Once a scan is completed, reports can be generated from the Reports tab. Quick results can be viewed via the hierarchical report tree, where highlighting a vulnerability pulls up the relevant screen from the database, providing you with detailed information and advice on how to fix the problem wherever possible. A network map window provides a graphical view of the network as determined during the scan, and more detailed reports can be generated in HTML, RTF, ASCII or CSV format. Differential reports can be created comparing one result set against another, so you can see the effects of changes in policy or of applying suggested security fixes and patches. CyberCop also has a few unique and rather cool features up its sleeve. The first is the hostile DNS server, which allows you to audit a DNS server for cache corruption attacks. For those with Intrusion Detection software installed, the specific IDS testing capability will also be very welcome. The final feature worthy of note is the Custom Attack Scripting Language (CASL), which allows you to construct your own attack signatures to add to the vulnerability database.

Product : CyberCop Scanner 5.0
For:
Against:
Verdict : CyberCop seems to have taken the vulnerability testing market by the scruff of the neck and given it a damn good shake. It provides an excellent interface, a huge vulnerability database, and several unique features that are genuinely useful, and these certainly make it one of the top products in this market place.

NetRecon

NetRecon is another member of Axent's OmniGuard information security suite, providing a vulnerability scanner option in the same vein as ISS Internet Scanner and NAI CyberCop Scanner. Axent claims this is a 3rd generation scanner, since it offers a "threat assessment" capability, using a technique called "adaptive scanning", or "UltraScan". In short, where other scanners might report a number of unrelated potential vulnerabilities, NetRecon attempts to combine those (even across multiple machines) to gain real access to a system or highlight the potential for a Denial of Service (DoS) attack. In theory, this provides a much more useful set of results, since it works the way a real-life hacker would work. For instance, NetRecon actually makes multiple passes during a scan. If it finds a password list on a desktop machine during the first pass, it will attempt to use those passwords to gain access to server resources during the next pass. In use, NetRecon is fairly simple, and it does not appear to be necessary to have a detailed knowledge of hacking in order to run it. The down side to this is that you don't get the opportunity to tweak the tests. The user interface consists of three panes in a single window: Objectives, Graph and Data Table. The Objectives pane shows the tests to be run in a hierarchy, and you can select all, or groups, or individual tests. During and after execution, the Data Table lists individual vulnerabilities and potential problems, whilst the Graph window summarises these pictorially.
Once a scan is finished, the objectives hierarchy can be examined manually for vulnerabilities, or you can produce an extensive report highlighting vulnerabilities by resource. A hyperlinked report is produced, organised by node, and clicking on any vulnerability takes you to a detailed description of the problem and suggested solution. Finally, licensing. Axent has adopted an extremely user-friendly and cost-effective method of licensing, certainly compared with ISS, its main competitor. At the end of the day, NetRecon is actually quite a different beast to the NAI and ISS scanners. Its vulnerability database is not as extensive as either NAI's or ISS', and it is not possible to tweak the parameters of a test or perform DoS attacks directly. However, its adaptive scanning technology provides a means to look beyond individual vulnerabilities to identify real threats, and it supports NetWare and VMS, as well as NT and Unix. Given the two different approaches, I would recommend using both NetRecon and CyberCop Scanner on a regular basis (if you can afford it, of course).

Product : NetRecon
For:
Against:
Verdict : Whilst not quite as configurable as you might like, the "adaptive scanning" technology is capable of discovering more potential vulnerabilities than the competition in certain situations. The pricing and licensing models are certainly more attractive than ISS'.

Kane Security Monitor

KSM is a real-time security monitor that constantly watches an NT network for security violations. Unlike some of the competition such as RealSecure and CyberCop Monitor, however, KSM focuses on the NT event logs. It scrutinises event log entries for patterns that signify improper behaviour of some description, and condenses the huge amount of data contained in the logs to simple database entries and alerts within the KSM system. KSM is actually split into three modules: the Console, the Auditor Service and one or more Agent Services. The Auditor Service is the central repository for data collected by the Agents, which are installed one on each machine to be monitored. The Console provides a GUI front end for the system, from where alerts can be collected and reports viewed. Once the agents have been deployed, alerts generated from the event logs are displayed in real time in a pane on the left of the console. New alerts will flash until acknowledged by the administrator, and it is possible to generate e-mail notifications from these. Clicking on any of the alerts on the left brings up a detailed analysis pane on the right. Alerts can be summarised graphically or viewed individually (and filtered) at the click of a mouse. Further analysis can be performed by drilling down to view individual records, time-lines of security violations, period and historical averages, or one of the many detailed reports that are available from the report manager. When running CyberCop Scanner against the KSM machine, KSM only recognised a hack attempt by detecting rapid successive failed logons. It missed the port scanning and denial of service attacks completely.
This indicates the niche at which KSM is aimed: that of internal security auditing in real time, rather than true intrusion detection. As such, it is a useful complement to the likes of RealSecure and Centrax, but cannot be used on its own as protection against serious hackers.

Product : Kane Security Monitor for NT 3.20
For:
Against:
Verdict : Once again, the Kane product is tackling intrusion detection from another angle to the likes of NAI and ISS. KSM is concerned with monitoring event logs in real time for unusual activities; it will not detect attempted denial of service attacks or vulnerability exploits, and does not really tell you much that you cannot find out yourself by sifting through your event logs (although the real-time alerting aspect is attractive). Horses for courses, really.

Intruder Alert

Intruder Alert is part of Axent's OmniGuard information security suite. Intruder Alert provides a host-based intrusion detection capability to complement the NetProwler network-based product (which was still in Beta at the time of this review). Intruder Alert was without a doubt one of the most bewildering products we reviewed here, both in terms of architecture and in use. However, this is the price you pay if you want a product that is extremely flexible and scalable. One example of this flexibility is in the availability of the product for NT, NetWare and Unix platforms (we tested on NT). The architectural components of Intruder Alert include ITA Admin (the management interface), ITA View (the alert viewer and reporting tool), Manager (collects events from Agents) and the Agent (which actually monitors the host). This makes it overly complex in small installations, but very flexible and scalable in large ones. In the normal course of events, as with most NT host-based scanners, Intruder Alert is designed to collect and process data from the three event logs: System, Application and Security. In addition, the standard audit sources (NETLOGON, Service Control Manager and NwRdr, amongst others) are also monitored, and additional monitoring sources can be configured. During installation you get the opportunity to install default policies for UNIX, NT or NetWare environments, and these may well be enough for many installations.
These policies are made up of a number of rules that detect and respond to events. In turn, these rules are comprised of three parts: a select clause (determining which events are to be included), an ignore clause (to exclude certain events) and an action clause (to perform if the select and ignore clauses yield a positive result). Any number of rules and clauses can be combined to make a policy, making Intruder Alert one of the most flexible scanners we have seen to date. Reporting is also extensive and flexible, using the ITA View utility to query and process events to provide a range of graphical and text-based reports. However, given the way that policies are constructed in Intruder Alert, these can provide little more than statistical output. They lack, for instance, the detailed vulnerability descriptions provided by some of the competition.

Product : Intruder Alert 3.0
For:
Against:
Verdict : Intruder Alert is one of the best host-based scanners we have seen, due to the incredibly configurable vulnerability database and scalable architecture. Not too easy to use, but an extremely powerful tool once you get used to it.

System Scanner

ISS System Scanner is designed to provide host-based security assessment within Windows environments, checking both servers and desktops for security weaknesses from the operating system perspective. System Scanner examines potential vulnerabilities by checking system characteristics including file permissions, login permissions, registry settings, user and group passwords, security settings for applications such as Microsoft Internet Information Server, and a wide variety of other settings that can be exploited to gain unauthorised access to the organisation's enterprise network. Windows-based servers are proactively audited for misconfigurations and operating system and application vulnerabilities. As with Internet Scanner, System Scanner allows you to define different policies depending on the purpose of the host machine, and a number of sample policies are provided to get you going, covering common server uses such as a departmental server, an FTP, Web or mail server on a firewall's DMZ (De-Militarised Zone) interface, an intranet server, a power user, a normal user, and some "technical" scans. These can be accepted as they stand or can be modified to any level of detail. If you want to create your own policies from scratch, System Scanner helps you out with the Smart Policy Configurator. This is an automated wizard that examines your system to see what is installed and makes intelligent decisions on what checks should be included in the policy. Once again, the option is there to further refine the policy manually if required. Running a scan is simply a matter of clicking on the "Scan" button and selecting the appropriate policy.
System Scanner can also be installed as a native NT Service so that scans can be scheduled to run automatically and at regular intervals. During a scan, results of the checks are shown in the main window, categorised into high, medium or low risk. By right-clicking on any vulnerability you can pull up a window containing detailed information on that vulnerability, what it consists of, which operating systems it affects, and how to fix it (including where to find the appropriate patch to download, if applicable). Running the report produces output as plain text or HTML which includes every vulnerability in order of severity, together with the detailed information mentioned above gathered from the vulnerability database. As well as detailed individual reports, System Scanner can produce trend and differential reports based on multiple scans over a period of time. Once the appropriate patches have been applied and the system is as secure as it can be, the final option is to establish technical "baselines". These record the current state of critical OS and application settings, providing a means to do comparison runs in the future. This would allow immediate indication of a change to a single registry setting, for example.

Product : ISS System Scanner 1.0
For:
Against:
Verdict : A good first attempt by ISS at host-based scanning, providing simple policy creation and a good range of output options.

Centrax

Centrax is unusual in the IDS market place in that it combines both network AND host-based intrusion detection technologies into a single application, and then bundles in some basic security assessment too. This makes it slightly confusing at first, since there is so much going on and so much to be configured. Essentially, you need to install the Command Console on one machine, followed by the Target Service, Real-Time Service, and Network Service as appropriate on each of the targets (to provide the host- and network-based scanning and communications). There are a number of policies included to get you started, but some are less than useful, so it is best to define your own. Each target machine has an Audit, Batch Detection, Real-Time Detection, Network Detection and Collection Policy associated with it. The Audit Policy determines which NT audit events are monitored, whilst the various detection policies cover a much wider range of high- and low-level NT activities that can occur on the host (the Collection Policy determines how often the Batch Detection Policy is run). Finally, the Network Policy covers a number of attack signatures to provide the network-based ID capability (though a much smaller number than the likes of ISS RealSecure). Reporting on the main ID activities is via Crystal Reports, which are adequate at best, and not customisable. Centrax also had one or two peculiarities in the security assessment reporting department. Firstly, navigation of the reports is not that intuitive. The overall assessment summary provides limited information other than some arbitrary security categories and your rating (poor, fair, good) in each one. If you want detailed information on why you received the rating you did, and how to improve it, you have to run a separate report.
The second issue we had was that you cannot customise the reports in any way to suit your own corporate security policy. The reporting modules use some arbitrary rules to determine which settings result in a particular rating, and these cannot be changed or disabled. This led to us receiving a POOR rating for not setting a forced logout for remote users. The reason we didn't set this was that NT will not allow you to do so unless you have RAS installed. In other words, our server (rated POOR in this area) was actually more secure than if we had installed RAS in order to set a parameter that would have enabled us to finally achieve a GOOD rating under Centrax. Go figure. Centrax actually encompasses most of the ID functions you would require, but falls short of the best-of-breed products in each of the areas: network ID, host-based ID and security assessment. One to watch out for in the future, though.

Product : Centrax 2.2 (Beta 3)
For:
Against:
Verdict : One of the first products to combine both host- and network-based ID technology, Centrax also (uniquely) includes some basic security assessment capabilities. It runs the risk of being the archetypal jack of all trades, however; evaluate carefully.

ISS RealSecure

RealSecure is still the best known of the real-time network-based ID systems, and is still, at the time of writing, fairly unique. ISS' major competitors are rushing to bring out their own versions, however. RealSecure is split into three sections: the engine, the console and the system agent. The engine is the actual packet sniffer part of the product, and you need one for each subnet you are protecting. The engine also compares the traffic with the signature database and generates the appropriate actions when necessary. One console can control any number of engines, and all the engines can report back to a single console. Security policies are defined at the console too, and loaded to each engine as appropriate. Different policies can be applied to each engine, if required, depending on the expected traffic on any given segment, or perhaps depending on the importance of a segment. New for Version 3.0 is the plug-in module for existing HP OpenView systems that allows such systems to manage RealSecure network engines securely. The final part of the equation, also new with this release, is the RealSecure System Agent. The system agent is the new host-based detection module that monitors the operating system log files for signs of unauthorised activity. Like the network engine, it can take action automatically to prevent further system incursions, and it is possible to create user-defined signatures for the system agent within the management console. Each policy defined in the console consists of a number of security events, connection events, user-specified filters and user-specified actions, and a number of sample policy files are provided to get you going.
For each event, there are a number of actions available, including notify console, log to database, log raw data, send e-mail notification, kill connection, view session, lock firewall and send SNMP trap. Kill connection resets the TCP connection to terminate the attack immediately (it can do nothing about attacks carried in single UDP or ICMP packets, which have already arrived by the time the signature fires), whilst the lock firewall option works with Check Point's FireWall-1 to automatically reconfigure the firewall to prevent the attacking source from crossing the firewall boundary for a user-specified period of time, ranging from one minute to forever. Automatic blocking by source address needs care: an attacker who spoofs the source of an attack can use it to have legitimate addresses locked out. You can use RealSecure to monitor more than just security problems by using the Connection Events. These are generic events such as HTTP, FTP or SMTP activities, and can be filtered by source or destination address, source or destination port, or protocol. In addition to the real-time monitoring, there are a number of graphical and text reports that can be run covering such things as event names, source and destination reports, top 20 events, top 20 destinations, and so on.

Product : ISS RealSecure 3.0
For :
Against :
Verdict : One of the first network-based ID systems and still one of the best. A huge attack signature database that is regularly updated, but the competition is hot on ISS' heels now, and pricing could be an issue in the future.

SessionWall-3

Originally billed as a "network analyser and blocker", SessionWall provides the ability to monitor all your TCP/IP traffic across the full range of protocols (HTTP, FTP, SMTP, POP3, UDP, etc.) and selectively ignore, report, log, alert or even block traffic depending on combinations of the source and destination addresses, protocol and contents of the data packet. It does not appear to have required too many changes to bring it squarely into the world of Intrusion Detection. The SessionWall station passively monitors all IP traffic on the local segment without requiring any configuration changes to network, clients or servers. It is completely transparent, except when one of its rules is violated, at which point it will raise alerts, log the violation, send an e-mail or fax, send SNMP traps or terminate the connection (amongst other things). In addition to providing Web site blocking, one of the other features offered by SessionWall not included in the competition is the ability to monitor e-mail traffic, right down to the point of being able to read the messages themselves. Configuration is a breeze, and is performed via an intuitive interface which allows you to define an unlimited number of rules to handle URL and malicious applet control, attack detection, suspicious network activity and intrusion attempts, as well as the general traffic monitoring/alerting/blocking already mentioned. Simple check boxes also enable virus checking of e-mail and news messages and attachments (both incoming and outgoing), as well as the ability to block network games such as Doom and Quake.
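The rule model described above (source and destination address, protocol, port and packet content, with each combination mapped to ignore, report, log, alert or block) can be shown in a few dozen lines. The block below is an added example, not SessionWall code, and its rule base and sample flows are constructed: rules are evaluated in order, first match wins, and traffic that matches nothing is tallied for the statistical view rather than silently dropped. Ordering matters: an "ignore" rule for internal Telnet placed before the "alert" rule for Telnet into the internal network is how exceptions are expressed in a first-match engine, and reversing the two would fill the console with alerts about legitimate sessions.

```python
"""First-match traffic rules in the style of a network monitor/blocker.

Added example, not SessionWall code. Rules combine source/destination network,
protocol, destination port and a regex over the payload; the action is one of
ignore/report/log/alert/block. The rule base and flows are constructed samples.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"ignore", "report", "log", "alert", "block"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: Optional[str] = None        # CIDR; None means any source
    dst: Optional[str] = None        # CIDR; None means any destination
    proto: Optional[str] = None      # "tcp", "udp" or "icmp"; None means any
    dport: Optional[int] = None      # destination port; None means any
    content: Optional[str] = None    # regex applied to the payload, case-insensitive

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r} in rule {self.name}")

    def matches(self, flow):
        """Every field that is set must match; unset fields are wildcards."""
        if self.src and ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and flow["proto"] != self.proto:
            return False
        if self.dport is not None and flow.get("dport") != self.dport:
            return False
        if self.content and not re.search(self.content, flow.get("payload", ""), re.I):
            return False
        return True


def evaluate(rules, flows):
    """Return (decisions, unmatched): one (flow, rule name, action) per flow, and a
    Counter of (proto, dport) for traffic no rule claimed, for the statistics view."""
    decisions, unmatched = [], Counter()
    for flow in flows:
        rule = next((r for r in rules if r.matches(flow)), None)   # first match wins
        if rule is None:
            unmatched[(flow["proto"], flow.get("dport"))] += 1
            decisions.append((flow, None, "ignore"))               # default: count only
        else:
            decisions.append((flow, rule.name, rule.action))
    return decisions, unmatched


# Constructed rule base. Order is significant: the internal-telnet exception
# must precede the broader telnet-to-inside alert or it never fires.
RULES = [
    Rule("internal-smtp", "ignore", src="10.0.0.0/8", dst="10.0.0.25/32", proto="tcp", dport=25),
    Rule("quake-block", "block", proto="udp", dport=27960),
    Rule("http-exe-download", "alert", proto="tcp", dport=80, content=r"\.exe\b"),
    Rule("internal-telnet", "ignore", src="10.0.0.0/8", dst="10.0.0.0/8", proto="tcp", dport=23),
    Rule("telnet-to-inside", "alert", dst="10.0.0.0/8", proto="tcp", dport=23),
    Rule("web-traffic", "log", proto="tcp", dport=80),
]

# Constructed flows as a monitor would see them on the segment.
FLOWS = [
    {"src": "10.0.0.7", "dst": "10.0.0.25", "proto": "tcp", "dport": 25, "payload": "MAIL FROM:<a@b>"},
    {"src": "10.0.0.7", "dst": "192.0.2.9", "proto": "udp", "dport": 27960, "payload": ""},
    {"src": "10.0.0.8", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "payload": "GET /setup.exe HTTP/1.0"},
    {"src": "10.0.0.8", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "payload": "GET /index.html HTTP/1.0"},
    {"src": "10.0.0.3", "dst": "10.0.0.5", "proto": "tcp", "dport": 23, "payload": ""},
    {"src": "198.51.100.3", "dst": "10.0.0.5", "proto": "tcp", "dport": 23, "payload": ""},
    {"src": "10.0.0.9", "dst": "10.0.0.53", "proto": "udp", "dport": 53, "payload": ""},
]


def run_sample():
    return evaluate(RULES, FLOWS)


if __name__ == "__main__":
    decisions, unmatched = run_sample()
    for flow, name, action in decisions:
        print(f"{action:<7} {name or '-':<20} {flow['src']} -> {flow['dst']}:{flow.get('dport')}")
    print("unmatched:", dict(unmatched))
```

The unmatched tally is what drives the "often identifying the need for additional rules" workflow: DNS to 10.0.0.53 shows up there until someone decides whether it deserves an ignore rule or an alert.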
All network activity that is not associated with a rule is identified for statistical and real-time analysis, often identifying the need for additional rules. SessionWall-3 provides extensive and easy to use intrusion detection and response capability. This includes an ever-increasing list of service denial attacks such as the "ping of death", probes, and workstation and server intrusions which exploit operating system and application bugs. SessionWall-3 also includes the capability to detect and respond to password hacking by defining the challenge and response character strings that are issued by the various applications to determine user ID and password for those applications. Finally, there is an extensive set of reports available covering such subjects as characterisation of protocols used, identification of services being used (i.e. specific Web sites, e-mail, FTP, Telnet, etc.) and a list of blocking situations which have occurred.

Product : SessionWall-3
For:
Against:
Verdict : With a firewall-like approach to configuration, SessionWall is one of the most flexible ID packages. The ability to decode packets from the wire (to reassemble an e-mail message, for example) will be very useful in some situations, but does make it even more resource hungry than RealSecure. Another jack of all trades, at risk of being master of none.

Kane Security Analyst

KSA is a security assessment tool that analyses an NT domain, server or workstation for security exposures. The user experience starts with a rather dated-looking screen with four large buttons along the bottom: Set Security Standard, Run Security Audit, Survey Risk Analysis and Review Compliance History. These are designed to be taken in order, the first, Set Security Standard, being used to define security policies. Within each policy are sections covering account restrictions, password strength (including password cracking tests), access control, system monitoring, data integrity and data confidentiality. Within each of these sections further criteria can be specified; in the password strength section, for instance, you can specify minimum password length, expiration periods, history counts and so on. Having developed the security standard, we can then use it to run a scan. One nice feature of KSA is the ability to scan all machines in a domain from a single point, and even to perform inter-domain scans; scans can be run on demand or automatically via a scheduler. Run options include password cracking, where user passwords are checked for common mistakes such as using the user name (forwards or backwards) or a common word (as defined in the "crackers dictionary"). On completion of the scan we get a "report card" which summarises strengths and weaknesses by giving a percentage score against each of the categories in the security standard.
Clicking on the "List Risks" button pops up the top ten risks encountered during the scan, though there is no way to examine these risks in more detail from here. The next step is to survey the risk analysis. This allows us to drill down into the summary figures and examine individual user accounts for problems. The final option, Review Compliance History, provides a trend table showing the scans run and their results in summary form over a period of time. Other options available from the main screen include account policy analysis, report manager, event log analysis, C2 security summary, file rights and registry rights. Each of these provides a summary screen which can be used to drill down into the scan databases. The Reports option provides a number of standard reports such as a management summary, account restrictions, compliance with security policies and so on. The output from these is clear and easy to read, though there is no way to filter or customise the content.

Product : Kane Security Analyst for NT 4.50

For:
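The set-standard, scan, report-card sequence described above, as an added illustration that is not Kane Security Analyst code: a standard is expressed as thresholds, the domain's account policy and each account are judged against it, the crack test tries the user name forwards and backwards and then a dictionary with case variants, and the results are summarised as a percentage per category together with a "List Risks" style top-ten. The standard, policy, accounts, dictionary and the particular checks in each category are constructed for the example, and SHA-256 stands in for the NT password hash so that it runs with the standard library alone; a real audit would compare against the NT hash, which is MD4 over the UTF-16LE password.

```python
"""Policy-driven NT account audit with a KSA-style "report card".

Added illustration, not Kane Security Analyst code. Standard, policy,
accounts, dictionary and check selection are constructed; SHA-256 stands in
for the NT hash (MD4 over the UTF-16LE password) so only stdlib is needed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# The "security standard": what the scan is judged against.
STANDARD = {
    "min_password_length": 8,
    "max_password_age_days": 90,
    "password_history": 6,
    "lockout_threshold": 5,
}
DICTIONARY = ["password", "secret", "welcome", "letmein", "summer"]  # toy "crackers dictionary"

Check = Tuple[str, bool, str]      # (check name, passed?, detail shown when it failed)


@dataclass
class Account:
    name: str
    pw_hash: str                   # hex digest from hash_pw()
    never_expires: bool = False    # the "password never expires" account flag


def hash_pw(password: str) -> str:
    """Stand-in for the NT hash: same input encoding, different digest."""
    return hashlib.sha256(password.encode("utf-16le")).hexdigest()


def candidates(user: str) -> Iterator[str]:
    """Guesses in the order the KSA crack test implies: the user name forwards
    and backwards, then the dictionary, each with simple case variants."""
    for base in [user, user[::-1], *DICTIONARY]:
        yield from dict.fromkeys([base, base.lower(), base.upper(), base.capitalize()])


def crack(acct: Account) -> Optional[str]:
    """Return the guess that matches the stored hash, or None if none does."""
    for guess in candidates(acct.name):
        if hash_pw(guess) == acct.pw_hash:
            return guess
    return None


def audit(policy: Dict[str, int], accounts: List[Account],
          standard: Dict[str, int] = STANDARD) -> Dict[str, List[Check]]:
    """Judge the domain policy and each account against the standard. Each
    policy-wide setting is one check; per-account tests add one check per
    account, so widespread habits weigh more than a single policy setting."""
    restr: List[Check] = []
    pw: List[Check] = []
    t = policy["lockout_threshold"]
    restr.append(("lockout threshold", 0 < t <= standard["lockout_threshold"],
                  f"lockout threshold is {t} (0 = no lockout; standard: at most {standard['lockout_threshold']})"))
    for a in accounts:
        restr.append(("password expiry", not a.never_expires, f"password never expires for {a.name}"))
    n = policy["min_password_length"]
    pw.append(("minimum length", n >= standard["min_password_length"],
               f"minimum password length is {n} (standard: {standard['min_password_length']})"))
    age = policy["max_password_age_days"]
    pw.append(("maximum age", 0 < age <= standard["max_password_age_days"],
               f"maximum password age is {age} days (0 = never; standard: {standard['max_password_age_days']})"))
    h = policy["password_history"]
    pw.append(("history", h >= standard["password_history"],
               f"password history is {h} (standard: {standard['password_history']})"))
    for a in accounts:
        guess = crack(a)
        pw.append(("crack test", guess is None, f"password of {a.name} guessed as {guess!r}"))
    return {"Account Restrictions": restr, "Password Strength": pw}


def report_card(results: Dict[str, List[Check]]) -> Dict[str, int]:
    """Percentage of checks passed per category, as on KSA's report card."""
    return {cat: round(100 * sum(ok for _, ok, _ in checks) / len(checks))
            for cat, checks in results.items() if checks}


def top_risks(results: Dict[str, List[Check]], n: int = 10) -> List[str]:
    """The failed checks, category by category, capped like "List Risks"."""
    return [f"{cat}: {detail}" for cat, checks in results.items()
            for _, ok, detail in checks if not ok][:n]


# Constructed domain policy and accounts (not real data).
POLICY = {"min_password_length": 6, "max_password_age_days": 0,
          "password_history": 6, "lockout_threshold": 5}
ACCOUNTS = [
    Account("alice", hash_pw("Tr0ub4dor&3")),
    Account("bob", hash_pw("bob")),                          # user name as password
    Account("carol", hash_pw("lorac"), never_expires=True),  # user name reversed
    Account("dave", hash_pw("Welcome")),                     # dictionary word, capitalised
]

if __name__ == "__main__":
    res = audit(POLICY, ACCOUNTS)
    for cat, pct in report_card(res).items():
        print(f"{cat:22} {pct:3d}%")
    for risk in top_risks(res):
        print(" -", risk)
```

On the constructed data the report card reads 80% for Account Restrictions (carol's password never expires) and 29% for Password Strength (the policy's minimum length and maximum age miss the standard, and three of the four passwords fall to the crack test), with six risks listed. Because every account contributes a check per category, one weak policy setting costs proportionally less on a large domain than a widespread habit such as using the user name as the password, which is the weighting a percentage score like this one gives.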
Against:
Verdict : More of a system auditing tool than true intrusion detection, KSA does not provide enough information about actual vulnerabilities, such as susceptibility to denial of service attacks. It is useful for deciding which of your users have access to things that they shouldn't, however.

SUMMARY:

When summarising our findings, we decided to split the offerings into the three broad categories mentioned in the introduction. As far as vulnerability scanners are concerned, we did not feel that HackerShield was quite ready for the big time as yet. ISS has led the field for a long time and is still a worthy offering, though it is apparent that NetRecon and Intruder Alert are hot on its heels (or may have already caught up). However, the addition of Smart Scan technology still makes it a valuable product, and a worthy recipient of the NSS Recommended award. This time round, the NSS Recommended award is shared with CyberCop Scanner, which offers similar levels of functionality with the addition of IDS testing and CASL scripting. When it came to host-based ID systems, things were not quite as clear cut. Kane Security Monitor, Axent Intruder Alert and ISS System Scanner each have their strengths and weaknesses, though the latter two edge out the Kane product in terms of functionality. By virtue of the flexibility offered by the Axent product, however, we have given the NSS Recommended award in this category to Intruder Alert. Finally we come to the network-based ID systems, represented by Centrax and RealSecure (both of which offer elements of host-based ID as well). Centrax had the advantage of including some basic security assessment capability (along the lines of Kane Security Analyst), but did not quite inspire the confidence that RealSecure did, which has an established pedigree in this area. The NSS Recommended award in this category therefore goes to ISS RealSecure.
Most of the leading vendors are now bringing out integrated security suites or hybrid products, but it is a little early in the game to recommend any one vendor. For now, we would recommend buying "best of breed" from each product category. If you want all three, our current recommendation would be Internet Scanner or CyberCop Scanner (depending on which of each product's unique features matter most to you), RealSecure and Intruder Alert. If you can only afford one piece of IDS software, we would have to say that the real-time network monitoring product is the key one, and that would be RealSecure.