
CA eTrust Intrusion Detection v1.4.5

Formerly known as SessionWall, eTrust Intrusion Detection has a new name – if not a new look – since the acquisition of Abirnet by Computer Associates (CA).

Offering more than just IDS, eTrust Intrusion Detection provides surveillance, intrusion and attack detection, inappropriate URL detection and blocking, alerting, logging, and real-time response in a single software package.

It offers:

Network usage reporting ranging from high level statistics down to specific user usage.

Network security including content scanning, intrusion detection (service denial attacks, suspicious activity, malicious applets, viruses), blocking, alerting and logging.

Web and internal usage policy monitoring and controls to monitor and enforce Web access and inter-company policies by user ID, IP address, domain, group, content, and control list.

Company preservation - often referred to as litigation protection - monitoring e-mail content, logging, viewing and documentation.

eTrust IDS can be installed on any network-attached Windows 95/98, NT 4.0 or Windows 2000 machine and can process the network traffic from one or more Ethernet, Token Ring and FDDI local network segments.

Architecture

eTrust Intrusion Detection includes policy folders for Web access, for monitoring/blocking/alerts, for intrusion detection, and for attack detection, malicious applets, and malicious e-mail. These policy folders contain the rules that eTrust Intrusion Detection uses when scanning network communications. The rules specify the patterns, protocols, addresses, domains, URLs, content, etc. and the actions to be taken should these be encountered.

eTrust Intrusion Detection includes the same detection engine and signatures that are used in CA's InoculateIT anti-virus product. Using this engine and signatures, eTrust Intrusion Detection detects all known viruses and monitors network traffic to detect their entry into or movement around the network.

The URL Category List is composed of hundreds of thousands of URLs determined to belong to one or more of 27 categories, as defined by Secure Computing's Web Tools Division. Although the categories represent general content types encompassing an often wide variety of material, all are deemed potentially inappropriate for today's typical workplace.

eTrust Intrusion Detection Enterprise

The Enterprise version provides the ability to centrally monitor and manage multiple distributed eTrust detection engines, and to consolidate selected information in a common relational database.

This is achieved by installing eTrust agents on different segments of the network (local and remote), which are controlled by a central station from which the administrator can view and generate reports based on the consolidated information collected by the agents.

eTrust Intrusion Detection Central allows a single remote administrator to monitor and manage multiple local and remote eTrust Intrusion Detection hosts. Using this capability, the administrator sees alerts on the console and has the ability to remotely control specific eTrust hosts as if they were local.

Figure 1 - The eTrust console

The main Central component operates on Windows 95, Windows 98 or Windows NT/2000. It receives, sorts and displays alerts generated by one or more remote agents and allows the administrator to connect to and operate the agent.

Communication between the central console and remote hosts is achieved via Central Agents installed on all stations running Enterprise software. The Central Agent operates in the background on the remote host, receives alerts from the local eTrust ID, and sends these alerts to eTrust ID Central.

eTrust Intrusion Detection Remote allows remote control of eTrust Intrusion Detection via dial-up or direct network connections.

Finally, eTrust ID Log View allows users to monitor usage details over an extended period of time by targeting a specific database and browsing and viewing the archived information. Users can also consolidate session information from multiple eTrust stations in a relational database.

The system includes the database front end and distributed collection components that are invoked by events in eTrust Intrusion Detection based on eTrust Intrusion Detection rules.

The eTrust ID Log View consists of three main components:

  • The Data Client, which collects the data and transfers it to the archive.
  • The Log View Database Server component which controls the archived data on the same or different computer utilising a relational database product (Oracle or SQL).
  • The Log View Viewer which can reside on any Windows NT system and provides the user with an interface for viewing the archived logs.

Installation

Installation is the usual straightforward Windows InstallShield routine. Inserting the CD brings up a menu of installation choices which provides the option to install a stand-alone engine or the eTrust Intrusion Detection Enterprise components.

The eTrust Intrusion Detection engine is installed as a native NT service and operates in stealth mode to make it difficult to detect on the wire. An on-line registration function finishes the installation routine, and this was our only gripe with installation, since if your network connection is down at the time of install it could cause problems.

Documentation could only be described as basic, with a Getting Started Guide in PDF format on the CD. However, it has to be said that eTrust IDS is fairly simple to get up and running, so more extensive documentation is probably unnecessary.

Configuration

Once installed, eTrust Intrusion Detection immediately starts its surveillance for intrusion attempts and suspicious network activity and begins logging all e-mail, WEB browsing, news, Telnet, and FTP activity using a default security policy. New rules can easily be added or the existing rules can be changed using menu driven options. All network activity that is not associated with a rule is identified for statistical and real-time analysis, often identifying the need for additional rules.

When it comes to editing the various detection rule sets, anyone familiar with the FireWall-1 rules definition user interface will be quite at home with eTrust Intrusion Detection. It’s not that it is similar - it’s identical. CA has a development relationship with Checkpoint that allows it access to the actual FireWall-1 code for rules maintenance.

Any number of eTrust users can be defined to the system, each one authorised to perform only certain actions if required – one user may be allowed to create new rules, for example, whereas another might only be able to run reports.

It's just as well that rules definition is so straightforward, because there is a lot of it to do.

eTrust does a lot more than Network IDS, and there is a set of rules for each of its major functions:

  • Intrusion Detection
  • URL Access Monitoring and Control
  • Monitor/Block/Alert
  • Content Inspection

eTrust Intrusion Detection checks each session against the rules until either the session terminates or a match occurs.

The first place to start is to define the various network objects – specific hosts, networks, users, domains, workstation, and so on - that will be referred to by name in the rule sets – and those services which will be excluded from detection. For instance, you might decide that all NetBIOS services over TCP for the internal network need not be examined by eTrust.

Figure 2 - Defining rule sets

Once you have this basic information entered, you can begin defining the rule sets for each of the above capabilities. What you would refer to as “signatures” in other products are “Rule Types” in eTrust, and the Intrusion Detection rule set contains just over 360 signatures at the time of writing, which is considerably less than some of the competition. CA is working hard to catch up in an area that is relatively new to it, and new signatures can be downloaded regularly from the CA Web site.

Rule Types can be Service or Content-based, and a number of different parameters can be added instructing eTrust to check session content for “active” components, such as Java or ActiveX, or compare session data with strings or commands that are specified as part of the rule. It is incredibly easy to add new signatures of your own, making eTrust Intrusion Detection one of the most readily extensible products we have seen.

The actual rules are created from these Rule Types (attack signatures) combined with a source and destination, an action and a time when the rule is applicable. If any of the characteristics of the session correspond with the rule conditions, a match occurs. This match triggers an Action, which can include logging to file, blocking the session, raising an alert, writing to the NT event log, audio alert, NT message, running an external program, sending an e-mail, fax, SNMP trap, pager, syslog, and reconfiguring your firewall (eTrust, Cisco or any OPSEC-compliant firewall), amongst others. Any combination of these Actions can be triggered from a single event, and this is probably the widest range of alert types we have seen in a single product.

Rules can be turned on and off in the rule set by clicking on a check box, allowing them to be disabled temporarily on the fly for testing purposes without having to delete them.
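The rule model the review describes (a Service- or Content-based Rule Type combined with a source, a destination, an action and a time window, evaluated against each session until the first match, with a check box to disable a rule without deleting it, and a set of services excluded from inspection altogether) can be illustrated with a small matcher. The following is an added example written for this page; it is not CA's code and does not reproduce the product's rule syntax, and every class, field, rule name, network object and sample session in it is a constructed stand-in.

```python
"""Toy first-match rule matcher in the style of the eTrust rule model.

Added illustration for this review, not CA's code and not the product's
rule syntax; every class, field, rule name and sample below is constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Session:
    src: str                 # client address
    dst: str                 # server address
    service: str             # hypothetical service name, e.g. "telnet"
    payload: str             # reassembled session content (constructed sample)
    started: datetime        # checked against the rule's time window


@dataclass
class Rule:
    name: str
    src_net: str             # network object: "any" or a CIDR block
    dst_net: str
    actions: tuple           # triggered on match, e.g. ("log", "alert", "block")
    service: Optional[str] = None   # Service-based Rule Type: exact service name
    pattern: Optional[str] = None   # Content-based Rule Type: case-insensitive substring
    active_from: time = time(0, 0)  # time of day the rule applies from
    active_to: time = time(23, 59, 59)
    enabled: bool = True            # the check-box toggle: unticked means skip, keep


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def _in_window(rule: Rule, when: datetime) -> bool:
    t = when.time()
    if rule.active_from <= rule.active_to:
        return rule.active_from <= t <= rule.active_to
    return t >= rule.active_from or t <= rule.active_to   # window wraps past midnight


def rule_matches(rule: Rule, session: Session) -> bool:
    """A rule matches only when every characteristic it specifies agrees with the session."""
    if not rule.enabled or not _in_window(rule, session.started):
        return False
    if not (_in_net(session.src, rule.src_net) and _in_net(session.dst, rule.dst_net)):
        return False
    if rule.service is not None and session.service != rule.service:
        return False
    if rule.pattern is not None and rule.pattern.lower() not in session.payload.lower():
        return False
    return True


def evaluate(session: Session, rules: list, exclusions: tuple = ()) -> tuple:
    """Return the actions of the first matching rule, or () if nothing matched.

    exclusions are (service, source_net) pairs that are never inspected at all,
    mirroring the 'services excluded from detection' step in the review.
    """
    for service, net in exclusions:
        if session.service == service and _in_net(session.src, net):
            return ()
    for rule in rules:
        if rule_matches(rule, session):
            return rule.actions          # first match ends evaluation of this session
    return ()


INTERNAL = "10.0.0.0/8"   # constructed internal network object

RULES = [
    Rule("telnet-root-login", "any", INTERNAL, ("log", "alert"), service="telnet", pattern="login: root"),
    Rule("cv-leaving-company", INTERNAL, "any", ("log", "alert"), service="smtp", pattern="curriculum vitae"),
    Rule("quake-in-work-hours", INTERNAL, "any", ("block", "log"), service="quake",
         active_from=time(9, 0), active_to=time(17, 0)),
    Rule("log-all-http", "any", "any", ("log",), service="http"),
]
EXCLUSIONS = (("netbios-ssn", INTERNAL),)

# Constructed sample sessions (addresses taken from documentation ranges).
SAMPLES = {
    "telnet_root": Session("192.0.2.5", "10.1.1.9", "telnet", "Trying...\r\nlogin: root\r\n", datetime(2002, 3, 1, 10, 0)),
    "cv_out": Session("10.2.3.4", "198.51.100.7", "smtp", "Subject: my Curriculum Vitae attached", datetime(2002, 3, 1, 11, 30)),
    "quake_noon": Session("10.5.5.5", "203.0.113.1", "quake", "", datetime(2002, 3, 1, 13, 0)),
    "quake_evening": Session("10.5.5.5", "203.0.113.1", "quake", "", datetime(2002, 3, 1, 20, 0)),
    "web": Session("10.1.1.1", "203.0.113.80", "http", "GET / HTTP/1.0", datetime(2002, 3, 1, 14, 0)),
    "netbios_internal": Session("10.1.1.1", "10.1.1.2", "netbios-ssn", "", datetime(2002, 3, 1, 14, 0)),
}


def run_demo() -> dict:
    """Evaluate every sample, plus the telnet sample with its rule unticked."""
    results = {name: evaluate(s, RULES, EXCLUSIONS) for name, s in SAMPLES.items()}
    unticked = [replace(RULES[0], enabled=False)] + RULES[1:]
    results["telnet_root_rule_disabled"] = evaluate(SAMPLES["telnet_root"], unticked, EXCLUSIONS)
    return results


if __name__ == "__main__":
    for name, actions in run_demo().items():
        print(f"{name:28s} -> {actions or 'no match'}")
```

Two points of the design are worth noting. Rule order matters under first-match semantics, so the broad "log-all-http" rule sits last; placed first it would swallow every HTTP session before a more specific content rule could fire. Disabling a rule leaves it in the list but makes `rule_matches` return False, which is the on-the-fly testing behaviour the review describes, and the exclusion check runs before any rule so that excluded services never reach the rule set.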

When you choose to log details of an event in the Tree Window, you can decide whether the log should include the contents of the session and whether the contents should be encrypted or signed. If you choose to include the contents of the session, you will be able to see these details in the View window when you select the session in the Tree Window.

Figure 3 - Suspicious Network Activity Detection Rules

In addition to the high-level Intrusion Detection rules, there are also a number of lower-level predefined security violations, covered by the Suspicious Network Activity Detection rule set. These cover such activities as IP spoofing, SYN flooding, ping attacks, port scanning, WinNuke, Land, Teardrop, Smurf, distributed DoS attacks, and so on. When eTrust Intrusion Detection detects one of these violations, the Show Security Violations button in the toolbar blinks and clicking this button displays a window with details of the violation. There are less than thirty of these Security Violations currently defined in the product, and this is an area that needs improvement if eTrust is to be brought in line with the IDS market leaders.

eTrust Intrusion Detection offers a number of other useful features that are not normally found in “traditional” IDS products, and these are covered by a number of other rule sets.

Content Inspection Rules are used to check for active HTML components and viruses in e-mail attachments, news group postings, FTP downloads and HTTP pages and binaries. In the Content Inspection Rules grid, the administrator can choose which components eTrust will search for, and the action that will be taken when one of these components is detected. eTrust Intrusion Detection also uses the InoculateIT scanning engine to detect and block network traffic containing computer viruses.

Figure 4 - Defining Content Inspection Rules

One of the more advanced features in this section of the product is the ability to monitor e-mail traffic, right down to the point of being able to read the messages themselves or compare message content against a list of key words and phrases. This may send shivers down the collective spines of many corporate Directors, who may not like the idea that the network administrator can simply lift any message – incoming or outgoing – off the wire.

Of course, Directors' e-mail could always be serviced by a separate segment not monitored by SessionWall or encapsulated within a VPN. Once you have set aside such fears, however, this capability can help to ensure that there are no corporate secrets, offensive material or mass mailing of CVs going out of the organisation.

URL Access Monitoring And Control Rules monitor and log access to sites that are deemed “unproductive” and have a specific rating. The administrator chooses which categories (e.g. games, dating services, gambling, sport) are not work-related and which sites eTrust Intrusion Detection will monitor based on their ratings. Four levels of extremity can be selected for sites categorised as violence, sex, nudity and language.

Finally, Monitor/Block/Alert Rules are used to log activity for all the protocols and to allow blocking of specific Web sites. eTrust can even be configured to block network games such as Doom and Quake automatically – a real killjoy package, this one! The administrator can view the logged and blocked events in the Tree Window.

Reporting and Analysis

The GUI interface is divided into three windows. The top left window is called the Tree Window, and displays a hierarchical tree of the logged or blocked sessions. Tabs along the bottom of this window allow the view to be sorted by services, clients, servers, rules or active sessions. Clicking on a session in the Tree Window brings up the details of that session in the View Window on the right-hand side of the screen.

Figure 5 - Monitoring alerts

While session details are being displayed, right-clicking the mouse button switches between viewing the data in the formatted and unformatted form (ASCII, EBCDIC and hexadecimal). In the View Window it is also possible to view a real-time network activity graph, enable/disable a rule, and create a blocking rule on the fly based on the contents of that particular event.

The final window at the bottom of the screen is called the Statistics Window. It displays statistics on the usage of protocols by clients and servers on the network, a log of the first time a station was detected using a specific protocol, a log of recent network activity, details of NT workstation users and a separate log of other services not included in the Tree Window.

Toolbar buttons for Security Violations and Alert Messages will flash if any alerts have been received and not yet displayed. Clicking on the buttons brings up the appropriate windows, and all the alerts are in plain English and are very easy to understand (some other IDS vendors should take note). In the Alert Messages window, right-clicking on an alert allows it to be cleared manually or for a wonderfully detailed description of the alert condition to be displayed. In the Security Violations window, right-clicking on a violation allows it to be cleared, or it can be marked to ignore that violation in future.

With all these windows and different views onto the same set of data, eTrust provides one of the best real-time monitoring systems of any IDS we have seen.

Although reports are obviously useful for detailed analysis, if you should ever come under attack it is essential to have a good real-time indication of what is happening. Very few IDS systems provide this at all, and none are as comprehensive as eTrust.

It is just as well that the monitoring is excellent, because the reporting is barely adequate – at least as far as intrusion detection is concerned. There are, in fact, a large number of pre-defined reports, but they betray the history of the product inasmuch as the majority of them relate to the general network and session monitoring and URL blocking capabilities.

There is an extensive set of reports covering such subjects as characterisation of protocols used, identification of services being used (e.g. specific Web sites, e-mail, FTP, Telnet, etc.) and a list of blocking situations which have occurred. However, only three reports relate directly to intrusion detection, covering Suspicious Network Activity, Suspicious Network Activity Over Time, and Detected Intrusions Per Server. A report scheduler provides the means to have key reports run automatically at regular intervals, and reports can be run against the current live data set or “snapshots” of archived data.

In typical Crystal Reports fashion the finished reports can be exported in a variety of data formats, including plain text, Word documents, HTML and so on. Data can also be exported for use in third-party reporting tools such as WebTrends or Telemate. A certain amount of customisation can be carried out on each report, but the basic content cannot be changed within eTrust, meaning we are limited to the three basic IDS reports until CA updates the product (although Crystal Reports would allow extensive customisation).

Figure 6 - The Suspicious Network Activity report

In most cases, however, those three – along with the excellent real-time monitoring – will get you by. You are unlikely to be able to perform much forensic analysis after the fact using eTrust, however.

Verdict

eTrust Intrusion Detection has a hard time of it in the IDS market place. It’s not that it isn’t a good product – it is – but it started life as a content analyser and URL blocker, and sort of drifted into intrusion detection because at its heart was a promiscuous mode engine that was adept at sniffing packets off the wire, comparing their contents with a database of rules and signatures, and taking appropriate action depending on what it found there.

True, it does work at a different layer of the protocol stack than some of its IDS competition, but its main fault, to be honest, is that as a pure IDS product it lacks some of the advanced features and refinements of its “thoroughbred” rivals. One thing that has improved in the past 12 months since we first looked at this product is the centralised management and reporting functionality. Version 1.5 (which will be reviewed fully in Edition 3 of our IDS Group Test report) provides the ability to manage the systems, distribute security policies, and monitor and respond to enterprise-wide events via a central console. It also includes a central event database repository, additional reports, and a distributable content viewer.

Where the current version excels is in the user interface and real-time monitoring and alerting capabilities that put many of the competition to shame. The on-screen displays of alerts and attacks are clear and well laid out, and a single click provides detailed descriptions. Where an on-screen display is not required, eTrust provides the widest range of remote alerting options we have seen in a product of its type. The rules definition interface cannot be faulted, and is probably one of the best known in the security industry thanks to the code base shared with FireWall-1. Adding your own custom signatures is also fairly straightforward.

Many organisations will buy eTrust IDS for its powerful content analysis and blocking capabilities, at which it excels, and accept the IDS functionality as a bonus. If you don’t think you need the power of the high-end IDS products, then eTrust will serve you well.

If you do need a full-blown IDS, you might still want to evaluate eTrust to run alongside it to perform all the functions that a “traditional” IDS cannot.

Contact Details

Product name: eTrust Intrusion Detection V1.4.5 (Build 10)
Company name: Computer Associates
Internet: http://www.cai.com

Address:
One Computer Associates Plaza
Islandia, NY 11749
Tel: +1 516-342-5224

UK Address:
Ditton Park, Riding Court Road
Datchet
Berkshire SL3 9LL
Tel:+44 (1)753 577733
Fax: +44 (1)753 825464


Copyright © 1991-2002 The NSS Group.
All rights reserved.