
CA eTrust Intrusion Detection v1.4.5

Brief product description
Network Based Session Sniffer with wide range of capabilities. 3rd generation firewall

Architecture
Single engine. Enterprise management components also available.

At what layer of the protocol stack is the product working?
Layer 2 / MAC

Documentation
It's on the CD

What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Win NT, Win2000, PII 500MHz min. depending on size of network and traffic. Dedicated machine always recommended.

What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Win NT, Win2000, PII 500MHz min. depending on size of network and traffic. Dedicated machine always recommended.

What components are installed on a detector (i.e. Windows NT packet driver, NT service, Linux daemon, etc)

EID, sw3servc service, Sandis.rv driver

Which network types are supported?
TR, 10/100 Ethernet, FDDI

Any specific recommendations for monitoring Gigabit networks with your product?
Spread load across multiple agents and collectively manage through console manager

Which OS platforms are actively monitored?
Any that uses TCP/IP including Mac OS

Can sensors/detectors be deployed and configured initially from a central console?
Must be installed at collector manually or via remote control and can be configured via Central.

Once deployed and configured, can sensors/detectors be managed from a central console?
Yes

Authentication between console and engines – Is it available? What algorithm/key lengths?
Yes, Blowfish 128 Bit

Secure logon for policy management?
Yes

How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
Manually

How many attack signatures?
Over 300

Can the administrator define custom attack signatures?
Yes

How are new attack signatures obtained and deployed?
Automatic download from website. Usually over 10 per update

Frequency of signature updates? Provide dates of all updates in the last year.
Minimum once a month. No dates.

What infrastructure do you have behind the signature update process (i.e. dedicated team of engineers? How many? Does it have a name?)
CA, CVE and Bugtraq

Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
Yes.

Can signature updates be scheduled and fully automated?
No.

What network protocols are analysed?
TCP/IP

What application-level protocols are analysed?
None, unless it passes through a NIC over a TCP/IP port.

Can the product perform protocol decodes?
No

Can the product perform session recording on suspect sessions?
Yes

Block/tear down session?
Yes

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server?)
Yes

Monitor changes in critical system files?
No

Monitor changes in user-defined files?
No

Monitor changes in Registry?
No

Monitor unauthorised access to files?
No

Monitor administrator activity (creation of new users, etc)?
No

Monitor excessive failed logins?
No

List any other resources/locations that are monitored.
Anything that’s network based and using TCP/IP

Track successful logins, monitoring subsequent file activity, etc?
No

Detect network-level packet based attacks?
Yes

Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes

Detect and report on nmap OS fingerprinting?
Yes

Perform packet reassembly? Resistance to known IDS evasion techniques?
Yes

Reconfigure firewall? If so, which firewall(s) and how?
FW-1, CA FW

Option to record everything for “forensic” investigation? Where is this data stored? How is it secured from tampering?
Yes, SALOG, Proprietary Encryption

Reporting from engine to console - range of action/alert options (detail these)
Unknown

What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
Yes, it’s secure. Auto-Reconnect

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
Yes, relatively easy

Does the software offer advice on preventative action to ensure the attack does not happen again?
Very good advice. CVE

Integration with other scanning/IDS products?
No

Log file maintenance – automatic rotation, archiving, reporting from archived logs, etc.
Yes, workspace switching

Management reporting – range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
Many canned reports, easy to customize and add new reports. Yes.

Report management – can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Yes, via Report Scheduler

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector
Yes, via LogView and LogView Browser

Define custom reports?
Yes

How is it licensed? How is the license enforced?
Concurrent Sessions. It will not monitor any more sessions above model limit.

End user pricing information
(Not supplied)

Ongoing cost of maintenance/updates
(Not supplied)


Copyright © 1991-2002 The NSS Group.
All rights reserved.