CyberSafe Centrax 2.4
Brief product description
Centrax is a comprehensive hybrid intrusion detection system offering host- and network-based intrusion detection and response for enterprise networks. Centrax gives you the power to monitor hundreds of Microsoft Windows 2000, Microsoft Windows NT, Sun SparcStation Solaris, IBM AIX, and Hewlett-Packard HP-UX targets in your network for security assessment, misuse detection, and response.
Architecture
Host/network/network node-based, and a brief description of the architectural elements (management/reporting servers, etc)
The Centrax product is comprised of a Command Console and one or more Target Agents. A Target Agent may be either a host-based Agent, which resides on each workstation or server you want to monitor; a network Agent, which sits anywhere on a network segment you want to monitor; or a network node Agent, which watches network packets destined to or from a mission-critical host.
At what layer of the protocol stack is the product working?
Centrax works at the application layer for host-based Agents and at the network layer for network-based and network node Agents.
Documentation
"Getting Started"? Admin/Reference Guide? On-line or hard copy? Supplemental information available on-line?
The Centrax Users Guide, available on-line, is a comprehensive guide to the product which includes topics covering the areas mentioned above.
What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Software
Microsoft Windows NT Server or Workstation Version 4.0, Service Pack 6A or later; or Windows 2000
Microsoft Data Access Components (MDAC) version 2.5 (Windows NT only; provided during the Centrax installation process if not already installed)
Hardware
550 MHz Pentium processor computer
800 x 600 (minimum) VGA display
256 MB RAM
256 MB virtual memory
20 MB available disk space, plus additional space for collecting and storing alerts in the log database
CD-ROM drive
Optional: SCSI hard disk (to provide faster disk access)
We recommend that you install the Centrax Command Console on a standalone Windows NT/2000 server, not on a Primary Domain Controller (PDC) or Backup Domain Controller (BDC). For larger enterprise deployments, the Centrax console benefits from additional processing and memory power.
What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
OS requirements for Windows 2000 and Windows NT agents
Microsoft Windows NT Workstation or Server Version 4.0, Service Pack 3 or later; or Windows 2000
Windows Packet Filter required for NID and NNID agents (included on the installation CD)
We recommend that a dedicated machine be used for Network ID, although this is not required for Network Node ID.
Hardware requirements for Windows 2000 or NT agents
200 MHz Pentium processor computer (minimum)
800 x 600 (minimum) VGA display (required when installing the Target Service)
64 MB RAM
128 MB virtual memory
32 MB available disk space (maximum Event Log size)
CD-ROM drive (if the Target Service is to be installed via CD-ROM)
3½" disk drive (if the Target Service is to be installed via diskette)
For desktop computers, PCI Ethernet or PCI Fast Ethernet card (NID and NNID)
For laptop computers, CardBus (32-bit) PCMCIA network interface card (NID and NNID)
OS requirements for Solaris agents
Solaris 2.51, 2.6, 7.0, or 8.0 with all current patches applied
Hardware requirements for Solaris agents
Sun Microsystems SparcStation
Display and memory suitable to run Solaris
3 MB available disk space
/var/audit set for 500 MB (estimated requirement based on collecting audit data four times per day)
OS requirements for AIX agents
AIX 4.2.1 or 4.3.2 with all current patches applied
Hardware requirements for AIX agents
IBM RS/6000, or equivalent
Display and memory suitable to run AIX
3 MB available disk space
/var/audit set for 500 MB (estimated requirement based on collecting audit data four times per day)
OS requirements for HP-UX agents
HP-UX 10.20 or 11.0 with all current patches applied
Hardware requirements for HP-UX agents
Hewlett-Packard HP9000 workstation, or equivalent
Display and memory suitable to run HP-UX
3 MB available disk space
/var/audit set for 500 MB (estimated requirement based on collecting audit data four times per day)
Tripwire Requirements
What components are installed on a detector?
Services running on the command console (Windows 2000 or Windows NT):
Detection Service
Scheduler Service
Target Service
Real-time Service (optional)
Network or Network Node Service (optional)
The Network and Network Node Services also require that the Windows Packet Filter protocol, included on the product CD, be installed as a prerequisite.
Services running on the agents (Windows 2000 or Windows NT):
Target Service
Real-time Service (optional)
Network or Network Node Service (optional; requires the WPF protocol as above)
Daemons running on the agents (Sun Solaris, AIX, HP-UX):
Target daemon
Real-time daemon (optional)
Which network types are supported?
Centrax network-based IDS agents support 10/100 Ethernet; network node agents support > 100 MB/s Ethernet networks.
Any specific recommendations for monitoring Gigabit networks with your product?
We recommend installing network node agents for networks > 100 MB/s.
Which OS platforms are actively monitored?
Windows 2000, Windows NT, AIX, Sun Solaris and HP-UX.
Can sensors/detectors be deployed and configured initially from a central console?
Target installation images are built at the console for all agents. Windows 2000 and Windows NT agents are usually deployed by connecting to a network share at the console and running the setup program. For Unix agents, the installation directory needs to be copied to the host, where the setup program is then executed. Agents can also be deployed using SMS in Microsoft networks.
Once deployed and configured, can sensors/detectors be managed from a central console?
Yes.
Authentication between console and engines: is it available? What algorithm/key lengths?
All transmissions of audit policies, collection policies, and counter-measure responses between the Management Console and Target Agents are encrypted. Authentication between the console and the agents uses a shared-key mechanism encrypted with triple-DES at 128 bits by default, though the quality of protection may be set to lesser encryption algorithms.
Secure logon for policy management?
This capability is provided by a separate CyberSafe secure single sign-on solution called ActiveTRUST.
How are policies distributed to engines?
Policies are distributed either by selecting one or more agents in the command console GUI and right-clicking on the Apply Policy button, or in a "hands-free" automated fashion using the built-in scheduler for audit policy deployment.
How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
All target machines affected by the change are detected automatically by the central command console, which then offers the option to deploy the new policy on a per-agent basis or to all affected agents.
How many attack signatures?
Centrax comes with a library of over 770 host-based signatures for Windows NT/2000, Solaris, AIX, and HP-UX, and over 116 network-based signatures for TCP/IP networks. Each of these signatures is highly customisable by file, user, and individual computer, creating a virtual library of effectively unlimited size.
Can the administrator define custom attack signatures?
Centrax provides the capability to define and customise detectable patterns of misuse. In addition, CyberSafe is always willing to design attack signatures to a customer's specifications for their use.
How are new attack signatures obtained and deployed?
The Centrax Network Signature Update is available for updating network attack signatures from the CyberSafe web site.
Frequency of signature updates? Provide dates of all updates in the last year.
(Not supplied)
What infrastructure do you have behind the signature update process?
Centrax signatures are developed by CyberSafe's Security Research Group (SRG).
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
Centrax Network Signature Updates can be downloaded to the local network once and deployed using the Centrax policy management capabilities.
Can signature updates be scheduled and fully automated?
This is in the product roadmap for a future release.
What network protocols are analysed?
The TCP/IP protocol is analysed by Centrax.
What application-level protocols are analysed?
Centrax monitors application services such as HTTP, Telnet, FTP, SMTP, POP3, IMAP, Rlogin, Shell, Portmapper, NIS, PCNFS, AdminD, Selection Service, Statd, YPUpdateD, Rwho, Talkd, TFTP, Finger, DNS and dfstab files on Solaris.
Can the product perform protocol decodes?
Centrax is currently incapable of performing this function.
Can the product perform session recording on suspect sessions?
No.
Block/tear down session?
Yes.
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
Yes.
Monitor changes in critical system files?
Yes.
Monitor changes in user-defined files?
Yes.
Monitor changes in Registry?
Yes.
Monitor unauthorised access to files?
Yes.
Monitor administrator activity (creation of new users, etc)?
Yes.
Monitor excessive failed logins?
Yes.
List any other resources/locations that are monitored.
For host-based intrusion detection, Centrax strictly monitors operating system audit logs. In addition, TCP/IP traffic is monitored as a means of performing network-based intrusion detection.
Track successful logins, monitoring subsequent file activity, etc?
Yes. Centrax hosts can monitor the authentication activities of all users. All user logon and logoff activity on a Centrax host can be recorded on a per-user basis.
Detect network-level packet-based attacks?
Yes.
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes.
Detect and report on nmap OS fingerprinting?
Yes.
Perform packet reassembly? Resistance to known IDS evasion techniques?
This is part of the product roadmap for release in 2001.
Reconfigure firewall? If so, which firewall(s) and how?
Through the custom response mechanism in Centrax, firewalls can be reconfigured using user-defined scripts which invoke responses particular to the predetermined scenario.
Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Yes. Centrax stores the information locally on the target until it is transmitted to the Command Console. As previously mentioned, this transmission is secure. While the information is stored on the targets, it is secured by NT's inherent functionality, as the event logs cannot be modified. Additionally, on UNIX machines the logs are all C2 logs, so they too cannot be subverted. Finally, Centrax monitors all of its agents to alert if they are being compromised or if the audit data is under attack.
Reporting from engine to console: range of action/alert options (detail these)
When an activity signature is detected, notifications can be triggered automatically.
Alerts: MAPI/SMTP mail, pager (via TAPI), SNMP
Responses: log off user, disable user account, shut down machine, terminate connection, initiate Tripwire scan, custom responses
What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
Communication loss between detector and console is highlighted at the console. In the event of a communications interruption, alerts are queued at the detector until communications are re-established. It is also possible to establish a fail-over console should the primary console fail.
Can alerts be reported to the central console in real time without the use of third-party software? How easy is it to filter and extract individual events?
Centrax offers both batch and real-time alerting as part of the core components. The alert filter built in to the product can be used to extract and filter alerts by agent/detector, user, priority, time period and number of alerts.
Does the software offer advice on preventative action to ensure the attack does not happen again?
Yes. Each alert displayed at the console offers advice and actions for preventative measures: Centrax provides a natural-language description and suggested corrective actions for each security configuration element and signature that it detects.
Integration with other scanning/IDS products?
Yes: Tripwire 2.2.1.
Log file maintenance: automatic rotation, archiving, reporting from archived logs, etc.
Centrax's Audit Policy Management provides the ability to define, deploy, and maintain global, enterprise-wide, heterogeneous security through the use of native operating system auditing. The management of audit policies, which includes the definition, deployment, and subsequent maintenance of these policies, is governed from a central location, the Centrax Command Console. All audit logs are collected and deposited at a central point. Housekeeping utilities for automatic rotation and archiving of raw audit trails are also provided on the product CD. Centrax also provides database utilities for database archival and compaction, and archive reporting tools.
Management reporting: range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
Centrax 2.4 includes an extensive reporting capability that allows the user to perform forensic analysis of evidentiary audit trails. Centrax software contains a built-in report generator for accessing intrusion detection data and generating customised reports. These reports can be automatically edited through the use of our report generator.
Report management: can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Reporting can be fully automated using the Centrax scheduler. Reports can be published straight to a Web site, sent to a printer or file, or formatted into many different formats including MS Word, Excel and CSV, amongst many others.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
The reporting mechanism consolidates information from every server and detector, regardless of operating system and configuration.
Define custom reports?
Centrax publishes the database schema so that users can build their own custom reports and queries. Using the GUI at the console, users can build their own customised reports by user(s), host(s), activity(s) and event(s), which can then be saved as templates for either manual use or automated use via the built-in scheduler.
How is it licensed? How is the license enforced?
Centrax is licensed at the console only. Licensing is based on both time and the number of agents with which the console communicates. Time is only enforced during demo periods. It is not necessary to reinstall any license keys on distributed target agents.
End user pricing information
Centrax 2.4 Command Console, 1 license: £2,500.00
Centrax 2.4 Command Console, 2-4 licenses: £1,495.00
Centrax 2.4 Command Console, 5+ licenses: £995.00
Centrax 2.4 Server Target, 1-25: £800.00
Centrax 2.4 Server Target, 26-50: £750.00
Centrax 2.4 Server Target, 51-100: £700.00
Centrax 2.4 Server Target, 101-250: £650.00
Centrax 2.4 Server Target, 251-500: £600.00
Centrax 2.4 Server Target, 501-1000: £550.00
Centrax 2.4 Server Target, 1000+: £500.00
Centrax Network Target:
Centrax 2.4 Class B Network License: £7,500.00
Centrax 2.4 Class C Network License: £2,500.00
Ongoing cost of maintenance/updates
Maintenance is 20% per year and includes phone support and updates.