Intrusion Inc SecureNet Pro 4.0
Brief product description
Intrusion SecureNet Pro is a network intrusion detection system.
Architecture
Host/network/network node-based and a brief description of the
architectural elements (management/reporting servers, etc): Network intrusion
detection system starting with a sensor, which is usually sold as a bundled
appliance on Intrusion Inc. security appliances. The user may use the SecureNet
Pro Linux console which is included in the price of the sensor. For larger
deployments, Intrusion SecureNet Provider is a true three-tier, industry leading
NIDS data mining, monitoring, and reporting interface. The SecureNet Provider
middle tier manager runs on Windows 2000 server and uses Microsoft SQL2000 as
the database. The SecureNet Provider client runs on Windows 2000 professional.
At what layer of the protocol stack is the product working?
The product implements an end-node-centric protocol stack from Layer 2
- Layer 7. The protocol stack can be configured to emulate the behaviour of any
given host on the network. In addition, the protocol stack also allows for
different types of hosts to be emulated simultaneously.
Documentation
Documentation includes a printed getting started guide with the CDs.
Additionally, there is a robust, indexed user's guide included with the software.
The Intrusion Inc. web site also offers tech notes and white papers to support
the deployment and decision-making regarding the NIDS.
What are the minimum/recommended console OS and hardware requirements?
The software for Intrusion SecureNet Pro sensor and console has the
following system requirements.
Minimum 566 Celeron II
128MB RAM
10GB hard drive
Red Hat Linux 6.2
CD-ROM, keyboard, video and mouse for local management
Is a dedicated machine required/recommended?
Sensor and console may be placed on the same PC. For maximum
performance, sensor and console should be placed on separate PCs.
Will it work on Windows 2000?
Monitoring and reporting from Windows 2000 is a feature of the
Intrusion SecureNet Provider add-on to SecureNet Pro.
What are the minimum/recommended agent OS and hardware requirements?
The agent in this case is the network sensor for Intrusion SecureNet
Pro. The software for Intrusion SecureNet Pro sensor and console has the
following system requirements.
Minimum 566 Celeron II
128MB RAM
10GB hard drive
Red Hat Linux 6.2
CD-ROM, keyboard, video and mouse for local management
Is a dedicated machine required/recommended?
Sensor and console may be placed on the same PC. For maximum
performance, sensor and console should be placed on separate PCs.
Will it work on Windows 2000?
Monitoring and reporting from Windows 2000 is a feature of the
Intrusion SecureNet Provider add-on to SecureNet Pro.
What components are installed on a detector
The Intrusion SecureNet Pro sensor is a Linux daemon installed on the
Red Hat Linux 6.2 PC with the Turbo Packet kernel modification compiled into the
kernel proper.
Which network types are supported
Intrusion SecureNet Pro is available as software for 10/100Mb/s
Ethernet. Intrusion SecureNet Pro is also available on a range of 100Mb/s
bundled appliances from Intrusion Inc. Intrusion Inc. also sells a Gigabit
network intrusion detection bundled solution, Intrusion SecureNet Gig.
Any specific recommendations for monitoring Gigabit networks with your product?
Intrusion SecureNet Gig is a single, 1U high, dual processor
appliance capable of monitoring Gigabit networks with all signatures enabled and
no global filtering required. For certain types of networks, tuning is required
to maintain optimal performance.
Which OS platforms are actively monitored?
Both Windows and UNIX platforms are monitored simultaneously.
Can sensors/detectors be deployed and configured initially from a central console?
No
Once deployed and configured, can sensors/detectors be managed from a central console?
Yes, Intrusion SecureNet Pro sensors may be centrally managed on a
many-to-many basis from the SecureNet Pro Linux console.
Authentication between console and engines? What algorithm/key lengths?
Authentication between console and sensor uses shared secret user
authentication and allows DES, 3DES and Blowfish encryption with MD5 message
authentication. SecureNet Provider uses x.509 certificate based authentication
and Blowfish encryption.
Secure logon for policy management?
Yes, via SSH.
How are policies distributed to engines?
When software is used, policy updates are manually FTP'd to the PC
and installed using Linux standard RPMs or manually installed. Intrusion
SecureNet bundled appliances have a live update feature via APT-RPM architecture
which allows security professionals to set a cron-job to automatically check,
compare, install and reboot if necessary when new policy RPM files are
available.
How are policy changes handled?
With version 4.0 of SecureNet Pro, the signature pack version is
available in the Provider client to flag the security professional of
mismatches.
How many attack signatures?
Intrusion SecureNet Pro currently includes 469 context analysis
signatures. An additional 900+ string matching signatures are available at the
Intrusion Inc. SecureNet OpenSource Signature Centre on the Intrusion Inc. web
site.
Can the administrator define custom attack signatures?
Yes, Intrusion SecureNet Pro allows the security professional to
create both string matching (network grep) as well as more accurate context
analysis, scripted signatures.
How are new attack signatures obtained and deployed?
Using Intrusion SecureNet Pro software, attack signatures are
downloaded from Intrusion Inc. as Linux RPM files. When Intrusion SecureNet
bundled appliances are used, the Intrusion Pilot management software provides
live update functions to automatically compare installed RPM files with those in
an enterprise local or the Intrusion Inc. APT directory, and if a newer RPM is
found it will automatically be installed.
Frequency of signature updates?
Intrusion Inc. provides context analysis signature RPM files on a
monthly basis,
Provide dates of all updates in the last year.
A signature pack has been released on the last Friday of the month
for the last five months. Signatures for emergent needs are posted to the
Intrusion Inc. signature centre at www.intrusion.com. Additionally, the
OpenSource signature centre accepts postings from the Intrusion Inc.
development, product management and security engineering teams, partners,
customers and enthusiasts.
What infrastructure do you have behind the signature update process
Intrusion Inc. has a dedicated signature team which is currently ten
people. The team does not have a unique brand.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
Using the software version of Intrusion SecureNet Pro, signatures may
be downloaded individually to the sensors on a manual, one-to-one basis.
Intrusion SecureNet bundled solutions make it possible to create an internal,
central APT-RPM HTTP or FTP site which sensors may be set to check via a cron-job.
When new packages are added to the APT-RPM directory the sensors will
automatically install it if the package is newer than what is installed on the
appliance.
Can signature updates be scheduled and fully automated?
Only on appliances (not SecureNet Pro 4.0 software-only)
What network protocols are analysed?
Ethernet, IP, TCP, UDP, ICMP.
What application-level protocols are analysed?
HTTP 0.9/1.0/1.1, DNS TCP/UDP, Finger, FTP, IDENT, IRC, MSTREAM,
NetBIOS, NNTP, POP3, Portmapper TCP & UDP Client & Server, Rlogin, SMTP,
SSH 1 & 2, Telnet, BackOrifice, TFTP.
Can the product perform protocol decodes?
Yes, Intrusion SecureNet Pro has extensive decodes for 26 modules
which include user-mode protocols, categorical protocols and attack types.
Can the product perform session recording on suspect sessions?
Yes, Intrusion SecureNet Pro can automatically binary-record
sessions, providing VCR-playback including the element of time.
Block/tear down session?
Yes, Intrusion SecureNet Pro allows TCP-resets as an action for
signatures - sending resets to both attacker and victim, spoofing the other so
that SecureNet Pro stays invisible to the network.
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server?)
Yes, Intrusion SecureNet Pro's extensive use of protocol decodes
makes it an especially powerful tool for monitoring network events and can track
connections under any protocol with a decode.
Monitor changes in critical system files?
NA
Monitor changes in user-defined files?
NA
Monitor changes in Registry?
NA
Monitor unauthorised access to files?
NA
Monitor administrator activity (creation of new users, etc)?
Though this is typically a function on HIDS, Intrusion SecureNet Pro
allows the creation of signatures that could monitor the network traffic that
would indicate administrator activity that is suspicious.
Monitor excessive failed logins?
Yes, Intrusion SecureNet Pro has signatures which will flag excessive
failed logins as suspicious activity.
List any other resources/locations that are monitored.
NA
Track successful logins, monitoring subsequent file activity, etc?
Though not recommended as an automated process, Intrusion SecureNet
Pro is capable of being configured to track all network traffic from a specific
IP pair after a network event, like a successful login, triggers the action.
Detect network-level packet based attacks?
Yes. Since these types of signatures must inspect every packet,
system performance degrades when using these types of signatures.
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes, Intrusion SecureNet Pro includes signatures for all of these
port scans and many more.
Detect and report on nmap OS fingerprinting?
Not currently supported.
Perform packet reassembly? Resistance to known IDS evasion techniques?
Yes, Intrusion SecureNet Pro does IP packet reassembly as well as TCP
session reconstruction. In addition, Intrusion SecureNet Pro goes further to do
multi-path reassembly: handling both Windows and UNIX simultaneously.
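The following is an added example, not Intrusion Inc. code and not part of the original questionnaire. It illustrates why a sensor that emulates several host types at once, as described for the protocol stack and for multi-path reassembly above, has to reassemble overlapping data under more than one policy; the policy names "first" and "last", the sample fragments and the signature string are assumptions constructed for the illustration.

```python
# Added illustration: policy names and sample data are constructed, not taken
# from SecureNet Pro.
POLICIES = ("first", "last")

def reassemble(fragments, policy):
    """Rebuild a byte stream from (offset, data) fragments in arrival order.

    "first": a byte position keeps the data that arrived first.
    "last":  data arriving later overwrites what is already buffered.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    stream = {}
    for offset, data in fragments:
        if offset < 0:
            raise ValueError("negative offset")
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    # Refuse to guess at missing bytes: a gap means the stream is incomplete.
    if len(stream) != (max(stream) + 1 if stream else 0):
        raise ValueError("incomplete stream: gap between fragments")
    return bytes(stream[pos] for pos in range(len(stream)))

def matching_policies(fragments, signature):
    """Return the policies under which the reassembled stream holds signature."""
    return [p for p in POLICIES if signature in reassemble(fragments, p)]

# Constructed sample: two fragments claim offsets 9-14 with different content.
SAMPLE = [
    (0, b"GET /etc/"),
    (9, b"motd!!"),
    (9, b"passwd"),
    (15, b" HTTP/1.0"),
]
SIGNATURE = b"/etc/passwd"

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, reassemble(SAMPLE, policy))
    print("signature seen under:", matching_policies(SAMPLE, SIGNATURE))
```

A sensor that applied only the "first" policy would report nothing for this sample, while a host that lets later data overwrite earlier data would receive the signature string.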
Reconfigure firewall? If so, which firewall(s) and how?
No, Intrusion SecureNet Pro is currently being evaluated under the
Check Point OPSEC program for log-file compatibility.
Option to record everything for "forensic" investigation? Where is this data stored?
How is it secured from tampering?
Yes. Individual signatures can be configured to log entire packets
after the signature has been triggered. In addition, a generic "TCP
Session" signature can be used to record all sessions or sessions between
particular hosts.
Reporting from engine to console - range of action/alert options
Intrusion SecureNet Pro allows alerts to be sent as customisable SMTP,
or SNMP. SMTP alerts use a template that can send any user defined or event
information to any email address for pager, telephone or email alert. SNMP v1
alerts are sent to any SNMP management system. Actions include logging,
recording or TCP reset when the event is triggered.
What provision is made for temporary communications interruption between detector and console?
Where are alerts stored?
Is the repository secure?
When connectivity between the sensor and console is lost, the sensor
stores the data locally until the connection is re-established, at which time the
data is then resynchronised.
Can alerts be reported to the central console in real time without the use of third party software?
How easy is it to filter and extract individual events?
Yes, Intrusion SecureNet Pro allows the real-time reporting of events
using the native console application. Filtering can store data in the database
but not display it in the console, and the console allows additional filtering
to show data by severity, or by sensor. Additional capabilities are available in
the Intrusion SecureNet Provider client that allows viewing of data via
configurable tree view - allowing the almost instantaneous drill down on
individual events from any event parameters. SecureNet Provider also allows data
to be sorted with the event view, with Microsoft Outlook like tools for data
presentation and ascending or descending sorting with just a click.
Does the software offer advice on preventative action to ensure the attack does not happen again?
Yes, Intrusion SecureNet Pro signatures provide editable resolution
information along with bugtraq and CVE numbers, an event description, specific
trigger information, and potential causes for false positives.
Integration with other scanning/IDS products?
No
Log file maintenance - automatic rotation, archiving, reporting from archived logs, etc.
Yes. Local archiving on the sensor is aged out as new events are
found.
Management reporting - range of reports/custom reports/how easy is it to filter and extract detail?
Different reports for technicians and management/end users?
Yes, Intrusion SecureNet Pro provides a range of reports for
different levels of detail. Additional reporting capabilities are available with
Intrusion SecureNet Provider which uses Microsoft Access as the completely
extensible reporting engine, where there are templates for executive reports, IT
reports and security reports.
Report management - can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Yes, Intrusion SecureNet Pro can publish directly to RTF and HTML
format for scheduled emailing or web publishing.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector
Reports are filterable by sensor.
Define custom reports?
Yes. Custom reports written in MS Access integrate directly into the
Console.
How is it licensed? How is the license enforced?
License enforcement is by sensor. A License key file is obtained from
Intrusion Inc. and is placed on the sensor. The Linux Console and the Windows
based Provider Manager enforce sensor licensing.
End user pricing information
Intrusion SecureNet Pro software $6,995USD
Intrusion SecureNet 2345 $8,495USD
Intrusion SecureNet 5145 $8,495USD
Intrusion SecureNet 5345 $9,995USD
Intrusion SecureNet 5545 $11,995USD
Intrusion SecureNet Gig $39,995USD
Intrusion SecureNet Provider starting at $9,995USD
Ongoing cost of maintenance/updates
Bronze maintenance 20% SRP
Silver maintenance 25% SRP
Gold maintenance 39% SRP