ISS RealSecure

Brief product description
RealSecure provides a comprehensive intrusion detection solution by combining host- and network-based intrusion detection into a single platform. RealSecure uses a standards-based approach, comparing network traffic and host log entries to the known and likely methods of attackers. Suspicious activities trigger administrator alarms and other configurable responses.

Architecture – Host/network/network node-based and a brief description of the architectural elements (management/reporting servers, etc).
RealSecure uses a distributed architecture. Network and host-based sensors perform filtering and monitoring functions on a given network segment or host computer. Consoles display events passed from the sensors, manage the individual sensors, and provide a centralized database for collecting event information, together with reporting capabilities.

At what layer of the protocol stack is the product working?
Network Sensor: The Network Sensor works at the lowest layer, grabbing raw packets directly off the card, making it completely independent of the TCP/IP stack of the host system for interpretation of the packets being analysed. You can unbind TCP/IP from the card you are monitoring to run in "stealth mode", and we recommend this for ultra-secure operation.

Server Sensor: The Server Sensor analyses some packets at the same low layer as the Network Sensor, right as they come off the network. This is for malformed packet attacks and denial of service attacks. However, most of the signatures are applied at a fairly high level in the stack, after reassembly has taken place. This has the advantage that we know the results of reassembly EXACTLY the way the target will interpret them.

Documentation
RealSecure comes with a Getting Started Guide, a User's Guide, and a Signature Reference Manual. These are available on-line and in hard copy.

What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Minimum Processor: Intel Pentium II 300 MHz.
Operating System: Windows NT 4 Workstation with SP6a recommended (SP3 – SP6a supported).
Memory: 256MB recommended (128MB minimum).
Disk Space: 100MB per sensor managed from console.
Dedicated system recommended.
The console works on Windows 2000 and will be officially supported in Q4 of 2000.

What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
System Requirements for Windows NT Network Sensor
Minimum Processor: Intel Pentium II 300 MHz.
Operating System: Windows NT 4 Workstation with SP6a recommended (SP3 – SP6a supported).
Memory: 128MB minimum (256MB recommended).
Disk Space: 150MB.
NIC: PCI adapter capable of promiscuous mode.
Dedicated system required.

The Network Sensor works on Windows 2000 and will be officially supported in Q4 of 2000.

System Requirements for Solaris SPARC Network Sensor
Platform: UltraSPARC 2.
Operating System: Solaris SPARC 2.6 or Solaris SPARC 7.
Memory: 128MB Minimum (256MB recommended).
Disk Space: 150MB.
NIC: Sbus or PCI adapter capable of promiscuous mode.
Dedicated system required.

System Requirements for Server Sensor and OS Sensor for Windows NT
Operating System: Microsoft Windows NT 4.0 SP3 (SP6a recommended)
Memory: 64MB
Disk Space: 50MB
Dedicated system not required.
Will run on Windows 2000 and will be officially supported in Q4 of 2000.

System Requirements for Server Sensor and OS Sensor for Solaris SPARC
Operating System: Solaris SPARC 2.6 and Solaris SPARC 7
Disk Space: 50MB
Dedicated system not required.

System Requirements for OS Sensor for IBM AIX
Operating System: AIX 4.3.2 or AIX 4.3.3
Disk Space: 50 MB
Dedicated system not required.

System Requirements for OS Sensor for HP-UX
Operating System: HP-UX 11.x
Disk Space: 50 MB
Dedicated system not required.

What components are installed on a detector?
The Windows NT Network Sensor runs as a service and uses a Windows NT packet driver.

The Solaris Network Sensor runs as a daemon.

Which network types are supported?
RealSecure operates on Ethernet networks (10 Mbps), Fast Ethernet networks (100Base-T only, 100 Mbps), FDDI (100 Mbps), and Token Ring networks (4 Mbps to 16 Mbps on NT only).

Any specific recommendations for monitoring Gigabit networks with your product?
Multiple RealSecure Network Sensors connected to a Top Layer AppSwitch will monitor a Gigabit network.

Which OS platforms are actively monitored?
The host-based Server and OS Sensor have been ported to NT, Solaris, AIX and HP-UX. Network Sensor runs on NT and Solaris but protects your entire network.

Can sensors/detectors be deployed and configured initially from a central console?
Sensors are deployed manually and initially configured from the central console.

Once deployed and configured, can sensors/detectors be managed from a central console?
Yes. RealSecure Sensors are controlled and managed from a central console.

Authentication between console and engines – Is it available? What algorithm/key lengths?
Yes. Authentication is available between the console and sensors and is based on public key exchange. RealSecure uses Certicom's 239-bit elliptic curve public-key technology for UNIX and NT Sensors. Additionally, on NT you may also use encryption algorithms called through Microsoft's Cryptographic API, which will use whatever encryption technology is available through that API. Microsoft's default CSP is based on RSA technology and provides 512-bit or 1024-bit public encryption keys.

Secure logon for policy management?
Yes. The RealSecure Console handles Policy Management. The management capabilities of the Console are only accessible to the user who initially installed the Console.

How are policies distributed to engines?
Policies are pushed from the Console to the individual sensors over a secure channel.

How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
Policy changes are enacted at the console and are manually pushed down to the individual sensors.

How many attack signatures?
RealSecure has over 430 attack signatures.

Can the administrator define custom attack signatures?
Yes. RealSecure provides the ability to define custom attack signatures.

How are new attack signatures obtained and deployed?
ISS X-Press Updates provide new signatures for RealSecure Sensors. These updates are downloaded from a secure web site and are deployed to the sensors from the console.

Frequency of signature updates? Provide dates of all updates in the last year.
ISS has released three X-Press Updates since the capability was added to RealSecure in June 2000.

1.1 on July 7, 2000 added SubSeven_Scan

1.2 on August 3, 2000 updated existing signatures only

1.3 on September 29, 2000 added 31 new signatures

What infrastructure do you have behind the signature update process
The ISS X-Force is a dedicated team of over 60 security experts researching and coding new signatures for RealSecure.

Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
Signature update files are downloaded to the console machine and deployed to the sensors from the console.

Can signature updates be scheduled and fully automated?
No.

What network protocols are analysed?
The Network Sensor can filter and monitor any TCP/IP protocol.

What application-level protocols are analysed?
RealSecure can interpret web, e-mail, file transfer, remote login, chat, talk and a host of other network services. In addition, the Network Sensor can monitor and decode Microsoft CIFS/SAMBA traffic for Windows networking environments.

Can the product perform protocol decodes?
Yes. RealSecure performs protocol decodes for UDP, TCP, and ICMP.

Can the product perform session recording on suspect sessions?
Yes. RealSecure Network Sensors offer the ability to record the raw, binary content of an entire network session. This data is stored in a log file and can be replayed through the Workgroup Manager interface. It is played back exactly as it was received, keystroke for keystroke, so that the administrator can see how the attack or session unfolded.

Block/tear down session?
Yes. The RealSecure Server Sensor will block/tear down sessions.

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server?)
RealSecure provides the ability to define and monitor connection events based on protocol (TCP, UDP, ICMP), source port, destination port, source IP address, and/or destination IP address.
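As an added illustration (not RealSecure's own code) of the user-defined connection events described above: each rule names a protocol, addresses and ports, any field left as None matches anything, and the matcher is run over a few constructed connection log lines. The log format, addresses and rule names are assumptions made for the example.

```python
# Added example, not RealSecure code: a user-defined connection event of the kind
# described above. Any rule field left as None matches anything. The log line
# format, addresses and rule names below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionRule:
    name: str
    proto: Optional[str] = None      # "TCP", "UDP" or "ICMP"; None = any
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None   # ICMP records carry no ports (None)
    dst_port: Optional[int] = None

    def matches(self, event: Dict[str, object]) -> bool:
        for field in ("proto", "src_ip", "dst_ip", "src_port", "dst_port"):
            wanted = getattr(self, field)
            if wanted is not None and event.get(field) != wanted:
                return False
        return True


def parse_connection(line: str) -> Dict[str, object]:
    """Parse a constructed record such as 'TCP 192.0.2.10:40321 -> 192.0.2.50:21'
    or, for a protocol without ports, 'ICMP 192.0.2.10 -> 192.0.2.50'."""
    proto, endpoints = line.split(None, 1)
    src, dst = (part.strip() for part in endpoints.split("->"))

    def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
        host, sep, port = ep.rpartition(":")
        return (host, int(port)) if sep else (ep, None)

    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {"proto": proto.upper(), "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def connection_events(rules: List[ConnectionRule], lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, log line) for every line that some rule matches."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_connection(line)
        hits.extend((rule.name, line) for rule in rules if rule.matches(event))
    return hits


# Constructed rules: FTP to one file server, and any ICMP reaching it.
RULES = [
    ConnectionRule("ftp-to-fileserver", proto="TCP", dst_ip="192.0.2.50", dst_port=21),
    ConnectionRule("icmp-to-fileserver", proto="ICMP", dst_ip="192.0.2.50"),
]
SAMPLE_LOG = [
    "TCP 192.0.2.10:40321 -> 192.0.2.50:21",   # matches the FTP rule
    "TCP 192.0.2.10:40322 -> 192.0.2.51:21",   # wrong destination host
    "UDP 192.0.2.10:5353 -> 192.0.2.50:21",    # wrong protocol
    "ICMP 192.0.2.77 -> 192.0.2.50",           # matches the ICMP rule
]
```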

Monitor changes in critical system files?
Yes, RealSecure Server Sensor will monitor any file for changes. It also provides the capability of copying back the correct version of the file from a safe place. This can be useful for monitoring web pages for unauthorised changes.

Monitor changes in user-defined files?
Yes, RealSecure Server Sensor will monitor any file for changes.

Monitor changes in Registry?
Yes, RealSecure Server Sensor will monitor the registry for changes.

Monitor unauthorised access to files?
Yes, RealSecure Server Sensor will monitor access to any file.

Monitor administrator activity (creation of new users, etc)?
Yes, RealSecure Server Sensor will monitor both usual and unusual administrator activity.

Monitor excessive failed logins?
Yes, RealSecure Server Sensor will monitor excessive failed logins.

List any other resources/locations that are monitored.
RealSecure can also monitor Solaris BSM logs, any arbitrary text log file, and syslogs forwarded from another Unix box or other equipment (such as Cisco routers).

Track successful logins, monitoring subsequent file activity, etc?
Yes, RealSecure Server Sensor will monitor successful login and will monitor some file activity.

Detect network-level packet based attacks?
Yes, RealSecure Network Sensor will detect network-level packet based attacks.

Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes, RealSecure detects all types of port scans (full connect, SYN stealth, FIN stealth, and UDP).
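To show how the four scan types listed above can be told apart from the probe traffic, here is an added detector that is not RealSecure's code: it groups probes by source and destination, alerts when a source touches many ports, and classifies the scan from the protocol and TCP flag pattern. The probe records, addresses and the port threshold are constructed assumptions, and timing windows are ignored for brevity.

```python
# Added example, not RealSecure code: a minimal port-scan detector that separates
# full connect, SYN stealth, FIN stealth and UDP scans. Each probe is
# (src, dst, dport, proto, flags); a source touching many ports on one host is
# treated as a scan and the flag pattern says which kind. Timing is ignored here.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Probe = Tuple[str, str, int, str, str]  # (src, dst, dport, proto, TCP flags)
PORT_THRESHOLD = 5                       # constructed: distinct ports before alerting


def classify(probes: List[Probe]) -> Optional[str]:
    """Classify one source's probes against one destination; None if below threshold."""
    if len({p[2] for p in probes}) < PORT_THRESHOLD:
        return None
    if {p[3] for p in probes} == {"UDP"}:
        return "UDP"
    flagsets = {p[4] for p in probes if p[3] == "TCP"}
    if flagsets == {"F"}:                 # bare FIN probes, no handshake at all
        return "FIN stealth"
    if "A" in flagsets:                   # scanner completed the handshake
        return "full connect"
    if flagsets == {"S"}:                 # SYN sent, handshake never completed
        return "SYN stealth"
    return "other"


def detect_scans(probes: List[Probe]) -> Dict[Tuple[str, str], str]:
    """Group probes by (src, dst) and return an alert type for each scanning pair."""
    groups: Dict[Tuple[str, str], List[Probe]] = defaultdict(list)
    for p in probes:
        groups[(p[0], p[1])].append(p)
    alerts: Dict[Tuple[str, str], str] = {}
    for pair, plist in groups.items():
        verdict = classify(plist)
        if verdict:
            alerts[pair] = verdict
    return alerts


# Constructed sample traffic: one scanning host trying four techniques against
# four targets, plus one ordinary client connection that must not alert.
SAMPLE_PROBES: List[Probe] = (
    [("198.51.100.9", "192.0.2.50", port, "TCP", "S") for port in range(20, 26)]
    + [("198.51.100.9", "192.0.2.60", port, "TCP", "F") for port in range(80, 86)]
    + [("198.51.100.9", "192.0.2.70", port, "UDP", "") for port in range(53, 59)]
    + [("198.51.100.9", "192.0.2.80", port, "TCP", f)
       for port in range(135, 141) for f in ("S", "A")]
    + [("192.0.2.10", "192.0.2.50", 80, "TCP", "S")]
)
```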

Detect and report on nmap OS fingerprinting?
Yes, RealSecure provides a signature for the nmap OS fingerprinting tool.

Perform packet reassembly? Resistance to known IDS evasion techniques?
The RealSecure Server Sensor monitors traffic at several layers of the IP stack, allowing it to see traffic before it goes up the stack as well as after it has been reassembled. This technique allows Server Sensor to monitor traffic EXACTLY the way the target will interpret it, so it cannot be fooled by any of the tricks outlined in the infamous SNI paper ("Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection").
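The reassembly ambiguity behind the Network Sensor / Server Sensor distinction made earlier, and behind the SNI paper cited here, as an added example that is not RealSecure code: two overlapping TCP segments carry different bytes for the same offsets, so a receiver that keeps the first copy of a byte and one that keeps the latest copy rebuild different streams, and a sensor that guesses the wrong policy inspects a different request than the target processes. The segments and the pattern are constructed.

```python
# Added example, not RealSecure code: overlapping TCP segments reassembled under two
# different policies give two different streams, which is why inspecting the stream
# on the target itself (the Server Sensor approach) removes the guesswork.
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (byte offset within the stream, payload)


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild a stream from possibly overlapping segments.

    policy="first": the first byte seen at an offset wins (original data kept).
    policy="last":  a later segment overwrites earlier bytes (retransmit kept).
    Reassembly stops at the first gap, as a receiver would wait for the hole.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "first" and pos in stream:
                continue
            stream[pos] = byte
    out = bytearray()
    while len(out) in stream:            # contiguous prefix only
        out.append(stream[len(out)])
    return bytes(out)


def sensor_verdicts(segments: List[Segment], pattern: bytes) -> Dict[str, bool]:
    """Whether a content signature for `pattern` fires under each reassembly policy."""
    return {p: pattern in reassemble(segments, p) for p in ("first", "last")}


# Constructed sample: the second segment overlaps offsets 5-10 of the first
# with different bytes, so the two policies see different request paths.
SAMPLE_SEGMENTS: List[Segment] = [
    (0, b"GET /public"),
    (5, b"secret"),
    (11, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE_SEGMENTS, policy))
    print(sensor_verdicts(SAMPLE_SEGMENTS, b"/secret"))
```

A signature that fires under one policy and not the other is the practical symptom: the only reliable fix is to match against the stream the target host actually built.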

Reconfigure firewall? If so, which firewall(s) and how?
The RealSecure Network Sensor will send a message to the FireWall-1 management server instructing it to prevent the attacking source address, port and/or service from traversing the firewall boundary for a user-specified period of time.� The communication between the RealSecure Network Sensor and the FireWall-1 management server is done using SAMP, Check Point's suspicious activity monitoring protocol, which is part of the OPSEC framework. This communication can also be authenticated, if desired.

Option to record everything for “forensic” investigation? Where is this data stored? How is it secured from tampering?
Yes. RealSecure Network Sensors offer the ability to record the raw, binary content of an entire network session. This data is stored in a log file in a secured directory and can be replayed through the Workgroup Manager interface.

Reporting from engine to console - range of action/alert options (detail these)
Send the event to the RealSecure Console.

Terminate the attack automatically.

Terminate the user session.

Disable the user account.

Reconfigure a Check Point FireWall-1 to reject traffic from the attacking source address.

Send a secure real-time alarm to the Lucent Managed Firewall Security Management Server (SMS).

Send an alarm to the RealSecure Console indicating that the event occurred.

Send an SNMP trap to an off-the-shelf management platform.

Log the event, including date, time, source, destination, description, and data associated with the event.

View the raw content of the session in real-time (or record for later playback).

E-mail a notification to the administrator.

Execute a user-specified program.

What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
The RealSecure Sensors do not need to be connected to the console. Events are stored locally in a database and in log files kept in a secured directory, and are synchronized with the console database on demand.

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
Alerts are reported to the console in real time without the need for any third party software. The events are displayed in different views based on priority, type of event, or source or destination addresses, which makes it straightforward to extract individual events.

Does the software offer advice on preventative action to ensure the attack does not happen again?
The RealSecure Help describes each signature, tells why it is important, and gives preventative measures. RealSecure has context-sensitive help, so information about a particular signature may be easily obtained when it shows up in an event window.

Integration with other scanning/IDS products?
RealSecure is part of the SAFEsuite family of products. Results from RealSecure sensors are gathered into the SAFEsuite Decisions database where they are correlated with vulnerability assessment data from Internet Scanner, Database Scanner, and System Scanner, providing an overall view of the security of a network.

Log file maintenance – automatic rotation, archiving, reporting from archived logs, etc.
RealSecure Sensor logs are of a fixed length and are archived to a database at the console.

Management reporting – range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
RealSecure provides 17 different reports with 5 graphical summaries. Reports are filtered by time and date and may be sorted by destination or source IP, or by type or priority of events. There are also reports for login/logout history, admin activity, log monitoring, user activity, and suspect connections.

Report management – can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
RealSecure reports cannot at this time be scheduled for automatic report production.

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector
RealSecure consolidates the event data from all of the monitored sensors into a database at the console. RealSecure data may be gathered into a SAFEsuite Decisions database for further consolidation and correlation with vulnerability assessment data.

Define custom reports?
Custom reports may be created using Crystal Reports 7.0.

How is it licensed? How is the license enforced?
RealSecure is licensed on a per-sensor basis. The license is enforced through the use of a license key.

End user pricing information
(Not Supplied)

Ongoing cost of maintenance/updates
(Not Supplied)


Copyright © 1991-2002 The NSS Group.
All rights reserved.