Network ICE BlackICE Sentry
Brief product description
BlackICE Sentry is a network intrusion detection system developed to detect malicious activity on high-speed networks.
Architecture
BlackICE Sentry is a network-based IDS. It can run as a stand-alone system or in a manager-to-agent relationship.
At what layer of the protocol stack is the product working?
The device driver used by BlackICE is a Microsoft NDIS intermediate driver: BlackICE Sentry intercepts packets directly from the NDIS drivers, below the host's TCP/IP stack, so it sees raw frames before the operating system processes them.
Documentation
All documentation for BlackICE Sentry can be found on-line at www.networkice.com. Supplemental security information can be searched at www.advice.networkice.com.
What are the minimum/recommended console OS and hardware requirements?
Hardware: 200 MHz Pentium-class processor, 64 MB RAM, 3 MB of disk space.
Operating system: Windows NT Workstation 4.0, Windows NT Server 4.0, Windows 2000.
Database: Microsoft SQL Server 6.5 or higher, or Microsoft SQL Workstation 6.5.
Is a dedicated machine required/recommended?
It is recommended but not required; it depends on the total number of agents or Sentry machines reporting into it.
Will it work on Windows 2000?
Yes.
What are the minimum/recommended agent OS and hardware requirements?
Hardware: 400 MHz Pentium-class processor, 3Com 3C905 Ethernet card.
Operating system: Microsoft NT Server 4.0 or Workstation 4.0.
Is a dedicated machine required/recommended?
Yes.
Will it work on Windows 2000?
No.
What components are installed on a detector?
BlackICE driver and NT service.
Which network types are supported?
10/100 Ethernet, and Gigabit Ethernet (announced, not yet shipping).
Any specific recommendations for monitoring Gigabit networks with your product?
BlackICE Sentry can be used with a TopLayer switch to provide Gigabit IDS. BlackICE Gigabit Sentry is an appliance that will be able to hook directly into a switch to perform Gigabit IDS.
Which OS platforms are actively monitored?
BlackICE Sentry monitors protocols rather than OS platforms.
Can sensors/detectors be deployed and configured initially from a central console?
Yes. Using the ICEcap Manager, a BlackICE Sentry build can be deployed over the network to a pre-configured Windows machine.
Once deployed and configured, can sensors/detectors be managed from a central console?
Yes.
Authentication between console and engines: is it available?
Yes.
What algorithm/key lengths?
Blowfish for encryption using a 56-bit key, and Diffie-Hellman for key exchange.
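The exchange above in outline, as an added example that is not Network ICE's code: a Diffie-Hellman agreement between console and sensor, a key derivation down to the 56-bit length quoted, and what DH gives you when no authentication step is attached to it. The group parameters, the SHA-256 key derivation and the console/sensor naming are assumptions for illustration; the page does not describe how the product derives or authenticates its keys. Two practitioner notes: Blowfish accepts keys up to 448 bits, and 56 bits is the export-grade length of the period, a keyspace that was exhausted for DES in under a day by 1999 (Blowfish's slow key schedule raises the cost per guess but not the number of guesses); and a DH exchange on its own only agrees a key, so whether the console is actually authenticated depends on how the exchange is tied to the username/password logon, which the page does not say.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only: p = 2**127 - 1 is prime
# (a Mersenne prime) but far too small for real use; deployments use standardised groups
# of 2048 bits or more.
P = (1 << 127) - 1
G = 3
KEY_BITS = 56            # the Blowfish key length quoted on the page
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent and public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def derive_key(shared, bits=KEY_BITS):
    """Hash the shared secret and keep bits/8 bytes. Assumption: the page does not say how
    the product turns the DH secret into its Blowfish key."""
    digest = hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()
    return digest[: bits // 8]


def direct_exchange():
    """Console and sensor each send their public value; both derive the same key."""
    c_priv, c_pub = dh_keypair()     # console
    s_priv, s_pub = dh_keypair()     # sensor
    return derive_key(dh_shared(c_priv, s_pub)), derive_key(dh_shared(s_priv, c_pub))


def exchange_with_mitm():
    """Unauthenticated DH: an interceptor replaces each public value with its own and ends
    up holding one key with the console and another with the sensor, while both endpoints
    believe they share a key with each other."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    k_console = derive_key(dh_shared(c_priv, m_pub))     # console receives m_pub, not s_pub
    k_sensor = derive_key(dh_shared(s_priv, m_pub))      # sensor receives m_pub, not c_pub
    k_m_console = derive_key(dh_shared(m_priv, c_pub))   # interceptor's key towards console
    k_m_sensor = derive_key(dh_shared(m_priv, s_pub))    # interceptor's key towards sensor
    return k_console, k_sensor, k_m_console, k_m_sensor


def keyspace(bits=KEY_BITS):
    """Number of candidate keys a brute-force search must cover."""
    return 1 << bits


if __name__ == "__main__":
    k1, k2 = direct_exchange()
    print("direct exchange agrees:", k1 == k2, "key bytes:", len(k1))
    kc, ks, kmc, kms = exchange_with_mitm()
    print("interceptor holds both keys:", kc == kmc and ks == kms, "endpoints differ:", kc != ks)
    print("56-bit keyspace: 2**%d = %d" % (KEY_BITS, keyspace()))
```

What a reviewer would want to see on top of this, and what the page does not state, is the step that defeats the second function: the public values signed or MACed under a secret the console and sensor already share (the logon password would do), and a derived key of the full Blowfish length rather than 7 bytes.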
Secure logon for policy management?
Yes, username and password.
How are policies distributed to engines?
Using ICEcap, BlackICE Sentry updates can be made remotely.
How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
N/A
How many attack signatures?
500+
Can the administrator define custom attack signatures?
No.
How are new attack signatures obtained and deployed?
New attacks are added through frequent software upgrades.
Frequency of signature updates? Provide dates of all updates in the last year.
There has been one major signature upgrade every quarter this year. The 2000 updates were released in March 2000, September 2000, November 2000, and one in December 2000 (coming out of beta).
What infrastructure do you have behind the signature update process?
Internal engineers provide the update process for attack signatures.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
A file can be downloaded to the ICEcap Manager and pushed out to multiple BlackICE Sentries.
Can signature updates be scheduled and fully automated?
No.
What network protocols are analysed?
HTTP, FTP, IMAP4, POP3, BOOTP/DHCP, ARP, AOL IM, Finger, Gopher, ICMP, ICQ, Identd, MIME, MS RPC, NNTP, PCAnywhere, RealAudio, Rsh/rlogin/rexec, SMB, SMTP, SNMP, S/NTP, SOCKS, MS SQL, Telnet, TFTP, and numerous Sun RPC protocols: portmapper, nfs, mount, lockd, statd, cmsd, bootparam, admin, sadmin, automount, ToolTalk, NIS/YP, and a couple of rarer ones.
What application-level protocols are analysed?
See the list above.
Can the product perform protocol decodes?
No (the detection engine uses protocol decodes to detect attacks, but session decodes are not made available to the user).
Can the product perform session recording on suspect sessions?
Yes.
Block/tear down session?
No.
Ability to monitor user-defined connections?
N/A
Monitor changes in critical system files?
N/A
Monitor changes in user-defined files?
N/A
Monitor changes in Registry?
N/A
Monitor unauthorised access to files?
N/A
Monitor administrator activity (creation of new users, etc.)?
N/A
Monitor excessive failed logins?
Yes
List any other resources/locations that are monitored.
N/A
Track successful logins, monitoring subsequent file activity, etc.?
N/A
Detect network-level packet-based attacks?
Yes.
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes.
Detect and report on nmap OS fingerprinting?
Yes.
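The classification behind a "Yes" on the scan types listed, as an added example that is not the product's detection logic: group probes by source and target, count distinct destination ports inside a sliding time window, and type the scan from the TCP flag set (a connect scan completes the three-way handshake on open ports, a SYN scan never does). The thresholds, the packet record format and the sample traffic are constructed for this example; nmap OS fingerprinting probes use similarly unusual flag combinations but are not modelled here.

```python
from collections import defaultdict

# Detection thresholds: assumptions for this example, not the product's own tuning.
PORT_THRESHOLD = 5      # distinct target ports from one source before we alert
WINDOW_SECONDS = 10.0   # all probes counted must fall inside one window of this length


def probe_kind(proto, flags):
    """Map one scanner->target packet to the nmap-style probe it resembles, or None."""
    if proto == "udp":
        return "udp"                 # -sU
    f = set(flags)
    if f == {"S"}:
        return "syn"                 # -sS or -sT: told apart in detect_scans
    if f == {"F"}:
        return "fin"                 # -sF
    if not f:
        return "null"                # -sN
    if f == {"F", "P", "U"}:
        return "xmas"                # -sX
    return None                      # ACK, RST, data segments: not a probe


def max_distinct_ports(events):
    """Largest number of distinct ports in any WINDOW_SECONDS slice of (ts, port) events."""
    events.sort()
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW_SECONDS:
            start += 1
        best = max(best, len({port for _, port in events[start:end + 1]}))
    return best


def detect_scans(packets):
    """packets: dicts with ts, src, dst, proto ('tcp'/'udp'), dport, flags, scanner->target only.
    Returns sorted (src, dst, scan_type, distinct_ports) tuples, one per scan seen."""
    probes = defaultdict(lambda: defaultdict(list))  # (src, dst) -> kind -> [(ts, port)]
    acked = defaultdict(set)                         # (src, dst) -> ports where src sent a bare ACK
    for p in packets:
        key = (p["src"], p["dst"])
        kind = probe_kind(p["proto"], p.get("flags", ""))
        if kind:
            probes[key][kind].append((p["ts"], p["dport"]))
        elif p["proto"] == "tcp" and set(p["flags"]) == {"A"}:
            acked[key].add(p["dport"])
    alerts = []
    for (src, dst), kinds in probes.items():
        for kind, events in kinds.items():
            n = max_distinct_ports(events)
            if n < PORT_THRESHOLD:
                continue
            if kind == "syn":
                # A connect scan finishes the handshake (bare ACK) on every open port; a SYN
                # scan answers the SYN/ACK with RST instead, so no bare ACK is ever seen.
                probed = {port for _, port in events}
                kind = "connect" if acked[(src, dst)] & probed else "syn-stealth"
            alerts.append((src, dst, kind, n))
    return sorted(alerts)


def sample_packets():
    """Constructed traffic, not a real capture: five scanners and one ordinary client."""
    pk = []

    def tcp(ts, src, dport, flags, dst="10.0.0.10"):
        pk.append({"ts": ts, "src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": flags})

    for i, port in enumerate((21, 22, 23, 25, 80, 443, 8080)):
        t = i * 0.1
        tcp(1.0 + t, "10.0.0.5", port, "S")      # SYN scan: SYN, then RST to the SYN/ACK
        tcp(1.05 + t, "10.0.0.5", port, "R")
        tcp(2.0 + t, "10.0.0.6", port, "F")      # FIN scan
        tcp(3.0 + t, "10.0.0.7", port, "")       # NULL scan
        tcp(4.0 + t, "10.0.0.8", port, "S")      # connect scan: handshake completed
        tcp(4.02 + t, "10.0.0.8", port, "A")
        pk.append({"ts": 5.0 + t, "src": "10.0.0.9", "dst": "10.0.0.10",
                   "proto": "udp", "dport": port, "flags": ""})   # UDP scan
    for port in (80, 443):                       # normal client: two real connections
        tcp(6.0, "10.0.0.20", port, "S")
        tcp(6.01, "10.0.0.20", port, "A")
        tcp(6.02, "10.0.0.20", port, "PA")
    return pk


if __name__ == "__main__":
    for alert in detect_scans(sample_packets()):
        print("%s -> %s : %s scan, %d ports" % alert)
```

The window and threshold are what a slow scanner tunes against (nmap's timing options spread probes over minutes), so a sensor that keeps only a short window trades memory for misses; the flag-set test is what a sensor cannot be fooled on, because the probe has to carry those flags to get the response the scanner wants.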
Perform packet reassembly?
Yes.
Resistance to known IDS evasion techniques?
Yes.
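What "packet reassembly" and "resistance to evasion" have to mean in practice, as an added example that is not Network ICE's code: segments arrive out of order, and an attacker can send two segments covering the same sequence range with different bytes (the insertion attack from Ptacek and Newsham, 1998). An IDS that matches per packet misses a signature split across segments, and one that reassembles must resolve the overlap the same way the target host does, or it inspects a stream the host never sees. The signature, the two overlap policies and the sample segments are constructed for this example; the same logic applies to overlapping IP fragments.

```python
import re

# Classic old-CGI signature, used here only as a sample pattern.
SIGNATURE = re.compile(rb"/cgi-bin/phf")


def naive_match(segments):
    """Per-packet matching: what an IDS does without reassembly."""
    return any(SIGNATURE.search(payload) is not None for _, payload in segments)


def reassemble(segments, policy="first"):
    """Rebuild a byte stream from (seq, payload) segments received in any order.

    policy='first' keeps the bytes that arrived first on an overlap, policy='last' the
    bytes that arrived last; real host stacks differ, so a sensor has to apply the policy
    of the host it protects (Snort's stream preprocessor later called this target-based
    reassembly).
    """
    stream = {}
    for seq, payload in segments:              # arrival order decides overlap winners
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    out = bytearray()
    for off in range(min(stream), max(stream) + 1):
        if off not in stream:                  # a hole: data past it is not yet contiguous
            break
        out.append(stream[off])
    return bytes(out)


def stream_match(segments, policy="first"):
    """Match the signature against the reassembled stream."""
    return SIGNATURE.search(reassemble(segments, policy)) is not None


def sample_segments():
    """Constructed arrival sequence: out of order, plus one overlapping segment carrying
    different bytes for the same sequence range (Ptacek & Newsham's insertion attack)."""
    return [
        (16, b" HTTP/1.0\r\n"),   # tail arrives first
        (9, b"bin/xyz"),          # chaff covering seq 9..15
        (0, b"GET /cgi-"),        # head
        (9, b"bin/phf"),          # the real bytes for seq 9..15
    ]


if __name__ == "__main__":
    segs = sample_segments()
    print("per-packet match:", naive_match(segs))
    for policy in ("first", "last"):
        print(policy, reassemble(segs, policy), stream_match(segs, policy))
```

Run on the sample, per-packet matching finds nothing, the "first" policy rebuilds `GET /cgi-bin/xyz HTTP/1.0` and also finds nothing, and only the "last" policy rebuilds the request the server would actually execute. A vendor's "Yes" to the evasion question is therefore only as good as the overlap and fragment policies the sensor applies for each protected host, which is the question to ask next.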
Reconfigure firewall? If so, which firewall(s) and how?
No.
Option to record everything for forensic investigation? Where is this data stored? How is it secured from tampering?
Yes. Sniffer trace files are stored on the BlackICE Sentry for forensic use. Authentication and data integrity rely on default Windows NT security, that is, NT accounts and file permissions. Note that file permissions control who may read or modify the traces; the page describes no cryptographic tamper evidence (signed or hash-chained traces), so integrity ultimately depends on protecting the sensor's administrator accounts.
Reporting from engine to console: range of action/alert options (detail these).
The ICEcap Manager is capable of sending e-mail, a visual alert via HTTP, and SNMP traps.
What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
If there is an interruption between the console and detector, the events are stored locally on the sensor until they can be forwarded to the manager.
Can alerts be reported to the central console in real time without the use of third-party software? How easy is it to filter and extract individual events?
Yes. Alerts are sent to the console in real time. Multiple filtering reports can be used to sort through the event data.
Does the software offer advice on preventative action to ensure the attack does not happen again?
Network ICE provides AdvICE web pages as support documentation to answer questions about, and aid in the prevention of, many known attacks. Also, BlackICE Agents will block attacks in real time, or can be manually upgraded to block certain attacks as they are detected.
Integration with other scanning/IDS products?
None at this time.
Log file maintenance: automatic rotation, archiving, reporting from archived logs, etc.
The log is kept in a SQL database. Any NT rotation or archiving tool can be used to back up the database and sort through the data.
Management reporting: range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
There are over 10 different management reporting views. Technicians and management can select different levels of reporting for granular detail regarding attacks, IP information, attack type, and attack victim.
Report management: can they be scheduled for automatic production?
Yes.
Can they be e-mailed to administrators or published straight to a Web site?
No.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
Each detector (Sentry) can display alert information. The ICEcap Manager can display alert information as well as generate custom reports.
Define custom reports?
Users can define different parameters when creating reports with ICEcap; they are not restricted to a single template report.
How is it licensed?
Per device.
How is the license enforced?
End user license agreement.
End user pricing information
US pricing - BlackICE Sentry with ICEcap Manager: $7,995.00
GBP pricing - BlackICE Sentry with ICEcap Manager: £5,586.00
Ongoing cost of maintenance/updates
Maintenance: first year is included, 16% of MSRP thereafter.