NFR NID-200 V1.1
Brief product description
The NFR Network Intrusion Detection-200 (NID-200) system is a flexible, easy-to-use tool for intrusion detection, network management, and network monitoring. Information associated with activity that may be suspicious or malicious in nature is recorded and alerts raised as necessary. NFR NID-200 gathers information about some of the most common network traffic and watches for intrusions and attacks.
Architecture
The NFR NID-200 system includes the following components:
NID Sensor analyses the network for attacks. This is delivered as a complete appliance with hardware, software and operating system included.
NFR Administration Interface (AI) is a Windows-based administration facility for configuring and managing NID Sensors and provides easy-to-use querying and reporting tools. A UNIX command line interface is also available.
NFR Central Management Server (CMS) is used in large, distributed environments and allows an administrator to manage multiple, remote NID Sensors from a single location.
At what layer of the protocol stack is the product working?
Layers 2 (data link), 3 (network), 4 (transport) and 7 (application).
Documentation
Getting Started, User's Guide and N-Code Programming Manual. On-line; hard copy by request.
What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended?
OS requirements are as follows:
NFR NID-200 Sensor includes an embedded operating system.
NFR Central Management Server (CMS) requires Solaris 2.6 or 7 (recommended); Linux Red Hat 6.0 or later is also supported.
The NFR Administration Interface requires one of the following operating systems:
Windows 95 (Release 2 or later)
Windows 98
Windows 2000
Windows NT Server 4.0
Windows NT Workstation 4.0
Hardware requirements are as follows:
NFR NID-200 Sensor:
NFR NID-200 Sensor is delivered as an appliance. A keyboard and VGA monitor are required for installation, but can be removed during regular operation of the NFR NID-200 Sensor.
NFR Central Management Server (CMS):
Sparc processor
128 MB RAM
20 MB disk space for NFR software
One network card
Sufficient disk space for data storage. The amount of disk space needed on the CMS depends on:
Amount of disk space allocated to store data from each remote NFR NID-200
Number of remote NFR NID-200s
Level of network activity
What components are installed on a detector?
The NID-200 is a custom appliance. It cannot be deployed as an additional daemon or service running on a general-purpose operating system installation.
Which network types are supported?
10/100 Ethernet
Any specific recommendations for monitoring Gigabit networks with your product?
Gigabit networks can be monitored by NFR NID-200, using third-party load balancing products.
Which OS platforms are actively monitored?
N/A
Can sensors/detectors be deployed and configured initially from a central console?
No - but a configuration floppy can be used during initial installation.
Once deployed and configured, can sensors/detectors be managed from a central console?
Yes
Authentication between console and engines - Is it available? What algorithm/key lengths?
Based on password and symmetric 56-bit DES key.
Secure logon for policy management?
Yes
How are policies distributed to engines?
Configuration policies can be distributed via the NFR Central Management Server or directly, using the NFR Administration Interface.
How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
Manually
How many attack signatures?
Over a thousand attack signatures are included. We use a variety of standard signature techniques, such as string matching and lookup tables, for many of our signatures. NID-200 also performs Stateful Protocol Analysis, allowing several traditional attack signatures to be replaced with a single anomaly check. Stateful protocol analysis allows users to detect known and unknown attacks.
Can the administrator define custom attack signatures?
Yes, there are multiple ways for custom attack signatures to be defined. Many existing packages allow users to add strings or values to variables in order to create additional signatures. Complete custom attack signatures of nearly any type can be created using N-Code.
How are new attack signatures obtained and deployed?
Updates to existing signature sets or new signature packages are announced through NFR mailing lists to customers. The new signatures are made available for download via the NFR Package Updater feature on the AI via a secure connection to NFR's Package Server.
Frequency of signature updates? Provide dates of all updates in the last year.
The standard signature sets are updated as needed to reflect changes in the protocols that they monitor, new vulnerabilities and exploits, and advances in intrusion detection signature techniques. When a new, high-risk vulnerability is discovered, the NFR Rapid Response Team may release a special signature specifically for that vulnerability. Such signatures are often released within hours of the public notice of the vulnerability's existence.
What infrastructure do you have behind the signature update process?
The NFR Rapid Response Team (RRT) is a dedicated team of security professionals who are experts in intrusion signature development. New signatures are made available immediately and are deployed to customers via a secure connection to NFR's Package Server.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
New signatures are retrieved from the NFR Package Server and downloaded to the NFR Central Management Server (CMS). Once updated signature packages are available on the CMS, they can be distributed to all NID Sensors associated with that CMS. Also, those signatures can be distributed to each NID individually from the NFR AI.
Can signature updates be scheduled and fully automated?
The NFR AI can be programmed to look for new packages at the NFR Package Server on a periodic (daily, weekly or monthly) basis. The new signature packages can then be downloaded to the NFR CMS and programmed for automatic distribution to the NID Sensors.
What network protocols are analysed?
IP and three IP protocols (TCP, UDP and ICMP) are analysed, as well as ARP. However, it is possible to analyse other IP protocols by using N-Code to parse packet payloads.
What application-level protocols are analysed?
Currently, application-level protocols that are analysed in our signature sets include DNS, finger, FTP, HTTP, IMAP, IRC, NFS, POP2, POP3, SMTP, SNMP, and telnet. We are continually adding the analysis of more application-level protocols to our product.
Can the product perform protocol decodes?
Yes, our product performs full protocol decodes of certain network and application-level protocols, such as DNS, FTP, HTTP and SMTP.
Can the product perform session recording on suspect sessions?
Yes.
Block/tear down session?
Yes - TCP reset.
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
A standard Network Policy Monitoring package is included with NFR-NID that allows an operator to configure a user-defined network security rule set including specifically allowed and specifically denied network activity and connections. In addition, many packages also provide a user-configurable variable that lists IP addresses of hosts that are subject to a higher degree of activity logging.
Monitor changes in critical system files?
N/A - not in this product (network-based)
Monitor changes in user-defined files?
N/A - not in this product (network-based)
Monitor changes in Registry?
N/A - not in this product (network-based)
Monitor unauthorised access to files?
N/A - not in this product (network-based)
Monitor administrator activity (creation of new users, etc)?
N/A - not in this product
Monitor excessive failed logins?
Yes, for many application-level protocols such as POP3, FTP, IMAP and Telnet, we generate an alert if too many failed logins occur. This threshold value is user-configurable so that it can be tailored for each environment and application.
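The threshold check described above, written out as an added example (not NFR code or N-Code): failed FTP logins are counted per client from the server's 530 replies, a successful 230 login resets the count, and one Warning-level alert is raised when the configurable threshold is reached. The event list and IP addresses are constructed for the example.

```python
# Added example, not NFR product code: threshold alerting on failed FTP logins.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed FTP control-channel replies as (client_ip, server_reply).
# 530 is the FTP "not logged in" reply; 230 means the login succeeded.
EVENTS: List[Tuple[str, str]] = [
    ("10.0.0.5", "530 Login incorrect."),
    ("10.0.0.5", "530 Login incorrect."),
    ("10.0.0.9", "530 Login incorrect."),
    ("10.0.0.5", "530 Login incorrect."),
    ("10.0.0.9", "230 User anonymous logged in."),
    ("10.0.0.5", "530 Login incorrect."),
]


def failed_login_alerts(events: List[Tuple[str, str]], threshold: int = 3) -> List[str]:
    """Return one Warning alert per client when its failed-login count reaches
    `threshold` (the user-configurable value); a 230 reply resets that client."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[str] = []
    for client, reply in events:
        code = reply[:3]                      # FTP reply code is the first 3 chars
        if code == "530":
            failures[client] += 1
            if failures[client] == threshold:  # fire once, not on every later failure
                alerts.append(f"Warning: {threshold} failed FTP logins from {client}")
        elif code == "230":
            failures[client] = 0              # successful login clears the counter
    return alerts


if __name__ == "__main__":
    for line in failed_login_alerts(EVENTS):
        print(line)
```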
List any other resources/locations that are monitored.
N/A
Track successful logins, monitoring subsequent file activity, etc?
Yes - network-based logins
Detect network-level packet based attacks?
Yes
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes
Detect and report on nmap OS fingerprinting?
Yes
Perform packet reassembly? Resistance to known IDS evasion techniques?
Yes. The NFR NID correctly re-assembles fragmented packets; it examines all individual fragments as well as the re-assembled packet. This enables attacks hidden across separated fragments to be detected in the re-assembled packet. NFR NID can also keep track of TCP stream re-assembly.
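Why inspecting the re-assembled datagram matters, as an added example (not NFR code): a string signature split across two IP fragments is missed by per-fragment matching and only appears once the fragments are placed at their offsets. The fragment objects, the single signature and the request text are constructed for the example; a real sensor would work from parsed IP headers.

```python
# Added example, not NFR product code: per-fragment vs re-assembled matching.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed signature table; a real sensor ships over a thousand signatures.
SIGNATURES: Dict[bytes, str] = {b"/etc/passwd": "attempt to read password file"}


@dataclass
class Fragment:
    ident: int      # IP identification field shared by all fragments of a datagram
    offset: int     # byte offset of this fragment's payload within the datagram
    more: bool      # IP "more fragments" flag
    payload: bytes


def match(payload: bytes) -> List[str]:
    """Plain string matching over one byte buffer."""
    return [name for sig, name in SIGNATURES.items() if sig in payload]


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram by offset; return None on a gap, an overlap,
    or a missing final fragment rather than guessing at the payload."""
    frags = sorted(frags, key=lambda f: f.offset)
    buf, expected = bytearray(), 0
    for f in frags:
        if f.offset != expected:
            return None
        buf += f.payload
        expected += len(f.payload)
    return bytes(buf) if frags and not frags[-1].more else None


def inspect(frags: List[Fragment]) -> dict:
    """Alerts per individual fragment and on the re-assembled datagram."""
    whole = reassemble(frags)
    return {
        "per_fragment": [match(f.payload) for f in frags],
        "reassembled": match(whole) if whole is not None else None,
    }


# Constructed request, split so the signature straddles the fragment boundary.
EVASIVE = [
    Fragment(ident=7, offset=0, more=True, payload=b"GET /cgi-bin/x?f=/etc/pa"),
    Fragment(ident=7, offset=24, more=False, payload=b"sswd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print(inspect(EVASIVE))
```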
Reconfigure firewall? If so, which firewall(s) and how?
No
Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Certain packages have the ability to record extensive amounts of data regarding a particular protocol. This information is stored in binary format time-stamped files on a highly secured NFR NID or CMS. It is nearly impossible for someone to tamper with this data.
Reporting from engine to console - range of action/alert options
NID-200 generates alerts at four possible severity levels: Informational, Warning, Error and Attack. Alerts are displayed by default in the NFR Administration Interface (AI). With minimal additional configuration, alerts can also be delivered via e-mail and SNMP traps or to IBM Tivoli SecureWay Risk Manager and HP OpenView Operations consoles.
What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
The internal disk of the NFR NID-200 is used to spool or buffer information in the event of a temporary communication interruption with the NFR Administration Interface (NFR AI) or Central Management Server (CMS). Both alerts and recorded data are stored on the internal disk. NFR Security offers the most secure IDS on the market today; there is no shell access and the operating system is embedded on a CD-ROM.
Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
Yes. The NFR AI provides inherent querying and filtering capabilities that facilitate the filtering and extraction of individual events.
Does the software offer advice on preventative action to ensure the attack does not happen again?
Yes, NFR offers extensive help and description files associated with backends, packages and alerts that give background on the attack and preventive measures. Many attack alert help files contain information about the nature of the exploit attempt and the underlying vulnerability, so that users know the likely cause of the alert. The help files also contain references to the CVE entry for the vulnerability.
Integration with other scanning/IDS products?
NFR Secure Log Repository (SLR)
Log file maintenance - automatic rotation, archiving, reporting from archived logs, etc.
Yes
Management reporting - range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
Querying and filtering functions allow for simple graphs and detailed tables, with one-click inclusion of additional information, as required by users. Technicians can get precise data and management information; end-users can get a quick overview of the situation.
Report management - can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Administrators can place reports directly into an e-mail attachment.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
Reports can be generated at the NFR CMS, from as many NIDs as are configured, to get a complete picture of alert activity across the enterprise.
Define custom reports?
Reporting is flexible, across any fields recorded by the backends.
How is it licensed? How is the license enforced?
A unique license key is generated for each NFR product purchased. The key is required for installation.
Any other unique selling points?
Full end user pricing information in USD and GBP
NFR NID-200: $12,500 list (includes hardware)
NFR NID-100: $4,500 list
NFR CMS: $5,000 list
Ongoing cost of maintenance/updates
Annual maintenance is 20% of current initial license fee