nSecure nPatrol IDS
Brief product description
nPatrol is a network based Intrusion Detection System that helps protect assets against misuse by external as well as internal users. nPatrol applies multiple techniques to detect intrusions, such as signature analysis, protocol analysis, network security policy based management and anomaly detection. It is designed to perform on high speed networks without packet loss.
Architecture
nPatrol is a network based IDS.
nPatrol consists of Agents and a Management Server. The agents can be Internal Agents to monitor the internal network segments, External Agents to monitor outside the firewall, and Anomaly Agents for anomaly detection on a network segment. If servers such as web servers, mail servers etc. are installed in the DMZ, then an Internal Agent should be installed on that subnet.
The nPatrol Management Server consists of two parts, the Notification Engine and the Management Console. The Notification Engine acts as a middle tier between the agents and the Management Console. It also has an alert logging facility (used if the Management Console is down) and notification sub-systems for mail, SMS and SNMP. The Management Console is used to view the alerts raised by the agents and also serves as the centralised configuration, monitoring and distribution tool. The Notification Engine and the Management Console can reside on separate nodes.
At what layer of the protocol stack is the product working?
Network Layer
Documentation
User Guide
Installation Guide
Quick Installation Steps
Signature Document
The above documents are available in online format. Printed versions are planned shortly.
Appropriate help for the alert raised, and a short remedy with the CVE reference number (wherever available), is built into the application.
What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Linux Kernel 2.2 or 2.4
Minimum Configuration:
Pentium III 500 MHz, 128 MB RAM,
1 GB space for Management Server installation
1 NIC card
Recommended Configuration:
Pentium III 866 MHz, 256 MB RAM,
4 GB space for Management Server installation
1 NIC card
The Management Server consists of the Management Console and the Notification Engine. The Notification Engine (with interfaces to SNMP based management servers, mail management systems etc.) works on Linux. The Management Console will work on Windows 2000.
It is recommended to have a dedicated system, depending on the network traffic.
What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Linux Kernel 2.2 or 2.4
For the Network Agents
Minimum Configuration:
Pentium III 500 MHz, 128 MB RAM,
10 MB space for Network Agent installation
1 NIC card
Recommended Configuration:
Pentium III 866 MHz, 128 MB RAM,
10 MB space for Network Agent installation
2 NIC cards
For the Anomaly Agents
Minimum Configuration:
Pentium III 500 MHz, 128 MB RAM,
100 MB space for Anomaly Agent installation
1 NIC card
Recommended Configuration:
Pentium III 866 MHz, 128 MB RAM,
100 MB space for Anomaly Agent installation
2 NIC cards
It is recommended to have a dedicated system, depending on the network traffic.
What components are installed on a detector?
It can work as a Linux daemon or as an application.
Which network types are supported (10/100 Ethernet, Gigabit Ethernet, Token Ring)?
10/100 Mbps Ethernet
Any specific recommendations for monitoring Gigabit networks with your product?
Although nPatrol is designed for high speed support, it is not yet tested for Gigabit support.
Which OS platforms are actively monitored?
It is OS independent, as it operates at the network layer.
Can sensors/detectors be deployed and configured initially from a central console?
Not possible.
Once deployed and configured, can sensors/detectors be managed from a central console?
Yes
Authentication between console and engines - Is it available? What algorithm/key lengths?
Yes. Blowfish encryption with a 448-bit key length.
Secure logon for policy management?
Yes. nPatrol provides an extensive user management facility whereby users can be given feature based access.
How are policies distributed to engines?
Automatically from the Management Server, without having to shut down operations.
How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
The policies are deployed automatically by the Management Server.
How many attack signatures?
nPatrol has support for 835 attack signatures. Apart from this it supports many more backdoors and trojans through its network policy based detection module. It has the ability to detect new modes of attack based on the network policy based detection module and the anomaly agents.
Can the administrator define custom attack signatures?
Yes.
How are new attack signatures obtained and deployed?
The signature update files are provided to the clients through mail or by download from the site. They are applied in the Management Server and distributed to the different Agents.
If the signatures are downloaded from the web site, they get deployed to the agents automatically. If the signatures are obtained through mail, the Management Server currently needs to be restarted. A mechanism to upload signatures without bringing the Management Server down is currently under development.
Frequency of signature updates? Provide dates of all updates in the last year.
Planned every 6 weeks, or based on the vulnerabilities uncovered.
What infrastructure do you have behind the signature update process?
A dedicated team of engineers who are part of the development team.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
Only one signature file needs to be downloaded.
Can signature updates be scheduled and fully automated?
Currently signature update is on demand by the user.
What network protocols are analysed?
The following protocols are analysed: IP, TCP, UDP, ICMP.
What application-level protocols are analysed?
N/A
Can the product perform protocol decodes?
nPatrol performs extensive packet analysis and packet reassembly.
Can the product perform session recording on suspect sessions?
No
Block/tear down session?
nPatrol can terminate the connection which violates the defined policy, and will also be able to terminate the session if an exploit is detected. Users can selectively terminate based on the services defined, be it on different systems or on the same one.
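As an added illustration of what terminating a connection means for a purely network-based sensor (this is example code, not nPatrol's own, and the page does not state which mechanism nPatrol uses): a sensor that only sees traffic cannot close either endpoint's socket, so the usual technique is to inject forged TCP RST segments toward both ends, spoofing each side's address and placing the sequence number at the next byte each endpoint expects so the reset falls inside its receive window. The observed packet fields below are constructed and hypothetical; the example only builds and verifies the two resets and does not transmit anything.

```python
"""Forged TCP RST pair to tear down an observed session (added example, not nPatrol code)."""
import struct
import socket

# Constructed sample: one packet observed mid-session (hypothetical addresses/ports).
OBSERVED = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=21,
                seq=1000, ack=5000, payload_len=20)

TCP_RST = 0x04


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags):
    """IPv4 header + TCP header (no payload) with both checksums filled in."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def reset_pair(obs):
    """One RST to the server impersonating the client (seq = client's next byte),
    one RST to the client impersonating the server (seq = what the client expects next)."""
    to_server = build_packet(obs["src"], obs["dst"], obs["sport"], obs["dport"],
                             seq=obs["seq"] + obs["payload_len"], ack=0, flags=TCP_RST)
    to_client = build_packet(obs["dst"], obs["src"], obs["dport"], obs["sport"],
                             seq=obs["ack"], ack=0, flags=TCP_RST)
    return to_server, to_client


def parse(pkt):
    """Decode the forged packet and re-verify both checksums (a self-check, not a sniffer)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = checksum(pkt[:ihl]) == 0
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp_ok = checksum(pseudo + tcp) == 0
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack,
                rst=bool(flags & TCP_RST), ip_ok=ip_ok, tcp_ok=tcp_ok)


if __name__ == "__main__":
    for packet in reset_pair(OBSERVED):
        print(parse(packet))
```

The sequence numbers are the whole trick: a RST whose sequence number is outside the endpoint's window is silently dropped, so a sensor that has lost track of the stream (for example after unseen packets) cannot reliably snipe it.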
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
This is managed using the nPatrol Policy Manager. The nPatrol Policy Manager implements the network security policy, forming a virtual firewall within the internal network. It complements the firewall and acts as a second layer of defence if the firewall is compromised, circumvented or misconfigured.
Monitor changes in critical system files?
N/A
Monitor changes in user-defined files?
N/A
Monitor changes in Registry?
N/A
Monitor unauthorised access to files?
Yes, over the network through custom signatures.
Monitor administrator activity (creation of new users, etc)?
N/A
Monitor excessive failed logins?
N/A
List any other resources/locations that are monitored.
N/A
Track successful logins, monitoring subsequent file activity, etc?
N/A
Detect network-level packet based attacks?
Yes
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes
Detect and report on nmap OS fingerprinting?
Yes, but reports it as a port scan (SYN scan).
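An added example, not nPatrol code, of how a network sensor tells apart the four scan types the question lists from nothing but the flags a source sends: a SYN scan shows a SYN followed by a RST on each port (the scanner never completes the handshake), a full connect shows a SYN followed by the bare ACK that completes the handshake, a FIN scan shows FIN-only segments, and a UDP sweep shows many UDP destination ports from one source. Addresses, ports and the per-host port threshold are constructed for the example.

```python
"""Port scan classification from per-source flag patterns (added example, not nPatrol code)."""
from collections import Counter, defaultdict

PORT_THRESHOLD = 10  # distinct destination ports from one source to one host before alerting


def classify_flow(history):
    """Classify one (src, dst, port) TCP flow from the flags the source sent, in order."""
    if not history:
        return "unknown"
    if all(f == {"FIN"} for f in history):
        return "FIN stealth"
    if any("SYN" in f for f in history):
        # A completed handshake is visible as a bare ACK from the source after its SYN;
        # a half-open (SYN stealth) scan answers the SYN/ACK with RST instead.
        return "full connect" if any(f == {"ACK"} for f in history) else "SYN stealth"
    return "unknown"


def detect_scans(packets, threshold=PORT_THRESHOLD):
    """packets: iterable of (src, dst, proto, dport, flags). Returns one alert per
    (src, dst) pair that touched at least `threshold` distinct ports."""
    flows = defaultdict(list)  # (src, dst, proto, dport) -> [flags sent by src, ...]
    for src, dst, proto, dport, flags in packets:
        flows[(src, dst, proto, dport)].append(frozenset(flags))
    by_pair = defaultdict(dict)  # (src, dst, proto) -> {dport: history}
    for (src, dst, proto, dport), hist in flows.items():
        by_pair[(src, dst, proto)][dport] = hist
    alerts = []
    for (src, dst, proto), ports in by_pair.items():
        if len(ports) < threshold:
            continue
        if proto == "udp":
            kind = "UDP"
        else:
            kind = Counter(classify_flow(h) for h in ports.values()).most_common(1)[0][0]
        alerts.append(dict(src=src, dst=dst, scan=kind, ports=len(ports)))
    return sorted(alerts, key=lambda a: a["src"])


def sample_traffic():
    """Constructed sample traffic (hypothetical addresses), not a real capture."""
    target = "192.0.2.10"
    pkts = []
    for p in range(1, 13):  # SYN scan: SYN, then RST once the SYN/ACK comes back
        pkts += [("198.51.100.1", target, "tcp", p, {"SYN"}),
                 ("198.51.100.1", target, "tcp", p, {"RST"})]
    for p in range(1, 12):  # full connect: SYN, handshake ACK, then FIN/ACK
        pkts += [("198.51.100.2", target, "tcp", p, {"SYN"}),
                 ("198.51.100.2", target, "tcp", p, {"ACK"}),
                 ("198.51.100.2", target, "tcp", p, {"FIN", "ACK"})]
    for p in range(1, 11):  # FIN scan: bare FIN to closed/open ports
        pkts.append(("198.51.100.3", target, "tcp", p, {"FIN"}))
    for p in range(1, 16):  # UDP sweep
        pkts.append(("198.51.100.4", target, "udp", p, set()))
    for p in (80, 443):  # benign client: two real connections, below threshold
        pkts += [("10.0.0.7", target, "tcp", p, {"SYN"}),
                 ("10.0.0.7", target, "tcp", p, {"ACK"})]
    return pkts


if __name__ == "__main__":
    for alert in detect_scans(sample_traffic()):
        print(alert)
```

A fixed per-host port count is the simplest trigger; a production sensor also windows the count in time and watches one port across many hosts (a horizontal sweep), which this example does not do.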
Perform packet reassembly? Resistance to known IDS evasion techniques?
Yes. Resists all known IDS evasion techniques using tools such as fragrouter and whisker, and IDS DoS tools like stick, hailstorm etc.
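An added example, not nPatrol's code, of why packet reassembly matters both for resistance to fragrouter-style evasion (this answer) and for the custom signatures used earlier on this page to spot unauthorised file access over the network: a pattern split across fragments never matches any single fragment, and when fragments overlap, a sensor that keeps the first data seen for a byte and one that lets later data overwrite it reconstruct different streams, so the sensor's policy must match the protected host's or the attacker picks which one sees the real command. The fragments, the FTP command and the signature names are constructed; offsets are in bytes here, whereas real IP fragment offsets are in 8-byte units.

```python
"""Fragment reassembly with an overlap policy, then signature matching (added example)."""

# Constructed signatures (hypothetical names and patterns), matched against payload bytes.
SIGNATURES = {
    "FTP retrieve of /etc/passwd": b"RETR /etc/passwd",
    "FTP retrieve of /etc/shadow": b"RETR /etc/shadow",
}


def reassemble(fragments, policy="first"):
    """fragments: (byte_offset, more_fragments, payload) in arrival order.
    'first' keeps the byte from the earliest fragment covering a position;
    'last' lets a later fragment overwrite it. Returns None while incomplete."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf, total = {}, None
    for off, more, data in fragments:
        for i, byte in enumerate(data):
            if policy == "last" or off + i not in buf:
                buf[off + i] = byte
        if not more:  # the last fragment fixes the datagram length
            total = off + len(data)
    if total is None or any(pos not in buf for pos in range(total)):
        return None
    return bytes(buf[pos] for pos in range(total))


def match(payload, signatures=SIGNATURES):
    """Names of signatures whose pattern occurs anywhere in payload."""
    return sorted(name for name, pat in signatures.items() if pat in payload)


def inspect(fragments, policy="first"):
    """What a sensor sees: matches per fragment versus matches after reassembly."""
    per_fragment = sorted({n for _, _, data in fragments for n in match(data)})
    stream = reassemble(fragments, policy)
    return {"per_fragment": per_fragment,
            "reassembled": stream,
            "after_reassembly": match(stream) if stream is not None else []}


def sample_fragments():
    """Constructed fragrouter-style stream: bytes 8..15 are sent twice with
    different contents, so 'first' and 'last' reassemblers disagree."""
    return [(0, True, b"RETR /et"),
            (8, True, b"c/passwd"),
            (8, True, b"c/motd\r\n"),  # overlapping rewrite of bytes 8..15
            (16, False, b"\r\n")]


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, inspect(sample_fragments(), policy))
```

Real stacks differ in which data they honour for overlapping fragments, which is exactly what fragrouter exploits; a sensor that does not reassemble at all, or reassembles with the wrong policy for the host behind it, is blind to the command the host actually executes.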
Reconfigure firewall? If so, which firewall(s) and how?
N/A. The network policies are implemented within nPatrol, acting as a second layer of defence for external traffic and as a virtual firewall within internal networks.
Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Yes. The data can be stored in relational databases such as Oracle, Sybase, SQL Server and MySQL.
Reporting from engine to console - range of action/alert options
The actions can be in terms of reporting on the nPatrol Alert Console, sending SNMP alerts to network management systems, and sending email and SMS based alerts.
The alerts are categorised as policy violations (internal and external), signature attacks, protocol misuse attacks, consolidated alerts (scans) and anomalies.
What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
The agents (sensors) continue to function, but the alerts are not stored locally.
Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
The alerts are reported on the Management Console in real time without the use of any third party software. The nPatrol Query Manager and the nPatrol Report Manager can be used as filters to view events in more detail.
Does the software offer advice on preventative action to ensure the attack does not happen again?
The online help on the alert gives direction to the user on the preventive measures to be taken to avoid such intrusions in future.
Integration with other scanning/IDS products?
No
Log file maintenance - automatic rotation, archiving, reporting from archived logs, etc.
If the database is not running/offline/not used, then the alerts are stored in the logfile. This can be synchronised with the database at any time by a mechanism built into the Management Server. The reporting mechanism works only with the database. Logfiles are kept for a user-configurable number of days, after which they are deleted.
Management reporting - range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
The nPatrol Report Manager provides management reporting and the nPatrol Query Manager provides technical reports.
Each of them provides extensive parameter based reporting. The reports from the Report Manager can be viewed in brief or in detail.
Report management - can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Not at present.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
The alerting is centralised. The details of the reporting sensor are available in the database for further analysis.
The reports can be taken for individual nodes, segments (based on sensors) or for the entire system.
Define custom reports?
The nPatrol Query Manager and the nPatrol Report Manager provide flexibility of reporting. The nPatrol Report Manager provides a framework for reporting, and the nPatrol Query Manager provides further flexibility to produce reports. Since the alerts are stored in the database, any reporting tool such as Crystal Reports can be used for custom reports.
How is it licensed? How is the license enforced?
The software is licensed based on the number of agents. The licensing is based on the IP address and the number of agents purchased by the client. There is however no restriction on the number of nodes within each network segment.
Any other unique selling points?
nPatrol is designed for high speed networks without packet loss.
nPatrol is designed for the Linux platform and to scale. Support for Linux on clusters, multi-processor systems and IBM, Sun and Compaq platforms gives further processing power to scale to gigabit networks.
nPatrol employs multiple intrusion detection techniques such as signature analysis, protocol misuse, network policy based monitoring and anomaly detection.
The techniques employed by nPatrol enable it to detect and prevent new modes of attack.
End user pricing information
USD 7,500 for the base system (1 Agent and the Management Server)
USD 5,000 for additional internal Agents
(Discounts apply for purchase of more than 5 agents)
Ongoing cost of maintenance/updates
1 year warranty included as part of the cost.
Maintenance contract at 20% annually from year 2.