
Symantec Intruder Alert 3.5

Intruder Alert (ITA) is the host-based IDS part of Symantec’s security suite that also includes network IDS (NetProwler, with which it integrates closely), vulnerability assessment (NetRecon), and security policy auditing and enforcement (Enterprise Security Manager).

Architecture

As with NetProwler, Intruder Alert utilises a multi-tiered distributed management and configuration infrastructure that allows it to scale in the largest network environments.

The ITA architecture is made up of four components:

  • Agent – This is installed as a Unix daemon, Windows NT Service or NetWare Loadable Module (NLM) and is used to monitor events on the host on which it is installed, and perform defined actions based on applied security policies.
  • Manager – This is a Unix daemon or Windows NT Service which provides the middle layer of communication between multiple Agents, the Event Viewer and the ITA Administrator. It is used to organise Agents, administer policies and manage the event database.
  • Event Viewer – This provides a graphical view into the ITA event database, which contains all the events captured by various ITA Agents. The Event Viewer can be used to both query the event database to generate reports and send commands to Agents.
  • Administrator – This is the graphical console that provides centralised control over the Intruder Alert system, used to organise and configure Agents in Domains, and create and administer security policies.

Intruder Alert is Symantec’s host-based IDS which complements NetProwler. The two can be configured to integrate closely, and there is now a central management console that lets users monitor both network- and host-based IDS systems enterprise-wide via a multi-tiered distributed architecture.

An SNMP-Collector utility must be installed within Intruder Alert in order for it to respond to NetProwler events. From within Intruder Alert’s management interface, administrators can view multiple NetProwler events and hundreds of Intruder Alert agents, enabling them to react to either network- or host-based violations from a single console.

Installation

Installation is straightforward enough for Windows users. For Unix platforms, there are a number of different install programs on the CD depending on the version of Unix – these are to install the Manager and Agents (either can be installed individually, or both can be installed on the same machine). The Event Viewer and Administrator are also available for both Windows and Unix platforms.

Note that none of the components will work under Windows 2000 at the time of writing – the test platform for this evaluation was therefore Windows NT4 Service Pack 6a.

Documentation is excellent, and is provided as hard copy manuals in the box as well as electronically. The Installation Guide provides plenty of information on installing the components of ITA on various platforms, whilst the User Guide provides detailed reference and tutorial material on all aspects of configuring, managing and running ITA.

Configuration

Graphical interfaces are provided for both the ITA Event Viewer and the Administrator.

The Administrator is used to define and deploy security policies throughout a distributed ITA system, and employs a dual-pane approach – the left containing a hierarchical tree display containing Managers, Agents, Domains and Policies, whilst the right hand pane contains the configuration details of each object selected.

Figure 1 - The Intruder Alert Console

When first launching the Administrator program, it is necessary to connect to a specific Manager by providing a user name and password – all available Managers are listed in the tree view in the left-hand pane. Once connected, the configuration details for that Manager are retrieved and displayed, allowing you to view the Domains, Policies and registered Agents for that Manager. Each Manager is capable of controlling up to 100 Agents. As with NetProwler, it is not immediately apparent what is going on in the Administrator interface – Policies seem to be duplicated far too many times, for example. However, with a bit of thought, it all comes together quite well, and is actually easier to master than the NetProwler interface.

Security Policies are available in the main Policy Library, which serves as the repository for all policies shipped with Intruder Alert as well as any new ones that are developed by the administrator. The library is divided into three sections – Configure To Detect, Drop & Detect (Install) and Drop & Detect (Miscellaneous).

The names are largely self-explanatory. Configure To Detect policies require some custom configuration by the administrator before they can be deployed. Drop & Detect policies, on the other hand, are ready to use as they stand, and those in the “Install” section cover a range of common vulnerabilities on various OS platforms. These are deployed and activated automatically at install time, thus providing protection as soon as ITA has been installed.

As an example, intruders will often attempt to replace critical system files with “Trojan Horses”, or alter those files to create “back doors” into the host system. ITA is pre-configured to detect changes to mission-critical files on Unix and NT systems via the built-in File Tampering Policies, and these Policies are automatically activated during Agent installation. It is quite a simple matter, however, to add your own files to these Policies (or create your own custom Policies based on them) in order for ITA to monitor in-house application and data files.
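As an added example (not Symantec’s code, and not a description of how ITA implements its File Tampering Policies), the following script shows the check such a policy performs: take a baseline of mode, size and SHA-256 digest for each watched file, then re-scan and classify each file as unchanged, modified, permission-changed or missing. The file names are hypothetical and the sample tree is constructed in a temporary directory, so it runs offline; it assumes a POSIX filesystem where the setuid bit can be set with chmod.

```python
"""Added example (not Symantec code): the core of a file-tampering policy,
a baseline of mode/size/SHA-256 per watched file compared against a later
scan. Paths are hypothetical; the sample tree is built in a temporary
directory so the check runs offline. Assumes a POSIX filesystem (chmod)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """(mode string, size, sha256) for a regular file, or None if it is absent."""
    p = Path(path)
    if not p.is_file():
        return None
    st = p.stat()
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (stat.filemode(st.st_mode), st.st_size, h.hexdigest())


def baseline(paths):
    """Snapshot taken when the policy is deployed (the 'known good' state)."""
    return {p: fingerprint(p) for p in paths}


def compare(snapshot, paths):
    """Classify each watched path: ok, modified, permissions, missing, appeared, absent."""
    findings = {}
    for p in paths:
        before, after = snapshot.get(p), fingerprint(p)
        if before is None and after is None:
            findings[p] = "absent"        # never existed; nothing to compare
        elif before is None:
            findings[p] = "appeared"
        elif after is None:
            findings[p] = "missing"
        elif before[1:] != after[1:]:
            findings[p] = "modified"      # size or content hash changed
        elif before[0] != after[0]:
            findings[p] = "permissions"   # content intact, mode bits changed
        else:
            findings[p] = "ok"
    return findings


def demo():
    """Build a constructed mini filesystem, baseline it, tamper, and re-check."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "etc/shadow": b"root:*:0:0:99999:7:::\n",
        "etc/hosts":  b"127.0.0.1 localhost\n",
        "bin/login":  b"\x7fELF constructed stand-in for a binary\n",
    }
    watched = []
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.chmod(p, 0o755 if rel.startswith("bin/") else 0o644)
        watched.append(str(p))
    snapshot = baseline(watched)

    # Simulated tampering of the kind the policy exists to catch.
    with open(root / "etc/passwd", "ab") as f:
        f.write(b"eve:x:0:0::/:/bin/sh\n")       # second uid-0 account appended
    os.chmod(root / "bin/login", 0o4755)         # setuid bit added to a system binary
    (root / "etc/shadow").unlink()               # audit-relevant file removed

    return {Path(k).relative_to(root).as_posix(): v
            for k, v in compare(snapshot, watched).items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:<12} {path}")
```

The point of checking mode bits separately from content is that a setuid bit added to an untouched binary is a back door that a hash-only check would miss; conversely, a content change is reported as “modified” even if the mode is also changed, so the more serious finding takes precedence.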

Figure 2 - Creating policies

Intruder Alert has different event sources for each supported operating system. The event sources on Unix include syslog, wtmp, process accounting and, where available, btmp and C2 audit logs. Event sources for NT include System, Application and Security logs, whilst for NetWare the event source stems from a number of event types registered with the NetWare operating system.

Of course, every system is different so, unlike network IDS, host-based systems need to be customised frequently to provide optimum cover for the host on which they reside.

This customisation is not always straightforward, but it has been made as easy as possible with ITA whilst retaining a high degree of flexibility.

Existing Policies can be changed or new Policies can be defined from scratch, and these are made up of a number of rules that detect and respond to events. In turn, these rules are comprised of three parts – a select clause (determining which events are to be included), an ignore clause (to exclude certain events) and an action clause (to perform if the select and ignore clauses yield a positive result). Select clauses can be used to match search strings against ITA status messages, SNMP traps (including alerts from NetProwler) or events stored in the system logs of whichever OS is installed on the host. So, for instance, you can create a select clause that looks for all messages containing the phrase “Failed Admin login”.

The ignore clause provides power and flexibility, since it is possible to set timers or raise flags in response to a particular select clause and subsequently ignore events that have a flag raised or which have occurred within a particular time frame. So, for instance, you could look for all failed login events, but only perform an action if you get more than thirty in a one minute period. This ability to raise flags and perform selective actions based on the state of those flags is known as Event Context Capturing, and provides the ability for ITA to distinguish between different events of the same type, perhaps sorting out five failed administrator logins out of the thirty failed logins that occurred in the last minute.

Finally, the action clause provides the means for ITA to act on what it considers to be a positive alert. The following options are available:

  • Record to Event Viewer
  • Raise/Lower Flag
  • Send E-mail
  • Pager
  • Append to File
  • Notify (on-screen pop-up)
  • Start/Cancel Timer
  • Execute Command
  • Run Shared Action (chain to another Rule)
  • Disconnect Session
  • Disable User

Any number of rules and clauses can be combined to make a Policy, and rules can even be chained together, subsequent rules depending on the output of preceding ones. This makes Intruder Alert one of the most flexible host-based IDS products we have seen to date.
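To make the select/ignore/action model concrete, here is an added example, not Symantec’s code, of a miniature rule engine run over a constructed set of syslog-style failed-login lines. It implements the two cases from the text (more than thirty failed logins in a minute, and five failed administrator logins among them), uses a flag with a timer as the ignore clause to suppress repeat alerts, and chains a third rule on that flag so that the same event type, a failed admin login, is handled differently while a storm is in progress. The sliding-window count and timer semantics, and all rule and flag names, are this example’s assumptions, not ITA’s internals.

```python
"""Added example (not Symantec code): a miniature select/ignore/action rule
engine that models the ITA policy clauses described above. The clause
semantics (sliding-window counts, flags that expire on a timer) are this
example's assumptions about how such rules behave, not ITA internals."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Rule:
    name: str
    select: str                    # regex: events that match are candidates
    count: int = 1                 # fire once this many selected events ...
    window: float = 0.0            # ... fall within this many seconds
    ignore: Optional[Callable[..., bool]] = None   # ignore clause (True = skip)
    actions: List[Callable[..., None]] = field(default_factory=list)


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.flags = {}                    # flag name -> expiry time (None = no timer)
        self.windows = defaultdict(deque)  # rule name -> timestamps of selected events
        self.alerts = []                   # what "Record to Event Viewer" would store

    # Primitives that action and ignore clauses can use.
    def raise_flag(self, name, now, ttl=None):
        self.flags[name] = None if ttl is None else now + ttl

    def lower_flag(self, name):
        self.flags.pop(name, None)

    def flag_raised(self, name):
        return name in self.flags

    def record(self, rule_name, now, msg):
        self.alerts.append((rule_name, now, msg))

    def _expire_timers(self, now):
        for name, expiry in list(self.flags.items()):
            if expiry is not None and now >= expiry:
                del self.flags[name]

    def process(self, now, msg):
        self._expire_timers(now)
        for rule in self.rules:
            if not re.search(rule.select, msg):               # select clause
                continue
            if rule.ignore and rule.ignore(self, now, msg):   # ignore clause
                continue
            win = self.windows[rule.name]
            win.append(now)
            while win and now - win[0] > rule.window:         # drop events outside the window
                win.popleft()
            if len(win) >= rule.count:                        # action clause
                for action in rule.actions:
                    action(self, rule, now, msg)
                win.clear()                                   # count afresh after firing


def record_alert(engine, rule, now, msg):
    engine.record(rule.name, now, msg)


def storm_alert(engine, rule, now, msg):
    engine.record(rule.name, now, msg)
    engine.raise_flag("login_storm", now, ttl=60)   # suppress repeats for a minute


POLICY = [
    # More than thirty failed logins in one minute, reported once per minute.
    Rule("login_storm", r"Failed login", count=31, window=60,
         ignore=lambda eng, now, msg: eng.flag_raised("login_storm"),
         actions=[storm_alert]),
    # Five failed administrator logins in a minute, regardless of other users.
    Rule("admin_bruteforce", r"Failed login: user=admin", count=5, window=60,
         actions=[record_alert]),
    # Chained rule: an admin failure is treated differently while the storm flag is up.
    Rule("disable_admin", r"Failed login: user=admin",
         ignore=lambda eng, now, msg: not eng.flag_raised("login_storm"),
         actions=[record_alert]),
]


def build_sample_log():
    """Constructed syslog-style lines (seconds, message); not real system output."""
    log = []
    for i in range(35):
        user = "admin" if i % 7 == 0 or i == 33 else "bob"
        log.append((float(i), f"sshd[412]: Failed login: user={user} src=10.0.0.5"))
    log.append((100.0, "sshd[412]: Failed login: user=bob src=10.0.0.5"))   # flag has expired
    log.append((120.0, "sshd[412]: Accepted login: user=bob src=10.0.0.5"))  # not selected
    return log


def run_policy(rules=POLICY, log=None):
    engine = Engine(rules)
    for now, msg in (build_sample_log() if log is None else log):
        engine.process(now, msg)
    return engine.alerts


if __name__ == "__main__":
    for name, when, msg in run_policy():
        print(f"t={when:>5}  {name:<16} {msg}")
```

Run over the constructed log, the admin rule fires first (five admin failures by t=28), the storm rule fires at t=30 and raises its flag, the chained rule fires on the admin failure at t=33 because the flag is up, and the failed login at t=100 produces nothing because the flag has expired and the count has restarted. In a real deployment the action for the chained rule would be “Disable User” or “Disconnect Session” rather than just recording the event.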

Once a new Policy has been created in the Policy Library, it can be deployed to a particular Manager by simply dragging it from the Library into the Policies branch of the tree view under the appropriate Manager (actually, Policies can be created directly in the Manager section of the tree hierarchy, which may be appropriate in certain circumstances, such as when a Policy will only ever apply to a single Manager). The Manager branch lists previously connected Managers, and the ITA Administrator allows you to connect to multiple Managers at the same time.

Listed under the Manager branch of the configuration tree are the Policies (dragged from the Policy Library or created from scratch), Registered Agents (listing each of the Agents controlled by a particular Manager), and Domains that apply to that Manager.

A Domain is simply a logical grouping of machines on your network and ITA creates default ones according to platform – NT, NetWare, Unix and All Agents. It is a simple matter to rearrange these or to create your own – perhaps by department (finance, sales, etc.) or server function (FTP, Web, mail, etc) – depending on how you have designed your policies. Hosts can belong to more than one domain if required.

Once a Policy has been placed in the Policy folder of a particular Manager, it can be quickly deployed to every Agent in one or more Domains by right clicking on the Policy and selecting the Domains to which you want to deploy it. Once a Policy has been applied to a Domain, it is automatically deployed to all the Agents within that Domain and monitoring begins immediately.

At any point, it is a simple matter to expand the tree hierarchy and see which Agents are in which Domains, and which Policies apply to which Domains. The Shared Actions Policy provides a number of Actions which can be used from within any Policy on the system, allowing all actions to be administered from a central location. For instance, there will probably be only one way to e-mail the administrator, so it only needs defining once in the Shared Actions Policy, and can be re-used over and over from any other Policy.

Figure 3 - The ITA Event Viewer

Bandwidth is always an issue in a distributed hierarchy such as that employed by ITA, where multiple Agents have to communicate with Managers, and Managers have to communicate with central consoles. However, ITA provides the means to throttle back traffic generated as a result of Agents recording events to the Manager database, and Agents sending e-mail alerts.

Reporting and Analysis

Two vehicles for reporting and analysis are provided in Intruder Alert: the Event Viewer and the Report Generator.

Event Viewer

Intruder Alert Event Viewer is a separate graphical utility (on Unix and Windows platforms) that is used to query and view event data captured by Agents. Event Viewer gathers its data from events recorded by Agents in the event database located on a Manager system.

Event Viewer has advanced data filtering capabilities allowing you to select and display specific data of interest in several formats, including bar chart, line graph, pie chart, text view and report view. Using ITA Event Viewer it is possible to query the database and view selected events as they happen (or take historical snapshots of the data).

The Query Builder wizard guides the administrator through the process of defining a query and generating a view. The events can then be filtered by Agent, user, Policy, rules, rule value, date, time or specified text, and the results displayed using one of a number of pre-defined views, or via a custom view (which can be saved and re-used). The Event Viewer can also be used to send internal commands to Agents.

Report Generator

As part of the Event Viewer, ITA also offers a report generator. ITA reporting provides considerable scope for creating user-defined reports if required. It is capable of consolidating security data from hundreds of systems (host IDS) as well as NetProwler (network IDS) systems and securely displaying this data according to risk priority (high, medium and low), by a variety of charts as well as data tables for drill-down analysis.

Figure 4 - Viewing ITA reports

Data can even be filtered using user-defined queries for conducting post event analysis on historical data, and it is possible to identify security trends and repeat offenders.

A number of different reports categorise and document attacks by system, by user and by time, and organise this data for various levels of target audience. Out of the box, the following reports are available:

  • Management Report – Non-technical summary of attacks detected
  • Technician Report – Technical summary detailing all attacks
  • Security Events Report – Lists all detected events, sorted by severity
  • Agent Report – Compares events on different Agents
  • Security Report – Compares severity of Events by Agent, user and date
  • User Report – Compares severity of Events by user, users on an Agent, or date

As with the Event Viewer, reports are generated through the Query Builder Wizard, where the administrator selects the report view type, and defines the parameters of the query. The body of the report contains various report elements, including charts, graphs, and listings of individual events, and these are presented in the Crystal Reports Viewer for on-screen browsing. Custom reports can be produced via the usual Crystal Reports templates (if you have the Crystal Reports Designer software), and reports can be exported in a variety of formats, including CSV, Excel and Word, amongst others.

Verdict

Intruder Alert provides the means to monitor a range of hosts and operating system platforms throughout a large organisation. Anything that can be monitored and reported by your host operating system (via event logs or syslog) is fodder for Intruder Alert, and the multi-tiered architecture allows it to scale well.

Given that defining your own policies from scratch is not a simple matter, it is good to see that Symantec has included a number of useful policies that are deployed out of the box with no configuration or intervention required. This means that ITA can be deployed, and be immediately productive, with a minimum of security knowledge.

To get the most out of it, however, you need to get to grips with Policy definition. Although this can require almost a “programmer’s mentality” to produce the most effective Policies, the user interface is actually quite logical and straightforward, and plenty of help is provided both on-line and via the excellent documentation.

Despite being initially complex and perhaps a little daunting, Intruder Alert will prove to be extremely flexible and powerful once you get used to it. The combination of Intruder Alert and NetProwler together is a potent one.

Contact Details

Company name: Symantec Technologies, Inc.
E-mail: [email protected]
Internet: www.Symantec.com
Address:
2400 Research Boulevard
Rockville, Maryland 20850
USA

Tel: +1 (301) 258-5043
Fax:
+1(301) 670-3586


Copyright © 1991-2002 The NSS Group.
All rights reserved.