Symantec NetProwler 3.51

NetProwler is the network IDS part of Symantec's security suite, which also includes host-based IDS (Intruder Alert), vulnerability assessment (NetRecon), and security policy auditing and enforcement (Enterprise Security Manager). NetProwler implements a three-tier architecture to provide maximum scalability across large networks. The three components are the Agent (the sensor that monitors network traffic), the Manager (which collects data from its Agents) and the Console (the central administrative interface).
It is possible to integrate NetProwler with Intruder Alert via an SNMP collection agent which takes alerts generated by NetProwler and passes them on to Intruder Alert for further processing. Intruder Alert supplements NetProwler by providing additional response actions and host-based protection for the NetProwler Agent.

NetProwler employs SDSI technology, which separates the session processing and analysis from the signature database. This enables NetProwler to dynamically load new updates, whether from the Symantec Information Security SWAT team (via the automated Web update capability) or custom attack signatures created by the administrator, without the need to take the system off-line.

Installation is reasonably straightforward, though more long-winded than most thanks to the multi-tier architecture. Although all three components can technically be installed on the same host if required (perhaps for a test environment or for very low volume monitoring purposes), a dedicated machine is recommended for each Agent and Manager. The Console can reside on a shared host. A password is normally required to access the Manager and Agent, though these components can be set to log on automatically provided they are kept in a secure location. All the components installed quickly and easily from CD using the standard Windows InstallShield. Note that none of the components will work under Windows 2000 at the time of writing; the test platform for this evaluation was therefore Windows NT4 Service Pack 6a.

The documentation, which is provided as hard copy as well as electronically, is excellent, and offers a wealth of advice on installation and deployment in a range of environments, including switched networks. A number of sample case studies provide practical advice on deployment issues, including how to install the Agents in stealth mode.

The NetProwler Console is divided into two panes: Configure and Monitor.
The Configure pane provides the means to configure Managers, add and manage Agents, define security policies and alert actions, and create and view reports. Unfortunately, it is also a rather daunting and occasionally confusing user interface, and certainly takes some getting used to initially. This potential for confusion arises out of the modularity of the system, although that same modularity is what provides its tremendous power and flexibility.
There is no automated remote installation of Agents, which could make large-scale deployment a painful process. Once installed on the remote host, Agents are defined to the Console by entering a name, IP address and password, as well as a range of IP addresses to monitor. This is the first hint of major differences from other IDS products, since the NetProwler engine does not automatically monitor everything that passes on the wire. Instead, each Agent has one or more IP addresses associated with it for monitoring purposes, and each of the addresses monitored has an appropriate range of attack signatures associated with it (depending on the host operating system).

Although this provides tremendous flexibility (for instance, the monitoring on heavily loaded segments can be split between several Agents), it does at first sound like a horrendous configuration task. It isn't, however, thanks to an automated configuration tool called the Profiler. This tool scans the network for live systems and determines the host operating system and services running on them. From this information, it determines which attack signatures from the database should be associated with which hosts and performs the association automatically. Naturally, the scanned properties of each host can be examined, and additional services and attack signatures can be associated and saved against them if required.
The process of manually associating specific attack signatures with multiple hosts is made easier by the concept of Domains. The Administrator can create as many Domains as required (for instance, one domain for FTP servers, one for SMTP servers, one for Web servers, and so on) and each one can be populated with any number of hosts and attack signatures. Domain associations are then applied over and above the automatic Profiler associations. All attack signatures are applied cumulatively, so that if you add specific signatures or services to a particular host, re-profiling that host at a later date does not remove them. However, if you should remove signatures that NetProwler has associated automatically, then the next time the Profiler runs those signatures will be re-applied.

This combination of Agents monitoring certain hosts and applying a subset of the complete attack signature database should provide the means to handle larger and more heavily loaded networks more effectively. However, it is also the most confusing aspect of NetProwler configuration, since associating signatures is not particularly intuitive and it is never immediately apparent which set of attack signatures is associated with which hosts. This means the administrator has to place an extraordinary amount of trust in NetProwler getting this right, or spend a lot of time checking each host individually to make sure (the NetProwler documentation does provide some help here). Of course, the make-up of any network can change on a daily basis, causing such fixed configurations to become quickly outdated. To combat this, Profiler jobs can be scheduled to run at regular intervals to keep things up to date and ensure that the latest configuration settings and signatures are always applied to the most appropriate machines.
NetProwler is thus designed to have a fluid configuration, and the concept of fixed security policies applied to IDS sensors around the network, as found in other products on the market, simply does not apply here. As you would expect, new attack signatures are provided at regular intervals by the Symantec SWAT team, and can be incorporated into NetProwler via the Web-based Signature Sync capability. It is also possible to create custom attack signatures from scratch via a GUI interface in the Console, although a fairly detailed knowledge of your network protocols is required before undertaking this. It is nice to see the facility included, however. Any new signatures, whether custom-built or provided by Symantec, are automatically applied to the appropriate systems the next time the Profiler is run.
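The signature association rules described in the two preceding paragraphs (Profiler associations, Domain overlays, cumulative application, re-profiling, and newly synced signatures only taking effect at the next Profiler run) are easy to misread, so here is a small model of them as an added example. It is not NetProwler code; the host names, operating systems, services and signature names are constructed, and the OS/service-to-signature table stands in for whatever the real Profiler derives from a scan. The point of the model is the `effective()` check an administrator would want when verifying which signatures a given host actually carries.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the Profiler's knowledge: (os, service) -> signatures.
PROFILE_SIGS = {
    ("nt4", "http"): {"iis-traversal", "http-long-url"},
    ("nt4", "smtp"): {"smtp-vrfy", "smtp-relay"},
    ("unix", "ftp"): {"ftp-bounce", "ftp-site-exec"},
}

@dataclass
class Host:
    name: str
    os: str
    services: set
    profiled: set = field(default_factory=set)   # set automatically by profile()
    manual: set = field(default_factory=set)     # added by the administrator
    domains: set = field(default_factory=set)    # names of Domains this host is in

def signature_sync(new_sigs):
    """Model of Signature Sync: new signatures enter the database only. They reach
    hosts the next time profile() runs, not immediately."""
    for key, sigs in new_sigs.items():
        PROFILE_SIGS.setdefault(key, set()).update(sigs)

def profile(host):
    """Model of a Profiler run: automatic associations are recomputed from scratch,
    so an auto signature the admin removed comes back; manual ones are untouched."""
    host.profiled = set()
    for svc in host.services:
        host.profiled |= PROFILE_SIGS.get((host.os, svc), set())

def remove_signature(host, sig):
    """Admin removes a signature from a host. Only a manually added signature
    stays removed; an auto one is re-applied at the next profile() run."""
    host.profiled.discard(sig)
    host.manual.discard(sig)

def effective(host, domains):
    """The cumulative set a host is monitored for: Profiler associations plus
    manual additions plus every Domain the host belongs to."""
    sigs = set(host.profiled) | host.manual
    for name in host.domains:
        sigs |= domains.get(name, set())
    return sigs
```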
Once a particular set of Agents, hosts to be monitored, and attack signature associations has been saved, the configuration data is transmitted via the Manager to the appropriate Agents and they begin monitoring accordingly. Each Agent has a graphical screen displayed on the host PC which shows details of packets monitored, packets dropped (a useful indication of how busy the network is and how overloaded the Agent is), attacks detected, and so on. This information can be displayed in graphical or text format, but it is not possible to make any changes to the configuration from this interface. The same information is passed to the Manager responsible for each Agent, where it is stored before being reported back to the central Console.

The Monitor pane in the Console provides the means for the administrator to see a real-time view of network attacks and intrusions. Individual Agent status can be determined, and alerts are flagged using red, yellow or green spinning lights to indicate high, medium or low risk. The administrator can choose to see every instance of an alert reported, or can employ repetitive alert suppression, whereby multiple alerts within a specified time frame are reported as a single instance. A list of alerts can be displayed, and detailed information on each type of attack is available at the click of a mouse.

In addition to the real-time notification to the Console, NetProwler can be configured to provide a number of other automated responses, including e-mail, paging, SNMP trap, session termination, session capture, spawning an external command and firewall hardening (Symantec Raptor and CheckPoint Firewall-1). SNMP traps can be processed by a local SNMP collection agent that integrates with Intruder Alert, which can then provide additional reporting and alerting capabilities if required. Session capture records details of suspect sessions, which can be replayed later via the Console or Agent interfaces.
This capability can be extended to provide live session monitoring, which provides the same session monitor and capture capability for all TCP/IP session types (not just suspect sessions) such as FTP, Telnet and HTTP as they occur in real time. Full protocol decode is provided, and sessions can be captured to file for review later. This is a very powerful feature, and one that is not particularly common in the IDS market place.
NetProwler allows the administrator to define most response actions by individual attack signature and by priority level. The growing number of attack signatures, however, can make configuring actions for individual attacks quite time consuming, and so the simpler approach is to configure responses by priority level. Thus, for High priority attacks, you may e-mail and page the administrator and harden the firewall; Medium priority may trigger only an e-mail; Low priority attacks may simply be logged for later reporting. Unfortunately, the Terminate Session, Capture to end of session and Spawn Command response actions cannot be configured by priority level.

Finally, NetProwler can also be used to restrict traffic on one or more TCP/IP-based applications on a monitored system by time of day or day of the week. This can be used to restrict FTP access to an internal server to certain times of the day (working hours only, perhaps) or to certain workstations, providing an element of access control in addition to intrusion detection.

In addition to the excellent real-time statistics, NetProwler provides a range of reports via the ubiquitous Crystal Reports engine. Unfortunately, this is probably the weakest part of the package. The first thing that hits you is that it is only possible to schedule reports for regular runs; there is no ad hoc reporting capability. This means that if you need a report quickly, you have to schedule it to run in one minute's time, which is unnecessary hassle.
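The alert-handling behaviour described above (repetitive alert suppression from the Monitor pane paragraph, and response actions selected by priority level with the three actions that can only be bound per signature) is shown here as an added example in code. This is a model written for this page, not NetProwler's own logic; the alert records, the 60-second window, the action names and the per-signature bindings are all constructed.

```python
# Constructed alert stream: (timestamp in seconds, signature, source, target, priority).
ALERTS = [
    (0,  "ftp-bounce",    "10.0.0.5", "10.0.1.2", "High"),
    (5,  "ftp-bounce",    "10.0.0.5", "10.0.1.2", "High"),
    (40, "ftp-bounce",    "10.0.0.5", "10.0.1.2", "High"),
    (70, "ftp-bounce",    "10.0.0.5", "10.0.1.2", "High"),   # outside the window
    (71, "smtp-vrfy",     "10.0.0.9", "10.0.1.3", "Medium"),
    (72, "http-long-url", "10.0.0.7", "10.0.1.2", "Low"),
]

# Responses that may be configured per priority level (constructed policy).
PRIORITY_ACTIONS = {
    "High":   ["console", "email", "page", "harden-firewall"],
    "Medium": ["console", "email"],
    "Low":    ["console", "log"],
}
# The review notes these three cannot be configured by priority, only per signature.
PER_SIGNATURE_ONLY = {"terminate-session", "capture-to-end", "spawn-command"}
SIGNATURE_ACTIONS = {"ftp-bounce": ["terminate-session", "capture-to-end"]}

def validate_priority_policy(policy):
    """Reject a priority-level policy that tries to use a per-signature-only action."""
    bad = {a for acts in policy.values() for a in acts if a in PER_SIGNATURE_ONLY}
    return sorted(bad)   # empty list means the policy is valid

def suppress(alerts, window):
    """Repetitive alert suppression: repeats of the same (signature, source, target)
    within `window` seconds of the first one become a single instance with a count."""
    instances, open_idx = [], {}
    for ts, sig, src, dst, prio in alerts:
        key = (sig, src, dst)
        i = open_idx.get(key)
        if i is not None and ts - instances[i]["first"] <= window:
            instances[i]["count"] += 1
            instances[i]["last"] = ts
            continue
        open_idx[key] = len(instances)
        instances.append({"first": ts, "last": ts, "signature": sig, "source": src,
                          "target": dst, "priority": prio, "count": 1})
    return instances

def responses(instance):
    """Actions for one reported instance: priority-level actions first, then any
    per-signature-only actions bound to that signature."""
    acts = list(PRIORITY_ACTIONS[instance["priority"]])
    acts += [a for a in SIGNATURE_ACTIONS.get(instance["signature"], []) if a not in acts]
    return acts

def handle(alerts, window=60):
    """Suppress repeats, then attach the response list to each reported instance."""
    return [(i["signature"], i["count"], responses(i)) for i in suppress(alerts, window)]
```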
We also came across a severe limitation in NetProwler's reporting. As part of our testing we were launching in excess of 20,000 attacks against each IDS engine per test, and when it came time to report on the activity during the testing the report came back with "Too many records to be retrieved". The slowest period of activity produced around 15,000 records whilst the highest was in the region of 47,000 records. We don't consider these to be excessively large numbers, and feel that NetProwler reporting should be able to handle them.

The Report Wizard provides three general report categories:

Quick Reports: the content and format of each report is fixed. Quick Reports include information from all Agents associated with a single Manager, and only in HTML format.

Pre-Formatted Reports: provide a more flexible layout. Pre-Formatted Reports let you choose which Agents you want to gather information from, what kind of alerts you want reported, and what kind of export file format is required (HTML, Excel, Word, plain text or Crystal Reports).

Custom Crystal Report: allows you to schedule a custom report designed using Crystal Reports Designer.

The types of reports available within these categories include Alert Summary, Attack Signatures Alert Summary, Daily/Weekly/Monthly Executive Summary, Attack Details, Unauthorised Access, Session Start/End, and Cost Analysis. Each report contains a graph followed by a simple list of the attacks or sessions. Unfortunately, it is not possible to access further information on attacks mentioned in the report via hyperlinks, a feature which is common in other products. One analysis feature that we did like is the Find Alerts capability. This allows the administrator to query the database of stored alerts for all alerts of a particular type, for a particular target, or in a particular time range, and have these displayed instantly in the Monitor pane. Overall, however, reporting needs to be improved.
NetProwler is a complex product that initially takes some getting used to. The administration interface is not particularly intuitive and you can spend some time trying to figure out how to do certain operations, such as the best way to associate attack signatures with hosts. Certain aspects of the reporting also need to be improved. That said, the complexity is there because Symantec has spent some time designing an architecture that is flexible and scalable, with a multi-tiered control structure and the ability to selectively apply signatures to hosts, and selectively associate hosts with Agents. This provides an extremely granular approach to configuration, meaning that you could have a single Agent monitoring a single host for a small subset of attacks if you felt so inclined. Multiple Agents installed on the same subnet monitoring different hosts for different attacks are thus one way around IDS performance problems on heavily loaded network segments. The only thing that is missing here is the Network Node IDS method of operation (currently in development), where the Agent resides on the host to be monitored; NetProwler Agents currently operate in promiscuous mode only.

Once you have mastered the initial complexity, NetProwler offers a powerful and flexible IDS system that is extensively customisable, right down to the ability to add your own attack signatures. The real-time monitoring capabilities are also excellent, with a very useful GUI interface on the Agent itself as well as excellent monitoring via the central Console.

Company name: Symantec Technologies, Inc.
Tel: +1 (301) 258-5043