Brief product description
NetProwler is a network-based IDS. It protects e-business by continuously watching IP based network segments for patterns of misuse or abuse. If these systems are threatened, NetProwler can notify you and even take precautionary actions to prevent information theft or loss.
Architecture
NetProwler is designed using a 3-tier architecture with Agents, Manager and the GUI Console.
At what layer of the protocol stack is the product working?
NetProwler is not bound to the NT operating system stack. The NetProwler Agent driver uses an IP stack that has been specially developed to conceal the Agent's presence from the network. NetProwler can monitor the entire IP packet from the Network layer on up.
Documentation
The NetProwler product is shipped with a hard copy set of Release Notes, Installation Manual and User Guide. The documentation is also available on the CD-ROM media in Acrobat PDF format.
What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
Supported Manager Platforms: Windows NT 4.0
Requires: PII 300 MHz, 128 MB RAM, 70 MB disk storage + 50 to 500 MB additional storage to hold NetProwler events and configuration information
Supported Agent Platforms: Windows NT 4.0
Requires: PII 300 MHz, 128 MB RAM, 50-100 MB disk storage + 50 to 500 MB additional storage to hold NetProwler events and configuration information
Supported Console Platforms: Windows NT 4.0 - 2000+
Requires: PII 300 MHz, 128 MB RAM, 10 MB disk storage
A dedicated machine is recommended for each Agent and Manager component. The Console can be installed on any workstation.
What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
As above.
What components are installed on a detector?
NetProwler installs a packet level driver and accompanying files for the SDSI attack detection engine, logging, authentication, encryption and a GUI.
Which network types are supported?
NetProwler supports 10 and 100 Mb Ethernet.
Any specific recommendations for monitoring Gigabit networks with your product?
Symantec recommends evaluating the network environment and placing multiple
agents in critical areas to provide coverage. Symantec is currently teaming with
3rd party vendors to bring a complete Gigabit solution to market.
Which OS platforms are actively monitored?
NetProwler monitors network traffic and identifies common attempts to exploit known vulnerabilities on numerous operating systems and applications, including Unix, Linux and VMS. It can also identify company-specific applications through its attack signature definition interface. While the Network IDS solution is not tied to any specific OS and monitors all network based traffic, NetProwler will detect and apply OS specific signatures to the following types of operating systems:
Windows 95/98/NT/2000, Macintosh, Linux, AIX, HP-UX, Solaris, SUN-OS, BSDI BSD/OS, OSF 1, Free BSD, IRIX, NET BSD, OpenBSD, SCO UnixWare, Ultrix, VAX/VMS, SCO OpenServer, Netware
Can sensors/detectors be deployed and configured initially from a central console?
Sensors (Agents) can be configured from a central console. Agents must be directly installed on the intended host machine.
Once deployed and configured, can sensors/detectors be managed from a central console?
Sensors (Agents) can be managed from a central console.
Authentication between console and engines - Is it available? What algorithm/key lengths?
All communications between the Agent, Manager, and Console are secured via an authenticated Diffie-Hellman handshake, 56 bit Blowfish encryption and digital signatures using MD5.
Secure logon for policy management?
NetProwler supports password authenticated administrative consoles so that only privileged administrators can control the system.
How are policies distributed to engines?
The NetProwler Manager is responsible for automatically pushing all configuration and policy changes to each Agent via secure transports.
How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
The Manager is a centralized repository which contains event and configuration
data. The Manager is also responsible for automatically directing and deploying
the configuration policies to the Agents. In addition, the Manager collects and
compiles the event and alert information and makes this available for review on
the Console. Any changes to policy are automatically deployed to the Agent which
is responsible for implementation.
How many attack signatures?
Currently NetProwler has over 200 attack signatures.
Can the administrator define custom attack signatures?
Yes. Administrators can extend NetProwler's capabilities by utilising its custom attack signature definition (ASD) user interface and its attack definition wizard help. The interface supports drag and drop key words, reserved keywords (related directly to the IP protocol), arithmetic operators and strings to build immediately deployable definitions without requiring programming. This tool allows for complex and sequential based attack signatures to be created and automatically deployed, not just simple string searches.
How are new attack signatures obtained and deployed?
NetProwler's signature update feature is called Signature Sync. This feature provides automatic web-download services. The signatures are intelligently distributed to ALL of the NetProwler Agents, and assigned to all of the proper systems. This of course all happens real-time for the Agents, which never stop protecting the network to which they are assigned.
Frequency of signature updates? Provide dates of all updates in the last year.
Symantec's signature update team, SWAT, has released 7 signature updates this year.
Security Update 13 08/09/2000
Security Update 12 05/08/2000
Security Update 11 04/26/2000
Security Update 10 03/29/2000
Security Update 9 03/10/2000
Security Update 8 02/11/2000
Security Update 7 02/10/2000
What infrastructure do you have behind the signature update process?
The Symantec SWAT team, dedicated and separate from the product development team, researches security issues and vulnerabilities and creates new signatures for all of Symantec's signature related products.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
The
update files can be placed upon and then downloaded from a local web server. The
update only needs to be imported once into the centralized Manager, which then
automatically deploys the new signatures to all of the Agents.
Can signature updates be scheduled and fully automated?
While the signature update process is fully automated (see question above), currently the initial download is manual.
What network protocols are analysed?
NetProwler supports TCP/IP on 10 and 100 Mb Ethernet networks.
What application-level protocols are analysed?
NetProwler is not dependent on application level protocols; it can look at all IP based traffic including all application level protocols.
Can the product perform protocol decodes?
NetProwler can decode FTP, TELNET, SMTP, POP3, chat, rshell, and rlogin for session display.
Can the product perform session recording on suspect sessions?
Yes.
Block/tear down session?
NetProwler's proprietary TCP/IP driver/stack can create, on the fly, all necessary packets to stealthily send TCP/IP resets to any server. These packets contain only the information that the client would normally send when it would stop the session. Upon receipt of the RST packet, the server will shut the session down.
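The reset injection described in the answer above, as an added example: this is not NetProwler's code (its driver is proprietary), but a stdlib-only Python illustration of what a sensor has to forge to reset a session in the client's name. From the fields of one observed client-to-server segment it builds an IPv4/TCP RST whose addresses, ports, TTL and sequence number are the ones the client would have used. The field names of the observed-segment dict, the sample segment, and the optional mirror RST to the client (which the page does not describe) are assumptions for illustration.

```python
"""Forge the TCP RST a sensor sends to tear down an observed session (Python 3, stdlib only)."""
import socket
import struct


def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip: str, sport: int, dst_ip: str, dport: int, seq: int, ttl: int = 64) -> bytes:
    """IPv4 header + 20-byte TCP header with only RST set, no payload, checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset (5 words), flags (RST=0x04), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    # version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + tcp


def teardown_packets(obs: dict, both_ends: bool = False) -> list:
    """obs describes one client->server segment seen on the wire (assumed field names).

    The server accepts a RST whose sequence number is what it expects next from the
    client: the observed seq advanced past the payload, plus one for SYN or FIN, which
    each consume a sequence number. Copying the client's TTL keeps the forged packet
    looking like one the client sent, which is the concealment the answer describes.
    """
    nxt = obs["seq"] + obs["payload_len"] + ("S" in obs["flags"]) + ("F" in obs["flags"])
    pkts = [build_rst(obs["src"], obs["sport"], obs["dst"], obs["dport"], nxt, ttl=obs["ttl"])]
    if both_ends:
        # Optional mirror RST to the client in the server's name (assumption, not on the
        # page): its seq is the client's ACK number, the next byte the client expects.
        pkts.append(build_rst(obs["dst"], obs["dport"], obs["src"], obs["sport"], obs["ack"]))
    return pkts


def parse_packet(raw: bytes) -> dict:
    """Decode a forged packet and verify both checksums (a valid checksum re-sums to 0)."""
    ihl = (raw[0] & 0x0F) * 4
    ip, tcp = raw[:ihl], raw[ihl:]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "ttl": ip[8],
        "rst": bool(flags & 0x04), "ip_ok": _csum(ip) == 0, "tcp_ok": _csum(pseudo + tcp) == 0,
    }


# Constructed sample: a telnet client segment carrying 12 bytes of data (not a real capture).
OBSERVED = {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.10", "dport": 23,
            "seq": 1000, "ack": 5000, "payload_len": 12, "flags": "PA", "ttl": 128}

if __name__ == "__main__":
    for pkt in teardown_packets(OBSERVED, both_ends=True):
        print(parse_packet(pkt))
```

Putting the bytes on the wire needs a raw socket with IP_HDRINCL and administrator privileges, which is what a sensor's own driver provides. Two practical caveats: the RST must reach the server before it consumes further client data, otherwise the sequence number falls outside the window and is ignored, and a reset stops the TCP session but does not undo data that was already delivered.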
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
NetProwler has the ability to monitor any user-defined session, including custom applications.
Monitor changes in critical system files?
This is a host based function. Symantec's host based product, ITA, covers this area.
Monitor changes in user-defined files?
This is a host based function. Symantec's host based product, ITA, covers this area.
Monitor changes in Registry?
This is a host based function. Symantec's host based product, ITA, covers this area.
Monitor unauthorised access to files?
This is a host based function. Symantec's host based product, ITA, covers this area.
Monitor administrator activity (creation of new users, etc)?
This is a host based function. Symantec's host based product, ITA, covers this area.
Monitor excessive failed logins?
Yes. NetProwler has a signature designed to monitor failed logins.
List any other resources/locations that are monitored.
NetProwler monitors entire network segments for all traffic.
Track successful logins, monitoring subsequent file activity, etc?
This is a host based function. Symantec's host based product, ITA, covers this area.
Detect network-level packet based attacks?
Yes.
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
NetProwler currently detects SYN, UDP, and full connect based scans.
Detect and report on nmap OS fingerprinting?
Yes.
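The three scan classes the answer lists (SYN, UDP, full connect), as an added detection example that is not NetProwler's code: it follows each client-initiated TCP flow far enough to tell a completed handshake from the RST a SYN scanner sends after the SYN-ACK, counts distinct destination ports per source and target inside a time window, and alerts once per source, target and protocol. It goes beyond the page in also counting FIN, NULL and Xmas probes (no SYN, ACK or RST set, which no conforming stack sends to open a conversation and which nmap uses for FIN scans and OS fingerprinting), the class the answer says is not yet covered. The packet record type, the window and threshold, and the sample traffic are constructed for illustration.

```python
"""Port-scan classification over packet summaries (Python 3.8+, stdlib only)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    """Assumed per-packet record a sensor's decoder would hand to a detector."""
    ts: float          # seconds
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flag letters: S=SYN A=ACK R=RST F=FIN P=PSH U=URG


def tcp_flow_outcomes(pkts: List[Pkt]) -> Dict[Tuple[str, int, str, int], str]:
    """Follow each client-initiated TCP flow just far enough to separate a completed
    handshake (full connect) from one the client aborted after SYN-ACK (SYN scan)."""
    state: Dict[Tuple[str, int, str, int], str] = {}
    for p in pkts:
        if p.proto != "tcp":
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:
            state[fwd] = "syn"                    # new connection attempt / probe
        elif rev in state and "S" in p.flags and "A" in p.flags:
            state[rev] = "synack"                 # server answered: port open
        elif state.get(fwd) == "synack":
            if "R" in p.flags:
                state[fwd] = "half_open"          # client tore it down: SYN (stealth) scan
            elif "A" in p.flags:
                state[fwd] = "connected"          # third handshake packet: full connect
    return state


def detect_port_scans(pkts: List[Pkt], window: float = 10.0, threshold: int = 5) -> List[dict]:
    """Alert when one source probes >= threshold distinct ports on one host within window s."""
    outcomes = tcp_flow_outcomes(pkts)
    probes = defaultdict(list)  # (src, dst, proto) -> [(ts, dport, outcome)]
    for p in pkts:
        if p.proto == "udp":
            probes[(p.src, p.dst, "udp")].append((p.ts, p.dport, "udp"))
        elif p.proto != "tcp":
            continue
        elif "S" in p.flags and "A" not in p.flags:
            o = outcomes.get((p.src, p.sport, p.dst, p.dport), "syn")
            probes[(p.src, p.dst, "tcp")].append((p.ts, p.dport, o))
        elif not any(f in p.flags for f in "SAR"):
            # No SYN, ACK or RST: a FIN, NULL or Xmas probe. A conforming stack never
            # opens a conversation this way, so the packet is a scan signature in itself.
            probes[(p.src, p.dst, "tcp")].append((p.ts, p.dport, "fin"))
    alerts = []
    for (src, dst, proto), plist in probes.items():
        plist.sort()
        for i, (t0, _, _) in enumerate(plist):
            in_win = [q for q in plist[i:] if q[0] - t0 <= window]
            ports = {q[1] for q in in_win}
            if len(ports) < threshold:
                continue
            kinds = {q[2] for q in in_win}
            if proto == "udp":
                kind = "udp_scan"
            elif "connected" in kinds:
                kind = "tcp_connect_scan"
            elif "half_open" in kinds or "syn" in kinds:
                kind = "tcp_syn_scan"
            else:
                kind = "tcp_fin_scan"
            alerts.append({"src": src, "dst": dst, "kind": kind, "ports": sorted(ports), "start": t0})
            break  # one alert per (src, dst, proto)
    return alerts


def synthetic_capture() -> List[Pkt]:
    """Constructed traffic, not a real capture: three scans and one benign connection."""
    pk = []
    for i, port in enumerate([21, 22, 23, 25, 80]):          # 10.0.0.5: SYN scan, 22/80 open
        t, cp = 1.0 + i, 40000 + i
        pk.append(Pkt(t, "tcp", "10.0.0.5", cp, "10.0.0.10", port, "S"))
        if port in (22, 80):
            pk.append(Pkt(t + 0.01, "tcp", "10.0.0.10", port, "10.0.0.5", cp, "SA"))
            pk.append(Pkt(t + 0.02, "tcp", "10.0.0.5", cp, "10.0.0.10", port, "R"))
        else:
            pk.append(Pkt(t + 0.01, "tcp", "10.0.0.10", port, "10.0.0.5", cp, "RA"))
    for i, port in enumerate([135, 139, 445, 3389, 8080]):   # 10.0.0.6: full connect scan
        t, cp = 20.0 + i, 41000 + i
        pk.append(Pkt(t, "tcp", "10.0.0.6", cp, "10.0.0.10", port, "S"))
        if port in (445, 3389):
            pk.append(Pkt(t + 0.01, "tcp", "10.0.0.10", port, "10.0.0.6", cp, "SA"))
            pk.append(Pkt(t + 0.02, "tcp", "10.0.0.6", cp, "10.0.0.10", port, "A"))
        else:
            pk.append(Pkt(t + 0.01, "tcp", "10.0.0.10", port, "10.0.0.6", cp, "RA"))
    for i, port in enumerate([53, 67, 123, 161, 514]):       # 10.0.0.7: UDP sweep
        pk.append(Pkt(40.0 + i, "udp", "10.0.0.7", 42000 + i, "10.0.0.10", port))
    pk.append(Pkt(60.0, "tcp", "10.0.0.8", 43000, "10.0.0.10", 80, "S"))    # benign web hit
    pk.append(Pkt(60.01, "tcp", "10.0.0.10", 80, "10.0.0.8", 43000, "SA"))
    pk.append(Pkt(60.02, "tcp", "10.0.0.8", 43000, "10.0.0.10", 80, "A"))
    return pk


if __name__ == "__main__":
    for a in detect_port_scans(synthetic_capture()):
        print(a)
```

Two points worth noting when tuning this: a SYN scan and a connect scan look identical on the wire against closed ports (SYN in, RST out), so the classifier can only separate them when at least one probed port was open, and the window and threshold trade false positives from busy legitimate clients against slow scans that spread probes over minutes or hours.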
Perform packet reassembly? Resistance to known IDS evasion techniques?
NetProwler does not currently perform reassembly. Future releases will address this feature.
Reconfigure firewall? If so, which firewall(s) and how?
The NetProwler Agent has built in functionality to harden Raptor and Checkpoint FW-1 firewalls. For Raptor, NetProwler uses the Raptor designated methodology for firewall hardening, including authenticating to the Raptor, and sending the information by encrypted means. For Checkpoint, NetProwler uses the OPSEC compliant SAMP protocol to send the hardening commands. NetProwler is OPSEC 4.0 compatible.
Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Yes.
Recorded data can be used for potential litigation or to facilitate the design
of new, custom attack signature definitions. It is stored on the Agent. File
based security is recommended for securing the data since encrypting the data or
otherwise modifying the data may render it inadmissible as evidence.
Reporting from engine to console - range of action/alert options (detail these)
When NetProwler identifies an attack, it can log the event, terminate the session, harden a Firewall, and notify an administrator via pager, SNMP or email. It can also start another program, record the session, forward event notification to the Symantec Intruder Alert manager and console to update its dynamic summary, and graph reports. In addition, it can update SNMP management consoles through the Intruder Alert Manager. All of these response configurations are fully determined by the administrator.
What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
NetProwler Agents are self contained units. If at any time communication links between the Manager and Agents are severed (detected via heartbeat monitoring), the Agent will continue to provide IDS services. Thus, any events being collected by an Agent will be reported to the Manager immediately upon resumption of Agent to Manager connectivity.
Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
Agents
respond to events in real-time and pass alerts of the events to the Manager
directly, through secure transport. NetProwler includes a find alerts option
which allows the database to be queried. Criteria includes alert type, specific
signature names, agent names, priority, attacked system, attacking system, port
number, date and time.
Does the software offer advice on preventative action to ensure the attack does not happen again?
Yes.
Attack signatures include detailed information about the attack and direct
signature specific links to the SWAT website. That site includes references to
CERT, BugTraq, CVE, SANS and other sources as well as counter measures directly
related to the attack.
Integration with other scanning/IDS products?
NetProwler includes event level integration with Intruder Alert.
Log file maintenance - automatic rotation, archiving, reporting from archived logs, etc.
NetProwler provides the facility to purge the SQL database. Other database maintenance functionality can be achieved through the included SQL database tools.
Management reporting - range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
NetProwler has extensive reporting capability. Included out of the box are many preformatted reports that cover a wide variety of system aspects. There are pre-formatted reports designed for system administrators, accountants, and executives. In addition, the customers can use their own Crystal Report templates directly from the NetProwler Report Wizard. This allows the customer to extract exactly the information they desire, and format it to their own specifications.
Report management - can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
NetProwler supports the scheduling of reports from interval (minutes/hours) to daily to monthly. Reports can be emailed to administrators. A command can be spawned upon the generation of the Report, and that command could include the publishing of files to a website. The reports are placed with the centralized manager and are available to all of the authorized NetProwler consoles.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
NetProwler can consolidate information from each detector into a single report, which includes information about attacked servers.
Define custom reports?
Customers can use their own Crystal Report templates directly from the NetProwler Report Wizard. Standard SQL tools can also be used to extract the exact dataset required.
How is it licensed? How is the license enforced?
The following license types are available:
Evaluation licenses that incorporate expiration dates. This is included in the product. The applications can be run unhindered for 45 days from the time of installation.
Permanent licenses that are applied to specific manager and agent systems. Each license represents installing the application on a single host machine.
NetProwler consists of the following components: NetProwler Agent, NetProwler Manager, and NetProwler Console. The Windows NT Console and Manager are "free": Symantec does not charge for the NT console or manager and the customer can install and run as many consoles as they wish.
The Customer can purchase a version of the product called NetProwler Enterprise, available in three licensed tiers based on the number of nodes monitored by the Agent. In the Enterprise version all three components are delivered on the same CD. In addition, each Enterprise CD also contains an Intruder Alert Manager and Agent.
End user pricing information
The NetProwler Enterprise versions are $2,995 to $8,995 US depending on the number of nodes monitored by the Agent. Console and Manager are free. International pricing is available as a conversion from US dollars at the time of purchase.
Ongoing cost of maintenance/updates
Basic Maintenance: 15% of purchase price. Includes all product updates and 5x8 phone support.
Extended Maintenance: 22.5% of purchase price. Includes updates and 7x24 phone support.