Who's invading your turf?
While eNTrax Security Suite checks NT server logs, a lack of network detection leaves a big hole.
Now that you're opening your systems to users outside the LAN, detecting security holes and preventing attacks are more important than ever. Security analysis, network monitoring and intrusion detection are a must.
While Centrax claims its eNTrax Security Suite 2.1 is all that you need and more, our testing showed that the product is really a high-priced NT log-file analyzer that focuses on internal intrusion. It suffers from several drawbacks: eNTrax requires a dedicated NT or Solaris server for its console, because processing security logs is CPU-intensive; it provides only rudimentary security assessment of servers; it lacks Windows 95 and 98 agents, so you cannot log off users on those machines who are indulging in questionable behavior; and it does not distinguish between remote and local users.
On the plus side, the newly upgraded suite includes more security assessments, around-the-clock monitoring and notification of security threats, better activity detection and access to centralized event log data. It now runs on Windows NT and Solaris.
We began testing eNTrax by running a security assessment on our servers. From the Assessment Manager on the console, each server is rated in terms of overall security. eNTrax generates reports and shows a rating of poor, fair or good for the server's drive configuration, logon configuration, system configuration, password summary, screen savers and user accounts.
Unfortunately, we found that the security assessment furnished little useful information. The only redeeming features of the assessments were the suggested registry changes, which we would otherwise need to look up in a reference book.
The program comes with 100 predefined security audit policies for NT and 60 to 80 audit policies for Solaris. The policies can be customized to meet your needs using a simple graphical user interface. For instance, you can easily tell eNTrax to alert you if a specific file is accessed.
We created our own audit policy by making a decoy file. If anyone tried to access this file, the console pinpointed the user violating the policy - but only if the user was running a copy of NT Workstation with the eNTrax agent installed.
You can assign different audit policies for individual users or groups. Unfortunately, eNTrax can only monitor files stored on NT File System volumes, so you'll need another tool to monitor files stored on any File Allocation Table volumes at your site.
While eNTrax provides the tools to report on the ways your servers are being accessed, the audit policies cannot be enforced. Instead, after receiving an alert, you need to address the problem manually based on the suggestions eNTrax provides. For a product that is this expensive, we think you should be able to associate actions with alerts to enforce policies.
The second pillar upon which eNTrax is built is security monitoring. When a security violation is recorded, the software can send alert notifications via a pager or e-mail, or to your network management console via SNMP.
From the Alert Monitor screen on the console, we could see all the events for both servers on which we installed the agent. Events are collected from server logs on a schedule you can set: once, twice or four times per day, hourly or near real time. Events can be anything from a user logging on to the illegal access of a file. When you click on an event, eNTrax characterizes it as critical, concerned or cautious, indicating the level of importance eNTrax attaches to the event.
The software suggests ways to tighten security. As with the security assessment module, we found the suggestions to be fundamental at best.
eNTrax cannot distinguish among local, remote or File Transfer Protocol (FTP) logons, and it's not capable of reporting the port on which a remote user is trying to enter, which is a critical piece of information when trying to ward off intruders.
The best feature of eNTrax is its reporting capability. There are 12 canned reports that can be modified, generated and exported to a number of different formats, including HTML, Crystal Report Writer and Microsoft Excel. eNTrax collects so much data that these reports are helpful in pinpointing abuse.
Installation is easy. After we installed the software on the console server, we created a target diskette to install the agent software on the NT servers and the NT workstations we wanted to monitor. The installation of the agent on another NT 4.0 server and NT 4.0 workstation was equally easy. Once we rebooted the second server it was recognized by our console server.
We found that eNTrax is a useful tool for pointing out failed logons, irregular logons and attempted access to files and folders to which users don't have rights. But because eNTrax relies solely on NT log files, it cannot detect outside attacks.
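The two detections the review relies on most, an audited decoy file and clusters of failed logons, are simple to express as analysis over exported NT Security-log records. The following Python is an added example written for this review, not Centrax code and not eNTrax's own logic. It assumes NT 4.0 event IDs 529 (logon failure) and 560 (object open), a constructed pipe-delimited export format, a hypothetical decoy path, and a critical/concerned/cautious scale that mirrors the labels the console uses but is our own mapping. The sample log lines are constructed. Note in the comments the same blind spot the review describes: a host log record carries the workstation name the client supplied, not the port, protocol or network origin of the session.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# NT 4.0 Security-log event IDs (assumed here): 529 = logon failure,
# 560 = object open. A "Failure" 560 records a denied access attempt.
FAILED_LOGON = 529
OBJECT_OPEN = 560

# Hypothetical decoy file; auditing on it is what makes a 560 event appear.
DECOY_FILES = {"C:\\Finance\\payroll-backup.xls"}

# Constructed export: time | event id | outcome | user | workstation | object
SAMPLE_LOG = """\
1999-03-15 09:12:03 | 528 | Success | jdoe | WS042 | -
1999-03-15 09:14:10 | 560 | Success | jdoe | WS042 | C:\\Public\\minutes.doc
1999-03-15 09:20:51 | 560 | Failure | jdoe | WS042 | C:\\Finance\\payroll-backup.xls
1999-03-15 11:02:00 | 529 | Failure | administrator | WS017 | -
1999-03-15 11:02:05 | 529 | Failure | administrator | WS017 | -
1999-03-15 11:02:09 | 529 | Failure | administrator | WS017 | -
1999-03-15 11:02:14 | 529 | Failure | administrator | WS017 | -
1999-03-15 11:02:20 | 529 | Failure | administrator | WS017 | -
1999-03-15 16:45:30 | 529 | Failure | msmith | WS003 | -
1999-03-15 16:47:30 | 528 | Success | msmith | WS003 | -
"""


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    event_id: int
    outcome: str       # "Success" or "Failure" audit
    user: str
    workstation: str   # name the client supplied; not a port, protocol or address
    target: str        # object path for 560 events, "-" otherwise


def parse_line(line: str) -> AuditEvent:
    """Parse one exported record of the constructed format above."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"unrecognised audit record: {line!r}")
    time, eid, outcome, user, ws, target = parts
    return AuditEvent(datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
                      int(eid), outcome, user, ws, target)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def decoy_accesses(events, decoys) -> list:
    """Every object-open event, granted or denied, that names a decoy file."""
    return [e for e in events if e.event_id == OBJECT_OPEN and e.target in decoys]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Accounts with >= threshold failed logons inside any sliding window.

    Returns {user: largest count seen in one window}. Only the account and
    workstation name are available; the host log cannot say whether the
    attempts came from the console, a share, FTP or some other port.
    """
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id != FAILED_LOGON:
            continue
        q = recent[e.user]
        q.append(e.time)
        while q and e.time - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e.user] = max(flagged.get(e.user, 0), len(q))
    return flagged


def triage(log_text: str, decoys=DECOY_FILES, threshold=5) -> list:
    """Rank findings on a critical/concerned/cautious scale (our own mapping)."""
    events = parse_log(log_text)
    findings = []
    for e in decoy_accesses(events, decoys):
        findings.append(("critical",
                         f"{e.user}@{e.workstation} opened decoy {e.target} ({e.outcome})"))
    bursts = failed_logon_bursts(events, threshold)
    for user, n in bursts.items():
        findings.append(("concerned", f"{n} failed logons for {user} within 10 min"))
    singles = sorted({e.user for e in events
                      if e.event_id == FAILED_LOGON and e.user not in bursts})
    for user in singles:
        findings.append(("cautious", f"isolated failed logon for {user}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample, the decoy touch by jdoe is reported as critical even though NTFS denied it, because the attempt itself is the signal; the five administrator failures in twenty seconds become one concerned finding, and msmith's single typo stays cautious. Everything here comes from the host log, which is exactly why a second, network-based sensor is needed to see where a remote attempt originated.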
While eNTrax Security Suite 2.1 shows improvement over Version 2.0, we'd like to see Centrax add network-based tools that inspect packets across the entire network, to track internal and external intrusions. The combination of host- and network-based tools provides a much stronger detection shield. We'd also like to see Windows 95 and 98 workstation support; a means to differentiate between remote and local users; the ability to log off FTP and other remote users; and the ability to automatically enforce security policies. Until these improvements are made, we can't recommend eNTrax as a complete security suite.
Sweet is vice president at Edgewood Consulting Group in Emerald Hills, Calif. She can be reached at lsweet@edgewood-group.com.
