Scanning for weak links in server security

BindView's Network Security Suite is a World Class watchdog.

Never underestimate the value of a second opinion, especially when it comes to network security. Sometimes it takes an objective outsider to see gaping security holes that you've overlooked for months; that's why network security consultants are in such demand. But consultants are expensive, and they're only around for a short while. Wouldn't it be great if you had 24-7 access to a consultant for security assessment and evaluation?

World Class winner

BindView Network Security Suite

You can count on its HackerShield and NOSadmin duo for all-around security auditing.

Well, you can. Security monitoring and scanning software can give you the continuous security analysis you need at considerably less cost than a human security consultant. The programs start with a careful assessment of your network's security systems. They identify server vulnerabilities and suspicious user activities, then suggest corrective actions. Some even implement their suggestions for you.

Because their role is advisory, the value of these products lies as much in their reporting capabilities as in their analytical ingenuity. After all, what good is detecting a potential security breach if the product can't effectively communicate where that breach is and how to fix it? In addition, like all good consultants, the products need to be able to keep current with the most up to date security advancements and alerts.

The product that delivered the best combination of these features in our tests was BindView Development's Network Security Suite, which consists of two pieces: HackerShield and NOSadmin for Windows NT. HackerShield is the network scanning portion of BindView's suite, while NOSadmin concentrates on server security. Together the two products create a thorough, flexible and easy-to-use security monitoring and management package.

Right on Network Security Suite's heels was Computer Associates' eTrust Intrusion Protection, a product formerly known as SessionWall-3 when it was sold by Platinum Technologies and AbirNet. The newly christened eTrust delivers competitive monitoring and analysis features and strong reporting options. It's also much more than a security auditing product and includes a firewall, real-time intrusion-detection system and business policy analyst. (We didn't require products to include real-time intrusion-detection and alerting features, nor did we test them. Our tests focused on security assessment and prevention, and our ScoreCard rates analytical and reporting capabilities. Stay tuned for our Intrusion Detection Buyer's Guide this fall).

Close behind was WebTrends' Security Analyzer 2.1, Enterprise Edition, whose excellent analysis features and easy access to third-party security tests were tough to beat.

The final product we tested was TripWire Security Systems' TripWire 2.1 for Windows NT. While TripWire features bulletproof internal system security, it lacks a graphical user interface (GUI), and its reporting features were not as well developed as those of its competitors.

Monitoring hosts for trouble

We began by using each product to identify and record changes that might create vulnerabilities on our servers. At the very least, we expected each of these programs to identify and report which protocols were used to access which host resources. This is one of the most basic functions of a host security monitor.

All the products we reviewed performed this function admirably, but for thorough, hassle-free scanning, BindView's HackerShield module won the highest marks. While it doesn't have some of the more exotic functionality of CA's eTrust Intrusion Protection, HackerShield provided the best all-around security management features. For example, HackerShield continuously scans for security violations and potential security threats throughout the network, rather than scanning only at fixed intervals as the others do. It was able to tell us about unauthorized accesses to a simulated payroll database on one of our hosts, including what ports and protocols were used to reach the host.
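To make concrete what a scanner such as HackerShield does when it inventories a host, here is an added example of our own (it is not BindView's code, nor any other vendor's): a TCP connect scan that reports which well-known ports accept a connection and what banner, if any, the service volunteers, with two constructed loopback listeners standing in for real services so it runs offline. The port-to-service table and the set of ports treated as weak links are assumptions for the example, not HackerShield's policy.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed inventory of TCP ports a host-security scanner checks first.
WELL_KNOWN = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
    135: "msrpc", 139: "netbios-ssn", 143: "imap", 443: "https",
    445: "microsoft-ds", 3389: "rdp",
}
# Assumed policy: cleartext logins and Windows file sharing reachable over TCP are weak links.
RISKY = {23, 135, 139, 445}

def probe(host, port, timeout=1.0):
    """TCP connect to host:port. Returns (is_open, banner); the banner is whatever
    the service sends unprompted within the timeout, which is how a scanner
    names the protocol behind a port without a full handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""          # open but silent (HTTP, SMB: the client must speak first)
            return True, data.decode("latin-1", "replace").strip()
    except OSError:                 # refused, unreachable, or timed out on connect
        return False, ""

def scan_host(host, ports, timeout=1.0, workers=32):
    """Return {port: banner} for every port that accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        probed = pool.map(lambda p: probe(host, p, timeout), ports)
        return {p: banner for p, (is_open, banner) in zip(ports, probed) if is_open}

def report(results, names=WELL_KNOWN, risky=RISKY):
    """One line per open port, flagging the ones policy says should not be exposed."""
    lines = []
    for port in sorted(results):
        name = names.get(port, "unknown")
        flag = "  <-- WEAK LINK" if port in risky else ""
        banner = results[port] or "(no banner)"
        lines.append(f"{port}/tcp {name:<12} {banner}{flag}")
    return lines

# --- Constructed local services so the scan runs offline ---------------------
_held = []   # keeps listener and bound-but-closed sockets alive for the process lifetime

def start_fake_service(banner):
    """Listener on an ephemeral loopback port that sends `banner` and hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    _held.append(srv)
    return srv.getsockname()[1]

def reserve_closed_port():
    """A port that is bound but not listening, so connects are refused deterministically."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    _held.append(s)
    return s.getsockname()[1]

if __name__ == "__main__":
    ftp = start_fake_service(b"220 ntsrv1 FTP server ready\r\n")
    silent = start_fake_service(b"")
    closed = reserve_closed_port()
    for line in report(scan_host("127.0.0.1", [ftp, silent, closed], timeout=0.5)):
        print(line)
```

A connect scan like this is noisy (every probe completes the handshake and lands in the target's logs), which is acceptable for an authorized internal audit but is also why the products reviewed here can log the same activity as an attack when someone else runs it.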

CA's eTrust Intrusion Protection went far beyond general monitoring. It didn't just decode network protocols and service traffic, it actually captured all packets and presented them in their original formats. This means network managers could use eTrust Intrusion Protection to read e-mail, see the content of Web pages viewed by users and identify the documents accessed by users - legal and ethical implications notwithstanding.

We liked being able to configure eTrust Intrusion Protection to monitor only selected traffic types, so you can watch Web traffic and ignore e-mail traffic, for example.

We really liked the monitoring and scanning capabilities of WebTrends' Security Analyzer. This product quickly and easily lets you select what host or hosts you want to monitor, as well as specify precise types of changes you want to monitor. For example, Security Analyzer will let you check your Web servers twice a day for potential holes in Common Gateway Interface scripts.

TripWire 2.1 took a standard approach to host monitoring. It initially created a baseline database that recorded the condition of the host. It then monitored the host for deviations from that baseline.

What makes TripWire unique is its bulletproof internal security. A secure monitoring system is just as important as the external security it aims to provide: an intruder who can quietly rewrite the monitor's own baseline can hide every later change. While all four products took adequate steps to protect themselves, TripWire 2.1 exhibited outstanding internal security, signing its critical files with ElGamal asymmetric cryptography so that a tampered baseline or policy file fails verification unless the attacker also holds the private key.
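The baseline-and-deviation approach described for TripWire above, as an added example written for this review (it is not TripWire's code): a hash-based file integrity baseline that records the digest, size and mode of every file under a directory, seals the baseline so it cannot be silently edited, and reports added, removed and changed files on a later scan. Python's standard library has no ElGamal implementation, so the seal here is an HMAC-SHA256 tag (a symmetric stand-in, an assumption of this example), which differs from TripWire's design in one practical way: the HMAC key must be present on the host at verification time, whereas a public-key signature lets the signing key stay offline, which is exactly what makes TripWire's choice the stronger one.

```python
import hashlib
import hmac
import json
import os
import stat

def _digest(path):
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root,
    keyed by the path relative to root (forward slashes, so baselines are portable)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, devices, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _digest(full), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline

def _canonical(baseline):
    # Stable serialization: the MAC must be computed over exactly the bytes we check later.
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()

def seal(baseline, key):
    """Serialize the baseline with an HMAC-SHA256 tag (stand-in for TripWire's ElGamal signature)."""
    tag = hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "mac": tag})

def unseal(blob, key):
    """Return the baseline only if its tag verifies; refuse to trust an edited database."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["baseline"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline database has been tampered with, or wrong key")
    return doc["baseline"]

def compare(old, new):
    """Deviations from the baseline, the report an integrity monitor raises."""
    return {
        "added":   sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    key = b"demo-key-keep-this-off-the-host-in-real-use"   # assumption for the demo
    blob = seal(build_baseline(root), key)
    print(json.dumps(compare(unseal(blob, key), build_baseline(root)), indent=1))
```

Note that `compare` reports a change when only the mode bits differ, which is how a monitor catches a file that was made world-writable without its contents being touched.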

Analysis is key

If monitoring capabilities are the feet on which these security auditing packages stand, then their analysis aptitude is their brain. We expected each product to be able to identify system changes, such as a change in user access authorization, network address or protocol, and determine whether the changes were suspicious in nature. This involves letting network managers establish, edit and refine a set of security policies governing access to network resources. For example, you may want to regularly scan the well-known ports of your hosts for signs of possible attack, such as an abnormally high number of attempted accesses from restricted IP addresses.

While each product offers such a capability, we found that implementations varied. WebTrends' Security Analyzer offered the most advanced policy management. Its Security Test Policies evaluate different types of server vulnerabilities. In addition to a fine suite of canned security tests, which includes such detailed items as "Most Occurring Medium Risk Vulnerabilities," Security Analyzer lets you write your own tests and add them to the suite, or download tests prepared by third-party developers.

At the other extreme, straight out of the box BindView's Network Security Suite offers only the most basic type of policy management, such as event logging. However, it also provides a developer's kit that lets you customize your policies.

True to its Unix roots, TripWire 2.1 has a solid policy file that checks for any changes in the host system. However, if you find any violations, you must manually update the policy database using a painstaking editing procedure.

And while WebTrends impressed us with its policy management capabilities and tools, the overall winner in the analysis category is CA's eTrust Intrusion Protection, for its ability to reach so far into the (supposedly) private workings of each and every user on the network.

Report and resolve

If analysis is the brains, then reporting is the heart of these products.

For easy, in-depth reporting, BindView's NOSadmin stands out, offering an array of predefined, detailed security reports. Although you can customize these reports, you may find that you won't need to.

We also liked the report generator in CA's eTrust Intrusion Protection, which exhibited fine flexibility. For example, you can view network usage by just about any type of user, including protocol, client and server. eTrust offers a variety of report formats, with information well organized to aid in finding overwhelmed servers and "problem children" among the user community.

For straightforward reporting, we were again impressed with WebTrends' Security Analyzer. Its easy-to-use, predefined reports are thorough, and WebTrends includes some sophisticated custom reporting and formatting capabilities, such as allowing you to easily create foreign-language versions of your reports.

Finally, while the reports provided by TripWire 2.1 were good, we found that formatting and working with them was often awkward. Part of this awkwardness is due to the product's command-line interface, though some of the reports themselves were difficult to interpret.

Once a security problem has been detected, the ideal product doesn't simply tell you about it. Rather than rely on a network manager's ability to interpret the data, the most useful products can recommend and, with permission, implement a solution.

The most impressive day-to-day corrective action capabilities are those of BindView's HackerShield. Its Auto-Fix feature, which applies a remedy for each problem it uncovers, proved a reliable way to close security holes quickly. For example, HackerShield immediately recognized and fixed a misconfigured NetBIOS service that was leaving our network open to the outside world. Because Auto-Fix changes server configuration on its own, we would still review its proposed fixes before letting it run unattended on production hosts.

CA's eTrust Intrusion Protection instantly notifies you of security problems and even makes some recommendations on how to fix them. By configuring eTrust to monitor certain network events - such as accessing a particular Web site - you can keep track of who is visiting forbidden Web sites, and how often. And eTrust can reveal much more than traffic to unauthorized Web locations. It can, for example, alert network managers when it finds unauthorized language in e-mails, though the product doesn't block the offending traffic.

Our only real problem with WebTrends' Security Analyzer surfaced when we evaluated its notification features. Security Analyzer doesn't make much of an effort to point out potential security threats or violations and doesn't really offer any recommendations for fixing them, much less correcting problems automatically. Its reports are so good, however, that it's easy to surmise problems at a glance. We'd prefer to see problems highlighted, nonetheless.

TripWire 2.1 employs fairly pedestrian notification. It simply sends an e-mail when it encounters a security policy violation.

Usability, installation and documentation

WebTrends' Security Analyzer was extremely simple to navigate. With a straightforward user interface and direct means of scanning IP addresses, it's a no-brainer to conduct a quick scan over a subnet or a sweeping scan over the entire network. Security Analyzer also lets you choose if you want to scan only the most critical security aspects of a server or conduct a full analysis of the server's vulnerability.

BindView's Network Security Suite also had an intuitive and easy-to-navigate GUI. Furthermore, to keep its product current, BindView offers the RapidFire update module, which can automatically update HackerShield through BindView's Web site. This can prevent lag time between the discovery of a new type of security threat and the implementation of a fix.

Security Analyzer's AutoSync feature lets you download security tests developed by third parties from the Security Test Library on WebTrends' Web site.

We were disappointed in TripWire 2.1's basic command-line interface. Originally a Unix-only security system, TripWire was first released as a Windows NT product in April before a GUI was completed. However, the company promises a GUI in the next release, which is due before year-end.

We had little trouble installing three of the four products. TripWire 2.1 received the lowest marks because its convoluted installation program kept stalling on us before it finally, for no apparent reason, completed.

Documentation for all four products was encouragingly detailed and instructive; among the four sets, BindView's stood out for its ample and well-written manuals.

In the final analysis, BindView's Network Security Suite can provide all the monitoring, analysis and corrective help you need. It is easy to install and use and its functionality is more than adequate.

But the competition is close. For those who must know everything that goes on in their networks, there's nothing better than eTrust Intrusion Protection. WebTrends' Security Analyzer allows incredible flexibility in setting and managing security policies, as well as in monitoring and analyzing the policies' effects. And the NT newcomer, TripWire 2.1, provides fine, thorough security.

How we did it

We set up a test network consisting of three Windows NT 4.0 servers, five NT Workstation clients and 10 Windows 95 and 98 clients. After installing each of the products and using each to establish a baseline profile of our sample network, we ran scripts that simulated normal network activity: accessing documents, databases and Web sites, as well as sending and receiving e-mail. We then committed two types of security violations on each of the servers: unauthorized resource access and failed or irregular logons, including a brute-force attack to gain access to a network resource. After committing these transgressions, we scanned the network again and ran the prepared security reports that each product offered. If the product recommended a correction or fix, we implemented it, then repeated the process. We evaluated each product's management program for alerting and enforcement features, reporting capability and ease of use.
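The policy check described in the analysis section (watching for an abnormally high number of attempted accesses from one address) and the brute-force logon attack used in the methodology above both come down to the same piece of detection logic. Here it is as an added example of ours, not code from any of the reviewed products: a sliding-window count of failed logons per source address and host, run over a handful of constructed NT 4.0 security-log entries. The line format is a simplified CSV invented for the example (not a real NT event-log export), and the event IDs used (528 successful logon, 529 bad user name or password, 539 account locked out) are the NT 4.0 values as we recall them; treat them as assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example (not a real NT event-log export):
#   timestamp,event_id,host,user,source_ip
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<eid>\d+),"
                  r"(?P<host>[^,]+),(?P<user>[^,]+),(?P<src>[\d.]+)$")
# NT 4.0 security-log event IDs (assumed): 528 = successful logon,
# 529 = bad user name or password, 539 = account locked out.
FAILED_LOGON = {529, 539}
SUCCESS_LOGON = {528}

SAMPLE_LOG = [  # constructed: 10.0.0.45 hammers the administrator account, then gets in
    "1999-07-12 09:02:11,529,NTSRV1,jsmith,10.0.0.7",
    "1999-07-12 09:14:03,529,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:14:05,529,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:14:08,529,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:14:10,529,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:14:12,529,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:14:15,529,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:14:20,528,NTSRV1,administrator,10.0.0.45",
    "1999-07-12 09:30:44,529,NTSRV1,jsmith,10.0.0.7",
    "1999-07-12 09:30:50,528,NTSRV1,jsmith,10.0.0.7",
    "this line is not an audit record and must not crash the check",
]

def parse(lines):
    """Yield structured events; malformed lines are skipped rather than aborting the policy run."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               "eid": int(m["eid"]), "host": m["host"],
               "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag a (source, host) pair once it logs `threshold` failed logons inside `window`,
    and escalate to high severity if that source then logs on successfully."""
    recent = defaultdict(deque)     # (src, host) -> timestamps of failures inside the window
    flagged = set()
    findings = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:      # slide the window forward
            q.popleft()
        if ev["eid"] in FAILED_LOGON:
            q.append(ev["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"severity": "medium", "src": ev["src"], "host": ev["host"],
                                 "at": ev["ts"],
                                 "reason": f"{len(q)} failed logons within {int(window.total_seconds())}s"})
        elif ev["eid"] in SUCCESS_LOGON and key in flagged:
            findings.append({"severity": "high", "src": ev["src"], "host": ev["host"],
                             "at": ev["ts"],
                             "reason": f"successful logon as {ev['user']} after brute-force burst"})
            flagged.discard(key)                   # report each burst once
    return findings

def run_sample():
    return detect_bruteforce(SAMPLE_LOG)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['at']} {f['severity'].upper():6} {f['src']} -> {f['host']}: {f['reason']}")
```

The two-tier result is the point: a burst of failures alone is worth a medium alert, but a success from the same address right after the burst is the finding a network manager needs highlighted, which is the distinction we would have liked WebTrends' Security Analyzer to draw in its notifications.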

Scorecard

Category (weight)             BindView       CA eTrust      WebTrends      TripWire
                              Network        Intrusion      Security       2.1
                              Security       Protection     Analyzer
                              Suite                         2.1
Analysis (25%)                    9             10              8              7
Monitoring (25%)                 10              9              9              8
Reporting (15%)                   8              8              8              7
Alerting and corrective
action (15%)                      9              8              7              6
Usability (10%)                   9              9              8              5
Installation (5%)                10              9              9              7
Documentation (5%)                8              8              8              8
TOTAL                          9.10           8.90           8.15           6.95

Note: Individual category scores are based on a scale of 1-10. Percentages are the weight given each category in determining the total score. The World Class Award goes to products that earn 9.0 or above on our scorecard.

Net Results

Network Security Suite
BindView Development
(800) 749-8439
NOSadmin and HackerShield pricing starts at $695 per server. NOSadmin requires BindView EMS Enterprise Console, which starts at $1,995 per nonconcurrent user.
Pros: Excellent scanning and monitoring; easy to use; outstanding update capability
Cons: Relatively basic policy management capabilities

eTrust Intrusion Protection
Computer Associates
(800) 225-5224
Pricing ranges from $1,945 for 125 concurrent sessions to $19,435 for an unlimited number of concurrent sessions.
Pros: Real-time alerting; excellent business and security policy management
Cons: None significant

WebTrends Security Analyzer 2.1, Enterprise Edition
WebTrends
(503) 294-7025
An unlimited number of IP addresses costs $4,999.
Pros: Excellent analysis function; easy access to third-party security tests
Cons: Limited notification

TripWire 2.1
TripWire Security Systems
(503) 223-0280
$495 for one to four seats
Pros: Bulletproof internal system security
Cons: No GUI; report format somewhat cumbersome


Parnell is a telecom consultant and author with more than 18 years of experience in the telecom and data network industries. She has written many articles, columns and product reviews and is the author of four books on telecommunications, telephony and data networking. She can be reached at redreviews@aol.com.



Copyright, 1994-2006 Network World, Inc. All rights reserved.