Returning fire with ice


Intrusion-detection systems can disable attackers before they do damage - Network ICE does it best.

You're under fire from network intruders trying to steal information or wreak havoc. Your priorities are clear:

  • Alert: Detect the intrusion immediately.
  • Contain collateral damage and repel attack: Stop the attack by ceasing all communication with the intruder.
  • Launch counteroffensive: Find the identity of the intruder and prosecute.

We used these battle plans to evaluate four of the hottest intrusion-detection systems available. BlackICE and ICEcap from Network ICE win the Silver Star for valor in combat and a World Class Award for their excellent tracking and alerting capabilities. BlackICE is a specialized detection product - an agent-based system that does one thing and one thing only: detect intruders. When BlackICE finds uninvited guests, it reports the intrusion to ICEcap, a management module that analyzes intrusion information gathered from all agents and uses it to spot widescale attacks on the network.

The other products we tested were no slouches, either. Intruder Alert from Axent Technologies is like a toolbox for security experts, with great flexibility in designing network security policies. Centrax from CyberSafe is one-stop shopping: It includes security auditing, monitoring, intrusion detection and alerting all in one. By contrast, while eTrust Intrusion Detection from Computer Associates offers real-time alerts, its strong suit is security monitoring and policy management, though it does some intricate decoding and detective work.

Sounding the alert

Hackers rarely approach your network with weapon in hand. Instead, they test backdoors and forgotten windows. They quietly record traffic patterns and IP addresses and make seemingly innocuous inquiries of devices and users.

To identify these slippery foes, you must employ an intrusion-detection system with sophisticated sensibilities. The product must be able to alert you not only to obvious break-ins, but also to suspicious events that may seem innocent, but could hide a hacker.

For example, discovering a password-cracking program hard at work is definitely cause for alarm. But suppose a machine receives a pcAnywhere ping. The event could just be an honest remote pcAnywhere user - or it could be a hacker looking to connect to unprotected pcAnywhere clients. Either way, the situation merits an alert for further investigation.

The alerts issued by BlackICE are very specific, even straight out of the box. For example, it displays messages such as "BackOrifice attack," "pcAnywhere ping" and "Unix scan." When you see an alert like that, there's no doubt in your mind what event has occurred and - in most cases - no doubt as to its significance. If you want to custom configure alerts for other situations, you can, but you probably won't need to.

A nice feature of the Network ICE products and Axent's Intruder Alert is the online download of the latest attack signatures by which intruders can be identified. We had trouble finding specific attack signatures on the Intruder Alert site, but we found it easy to find exactly what we wanted on the Network ICE site.

Intruder Alert and CyberSafe's Centrax have great alert capabilities, but they're effective only after you've set security policies, configured alerts and written alert messages properly. In other words, the products provide the tools for you to build your own intrusion-detection system.

Definition

A SYN attack is a fairly common - and pernicious - type of denial-of-service attack.

The attacker generates thousands of SYN, or "start connection," requests to the network server under attack. Each request is spoofed from a fake origination address, which makes a SYN attack difficult to identify and trace. When the server receives these requests, it assumes a valid session is beginning and waits for a data transmission.

Although no data transmission follows, the server still waits up to 45 seconds before clearing the connection.

When a server receives thousands of these invalid connection requests within a few minutes, it becomes overburdened servicing them and cannot handle legitimate service requests, in effect, denying service to legitimate users.
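The definition above describes the condition a detector actually has to watch for: not a busy source, but a server port whose backlog fills with connection requests that never complete. The following script is an added illustration of that logic and is not code from any of the reviewed products. It runs over a constructed packet trace (each record is a timestamp in milliseconds, source, destination, port and a flag that is either the client's SYN or the ACK that completes its handshake), keeps a table of half-open connections that expire after the 45-second wait the definition mentions, and raises one alert when a server port's half-open count crosses an assumed threshold of 50. A second function counts SYNs per source to show why spoofed origins defeat per-source rate limiting.

```python
"""Half-open (SYN flood) detector over a constructed packet trace.

Added illustration for the SYN-attack definition in the article; not code from
any reviewed product. Assumes a simplified trace where each record is
(ts_ms, src_ip, dst_ip, dst_port, flag) with flag 'SYN' for a connection
request and 'ACK' for the client's handshake completion, sorted by time.
"""
from collections import defaultdict

HALF_OPEN_TIMEOUT_MS = 45_000   # server waits up to 45 s before clearing (figure from the article)
HALF_OPEN_THRESHOLD = 50        # assumed alert threshold: half-open connections on one server port


def build_sample_trace():
    """Constructed trace: three legitimate handshakes that complete, then a burst
    of 60 SYNs from 60 different (spoofed) sources that never complete."""
    trace = []
    for i in range(3):
        src = f"192.168.1.{10 + i}"
        trace.append((i * 500, src, "10.0.0.5", 80, "SYN"))
        trace.append((i * 500 + 100, src, "10.0.0.5", 80, "ACK"))
    for i in range(60):
        trace.append((10_000 + i * 50, f"203.0.113.{i + 1}", "10.0.0.5", 80, "SYN"))
    return sorted(trace, key=lambda r: r[0])


def detect_syn_flood(trace, threshold=HALF_OPEN_THRESHOLD, timeout_ms=HALF_OPEN_TIMEOUT_MS):
    """Track half-open connections per (server, port) the way the server's backlog
    would, and raise one alert each time that backlog crosses the threshold.
    Returns a list of dicts: ts_ms, dst, dport, half_open, distinct_sources."""
    pending = {}        # (src, dst, dport) -> ts_ms of the unanswered SYN
    alerted = set()     # (dst, dport) currently above threshold; suppresses repeat alerts
    alerts = []
    for ts, src, dst, dport, flag in trace:
        # Drop entries the server would already have timed out.
        for key in [k for k, t0 in pending.items() if ts - t0 > timeout_ms]:
            del pending[key]
        key = (src, dst, dport)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK":
            pending.pop(key, None)      # handshake completed: no longer half-open
        half_open = [k for k in pending if (k[1], k[2]) == (dst, dport)]
        if len(half_open) >= threshold:
            if (dst, dport) not in alerted:
                alerted.add((dst, dport))
                alerts.append({
                    "ts_ms": ts, "dst": dst, "dport": dport,
                    "half_open": len(half_open),
                    "distinct_sources": len({k[0] for k in half_open}),
                })
        else:
            alerted.discard((dst, dport))
    return alerts


def max_syns_per_source(trace):
    """Highest SYN count seen from any single source. With spoofed origins this
    stays at 1, which is why per-source rate limiting does not catch a SYN flood."""
    counts = defaultdict(int)
    for _, src, _, _, flag in trace:
        if flag == "SYN":
            counts[src] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    trace = build_sample_trace()
    for a in detect_syn_flood(trace):
        print(f"SYN flood: {a['dst']}:{a['dport']} has {a['half_open']} half-open "
              f"connections from {a['distinct_sources']} sources at t={a['ts_ms']} ms")
    print("max SYNs from any one source:", max_syns_per_source(trace))
```

The detector keys its count on the destination port rather than the source, because every source in the burst is different; on the sample trace the alert fires at the 50th unanswered SYN while the busiest single source has sent exactly one. Completed handshakes are removed as soon as the ACK arrives, so normal traffic to the same port never accumulates.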

Whether you have the talent in-house to build such a system - or the budget to hire consultants for the job - is another issue. Intruder Alert's Users Manual states: "Rules can be linked together to detect sophisticated attacks such as a network probe or SYN attack." We questioned why you should have to design and build a mousetrap from scratch for such common pests.

While all the products were fairly easy to install, we found Intruder Alert and Centrax somewhat cumbersome to manage. For example, if Centrax sends you an unknown or unclear alert message, as happened to us in our tests, you may have trouble figuring out what's going on - especially if you must turn to its audit logs for clarification, as we did. Although its audit logs are excruciatingly thorough, the product tends to assume that mere humans can spot illicit activity with very few hints. In Centrax's logs, an alert is described but not identified. So you see what is happening in terms of ports queried or other actions, but not what this means. This shortcoming compromises the value of its real-time alerts because it takes considerable savvy to know whether the event description constitutes a true security crisis or merits just a bit of extra scrutiny. This is bad news if you don't have trained security staff, though, for a price, CyberSafe - as well as Axent and Network ICE - offers professional security consulting services.

CA's eTrust Intrusion Detection is more than a monitoring system, but what it provides is something other than full-fledged intrusion detection. For example, the product does more than decode network protocols and service traffic; it actually captures all packets and presents them in their original formats. ETrust monitors all TCP/IP traffic and alerts the network administrator to violations of established policies. However, eTrust doesn't support the very finely grained policy crafting of Axent's Intruder Alert.

But don't dismiss eTrust. Because it presents captured packets in their original formats, network managers could use eTrust to read e-mail, see the content of Web pages that users viewed or identify documents accessed by users. These abilities make for easy surveillance of suspicious characters on your network. Though for garden variety intrusion detection, it means you need to spend a good deal of time upfront developing bulletproof security policies and entering them into eTrust.

In the heat of battle

We launched a variety of nasty attacks on each of the systems to assess their ability to detect and defend against hostile forces. The only products that caught every attack we made and sent the appropriate alerts were Network ICE BlackICE and ICEcap. All other products missed some intrusions due to our poor crafting of the policies. In a BackOrifice attack, for example, CyberSafe's Centrax and Axent's Intruder Alert never knew what hit them because we had not adequately configured policies to detect this type of attack. In fact, the two products were extremely cumbersome to configure. BlackICE and ICEcap, however, caught the attack and alerted us immediately.

We admit that all missed attacks were due to our lack of expertise in using these complicated systems correctly, and after a few attempts, we were always able to mend our software shields. But in the real world you don't have the luxury of getting it right on the second or third try, especially when you're dealing with a new type of deadly attack. That's why we were so pleased with Network ICE's product; it was ready for battle from the moment it was installed.

In the throes of battle, it's easy to become preoccupied with the safety of the enterprise proper. However, you can't afford to forget about the safety of your scouting parties. That's why we loved the personal firewall afforded by BlackICE for remote dial-up users. Remote access presents an increasingly large security hole, and BlackICE is unique in providing thorough intrusion detection for remote and mobile users.

The product displays alerts on a remote client's screen rather than attempting to send the alerts back to an enterprise management console. This allows a remote user to respond to the attack directly. In future releases, we would like to see a reporting feature that sends information about a remote attack back to a central management console as well, so information about the attack can be analyzed to prevent future attacks.

Detecting an intrusion and alerting the network manager to the fact is only half the battle. You have to stop the attack and launch a counteroffensive.

The most impressive defensive work we observed was accomplished by Axent's Intruder Alert and CyberSafe's Centrax. While Network ICE's products and CA's eTrust Intrusion Detection immediately terminate offending sessions, Intruder Alert and Centrax do that and more. For example, you can configure Intruder Alert to issue strings of commands based on the type of attack - to reboot a system experiencing a denial-of-service attack, for instance.

Once you've repelled an attack, how do you launch a counterattack? BlackICE and Centrax turn the tables on hackers by tracking them back to their lairs and identifying them. Network ICE was particularly good at tracking attacks despite our evasive maneuvers. We especially liked the ability of Network ICE to track hackers inside or outside the network. Furthermore, we liked eTrust for its ability to reach so far into the (supposedly) private workings of each and every user on the network. It provided the most thorough (and perhaps legally delicate) information on intruders and their workings.

In fact, we suggest using BlackICE to track the alleged hackers inside your network, then using eTrust to trap them.

Finally, speaking of trapping, CyberSafe can employ a "decoy file" method that leaves a dummy file with a tantalizing title, such as "PAYROLL.DAT," lying around unprotected in the open. We found this a bit obvious, but it could be useful for entrapping users who are just browsing the network for sensitive information.
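The decoy-file method only pays off if something is watching who opens the bait, and the alert it produces should say what the event means rather than just describe it (the complaint made earlier about Centrax's logs). The script below is an added illustration of that watching step and is not CyberSafe's code. It parses a constructed key=value audit log, matches accessed paths against an assumed list of planted decoy files, ignores the account assumed to have planted them, and emits alerts that carry both the raw facts and an interpretation.

```python
"""Decoy-file access alerting over constructed audit log lines.

Added illustration of the "decoy file" idea in the review; not CyberSafe's code.
The audit line format, the decoy paths and the maintainer account are all
assumptions made for this example.
"""
import re
from collections import Counter
from datetime import datetime

# Paths of the planted decoys (assumed); compared case-insensitively like Windows paths.
DECOY_FILES = {p.lower() for p in (r"\\fs01\shared\PAYROLL.DAT", r"\\fs01\shared\passwords.txt")}
# Account that plants and refreshes the decoys (assumed); its accesses are expected.
DECOY_MAINTAINERS = {"secops"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>.+)$"
)

# Constructed sample log: one maintainer write, ordinary browsing, two decoy reads,
# a malformed line and a directory listing that should all be handled correctly.
SAMPLE_LOG = r"""
1999-10-04 09:15:02 user=secops host=10.0.0.2 action=WRITE path=\\fs01\shared\PAYROLL.DAT
1999-10-04 09:20:11 user=jdoe host=10.0.0.23 action=READ path=\\fs01\shared\budget.xls
1999-10-04 09:21:40 user=jdoe host=10.0.0.23 action=READ path=\\fs01\shared\PAYROLL.DAT
1999-10-04 09:21:41 user=jdoe host=10.0.0.23 action=READ path=\\fs01\shared\passwords.txt
this line is malformed and must be skipped, not crash the parser
1999-10-04 11:02:05 user=mlee host=10.0.0.40 action=LIST path=\\fs01\shared
"""


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def decoy_alerts(log_text, decoys=DECOY_FILES, maintainers=DECOY_MAINTAINERS):
    """Scan the log and return one identified alert per decoy access by a
    non-maintainer. A user who touches more than one decoy is escalated,
    since browsing for several bait files is hard to explain innocently."""
    alerts = []
    touched = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() not in decoys:
            continue
        if rec["user"] in maintainers:
            continue
        touched[rec["user"]] += 1
        alerts.append({
            "name": "Decoy file accessed",
            "severity": "high" if touched[rec["user"]] > 1 else "medium",
            "ts": rec["ts"], "user": rec["user"], "host": rec["host"],
            "action": rec["action"], "path": rec["path"],
            "meaning": "no legitimate process opens this file; the user is "
                       "browsing for sensitive data and should be investigated",
        })
    return alerts


def accesses_by_user(alerts):
    """Count decoy touches per user so the first triage view is the who, not the what."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['name']}: {a['user']}@{a['host']} {a['action']} "
              f"{a['path']} at {a['ts']:%H:%M:%S} - {a['meaning']}")
    print("touches per user:", accesses_by_user(found))
```

The maintainer's own write is filtered out, the malformed line is dropped by the parser rather than raising, and the directory listing does not match because the decoy set holds file paths, not their parent folder. On the sample log the result is two alerts for the same user, the second escalated because it is that user's second decoy.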

Each program produces reports noting questionable activity. The two standouts for excellent and easy-to-use reports were Network ICE's ICEcap and CA's eTrust Intrusion Detection. The latter was particularly flexible, probably due to its origins as a protocol decoder. For example, you can view network usage by just about any type of resource you want, including protocol, client and server.

ETrust offers a variety of canned report formats, with well-organized information to aid in finding and prosecuting abusive users.

Post mortem

Each of the tested products has its strengths and weaknesses, and we recommend them accordingly. For switched networks, we recommend the agent-based systems from Network ICE, Axent and CyberSafe. CA's eTrust Intrusion Detection is a product ideally used for alerting you to violations of business practices, such as the use of forbidden terminology in an e-mail. Axent's Intruder Alert and CyberSafe's Centrax are excellent tools for security consultants and shops with large, highly trained, up-to-date security staffs. But for shops that don't have, and can't afford, resident security experts, we recommend Network ICE's BlackICE and ICEcap. They're as close to a security consultant in a box as we've seen.

RELATED LINKS

Parnell is a telecom consultant and writer in Dallas. She can be reached at redreviews@aol.com.

Scorecard and NetResults
How we ranked them in key areas, vendor contact info and a look at how the tested products differ.

How we did it
Our test methodology.

Intrusion detection buyer's guide
Use it to compare the specs for 11 different models or download all the specs to perform your own analysis.

Getting the drop on network intruders
A look at trends in intrusion detection and what you should think about before installing a system. Network World, 10/4/99.

Copyright, 1994-2006 Network World, Inc. All rights reserved.