Attacks against networks have rapidly increased with the growth of the internet. Attack tools are easier to come by and your systems are more visible than ever before.
It's important in this environment to identify and react to attacks, whether they come from inside or outside the network.
Intrusion Detection Systems (IDS) provide a method of doing this. In this test we looked at network-based sensors, which monitor traffic looking for attacks. When one is found, they alert the administrator so the trouble can be dealt with.
Also on the market are host-based systems, which sit on a local machine and deal with attacks specifically directed at it.
Testing network IDS was interesting, as there were really three main parts to look at: detection quality, packet capture speed, and management.
We devised several tests to get a good overall view of the software. First, we used Blade Software's (www.blade-software.com) IDS Informer product. This puts attacks out on the wire for the specific purpose of triggering the IDS, to check that the sensors were configured properly.
Each packet was sterilised so it couldn?t actually harm a real computer on the network, although to an IDS it showed what actually looked like an attack.
Using this we could ensure an IDS would correctly identify the attacks we threw at it. We could also use the system to send attacks in rapid succession, which showed what happens to an IDS under sustained pressure. A common attacker technique is to flood an IDS with decoy attacks so that it falls over, or starts dropping events, once its logs are full.
Next, we wanted to test the systems under network load. We picked five common attacks from IDS Informer and ran them at three levels of background network load: 25, 50 and 100 per cent. The load was generated by playing back real captured traffic at different speeds using Ethereal.
Finally, we used the ProCheckNet scanner from ProCheckUp (www.procheckup.com), running over our Tachyon satellite connection (www.tachyon.com). The scanner has a mode that uses a range of encoding techniques to evade IDS sensors.
For management we were looking for a centralised console that displays threats in an intuitive way. It's no use being flooded with thousands of messages when one would do.
Sensor settings are part of this. An IDS needs fine-tuning once it is installed on a network, so we looked at how each product lets you do that.
Reviews
Cisco Netranger
Enterasys Dragon
ISS RealSecure
Objectronix
Symantec NetProwler
The business case
IDS, although a fairly new technology, can offer real financial benefits. By detecting attacks and warning the administrator, a sensor lets you see exactly what is going on in the network.
More importantly, it brings attention to threats so that they can be dealt with. It's a continuous process of investigating breaches and tuning the security to block out further attacks.
From a financial point of view this can help reduce the costs associated with break-ins. That isn't just a matter of the amount of data stolen or the cost of rebuilding machines; there is also user confidence to consider. If you are constantly being broken into, your reputation suffers.
The other side to this argument is that IDS sensors can spot a breach you may not have noticed. The buffer overflow attacks against IIS, for example, arrive over port 80 like any other web request, so a firewall passes them through, and a request that crashes or hijacks the server process may never reach its log files either.
With IDS sensors in place you are warned and can stop the attack from causing further damage.
More than this, an IDS lets you see continuously what is going on, so network security can evolve as the network grows and adapt with the times. The cost savings from preventing an attack can be high.
These systems also have the advantage that they are not tied to one point on the network in the way firewalls are. Traditionally a firewall has only looked at traffic coming into the network, leaving internal users free to do what they want.
An IDS sensor looks at all traffic on the segment it monitors, so internal attackers can be spotted and dealt with appropriately.
The general awareness this kind of software delivers helps plan and maintain the network, while ensuring your data is safe.
Editor's choice
Using the systems, we were looking for intelligent detection and good management. The results from the ProCheckUp scanner were quite distressing.
When run in standard mode all of the sensors spotted that something was going on and generated a lot of alerts. Switching the scanner to IDS bypass mode, however, dramatically cut down the number of alerts.
Cisco's sensor handled the double-decode variants and caught a couple of the attacks in this mode, but still missed many of the probes.
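To show the kind of trick the bypass mode relies on, here is an added example, written for this article and not code from ProCheckUp, Cisco or any other vendor. The two-rule ruleset and the request URIs are constructed; the point is that a sensor matching signatures against raw wire bytes misses a probe as soon as it is percent-encoded, double-encoded, written with backslashes or changed in case, while a sensor that normalises the URI the way the target web server would (IIS decoded some URIs twice, hence "double decode") catches all of them.

```python
from urllib.parse import unquote

# Minimal string-match ruleset standing in for an IDS's URI content
# signatures. Rule names and patterns are constructed for this example.
SIGNATURES = {
    "directory-traversal": "../",
    "cmd-exe-access": "/cmd.exe",
}

# Constructed request URIs: one plain probe and four encoded variants of it.
EVASION_SAMPLES = {
    "plain":          "/scripts/../../winnt/system32/cmd.exe",
    "percent":        "/scripts/%2e%2e/%2e%2e/winnt/system32/%63md.exe",
    "double-percent": "/scripts/%252e%252e/%252e%252e/winnt/system32/%2563md.exe",
    "backslash":      "/scripts/..%5c..%5cwinnt/system32/cmd.exe",
    "mixed-case":     "/SCRIPTS/../../WINNT/SYSTEM32/CMD.EXE",
}


def naive_match(uri):
    """Match signatures against the bytes as they appear on the wire,
    as a sensor that does no protocol decoding would."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in uri)


def normalise(uri, max_rounds=3):
    """Bring a URI to the form the web server would act on before matching.

    Percent-decoding is repeated until the string stops changing, so a
    double-encoded path (%252e -> %2e -> .) is resolved; the round limit
    stops a hostile input from keeping the decoder busy. Backslashes are
    treated as path separators, as IIS does, and case is folded."""
    previous = None
    rounds = 0
    while uri != previous and rounds < max_rounds:
        previous = uri
        uri = unquote(uri)
        rounds += 1
    return uri.replace("\\", "/").lower()


def decoded_match(uri):
    """Match the same signatures after normalisation."""
    return naive_match(normalise(uri))


def compare(samples=EVASION_SAMPLES):
    """Return {variant: (raw_hits, decoded_hits)} for each sample URI."""
    return {name: (naive_match(uri), decoded_match(uri))
            for name, uri in samples.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in compare().items():
        print(f"{name:15} raw={raw or 'nothing'}  decoded={decoded or 'nothing'}")
```

Only the plain probe trips both rules on the raw bytes; every encoded variant loses at least one hit until the URI is normalised. The caveat is that normalisation has to mirror the server being protected: decoding more times than the target does will raise alerts on requests the server would never have interpreted as an attack.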
With all of this in mind we've picked two products for our Editor's Choice and Recommended awards.
Editor?s Choice goes to Cisco and its NetRanger system. The integration with Cisco Policy Manager means that security is dealt with at a global level. This powerful package makes distribution and management of sensors easy, even on large networks.
The new web-based management brings the system within the reach of smaller companies who don't need all of the functions of Policy Manager.
The detection rates are good and by default the console reporting aggregates attacks into one entry. The signature fine-tuning makes the results even better.
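The aggregation the console does here is also the answer to the log-flooding trick described in the testing section. As an added example, not code from Cisco or any other product reviewed, the following collapses a constructed alert stream of 5,000 identical probes, one genuine alert of a different kind and a repeat of the probe an hour later into three console entries. The signature names, addresses and five-minute window are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed alert stream: (timestamp, signature, source, destination).
# Signature names and addresses are made up for this example.
BASE = datetime(2001, 6, 1, 9, 0, 0)


def build_sample_alerts():
    alerts = []
    # A flood: 5,000 copies of one probe from one host, one every 10 ms,
    # the sort of decoy storm meant to fill a sensor's logs.
    for i in range(5000):
        alerts.append((BASE + timedelta(milliseconds=10 * i),
                       "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.20"))
    # One genuinely different alert buried 20 s into the flood.
    alerts.append((BASE + timedelta(seconds=20),
                   "FTP SITE EXEC overflow", "10.0.0.9", "192.168.1.21"))
    # The same probe from the same host an hour later: a separate incident.
    alerts.append((BASE + timedelta(hours=1),
                   "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.20"))
    return alerts


def aggregate(alerts, window=timedelta(minutes=5)):
    """Collapse repeated alerts into console entries.

    Alerts with the same (signature, source, destination) whose timestamp
    falls within `window` of the entry's first alert are counted into that
    entry; anything outside the window opens a new one. Entries are
    returned in order of first occurrence, each with a count and the
    first and last time seen, so the analyst sees one line, not 5,000."""
    entries = []
    open_entry = {}
    for ts, signature, src, dst in sorted(alerts):
        key = (signature, src, dst)
        entry = open_entry.get(key)
        if entry is not None and ts - entry["first_seen"] <= window:
            entry["count"] += 1
            entry["last_seen"] = ts
        else:
            entry = {"signature": signature, "src": src, "dst": dst,
                     "first_seen": ts, "last_seen": ts, "count": 1}
            entries.append(entry)
            open_entry[key] = entry
    return entries


if __name__ == "__main__":
    raw = build_sample_alerts()
    console = aggregate(raw)
    print(f"{len(raw)} raw alerts -> {len(console)} console entries")
    for e in console:
        print(f"{e['first_seen']:%H:%M:%S} x{e['count']:<5} {e['signature']} "
              f"{e['src']} -> {e['dst']}")
```

The flood becomes one entry with a count of 5,000, the FTP alert keeps its own line instead of being scrolled off the screen, and the repeat an hour later is correctly shown as a new incident rather than folded into the earlier one. Keying on signature, source and destination is the simplest useful choice; a console that also lets you widen the key (all sources hitting one host, say) or adjust the window is what the fine-tuning in the text refers to.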
Our Recommended award goes to Objectronix. The company can provide a fully-functional IDS without the hassle of having to manage it. The price isn't too restrictive and the box makes sense in an environment where there isn't a dedicated security expert.
Objectronix tune and maintain the system, make sure you are up to date, and provide hands-on help when a problem occurs.
The web interface takes a while to update, but gives all of the information you need to know. Once they get the online help working the system will be easier to get to grips with.