Establishing a secure perimeter around an enterprise in today's lightning-fast business environment is formidable.
The challenge of maintaining security is further exacerbated by the need to defend a network against intruders and malicious employees. You can't rely solely on a firewall for perimeter security and internal compartmentalisation: You need to shore up your defenses with additional advanced security technologies, including intrusion detection (ID).
Because a denial-of-service attack can render your servers and routers useless, you can measure the value of an ID system in lost revenue and the cost of downtime. Subtle attacks that would go undetected without ID could result in the loss, disclosure, or destruction of sensitive corporate data.
Network Flight Recorder (NFR) Intrusion Detection Appliance (IDA) 4.0 is a powerful network monitor. This ID system operates similarly to a misuse-detection system: it looks for traffic patterns that match a known attack and can be configured to look for policy breaches. For example, you can write a filter that sets off an alarm when NFR IDA detects an unusual number of Telnet log-in failures. It also performs anomaly detection and issues alert messages when it encounters unusual network traffic.
Several ID products are on the market, including Internet Security System's RealSecure, Network Associates' CyberCop Monitor, and Network ICE's BlackICE Pro and Sentry editions. As with virus-detection software, all good ID systems offer upgrades as new attack-detection capabilities are developed. NFR IDA is as capable and extensible a network-monitoring product as any available.
Most ID systems run on Unix or Windows NT, but the NFR IDA software (boot code and program logic) is booted directly to an Intel PC-based monitoring appliance from the distribution CD-ROM, and the hard drive is used to store ID databases.
I liked the rack-mounted system's tamper-proof features, including removable drives and power and reset buttons protected by a lock and key. And the appliance offers some very desirable software security characteristics: There is no OS or file system for hackers to breach, and they can't install Unix, NT toolkits, or Trojan horses. Also, you won't have to harden the host on which the ID software runs.
I deployed a stand-alone configuration of NFR IDA on a LAN containing a proxy firewall, a Linux Web server, and PCs running Windows 95 and NT. Installing and configuring the NFR IDA software on the monitoring appliance and the administrative console on an NT workstation took 12 minutes.
The GUI console has a task bar for selecting the administration and configuration, alert-viewing, and package subwindows. A "package" is a set of back ends, the event-monitoring and -recording engines, with each back end's behavior directed by filters. A pop-up window reports alerts in real time. From the package subwindow, you can query the extensive data logged and recorded by individual back ends. Like all good monitoring systems, NFR IDA has many knobs to control the kinds of events to monitor.
I ran a series of scans and attacks using Network Associates' CyberCop Scanner and penetration testing tools, downloaded from www.securityfocus.com. Using only default settings, NFR IDA alerted me to all but two of the intrusions: a subtle BackOrifice PING and an SNMP-walk issued to my broadcast IP address using the PUBLIC community string.
You can write additional filters to detect these attacks and more in N-Code, the vendor's proprietary event-driven language. NFR also incorporates N-Code filters developed by L0pht Heavy Industries into packages and back ends. Eventually, NFR plans to offer more than 1,000 L0pht filters for upgrade and download. I tinkered with some early versions, including one that alerted me when a legitimate FTP user attempted to access restricted directories, files, and commands. Filters demonstrate ways to incorporate security policies into ID monitoring.
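The two filter ideas the review describes, a threshold on Telnet log-in failures and a watch on an FTP user touching restricted directories and commands, are sketched below in Python as an added illustration. This is not N-Code and not NFR's code; the event format, the threshold and window, and the restricted paths and commands are assumptions, and the events are constructed.

```python
from collections import deque
# Constructed sample events, not real captures: (epoch seconds, source IP, service, detail)
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "telnet", "login-failed"),
    (1003, "10.0.0.5", "telnet", "login-failed"),
    (1005, "10.0.0.9", "telnet", "login-ok"),
    (1010, "10.0.0.5", "telnet", "login-failed"),   # third failure in 60 s -> alert
    (1020, "10.0.0.5", "telnet", "login-failed"),
    (1300, "10.0.0.5", "telnet", "login-failed"),   # earlier failures aged out, no alert
    (1400, "10.0.0.7", "ftp", "CWD /etc"),          # restricted directory -> alert
    (1401, "10.0.0.7", "ftp", "RETR /pub/readme.txt"),
    (1402, "10.0.0.7", "ftp", "SITE EXEC ls"),      # forbidden command -> alert
]

# Assumed site policy, not NFR defaults.
RESTRICTED_FTP_DIRS = ("/etc", "/root")
FORBIDDEN_FTP_COMMANDS = ("SITE EXEC",)
def telnet_failure_filter(events, threshold=3, window=60):
    """Alert (time, src, message) whenever a source reaches `threshold` failures within `window` s."""
    recent = {}   # source IP -> deque of failure timestamps still inside the window
    alerts = []
    for ts, src, service, detail in events:
        if service != "telnet" or detail != "login-failed":
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:   # drop failures that aged out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, f"{threshold} Telnet login failures within {window}s"))
            q.clear()               # start counting the next burst from zero
    return alerts

def ftp_policy_filter(events):
    """Alert on FTP commands that touch restricted directories or are forbidden outright."""
    alerts = []
    for ts, src, service, detail in events:
        if service != "ftp":
            continue
        _cmd, _, arg = detail.partition(" ")
        if any(arg == d or arg.startswith(d + "/") for d in RESTRICTED_FTP_DIRS):
            alerts.append((ts, src, f"FTP access to restricted path {arg}"))
        elif detail.startswith(FORBIDDEN_FTP_COMMANDS):
            alerts.append((ts, src, f"forbidden FTP command: {detail}"))
    return alerts

def run_filters(events):
    """Run every filter over one event stream and merge the alerts in time order."""
    return sorted(telnet_failure_filter(events) + ftp_policy_filter(events))
```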
If I could ask for one improvement to NFR IDA 4.0, I would like the alert messages to provide more granularity through a combination of discerning message types and explanatory descriptions. Isolating the nature of some of the attacks may take some time. For instance, NFR IDA detected all of CyberCop Scanner's test scripts directed at port 80 of my system under siege but lumped them into a single Possible Attack URL alert message.
NFR IDA is simple to install, competitively priced, highly customisable, and offers a broad range of ID monitoring and reporting capabilities. If you're feeling underfortified and outgunned, NFR IDA is definitely worth a look.
Caught in the Act
NFR IDA 4.0 detected an impressive number of attacks. This list is partial.
Host, User Datagram Protocol, and TCP port scans; FTP Bounce port scan
Telnet failed log-in attempts
FTP command watch
FTP server hunt
UDP flood, SYN flood
Echo/chargen packet flood
PING denial of service
Linux inetd (Bad address DOS attack)
RPCINFO, Solaris RPCBind Kill DOS
TFTP attacks
Teardrop/Teardrop-2/BONK/BOINK
SunOS 4.1.3 UDP Reboot
PASV DOS attack
RWHO daemon buffer overflow
Windows NT Denial of Service Attacks: Messenger service, SMB, LAND, Fragment attack, LSASS.EXE, RPCSS.EXE, IIS attacks (..\.. and long URL)
IDS Testing Scripts: TCP Sequence # verification, IP fragmentation, IP checksum verification, TCP 3-way handshake, TCP segment retransmission, Out of order segments, TCP 2nd SYN, TCP RESET
The Bottom Line: Excellent
NFR Intrusion Detection Appliance 4.0
Summary: Network Flight Recorder (NFR) introduces advanced intrusion detection (ID) in a security appliance. It has a clean, intuitive GUI, and NFR's scripting language lets you develop custom ID filters.
Business Case: NFR adds ID to an enterprise security arsenal, with minimal overhead. This appliance is much easier to install, configure and maintain than competing ID software for Unix or Windows NT host systems.
Pros:
Easy to administer
Encrypted channel between console and PCs
Very good logging, reporting features
Scripting language for custom-filter development
Cons:
Cumbersome package installation
Alert message not sufficiently granular
Cost: $US3,100 per appliance license; $3,100, central management station
Platform(s): Appliance console: Win32; central administration console: Sun Solaris 2.51, 2.6, 2.7