All of nmaps port scans were immediately detected and generated pop-up and audible alerts pager and e-mail alerts are also available. The testbed consisted of three more computers: one running Windows 2000 Server Edition, another running Windows NT 4.0 and the third running Red Hat Inc.s Red Hat Linux 7.0.įrom the Linux box we used nmap, a Unix security-scanning utility, to probe the network for open ports and operating system signatures. All other interaction with the appliance is made at this console. We installed the NFR console on a computer running Windows 2000 Professional. For larger installations where this may be a problem, the NFR appliance has distributed scanning and management capabilities, but their implementation requires the purchase of more appliances. Although this did not cause problems on the test network, we believe that as the number of aggregated ports increases, performance will suffer. This minor workaround let us program the switch to transfer traffic to the destination port and also to the port where the NFR appliance was, allowing port analysis in a switched environment. We modified the Cisco 3524 Catalyst Switch on the test network to use the Switched Port Analyzer feature. Version 5.0 of NID, which began shipping in December, and a hardened version of the BSD Unix operating system for the appliance cost $4,500 the appliance costs $2,700. RealSecure takes a different approach than Cisco and NFR, running intrusion detection on each host. The intrusion detection market ranges from free open-source offerings like Snort (available from to Cisco Systems Inc.s Secure Intrusion Detection System, which starts at $6,120, and Internet Security Systems Inc.s RealSecure 5.0, priced at $8,995 for the central unit and $750 per server. We were able to perform ad hoc queries, produce graphs and create custom reports. Upon completion of eWeek Labs tests, we were impressed with the ability of the NFR appliance to make sense of a lot of data. NFR officials said they have specialists who identify new attack signatures and make updates available for download, generally within 24 hours.Īnalyzing attack and probe trends over time is almost as important as catching them as they happen. Changes in Version 5.0 of NID include an expanded library of attack signatures, remote administration, advanced query capabilities and ability to manage the appliance from a Unix workstation. Although this is limiting, NFRs Network Intrusion Detection software will catch the majority of hackers who use known exploits. Like a virus scanner, an intrusion detection system can recognize only known attack signatures. Although using the appliance requires a minor workaround in a switched network environment, most system administrators should not find this problematic. NFR Security Inc.s updated NID software and Network Flight Recorder Intrusion Detection Appliance caught virtually all the attacks eWeek Labs threw at it, proving to be a great combo for IT managers who need to know when their network is under attack.
0 Comments
Leave a Reply. |