Network detectives sniff for snoops

According to StillSecure’s tech support, the third crash was due to an incompatibility between the appliance’s Dell hardware and the Border Guard software. The bug inadvertently causes the hard drive to become read-only, which prevents Border Guard from logging data and thus crashes the system. This only happened once during a month of testing but could be a significant problem. StillSecure acknowledged the bug and claims it will have a fix in the next version.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft DOWNLOAD PDF Click here to download InfoWorld's special report Intrusion detection systems

Thanks to an excellent interface, simple setup, and easy rules maintenance, Border Guard is well-suited to either the novice or the seasoned administrator. It offers all the benefits of Snort and more, without all the headaches. 

ISS Proventia G200

The Proventia G200 appliance from ISS can be deployed passively as an IDS or in-line as an IPS. Although the Proventia does a decent job of detection, we discovered that it seems better suited as a network analysis or auditing tool.

We found installation cumbersome due to Proventia’s dependency on an external database for logging. We configured the Proventia as a passive network device, using a span port on our network to monitor all traffic flowing into and out of our test environment. In addition to IDS and IPS modes, the Proventia also offers an intermediate option called the “in-line simulation” mode. Here the sensor will just send alerts about things it would normally block in IPS mode, allowing you to test IPS policies before deployment.

In addition to setting up a separate Microsoft SQL Server database, which Proventia used as the primary repository for captured data, we had to install a Windows client -- the SiteProtector console -- on our management workstation in order to communicate with both the sensor and the database and to retrieve stored and correlated data. Unlike the other three competitors in this comparison, ISS does not provide a Web management interface.

We concede that the Windows client does enhance security because it creates a strict relationship between the appliance and the console. But it also restricts client platform options for administrators and limits the ability to distribute administrative duties, as each console requires the management client. We’d like to have the option of using a Web management interface.

SiteProtector was easy to configure, but it’s completely dependent on the Proventia appliance and SQL Server database for all functioning and authentication. As we found out, if the SQL Server connection is not established, the appliance simply does not respond to console requests -- not even with an error message. ISS should incorporate a pop-up message to inform the user when there is a problem.

Click for larger view.

This wasn’t the only usability hurdle we stumbled into. SiteProtector uses the database log-in and password combination established by the system administrator. If novice users attempt the log-in incorrectly, they are locked out without explanation.

On the plus side, the management console is designed to handle network vulnerability data from a variety of hardware and software sources, including ISS’ host-based distributed client, RealSecure Desktop, and its vulnerability management software, Internet Scanner, which we reviewed last fall. The SiteProtector console also supports several other information-gathering tools, including the SiteProtector SecurityFusion correlation engine. SecurityFusion helps you prioritize defenses against possible attacks based on other ISS product data. We came to think of SiteProtector as a Swiss army knife of sorts.

During setup, Proventia presented us with lots of options for various network configurations. For example, we could create a policy that was geared for specific router traffic or traffic coming from a specific subnet. But we also found creating and managing policies to be slightly confusing and counterintuitive. Policies we created often didn’t seem to justify the number of steps we were required to take -- or the variety of templates we had to wade through -- in order to get there.

Among all the products we reviewed, we found that Proventia put the strongest emphasis on network traffic auditing, thanks to deeper protocol analysis capabilities than its competitors’. For example, if you had a zero-tolerance policy for FTP traffic, Proventia could easily supply you with the information necessary to combat violations, even going as far as capturing user names and passwords that are sent in the clear. Of course, the same auditing policy approach works with other types of traffic such as HTTP and POP3.

Application-layer traffic filtering in Proventia is extensive out of the box. The application auditing it provides is nonexistent in StealthWatch and would require creating custom rules in Border Guard and Snort. For example, we could filter on POP3 traffic and inspect headers for source and destination, and we could view quite a substantial amount of information regarding the session transaction -- even when not viewing the actual payload.

Proventia also offers a plethora of options for reporting, including the ability to collect application-specific data such as successful FTP log-ons, Telnet users and passwords, or HTTP session information. A 3-D pie chart of current traffic activity gives the user a quick overview and the ability to drill down into the details.