NFR eases intrusion detection

By David Piscitello
November 1, 1999


Establishing a secure perimeter around an enterprise in today's lightning-fast business environment is formidable. The challenge of maintaining security is further exacerbated by the need to defend a network against intruders and malicious employees. You can't rely solely on a firewall for perimeter security and internal compartmentalization: You need to shore up your defenses with additional advanced security technologies, including intrusion detection (ID).

Because a denial-of-service attack can render your servers and routers useless, you can measure the value of an ID system in lost revenue and the cost of downtime. Subtle attacks that would go undetected without ID could result in the loss, disclosure, or destruction of sensitive corporate data.

Network Flight Recorder (NFR) Intrusion Detection Appliance (IDA) 4.0 is a powerful network monitor. This ID system operates similarly to a misuse-detection system in that it looks for traffic patterns that match a known attack, and it can be configured to look for policy breaches. For example, you can write a filter that sets off an alarm when NFR IDA detects an unusual number of Telnet log-in failures. It also performs anomaly detection and issues alert messages whenever unusual network traffic is encountered.

Several ID products are on the market, including Internet Security Systems' RealSecure, Network Associates' CyberCop Monitor, and Network ICE's BlackICE Pro and Sentry editions. As with virus-detection software, all good ID systems offer upgrades as new attack-detection capabilities are developed. NFR IDA is as capable and extensible a network-monitoring product as any available.

Most ID systems run on Unix or Windows NT, but the NFR IDA software (boot code and program logic) is booted directly onto an Intel PC-based monitoring appliance from the distribution CD-ROM; the hard drive is used only to store ID databases.

I liked the rack-mounted system's tamper-proof features, including removable drives and power and reset buttons protected by a lock and key. And the appliance offers some very desirable software security characteristics: There is no OS or file system for hackers to breach, and they can't install Unix, NT toolkits, or Trojan horses. Also, you won't have to harden the host on which the ID software runs.

I deployed a stand-alone configuration of NFR IDA on a LAN containing a proxy firewall, a Linux Web server, and PCs running Windows 95 and NT. Installing and configuring the NFR IDA software on the monitoring appliance and the administrative console on an NT workstation took 12 minutes.

A task bar on the GUI console selects among the administration and configuration, alert-viewing, and package subwindows. A "package" is a set of back ends, the event-monitoring and -recording engines, each of whose behavior is directed by filters. A pop-up window reports alerts in real time. From the package subwindow, you can query the extensive data logged and recorded by individual back ends. Like all good monitoring systems, NFR IDA has many knobs to control the kinds of events to monitor.

I ran a series of scans and attacks using Network Associates' CyberCop Scanner and penetration testing tools, downloaded from www.securityfocus.com. Using only default settings, NFR IDA alerted me to all but two of the intrusions: a subtle BackOrifice PING and an SNMP-walk issued to my broadcast IP address using the PUBLIC community string.

You can write additional filters to detect these attacks and more in N-Code, the vendor's proprietary event-driven language. NFR also incorporates N-Code filters developed by L0pht Heavy Industries into packages and back ends. Eventually, NFR plans to offer more than 1,000 L0pht filters for upgrade and download. I tinkered with some early versions, including one that alerted me when a legitimate FTP user attempted to access restricted directories, files, and commands. Filters demonstrate ways to incorporate security policies into ID monitoring.

If I could ask for one improvement to NFR IDA 4.0, I would like the alert messages to provide more granularity through a combination of discerning message types and explanatory descriptions. Isolating the nature of some of the attacks may take some time. For instance, NFR IDA detected all of CyberCop Scanner's test scripts directed at port 80 of my system under siege but lumped them into a single Possible Attack URL alert message.
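The two filters mentioned above (a threshold on Telnet log-in failures, and a policy filter that flags an FTP user reaching into restricted directories, files, or commands) are simple enough to show in full, together with the kind of discrete message type plus explanatory description that the alert-granularity complaint asks for. The following is an added example written in Python for this review, not NFR's N-Code and not vendor code; the event dictionaries, their field names, and the sample records are a constructed format assumed for illustration, not NFR's record layout.

```python
"""Threshold and policy filters of the kind an ID system runs over decoded
sessions.  Added example, not NFR N-Code or vendor code; the event format
(dicts with ts/proto/src/dst/... keys) is assumed and constructed here."""
import posixpath
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str     # discrete message type, so alerts can be sorted and counted
    ts: int       # time of the event that fired the alert
    source: str   # offending host
    detail: str   # explanatory description for the analyst


class TelnetFailureFilter:
    """Alert when one source accumulates `threshold` failed Telnet log-ins
    inside a sliding window of `window` seconds."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # source -> failure timestamps

    def process(self, ev):
        if ev["proto"] != "telnet" or ev["result"] != "login_failed":
            return None
        q = self._failures[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:   # drop entries outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()    # reset so one burst yields one alert, not one per extra failure
            return Alert("TELNET_LOGIN_FAILURES", ev["ts"], ev["src"],
                         f"{self.threshold} failed Telnet log-ins to {ev['dst']} "
                         f"within {self.window}s")
        return None


class FtpPolicyFilter:
    """Alert when a legitimate FTP user reaches into a restricted directory
    tree or issues a forbidden command (site policy, not an attack signature)."""

    def __init__(self, restricted=("/etc", "/root"), forbidden=("SITE EXEC",)):
        self.restricted = tuple(posixpath.normpath(p) for p in restricted)
        self.forbidden = tuple(c.upper() for c in forbidden)

    def is_restricted(self, path):
        # Normalise first so "/pub/../etc" is caught and "/etcetera" is not.
        path = posixpath.normpath(path)
        return any(path == p or path.startswith(p + "/") for p in self.restricted)

    def process(self, ev):
        if ev["proto"] != "ftp":
            return None
        cmd, arg = ev["cmd"].upper(), ev.get("arg", "")
        line = f"{cmd} {arg}".strip().upper()
        if any(line.startswith(f) for f in self.forbidden):
            return Alert("FTP_FORBIDDEN_COMMAND", ev["ts"], ev["src"],
                         f"user {ev['user']} issued '{cmd} {arg}' on {ev['dst']}")
        if cmd in ("CWD", "RETR", "STOR", "DELE", "LIST", "NLST") and self.is_restricted(arg):
            return Alert("FTP_RESTRICTED_PATH", ev["ts"], ev["src"],
                         f"user {ev['user']} issued {cmd} {arg} on {ev['dst']}")
        return None


def run_filters(events, filters):
    """Feed every event to every filter, collecting alerts in event order."""
    alerts = []
    for ev in events:
        for f in filters:
            alert = f.process(ev)
            if alert:
                alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts by message type: the granularity a single lumped
    'Possible Attack' message cannot give."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.kind] += 1
    return dict(counts)


# Constructed sample events (not captured traffic): a burst of Telnet failures
# from 10.0.0.7, then user alice on FTP wandering out of /pub.
SAMPLE_EVENTS = [
    {"ts": 0,  "proto": "telnet", "src": "10.0.0.7", "dst": "10.0.0.2", "result": "login_failed"},
    {"ts": 5,  "proto": "telnet", "src": "10.0.0.7", "dst": "10.0.0.2", "result": "login_failed"},
    {"ts": 9,  "proto": "telnet", "src": "10.0.0.7", "dst": "10.0.0.2", "result": "login_failed"},
    {"ts": 12, "proto": "telnet", "src": "10.0.0.7", "dst": "10.0.0.2", "result": "login_failed"},
    {"ts": 14, "proto": "telnet", "src": "10.0.0.7", "dst": "10.0.0.2", "result": "login_failed"},
    {"ts": 20, "proto": "telnet", "src": "10.0.0.9", "dst": "10.0.0.2", "result": "login_ok"},
    {"ts": 30, "proto": "ftp", "src": "10.0.0.9", "dst": "10.0.0.3", "user": "alice", "cmd": "CWD",  "arg": "/pub"},
    {"ts": 31, "proto": "ftp", "src": "10.0.0.9", "dst": "10.0.0.3", "user": "alice", "cmd": "CWD",  "arg": "/pub/../etc"},
    {"ts": 32, "proto": "ftp", "src": "10.0.0.9", "dst": "10.0.0.3", "user": "alice", "cmd": "RETR", "arg": "/etc/passwd"},
    {"ts": 33, "proto": "ftp", "src": "10.0.0.9", "dst": "10.0.0.3", "user": "alice", "cmd": "SITE", "arg": "EXEC ls"},
]

if __name__ == "__main__":
    for a in run_filters(SAMPLE_EVENTS, [TelnetFailureFilter(), FtpPolicyFilter()]):
        print(f"[{a.kind}] t={a.ts} src={a.source}: {a.detail}")
```

Run as-is, the sample produces one TELNET_LOGIN_FAILURES alert (on the fifth failure, at t=14), two FTP_RESTRICTED_PATH alerts, and one FTP_FORBIDDEN_COMMAND alert. The threshold filter keeps per-source state and expires it, which is what distinguishes a usable log-in-failure filter from one that fires on every single failed attempt; the policy filter normalises paths before comparing, so a traversal-style argument is caught and a directory that merely shares a prefix with a restricted one is not.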

NFR IDA is simple to install, competitively priced, highly customizable, and offers a broad range of ID monitoring and reporting capabilities. If you're feeling underfortified and outgunned, NFR IDA is definitely worth a look.


David Piscitello is a principal consultant at Core Competence, in South Carolina.



BOTTOM LINE
NFR Intrusion Detection Appliance 4.0
SUMMARY
Network Flight Recorder (NFR) introduces advanced intrusion detection (ID) in a security appliance. It has a clean, intuitive GUI, and NFR's scripting language lets you develop custom ID filters.

BUSINESS CASE
NFR adds ID to an enterprise security arsenal, with minimal overhead. This appliance is much easier to install, configure, and maintain than competing ID software for Unix or Windows NT host systems.

PROS

+ Easy to administer

+ Encrypted channel between console and PCs

+ Very good logging, reporting features

+ Scripting language for custom-filter development


CONS

- Cumbersome package installation

- Alert message not sufficiently granular


COST
$3,100 per appliance license; $3,100, central management station

PLATFORMS
Appliance console: Win32; central administration console: Sun Solaris 2.51, 2.6, 2.7

COMPANY
Network Flight Recorder Inc., Washington, D.C. (202) 662-1400; www.nfr.com


Caught in the act

NFR IDA 4.0 detected an impressive number of attacks. This list is partial.

  • Host, User Datagram Protocol, and TCP port scans; FTP Bounce port scan
  • Telnet failed log-in attempts
  • FTP command watch
  • FTP server hunt
  • UDP flood, SYN flood
  • Echo/chargen packet flood
  • PING denial of service
  • Linux inetd (Bad address DOS attack)
  • RPCINFO, Solaris RPCBind Kill DOS
  • TFTP attacks
  • Teardrop/Teardrop-2/BONK/BOINK
  • SunOS 4.1.3 UDP Reboot
  • PASV DOS attack
  • RWHO daemon buffer overflow
  • Windows NT Denial of Service Attacks: Messenger service, SMB, LAND, Fragment attack, LSASS.EXE, RPCSS.EXE, IIS attacks (..\.. and long URL)
  • IDS Testing Scripts: TCP Sequence # verification, IP fragmentation, IP checksum verification, TCP 3-way handshake, TCP segment retransmission, Out of order segments, TCP 2nd SYN, TCP RESET

