Intrusion Detection Systems
Distribution Statement A
Report Documentation Page (Standard Form 298, Rev. 8-98, prescribed by ANSI Std. Z39.18)
Report date: 25-09-2009
Report type: Report
Title: Information Assurance Technology Analysis Center (IATAC) Information Assurance Tools Report: Intrusion Detection Systems. Sixth Edition.
Contract number: SPO700-98-D-4002
Author: Tyler, Gene
Performing organization: Defense Technical Information Center, 8725 John J. Kingman Road, Suite 0944, Fort Belvoir, VA 22060-6218. IATAC is operated by Booz Allen Hamilton, 8283 Greensboro Drive, McLean, VA 22102.
Abstract: This Information Assurance Technology Analysis Center (IATAC) report provides an index of Intrusion Detection System (IDS) tools. It summarizes pertinent information, providing users a brief description of available IDS tools and contact information for each. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tool. The written descriptions are based solely on vendors' claims and are intended only to highlight the capabilities and features of each IDS product. The report does identify sources of product evaluations when available.
Security classification: report UNCLASSIFIED; abstract UNCLASSIFIED; this page UNCLASSIFIED. Limitation of abstract: None. Number of pages: 93.
Telephone number of responsible person (include area code): 703-984-0775
Table of Contents

Section 1 Introduction
  1.1 Purpose
Section 2
  2.1 Definition
  2.2 Technologies
    2.2.1 Network-Based
    2.2.2 Wireless
    2.2.3 Network Behavior Anomaly Detection
    2.2.4 Host-Based
  2.3 Detection Types
    2.3.1 Signature-Based Detection
    2.3.2 Anomaly-Based Detection
    2.3.3 Stateful Protocol Inspection
  2.4 False Positives and Negatives
  2.5 System Components
Section 3 Technologies
  3.1 Network Intrusion Detection System
    3.1.1 An Overview of the Open Systems Interconnection Model
    3.1.2 Component Types
    3.1.3 NIDS Sensor Placement
    3.1.4 Types of Events
    3.1.5 Prevention
  3.2 Wireless
    3.2.1 Components
    3.2.2 Types of Events
  3.3 Network Behavior Anomaly Detection
  3.4 Host-Based Intrusion Detection System
    3.4.1 Types of Events
    3.4.2 Prevention
Section 4 IDS Management
  4.1 Maintenance
  4.2 Tuning
  4.3 Detection Accuracy
Section 5 IDS Challenges
    5.1.2 Social Engineering
  5.2 Challenges in IDS
    5.2.1 IDS Scalability in Large Networks
    5.2.2 Vulnerabilities in Operating Systems
    5.2.3 Limits in Network Intrusion Detection Systems
    5.2.4 Signature-Based Detection
    5.2.5 Challenges with Wireless Technologies
    5.2.6 Over-Reliance on IDS
Host-Based Intrusion Detection Systems
  AIDE (Advanced Intrusion Detection Environment)
  CSP Alert-Plus
  eEye Retina
  eEye SecureIIS Web Server Protection
  GFI EventsManager
  Hewlett Packard-Unix (HP-UX) 11i Host Intrusion Detection System (HIDS)
  IBM RealSecure Server Sensor
  integrit
  Lumension Application Control
  McAfee Host Intrusion Prevention
  NetIQ Security Manager iSeries
  Osiris
  OSSEC HIDS
  PivX preEmpt
  Samhain
  Tripwire Enterprise
  Tripwire for Servers
Network Intrusion Detection Systems
  Arbor Networks Peakflow X
  ArcSight
  Bro
  Check Point IPS Software Blade
  Check Point VPN-1 Power
  Check Point VPN-1 Power VSX
  Cisco ASA 5500 Series IPS Edition
  Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2)
  Cisco Guard XT
  Cisco Intrusion Detection System Appliance IDS-4200
  Cisco IOS IPS
  Cisco Security Agent
  Enterasys Dragon Network Defense
  ForeScout CounterAct Edge
  IBM Proventia SiteProtector
  Imperva SecureSphere
  Intrusion SecureNet IDS/IPS
  iPolicy Intrusion Prevention Firewall Family
  Juniper Networks IDP
  Lancope StealthWatch
  McAfee IntruShield Network IPS Appliances
  NIKSUN NetDetector
  NitroSecurity NitroGuard Intrusion Prevention System
  PreludeIDS Technologies
  Q1 Labs QRadar
  Radware DefensePro
  SecurityMetrics Appliance
  Snort
  snort_inline
  Sourcefire 3D Sensor
  Sourcefire Intrusion Prevention System
  StillSecure Strata Guard
  Symantec Critical System Protection
  TippingPoint Intrusion Prevention System
  Top Layer IPS
  Webscreen
Wireless Intrusion Detection Systems
  AirMagnet
  AirSnare
  AirTight Networks SpectraGuard Enterprise
  Aruba Wireless Intrusion Detection & Prevention (WIDP)
  Kismet
  Motorola AirDefense Enterprise
  Newbury Networks WiFi Watchdog
IA Tools Report
SECTION 1
Introduction
The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support Information Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center (DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific and technical information. Scientists, engineers, and information specialists staff each IAC. IACs establish and maintain comprehensive knowledge bases that include historical, technical, scientific, and other data and information, which are collected worldwide. Information collections span a wide range of unclassified, limited-distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques, including databases, models, and simulations.
IATAC's mission is to provide DoD with a central point of access for information on emerging technologies in IA and cyber security. These include technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems, and information technology. Specific areas of study include IA and cyber security threats and vulnerabilities, scientific and technological research and development, and technologies, standards, methods, and tools through which IA and cyber security objectives are being or may be accomplished. As an IAC, IATAC's basic services include collecting, analyzing, and disseminating IA scientific and technical information; responding to user inquiries; database operations; current awareness activities (e.g., the IAnewsletter, IA Digest, IA/IO Events Scheduler, and IA Research Update); and publishing State-of-the-Art Reports, Critical Review and Technology Assessment reports, and Tools Reports. The IA Tools Database is one of the knowledge bases maintained by IATAC. This knowledge base contains information on a wide range of intrusion detection, vulnerability analysis, firewall, and anti-malware tools. Information for the IA Tools Database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors. Periodically, IATAC publishes a Tools Report to summarize and elucidate a particular subset of the tools information in the IATAC IA Tools Database that addresses a specific IA or cyber security challenge.
To ensure applicability to Warfighter and Research and Development Community (Program Executive Officer/Program Manager) needs, the topic areas for Tools Reports are solicited from the DoD IA community or are based on IATAC's careful ongoing observation and analysis of the IA and cyber security tools and technologies in which that community expresses a high level of interest.
Inquiries about IATAC capabilities, products, and services may be addressed to:
Gene Tyler, Director
13200 Woodland Park Road, Suite 6031, Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: [email protected]
URL: http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil
1.1 Purpose
This report provides a brief explanation of why intrusion detection (ID) and intrusion prevention tools are necessary, and an index of various available tools. For this report, an Intrusion Detection System (IDS) is a device that attempts to detect intrusion into a computer or network by observation or audit. An Intrusion Prevention System (IPS) goes one step further: it not only detects attacks but attempts to prevent them as well. This report provides a summary of the characteristics and capabilities of publicly available IDS and IPS tools. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tool. The written descriptions are based solely on the suppliers' claims and are intended only to highlight the capabilities and features of each tool. These descriptions do not reflect the opinion of IATAC. It is up to the readers of this document to assess which product, if any, might best meet their needs. Technical questions concerning this report may be addressed to [email protected].
SECTION 2
2.1 Definition
Intrusion detection is the act of detecting unwanted traffic on a network or a device. An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later date or will combine events with other data to make decisions regarding policies or damage control. An IPS is a type of IDS that can prevent or stop unwanted traffic. The IPS usually logs such events and related information.
2.2 Technologies

Several types of IDS technologies exist because network configurations vary. Each type has advantages and disadvantages in detection, configuration, and cost. Specific categories are discussed in detail in Section 3, Technologies.

2.2.1 Network-Based

A Network Intrusion Detection System (NIDS) is one common type of IDS that analyzes network traffic at all layers of the Open Systems Interconnection (OSI) model and makes decisions about the purpose of the traffic, analyzing it for suspicious activity. Most NIDSs are easy to deploy on a network and can often view traffic from many systems at once.

2.2.2 Wireless

A wireless local area network (WLAN) IDS is similar to a NIDS in that it can analyze network traffic. However, it will also analyze wireless-specific traffic, including scanning for external users trying to

A term becoming more widely used by vendors is Wireless Intrusion Prevention System (WIPS), describing a network device that monitors and analyzes the wireless radio spectrum of a network for intrusions and performs countermeasures.

2.2.3 Network Behavior Anomaly Detection

Network behavior anomaly detection (NBAD) examines traffic on network segments to determine whether anomalies exist in the amount or type of traffic. Segments that usually see very little traffic, or only a particular type of traffic, may show a change in the amount or type of traffic when an unwanted event occurs. NBAD requires several sensors to build a good picture of a network, and it requires benchmarking and baselining to determine the normal amount of a segment's traffic.

2.2.4 Host-Based

Host-based intrusion detection systems (HIDS) analyze network traffic and system-specific settings such as software calls, local security policy, local log audits, and more. A HIDS must be installed on each machine and requires configuration specific to that operating system and software.

2.3 Detection Types

2.3.1 Signature-Based Detection

An IDS can use signature-based detection, relying on known traffic data to recognize potentially unwanted traffic. This type of detection is very fast and easy to configure. However, an attacker can slightly modify an attack to render it undetectable by a signature-based IDS. Still, signature-based detection, although limited in what it can detect, can be very accurate for what it does detect.
2.3.2 Anomaly-Based Detection

Anomaly-based detection looks at network traffic and flags data that is incorrect, invalid, or generally abnormal. This method is useful for detecting unwanted traffic that is not specifically known in advance. For instance, an anomaly-based IDS will detect that an Internet protocol (IP) packet is malformed; it does not determine that the packet is malformed in a specific way, only that it is anomalous.
2.3.3 Stateful Protocol Inspection

Stateful protocol inspection is similar to anomaly-based detection, but it can also analyze traffic at the network and transport layers and vendor-specific traffic at the application layer, which anomaly-based detection cannot do.
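The contrast between the detection types above, as an added example that is not code from the report or from any tool it lists: a signature matcher that fires on a known byte pattern and misses the same request with one character re-encoded, and a structural check on the IPv4 header that flags a malformed packet without knowing which attack produced it. The packets, the signature pattern, and the rule name EXAMPLE-CMD-INJECTION are constructed for illustration.

```python
"""Signature-based vs. anomaly-based detection over constructed packets.

Added example; the sample packets and the signature are made up for illustration.
"""
import re
import struct
from typing import Dict, List, Optional


def ipv4_packet(payload: bytes, ihl: int = 5, total_len: Optional[int] = None) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) in front of payload."""
    if total_len is None:
        total_len = ihl * 4 + len(payload)
    ver_ihl = (4 << 4) | ihl
    header = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_len, 0x1234, 0, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + payload


# Hypothetical signature: a byte pattern from a known directory-traversal exploit attempt.
SIGNATURES = {
    "EXAMPLE-CMD-INJECTION": re.compile(rb"cmd\.exe\?/c\+dir"),
}

# Constructed samples.
KNOWN_ATTACK = ipv4_packet(b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n")
# Same request with one character URL-encoded: the server decodes it, the signature does not.
EVADED_ATTACK = ipv4_packet(b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+%64ir HTTP/1.0\r\n")
# Header claims a 12-byte header length (below the 20-byte minimum) and the wrong total length.
MALFORMED = ipv4_packet(b"hello", ihl=3)


def signature_detect(packet: bytes) -> List[str]:
    """Return the names of signatures whose pattern appears in the packet payload."""
    header_len = (packet[0] & 0x0F) * 4
    payload = packet[header_len:]
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def anomaly_detect(packet: bytes) -> List[str]:
    """Flag structural violations of the IPv4 header, without knowing the attack."""
    if len(packet) < 20:
        return ["packet shorter than the 20-byte IPv4 header minimum"]
    version = packet[0] >> 4
    ihl = packet[0] & 0x0F
    total_len = struct.unpack("!H", packet[2:4])[0]
    findings = []
    if version != 4:
        findings.append(f"version field is {version}, expected 4")
    if ihl < 5:
        findings.append(f"header length {ihl * 4} is below the 20-byte minimum")
    if total_len != len(packet):
        findings.append(f"total length field {total_len} does not match actual size {len(packet)}")
    return findings


def classify(packet: bytes) -> Dict[str, List[str]]:
    """Run both detectors and return their findings side by side."""
    return {"signature": signature_detect(packet), "anomaly": anomaly_detect(packet)}


if __name__ == "__main__":
    for label, pkt in [("known", KNOWN_ATTACK), ("evaded", EVADED_ATTACK), ("malformed", MALFORMED)]:
        print(label, classify(pkt))
```

The evaded request is caught by neither detector: the payload is well formed and the signature does not normalize URL encoding. That is the gap the paragraph on signature-based detection describes, and it is why production NIDS engines normalize application-layer data before matching.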
2.4 False Positives and Negatives

It is impossible for an IDS to be perfect, primarily because network traffic is so varied and complicated. The erroneous results of an IDS are divided into two types: false positives and false negatives. False positives occur when the IDS erroneously reports a problem with benign traffic. False negatives occur when unwanted traffic goes undetected by the IDS. Both create problems for security administrators and may require that the system be recalibrated. A greater number of false positives is generally more acceptable, but it can burden a security administrator with cumbersome amounts of data to sift through. False negatives, however, because they go undetected, give the security administrator no opportunity to review the data at all.
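The trade-off above in numbers, as an added example (not from the report): confusion-matrix rates scored over a constructed alert log, and a projection showing that when attacks are rare even a small false-positive rate leaves the analyst's queue dominated by false alarms. The event counts, the base rate, and the sensor's assumed detection and false-positive rates are illustrative.

```python
"""Confusion-matrix arithmetic for an IDS alert stream.

Added example; the event log and the projection inputs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Accuracy:
    tp: int  # true positives: alerts on real attacks
    fp: int  # false positives: alerts on benign traffic
    fn: int  # false negatives: attacks that produced no alert
    tn: int  # true negatives: benign traffic that was correctly silent

    @property
    def false_positive_rate(self) -> float:
        return self.fp / (self.fp + self.tn)

    @property
    def false_negative_rate(self) -> float:
        return self.fn / (self.fn + self.tp)

    @property
    def precision(self) -> float:
        """Share of the analyst's alert queue that is a real attack."""
        return self.tp / (self.tp + self.fp)


def score(events: Iterable[Tuple[bool, bool]]) -> Accuracy:
    """Tally (alerted, actually_malicious) pairs from a labelled event log."""
    tp = fp = fn = tn = 0
    for alerted, malicious in events:
        if alerted and malicious:
            tp += 1
        elif alerted:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return Accuracy(tp, fp, fn, tn)


# Constructed log of 1,000 events: 10 attacks (9 caught, 1 missed), 990 benign (20 flagged).
SAMPLE_LOG = [(True, True)] * 9 + [(False, True)] + [(True, False)] * 20 + [(False, False)] * 970


def projected_alerts(events_per_day: int, attack_fraction: float,
                     detection_rate: float, fpr: float) -> Tuple[float, float, float]:
    """Project (true alerts, false alerts, precision) for one day at the given base rate."""
    attacks = events_per_day * attack_fraction
    benign = events_per_day - attacks
    true_alerts = attacks * detection_rate
    false_alerts = benign * fpr
    return true_alerts, false_alerts, true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    acc = score(SAMPLE_LOG)
    print(f"FPR={acc.false_positive_rate:.4f} FNR={acc.false_negative_rate:.2f} "
          f"precision={acc.precision:.2f}")
    # A sensor that catches 99% of attacks with a 0.1% false-positive rate, on a network
    # where 1 event in 100,000 is an attack, still fills the queue with ~99% false alarms.
    print(projected_alerts(1_000_000, 1e-5, 0.99, 0.001))
```

The projection is the practical reason tuning (Section 4) matters: the false-positive rate is multiplied by the benign volume, which is almost all of the traffic, so a rate that looks negligible per event can still bury the few true alerts.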
2.5 System Components

Sensors: ... device to collect data. They take input from various sources, including network packets, log files, and system call traces. Input is collected, organized, and then forwarded to one or more analyzers.
Analyzers: Analyzers in an IDS collect data forwarded by sensors and determine whether an intrusion has actually occurred. Output from the analyzers should include evidence supporting the intrusion report. The analyzers may also provide recommendations and guidance on mitigation steps.
User interface: The user interface of the IDS provides the end user a view of, and a way to interact with, the system. Through the interface the user can control and configure the system. Many user interfaces can generate reports as well.
Honeypot: In a fully deployed IDS, some administrators may choose to install a honeypot, essentially a system component set up as bait or decoy for intruders. Honeypots can be used as early warning systems of an attack, as decoys drawing attackers away from critical systems, and as data collection sources for attack analyses. Many IDS vendors maintain honeypots for research purposes and to develop new intrusion signatures. Note that a honeypot should be deployed only when the organization has the resources to maintain it. A honeypot left unmanaged may become a significant liability because attackers may use a compromised honeypot to attack other systems.
SECTION 3
Technologies

3.1 Network Intrusion Detection System

A NIDS is placed on a network to analyze traffic in search of unwanted or malicious events. Network traffic is built on various layers; each layer delivers data from one point to another.

3.1.1 An Overview of the Open Systems Interconnection Model

The OSI model and the transmission control protocol (TCP)/IP model show how each layer stacks up. (See Figure 1.) Within the TCP/IP model, the lowest layer, the link layer, controls how data flows on the wire, such as signal voltages and the physical addresses of hardware, i.e., media access control (MAC) addresses. The Internet layer controls addressing and routing and contains the IP stack. The transport layer controls data flow and checks data integrity; it includes TCP and the user datagram protocol (UDP). Lastly, the most complicated but most familiar layer is the application layer, which contains the traffic used by programs. Application layer traffic includes the Web (hypertext transfer protocol [HTTP]), file transfer protocol (FTP), email, etc. Most NIDSs detect unwanted traffic at each layer, but concentrate mostly on the application layer.

Figure 1. Layers of the OSI model (Application, Presentation, Session, Transport, Network, ...) compared with the TCP/IP model (Application, Transport, Internet, Link).

3.1.2 Component Types

Two main component types comprise a NIDS: appliance and software only. A NIDS appliance is a piece of dedicated hardware; its only function is to be an IDS. The operating system (OS), software, and network interface cards (NIC) are included in the appliance. The second component type, software only, contains all the IDS software and sometimes the OS; the user provides the hardware. Software-only NIDSs are often less expensive than appliance-based NIDSs because they do not include the hardware; however, more configuration is required, and hardware compatibility issues may arise. With an IDS, the arrangement of system components is vital to efficiency. Often a NIDS is not comprised of one device but of several physically separated components. In a less complicated NIDS, all components may be present but contained in one device. The NIDS is usually made of the components identified in Section 2.5, but more specifically, the physical components usually include the sensor, management server, database server, and console.
Sensor: The sensor or agent is the NIDS component that sees network traffic and can make decisions regarding whether the traffic is malicious. Multiple sensors are usually placed at specific points around a network, and the location of the sensors is important. Connections to the network could be at firewalls, switches, routers, or other places at which the network divides.
Management server: As the analyzer, a management server is a central location to which all sensors send their results. Management servers often connect to sensors via a management network, which for security reasons is often separated from the remainder of the network. The management server makes decisions based on what the sensors report. It can also correlate information from several sensors and make decisions based on specific traffic in different locations on the network.
Database server: Database servers are the storage components of the NIDS. Events from sensors and correlated data from management servers are logged to these servers. Databases are used because of their large storage space and performance qualities.
Console: As the user interface of the NIDS, the console is the portion of the NIDS into which the administrator logs to configure the NIDS or monitor its status. The console can be installed either as a local program on the administrator's computer or as a secure Web application portal.
Traffic between the components must be secured and should travel between each component unchanged and unviewed. Intercepted traffic could allow an attacker to change the way in which the network views an intrusion.

3.1.3 NIDS Sensor Placement

Because a sensor is the portion of the NIDS that views network traffic, its placement is important for detecting the proper traffic. Figure 2 offers an example of how to place a NIDS sensor and other components. There are several ways to connect a NIDS sensor to the network:
Inline: An inline NIDS sensor is placed between two network devices, such as a router and a firewall. This means that all traffic between the two devices must travel through the sensor, guaranteeing that the sensor can analyze the traffic. An inline sensor can be used to disallow traffic that has been deemed malicious. Inline sensors are often placed between the secure side of the firewall and the remainder of the internal network so that the sensor has less traffic to analyze.
Passive: A passive sensor analyzes traffic that has been copied from the network rather than traffic that passes through it. The copied traffic can come from numerous places:
Spanning port: Switches often allow all traffic on the switch to be copied to one port, called a spanning port. During times of low network load, this is an easy way to view all traffic on a switch; however, as the load increases, the switch may not be able to copy all traffic. Also, if the switch deems traffic malformed, it may not copy the traffic at all, and malformed traffic may be exactly the type the NIDS sensor must analyze.
Network tap: A network tap copies traffic at the physical layer. Network taps are commonly used on fiber-optic cables, where the tap is inline and copies the signal without lowering the amount of light to an unusable level. Because network taps connect directly to the media, a problem with a network tap can disable an entire connection.

3.1.4 Types of Events

A NIDS can detect many types of events, from benign to malicious. Reconnaissance events alone are not dangerous, but they can lead to dangerous attacks. Reconnaissance events can originate at the TCP layer, such as a port scan. Running services have open ports to allow legitimate connections. During a port scan, an attacker tries to open connections on every port of a server to determine which services are running. Reconnaissance also includes opening connections to known applications, such as Web servers, to gather information about the server's OS and version. A NIDS can also detect attacks at the network, transport, or application layers. These attacks include malicious code that could be used for denial of service (DoS) attacks and for theft of information. Lastly, a NIDS can be used to detect less dangerous but nonetheless unwanted traffic, such as unexpected services (e.g., backdoors) and policy violations.
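A detector over flow records, as an added example that is not part of the report or of any listed product: it flags the port scan described above and, going beyond this subsection into the traffic-shape approach that Section 3.3 describes for NBAD, flags an interval whose byte volume exceeds a learned baseline (the DoS case). The flow records are constructed: one workstation, one scanner, one 50-second flood. The thresholds (20 distinct ports within 60 seconds; 3 standard deviations above the first 5 intervals) are illustrative choices.

```python
"""Reconnaissance (port scan) and traffic-volume detection over constructed flow records.

Added example; the flow records and thresholds are made up for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int, int]  # (time_s, src_ip, dst_ip, dst_port, bytes)

FLOWS: List[Flow] = []
# Baseline: one workstation fetching from the web server every 10 s for 10 minutes.
for i in range(60):
    FLOWS.append((i * 10, "10.0.0.5", "10.0.0.80", 80, 1500))
# Reconnaissance: an external host probes ports 1..40 of the server, one per second.
for port in range(1, 41):
    FLOWS.append((100 + port, "203.0.113.9", "10.0.0.80", port, 60))
# Flood: 200 flows from 200 different sources inside a 50 s burst starting at t = 420.
for i in range(200):
    FLOWS.append((420 + i * 0.25, f"198.51.100.{i + 1}", "10.0.0.80", 80, 1500))


def detect_port_scans(flows: List[Flow], window_s: int = 60,
                      min_ports: int = 20) -> Dict[Tuple[str, str], Tuple[float, int]]:
    """Alert once per (src, dst) pair that touches >= min_ports distinct ports within window_s."""
    alerts: Dict[Tuple[str, str], Tuple[float, int]] = {}
    recent: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for t, src, dst, port, _ in sorted(flows):
        key = (src, dst)
        if key in alerts:
            continue
        history = recent[key] + [(t, port)]
        # Keep only the flows that fall inside the sliding window ending at t.
        history = [(ts, p) for ts, p in history if ts >= t - window_s]
        recent[key] = history
        distinct = {p for _, p in history}
        if len(distinct) >= min_ports:
            alerts[key] = (t, len(distinct))
    return alerts


def volume_anomalies(flows: List[Flow], interval_s: int = 60, baseline_intervals: int = 5,
                     k: float = 3.0) -> Tuple[List[Tuple[int, int]], float]:
    """Learn bytes-per-interval mean and deviation from the first intervals, then flag
    later intervals whose volume exceeds mean + k * stdev."""
    per_interval: Dict[int, int] = defaultdict(int)
    for t, _, _, _, nbytes in flows:
        per_interval[int(t // interval_s)] += nbytes
    series = [per_interval[i] for i in range(max(per_interval) + 1)]
    baseline = series[:baseline_intervals]
    threshold = mean(baseline) + k * pstdev(baseline)
    flagged = [(i, v) for i, v in enumerate(series) if i >= baseline_intervals and v > threshold]
    return flagged, threshold


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("volume anomalies:", volume_anomalies(FLOWS))
```

Note that the scan falls inside the learning period, so the baseline is slightly inflated by it; in practice the baseline must be taken from traffic known to be clean, which is the benchmarking step Section 2.2.3 calls for.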
Figure 2. NIDS placement (components shown include the IDS console).

3.1.5 Prevention

Although the detection portion of an IDS is the most complicated, the goal of the IDS is to make the network more secure, and the prevention portion must accomplish that. After malicious or unwanted traffic is identified, prevention techniques can stop it. When an IDS is placed in an inline configuration, all traffic must travel through an IDS sensor; when traffic is determined to be unwanted, the IDS does not forward it to the remainder of the network. To be effective, however, this requires that all traffic pass through the sensor. When an IDS is not configured inline, it must end the malicious session by sending a reset packet onto the network. Sometimes the attack can complete before the IDS can reset the connection. In addition, ending connections this way works only on TCP, not on UDP or Internet control message protocol (ICMP) traffic, which have no connection to reset. A more sophisticated approach to IPS is to reconfigure network devices (e.g., firewalls, switches, and routers) to react to the traffic. Virtual local area networks (VLAN) can be configured to quarantine traffic and limit its connections to other resources.

3.2 Wireless

Because wireless technologies have become so popular, and because the nature of wireless communication blurs the borders between networks, special consideration is required. A wireless IDS is similar to a NIDS because the same types of network-based attacks can occur on wireless networks. However, because WLANs have other functionality and vulnerabilities, a WLAN IDS must monitor for network-based attacks as well as wireless-specific attacks. Wireless sensors may be standalone devices that monitor all wireless traffic without forwarding it. Sensors may also be built into wireless access points (AP) to monitor traffic as it connects to the wired network. The location of a WLAN sensor is important because its physical location affects what it can monitor. A sensor should be able to monitor traffic from any device that can connect to the wireless network (see Figure 3), which may require several sensors extending past the normal field of operations. WLAN devices operate on one channel at a time but can choose from several; consequently, a WLAN sensor can listen on only one channel at a time. Sensors can listen to one channel or to several channels by changing them periodically, as one would change channels on a television. Several sensors may be used to listen to several channels at once.

3.2.1 Components

A wireless IDS contains several components, such as sensors, management and logging databases, and consoles, as does a NIDS. Wireless IDSs are unique in that they can run centralized or decentralized. In centralized systems, the data is correlated at a central location, and decisions and actions are made based on that data. In decentralized systems, decisions are made at the sensor.
Figure 3. WLAN IDS placement (WLAN IDS sensor, access point, rogue access point).

3.2.2 Types of Events

WLAN IDS sensors can monitor several types of events, both those monitored on wired networks and wireless-specific events. WLAN sensors can detect anomalies such as unauthorized WLANs and wireless devices, poorly secured WLAN devices, unusual usage patterns, wireless scanners and war-driving tools, DoS attacks, and man-in-the-middle (MITM) attacks. The limited scope of these events means that WLAN IDS results are usually more accurate than wired IDS results.

3.3 Network Behavior Anomaly Detection

NBAD is an IDS technology in which the shape or statistics of traffic, not individual packets, determine whether the traffic is malicious. NBAD sensors are placed around a network in key places, such as at switches, at demilitarized zones (DMZ), and at locations where traffic splits to different segments. Sensors then report on what type and amount of traffic is passing through. By viewing the shape of the traffic, an NBAD system can detect DoS attacks, scanning across the network, worms, unexpected application services, and policy violations. NIDS and NBAD systems share some of the same components, such as sensors and management consoles; however, unlike NIDS, NBAD systems usually do not have database servers.
NBAD systems work best at determining when traffic deviates from the baseline. This is particularly useful for detecting DoS attacks and worms. As with other IDSs, NBAD systems can be used to prevent malicious traffic by stopping it from passing through. If a network segment is determined to be experiencing a DoS attack, the segment can be shut down or rerouted. NBAD systems do have a limitation: the traffic causing the alert can also be the traffic that defeats the defensive response. A DoS attack could prevent the NBAD system from reaching and reconfiguring a firewall or router, and the attack could then continue.

3.4 Host-Based Intrusion Detection System

A HIDS comprises sensors located on servers or workstations to prevent attacks on a specific machine. A HIDS can see more than just network traffic and can make decisions based on local settings, OS-specific settings, and log data. Like other IDS configurations, a HIDS has various device types. The sensor, or agent, is located on or near a host, such as a server, workstation, or application service. Event data is sent to logging services to record the events and possibly correlate them with other events. HIDS agents can be placed on numerous host types; HIDS sensors can monitor servers, client hosts, and application servers. A server is typically a computer dedicated to running services to which clients connect to send or receive data, such as Web, email, or FTP servers. A client host is a workstation, such as a desktop or laptop, from which a user connects to other machines. An application service is software that runs on a server, such as a Web service or database application. Because each host runs a different OS or service, the types of attacks that will affect a machine are specific to that machine. Because the HIDS sensor monitors the machine, not solely the network traffic, the agent must be placed on the host as a piece of software. Logically, it is placed in a similar manner to a NIDS sensor, between the asset and the outside network. However, instead of
being a network device, the HIDS sensor is a software layer through which the traffic must pass to get to the service. This layer is called a shim. (See Figure 4.)
HIDS Management
HID S
code is not executed because of the buffer overflow. Also, when unexpected access to a file system occurs, the HIDS sensor can deny access. Because a HIDS sensor does not have to rely on network traffic to make decisions on malicious traffic or to stop network traffic, the HIDS IPS tactics can be performed very quickly and successfully.
File System
Network Traffic
Network Interface
CPU
3.4.1
Types of Events
A host-based IDS, such as a NIDS sensor, can monitor a system for network-based attacks and can also detect host-specific events. These host-specific events include code analysis, such as malicious code executes and buffer overflows; file system monitoring, including integrity and access; log analysis, during which host logs are reviewed; and lastly, network configuration monitor, during which the configuration of network settings (e.g., wireless, VPN, and modem configurations) are reviewed for changes or improper settings.
3.4.2
Prevention
A HIDS monitors several host-specific events and, in turn, can defend a system from attacks of this type. When a malicious code event is detected, such as a buffer overflow, a HIDS can ensure that malicious
SECTION 4
IDS Management
4.1
Maintenance
IDS maintenance is required for all IDS technologies. Because threats and prevention technologies are always changing, patches, signatures, and configurations must be updated to ensure that the latest malicious traffic is being detected and prevented. Maintenance is usually performed from a console through a graphical user interface (GUI), application, or secure Web-based interface. From the console, administrators can monitor IDS components to ensure they are operational, verify they are working properly, and perform vulnerability assessments (VA) and updates.
4.2
Tuning
To be effective, an IDS must be tuned accurately. Tuning means changing settings so that they comply with the security policies and goals of the IDS administrator. Scanning techniques, thresholds, and focus can be tuned to ensure that an IDS identifies relevant data without overloading the administrator with warnings or too many false positives. Tuning is time-consuming, but it must be performed to ensure an efficient IDS configuration. Note that tuning is specific to the IDS product.
4.3
Detection Accuracy
The accuracy of an IDS depends on the way in which it detects, for example on its rule set. Signature-based detection detects only simple and well-known attacks, whereas anomaly-based detection can detect more types of attacks but produces a higher number of false positives. Tuning is required to minimize the number of false positives and to make the data more useful.
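The NBAD approach from Section 3 (traffic shape compared against a learned baseline) and the threshold tuning and false-positive trade-off discussed above, as an added Python example that is not part of the IATAC report or of any product it lists. The flow records, hosts, and the three "shape" features are constructed assumptions; the threshold is the tuning setting whose effect is shown.

```python
"""NBAD-style detection: learn a traffic baseline, alert on deviation from it.

Added example for this page, not code from the IATAC report or from any product
it lists. The flow records, hosts and the three "shape" features are constructed
assumptions; the threshold is the tuning setting whose effect on false positives
is shown.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int


def summarize(flows: List[Flow]) -> Dict[str, float]:
    """Reduce an interval to shape features; packet payloads are never inspected."""
    total = sum(f.packets for f in flows)
    per_dst: Dict[str, int] = {}
    per_src: Dict[str, Set[Tuple[str, int]]] = {}
    for f in flows:
        per_dst[f.dst] = per_dst.get(f.dst, 0) + f.packets
        per_src.setdefault(f.src, set()).add((f.dst, f.dport))
    return {
        "packets": float(total),  # overall volume
        # fraction of packets aimed at the busiest destination (DoS indicator)
        "top_dst_share": max(per_dst.values(), default=0) / total if total else 0.0,
        # most distinct (host, port) pairs touched by one source (scan indicator)
        "max_fanout": float(max((len(s) for s in per_src.values()), default=0)),
    }


class Baseline:
    """Per-feature mean and sigma learned from intervals believed to be normal."""

    def __init__(self, normal_intervals: List[List[Flow]]) -> None:
        summaries = [summarize(iv) for iv in normal_intervals]
        self.stats: Dict[str, Tuple[float, float]] = {}
        for key in summaries[0]:
            values = [s[key] for s in summaries]
            mu = mean(values)
            # A feature that never varied in training gets a floor of 5% of its
            # mean, so a small change does not produce an astronomical z-score.
            self.stats[key] = (mu, max(pstdev(values), 0.05 * abs(mu), 1e-9))

    def zscores(self, flows: List[Flow]) -> Dict[str, float]:
        obs = summarize(flows)
        return {k: (obs[k] - mu) / sd for k, (mu, sd) in self.stats.items()}

    def alerts(self, flows: List[Flow], threshold: float) -> List[str]:
        """Tags for each feature exceeding the baseline by `threshold` sigmas."""
        z = self.zscores(flows)
        tags: List[str] = []
        if z["packets"] > threshold:
            tags.append("volume")  # more traffic than usual
        if z["top_dst_share"] > threshold:
            tags.append("dos")  # traffic piling onto one destination
        if z["max_fanout"] > threshold:
            tags.append("scan")  # one source touching many host/port pairs
        return tags


# Constructed network: five clients that each talk to three internal servers.
CLIENTS = [f"10.0.0.{i}" for i in range(1, 6)]
SERVERS = [("10.0.1.10", 80), ("10.0.1.11", 25), ("10.0.1.12", 53)]


def client_traffic(packets_per_flow: int) -> List[Flow]:
    return [Flow(c, dst, port, packets_per_flow) for c in CLIENTS for dst, port in SERVERS]


# Ten training intervals whose load varies mildly around 20 packets per flow.
TRAINING = [client_traffic(p) for p in (18, 20, 22, 20, 19, 21, 20, 22, 18, 20)]
# Evaluation intervals: BUSY is heavy but benign; DOS adds one external source
# flooding the web server; SCAN adds one host probing 60 host/port pairs.
NORMAL = client_traffic(20)
BUSY = client_traffic(24)
DOS = client_traffic(20) + [Flow("203.0.113.7", "10.0.1.10", 80, 2000)]
SCAN = client_traffic(20) + [Flow("10.0.0.9", f"10.0.2.{h}", p, 1)
                             for h in range(1, 21) for p in (22, 80, 443)]


def evaluate(threshold: float) -> Dict[str, List[str]]:
    """Alert tags per evaluation interval at one threshold setting."""
    base = Baseline(TRAINING)
    cases = (("normal", NORMAL), ("busy", BUSY), ("dos", DOS), ("scan", SCAN))
    return {name: base.alerts(iv, threshold) for name, iv in cases}


if __name__ == "__main__":
    # 2.0 sigmas flags the busy interval as a false positive; 3.5 does not, and
    # the DoS and scan intervals are still caught at the higher setting.
    for thr in (2.0, 3.5):
        print(f"threshold {thr}: {evaluate(thr)}")
```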
SECTION 5
IDS Challenges
It is important to remember that an IDS is only one of many tools in the security professional's arsenal against attacks and intrusions. As with any tool, all IDS have their own limitations and challenges. Much depends on how they are deployed and used, but in general, IDS should be integrated with other tools to comprehensively protect a system. Even more importantly, security should be planned and managed. Personnel must be trained to have healthy security habits and to be wary of social engineering.
IDS technologies continue to evolve. As limitations are realized, new detection tools are being developed. Forensic technology has been a promising new source of detection strategies. Host Based Security Systems (HBSS) are also rising in popularity. The focus of HBSS-based security is migrating from strictly perimeter management to security management at the hosts.
5.1
Attacks
5.1.1
Tools Used in Attacks
As the world becomes more connected to the cyberworld, attackers and hackers are becoming increasingly sophisticated, especially in the use of automated tools to penetrate systems. At the same time, cybercriminals are becoming more organized and can engineer highly coordinated and intricate attacks. The following are general types of tools that attackers utilize:
• Scanning Tools: These tools allow attackers to survey and analyze system characteristics. These tools can determine the OS used by network devices, and then identify vulnerabilities and potential network ports to use for an attack. Some tools can also perform slowly timed surveys of a target system in order not to trigger an IDS.
• Remote Management Tools: Remote management tools are often used by systems administrators to manage a network by managing and controlling system devices from a remote location. However, the same tools can be used by attackers to similarly take control of target devices, sometimes covertly. Additionally, attackers have been creating various types of malware to carry out attacks. Malware can include trojan horses, rootkits, backdoors, spyware, keystroke loggers, and botnets.
5.1.2
Social Engineering
Despite the existence of sophisticated technical tools, social engineering remains one of the most effective methods of attack for infiltrating systems. The most carefully secured system in the world, using the latest technologies, can be broken when employees are tricked into revealing passwords and other sensitive information. Besides physically securing systems, security professionals must ensure that staff and personnel are trained to recognize social engineering techniques such as phishing attacks. Personnel should also develop safe habits such as locking computer screens when idle, being careful when discarding notes that have sensitive information, and heeding warnings given by browsers when perusing Web sites. However, the problem is exacerbated when organizations using different networks must share potentially sensitive information. Trust between the organizations not to reveal one another's data can become a large issue.
5.2
Challenges in IDS
5.2.1
IDS Scalability in Large Networks
Many networks are large and can even contain a heterogeneous collection of thousands of devices. Sub-components in a large network may communicate using different technologies and protocols. One challenge for IDS devices deployed over a large network is for IDS components to be able to communicate across sub-networks, sometimes through firewalls and gateways. On different parts of the network, network devices may use different data formats and different protocols for communication. The IDS must be able to recognize the different formats. The matter is further complicated if different trust relationships are being enforced within parts of the network. Finally, the IDS devices must be able to communicate across barriers between parts of the network. However, opening up lines of communication can create more vulnerabilities in network boundaries that attackers can exploit. Another challenge in a large network is for the IDS to be able to effectively monitor traffic. NIDS components are scattered throughout a network, but if they are not placed strategically, many attacks can bypass NIDS sensors altogether by traversing alternate paths in the network. Moreover, although many IDS products on the market are updated to recognize the attack signatures of single attacks, they may fail to recognize attacks that use many attack sources. Many IDS cannot intelligently correlate data from multiple sources. Newer IDS technologies must leverage integrated systems to gain an overview of distributed intrusive activity.
5.2.2
Many common operating systems are simply not designed to operate securely. Thus, malware is often written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, if an operating system is compromised, it can often be difficult for an IDS to recognize that the operating system is no longer legitimate. Moving forward, operating systems must be designed to better support security policies pertaining to authentication, access control, and encryption.
5.2.3
NIDS analyze traffic traversing network segments at the network layer. At that level, attacks can be observed that would be difficult to see when observing only at the application level. However, there may be traffic passing within the network that is not fully visible to the NIDS. This happens especially when secure encrypted tunnels and VPNs are deployed. Unless it knows how to decrypt and re-encrypt the data, such traffic remains fully opaque to the NIDS. Secure sockets layer (SSL) traffic over hypertext transfer protocol secure (HTTPS) connections can be used by attackers to mask intrusions. Another limitation of NIDS manifests as bandwidth rates increase in a network. Especially when the amount of traffic also increases, it becomes a challenge for a NIDS to keep up with the rate of traffic and analyze data quickly and sufficiently. Finally, in a large network with many paths of communication, intrusions can bypass NIDS sensors.
5.2.4
Signature-Based Detection
A common strategy for IDS in detecting intrusions is to memorize signatures of known attacks. The inherent weakness in relying on signatures is that the signature patterns must be known first. New attacks are often unrecognizable by popular IDS. Signatures can be masked as well. The ongoing race between new attacks and detection systems has been a challenge.
One of the challenges with wireless is that the new technology comes with its own set of protocols for communication that break the traditional OSI layer model. IDS must learn new communication patterns. Also, as open as wireless communication is, devices on such networks rely on established trust relationships between identified systems; however, if one system is already compromised before rejoining a network, it may be difficult for the IDS to detect intrusive activity from a trusted source.
5.2.6
Over-Reliance on IDS
IDS themselves may be used improperly within an organization. In general, an IDS is an important tool for security administrators to detect intrusions and attacks on a system. It is even more important for administrators to properly secure the system in the first place. When administrators rely too much on IDS to catch intrusions, they can overly focus on symptoms of network vulnerabilities rather than fixing the root causes of the security issue. Over-reliance on IDS can become a problem especially when commercial IDS vendors overhype features in the race to sell products on the market. Sometimes IDS capability claims are exaggerated and should be tested with skepticism. Administrators should thoroughly check IDS output and use competent judgment when analyzing reports. It is important to recognize that the IDS is only one tool in an administrator's arsenal for properly securing a network. Using an integrated approach to security, administrators should come up with an overall plan, properly lock down systems, and leverage multiple types of tools such as firewalls, vulnerability scanners, and more.
SECTION 6
Conclusion
Intrusion detection and prevention systems are important parts of a well-rounded security infrastructure. IDSs are used in conjunction with other technologies (e.g., firewalls and routers), are part of procedures (e.g., log reviews), and help enforce policies. The IDS technologies (NIDS, WLAN IDS, NBAD, and HIDS) are used together, correlating data from each device and making decisions based on what each type of IDS can monitor. IDSs should be used as part of defense in depth (DiD); they should not be used alone. Other techniques, procedures, and policies should be used to protect the network. IDSs have made significant improvements in the past decade, but some concerns still plague our security administrators. These problems will continue to be addressed as IDS technologies improve.
SECTION 7
IDS Tools
This section summarizes pertinent information, providing users a brief description of available IDS tools and vendor contact information. Again, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn from vendors' information such as brochures and Web sites, and are intended only to highlight the capabilities or features of each product. It is up to the reader to assess which product, if any, may best suit his or her security needs.
Trademark Disclaimer
The authors have made a best effort to indicate registered trademarks where they apply, based on searches in the U.S. Patent and Trademark Office Trademark Electronic Search System (TESS) for live registered trademarks for all company, product, and technology names. There is a possibility, however, that due to the large quantity of such names in this report, some trademarks may have been overlooked in our research. We apologize in advance for any trademarks that may have been inadvertently excluded, and invite the trademark registrants to contact the IATAC to inform us of their trademark status so we can appropriately indicate these trademarks in our next revision. Note that we have not indicated non-registered and non-U.S. registered trademarks due to the inability to research these effectively.
Type: The type of tool, or category in which this tool belongs, e.g., Web Application Scanning
Operating System: The operating system(s) on which the tool runs. If the tool is an appliance, this field will contain a not applicable symbol (N/A) because the operating system is embedded in the tool.
Hardware: The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements, such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field will contain a not applicable symbol (N/A) because the hardware is incorporated into the tool.
License: The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License
NIAP Validated: An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field will be blank.
Common Criteria: If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field will be blank.
Developer: The individual or organization responsible for creating and/or distributing the tool
URL: The Uniform Resource Locator (URL) of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases, the Web page at which the supplier can be notified with a request to obtain the tool
CSP Alert-Plus
Abstract
Alert-Plus protects Hewlett-Packard (HP) NonStop systems by providing real-time intrusion protection on systems running Safeguard. Alert-Plus is a rules-based system that compares events recorded in a Safeguard audit trail against custom-defined rules and automatically invokes a response when it detects an event of interest. Alert-Plus can detect an intrusion attempt and actually help to block it. Alert-Plus includes a Windows GUI, which allows a user to perform all Alert-Plus functions more directly from the GUI. Functions include the following:
• Creating, editing, and compiling rules;
• Observing on console windows the events
Alert-Plus
Type: HIDS
Operating System: Windows
Hardware: Required
License: Commercial
NIAP Validated:
Common Criteria:
Developer: Computer Security Products (CSP), Inc.
URL: http://www.tandemsecurity.com/solution_3.php
BUILTINS
BUILTINS are new in Alert-Plus and allow defining a complete rule in a single statement, monitoring up to 20 security vectors, and invoking 12 different responses, including audible announcements. Security vectors include suspicious logon activity and access attempts.
Threat Board
Threat Board is an optional component that can be added to an Alert-Plus installation. Threat Board works in conjunction with Alert-Plus to analyze patterns within multiple events and map them to threat indicators based on category, frequency, and customized thresholds.
eEye Retina
Abstract
Retina Network Security Scanner provides vulnerability management and identifies known and zero day vulnerabilities, plus provides security risk assessment, enabling security best practices, policy enforcement, and regulatory audits.
eEye Retina
Type: HIDS
Operating System: Windows
Hardware: Required
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: eEye Digital Security
URL: http://www.eeye.com/html/Products/Retina/index.html
Features
• Network Security Scanner: Enables prioritized policy management, patch management, and vulnerability management
• Network Vulnerability Assessment: Identifies network security vulnerabilities, missing application updates, and zero day threats
• Network Discovery and Policy Assessment: Discovers all devices, operating systems, applications, patch levels, and policy configurations
• Vulnerability Management: Enables prioritized policy management, patch management, and vulnerability assessment
• Fast and Accurate Scans: Accurately scans a Class C network of devices, operating systems and applications in ~15 minutes
• Policy Compliance: Identifies and simplifies corporate and regulatory requirements (SOX, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999 (GLBA), Payment Card Industry (PCI) and others)
Features
• Application Layer Protection: SecureIIS inspects requests as they come in from the network layer, as they are passed up to the kernel, and at every level of processing in between. If at any point SecureIIS detects a possible attack, it can take over and prevent unauthorized access and/or damage to the Web server and host applications.
• IIS ISAPI Integration: SecureIIS was developed as an ISAPI filter, which allows for tighter integration with the Web server compared to other application firewalls. It monitors data as it is processed by IIS and can block a request at any point if it resembles one of many classes of attack patterns, including SQL injection and cross-site scripting.
• Zero Day Protection: Unlike network firewalls and intrusion detection systems, SecureIIS does not rely upon a database of attack signatures that requires regular updating. Instead, it uses multiple security filters to inspect Web server traffic that could cause buffer overflows, parser evasions, directory traversal, or other attacks. Therefore, SecureIIS is able to block entire classes of attacks, including attacks that have not yet been discovered.
• Compatibility and Key Features: SecureIIS works with and protects all common Web-based applications such as Flash, Cold Fusion, FrontPage, Outlook Web Access, and many third-party and custom applications. Configurations can be modified without having to restart the Web server, thus preventing disruption of the active Web site. SecureIIS runtime logs
GFI EventsManager
Abstract
GFI EventsManager is a software-based events management solution that delivers automated collection and processing of events from diverse networks, from the small, single-domain network to extended, mixed-environment networks, on multiple forests and in diverse geographical locations. It offers a scalable design that enables you to deploy multiple instances of the front-end application while maintaining the same database backend. This decentralizes and distributes the event collection process while centralizing the monitoring and reporting aspects of events monitoring. GFI EventsManager includes:
• A performance-tuned event processing engine,
• A comprehensive set of event processing rules that are pre-configured and applicable to a wide variety of networks regardless of their size,
• A set of noise reduction features, critical in large complex networks,
• A centralized and user-friendly events browser that enables you to locate events that occurred on your network from a single console,
• Trigger-based alerts,
• Reporting features, which can be added by installing the GFI EventsManager ReportPack, a fully fledged reporting companion to GFI EventsManager.
GFI EventsManager
Type: HIDS
Operating System: Windows
Hardware: Processor: 2.5 Gigahertz (GHz) or higher; Random access memory (RAM): 1024 Megabyte (MB); Hard disk: 2 Gigabyte (GB) of available space
License: Commercial
HP-UX 11i HIDS
Type: HIDS
Operating System: Unix
Hardware: Required
License: Freeware
NIAP Validated:
Common Criteria:
Developer: Hewlett-Packard
URL: http://h20338.www2.hp.com/hpux11i/cache/324806-0-0-0-121.html
of suspicious activity that can precede an attack.
• HP-UX HIDS is useful for enterprise environments where centralized management tools control networks of heterogeneous systems. These environments can include Web servers, transaction processors, application servers, and database systems.
• HP-UX HIDS uses knowledge about how host systems, the network, or the entire enterprise can be exploited, and applies that expertise to the flow of system events. HP-UX HIDS uses known building blocks to protect resources against existing attack scenarios and unknown scenarios.
• HP-UX HIDS provides simplified administration through a secure GUI, the HP-UX HIDS System Manager.
• HP-UX HIDS provides customizable intrusion response capabilities. Hosts always send alerts to the administration interface. You can augment these notifications with automated host-based response programs that you can customize for the host that is being monitored. HP provides a customized program for OpenView Operations (OVO) integration; you can also create your own.
management of operating system audit policy helps ensure that all critical servers have consistent and effective audit policy and allows for the management of true kernel-level auditing
• Global technical support: Provides customers with a wide array of support offerings, specifically designed to meet the cost and service demands of diverse networking environments
IBM RealSecure Server Sensor
Type: HIDS
Operating System: Windows, Sun Solaris, IBM AIX, HP-UX, VMware ESX
Hardware: Required
License: Commercial
NIAP Validated:
Common Criteria:
Developer: IBM
URL: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1026960
Benefits
• Server protection: Designed to protect the underlying operating system by helping prevent attackers from exploiting operating system and application vulnerabilities
• Web application protection: Provides SSL-encrypted application-layer intrusion monitoring, analysis, and response capability for both Apache and IIS Web servers
• Advanced intrusion prevention/blocking: Monitors all traffic to and from the server or network in order to detect and prevent inbound attacks as well as block new and unknown outbound attacks such as buffer overflows, Trojans, brute force attacks, unauthorized access and network worms
• Console and network intrusion protection: Provides the flexibility to detect and prevent both console and network-based attacks through log monitoring capabilities that detect malicious activity before it causes any damage
• Broad platform coverage: Provides the flexibility to grow a server protection strategy regardless of the environment: Windows, Solaris, HP-UX, AIX and Linux
• Windows Server 2003 and Windows 2000 Server certified: This rigorous test is endorsed for business-critical applications by analysts and enterprise customers alike because it verifies features and functionality that make applications more robust and manageable.
integrit
Abstract
integrit has a small memory footprint, uses up-to-date cryptographic algorithms, and has other features. The integrit system detects intrusion by detecting when trusted files have been altered. By creating an integrit database (update mode) that is a snapshot of a host system in a known state, the host's files can later be verified as unaltered by running integrit in check mode to compare the current state to the recorded known state. integrit can do a check and an update simultaneously.
integrit
Type: HIDS
Operating System: All POSIX (Linux/BSD/UNIX-like OS)
Hardware: Required
License: Open Source
NIAP Validated:
Common Criteria:
Developer: Ed L. Cashin
URL: http://integrit.sourceforge.net/texinfo/integrit.html; http://sourceforge.net/projects/integrit/
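The update-mode/check-mode cycle that integrit (and the other file-integrity monitors in this section, Osiris, Samhain and Tripwire) describes, as an added Python example that is not integrit's own code, database format or CLI: it records SHA-256 hashes plus size, mode and mtime as a JSON snapshot (an assumption) and shows what check mode reports after a constructed set of changes, including a check-and-update run in one pass.

```python
"""File integrity check in the integrit style: update mode records a snapshot of
a tree, check mode reports drift from it, and one run can do both.

Added example for this page, not integrit's own code, database format or CLI.
Assumptions: SHA-256 over content plus size, mode and mtime are the recorded
attributes, and the snapshot is stored as JSON.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Dict[str, object]
Change = Tuple[str, str]  # (relative path, kind of change)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Update mode: record hash and attributes of every regular file under root."""
    db: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            db[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
            }
    return db


def compare(known: Dict[str, Record], current: Dict[str, Record]) -> List[Change]:
    """Check mode: one (path, kind) per difference; an empty list means no drift."""
    changes: List[Change] = []
    for rel in sorted(set(known) | set(current)):
        if rel not in current:
            changes.append((rel, "missing"))
        elif rel not in known:
            changes.append((rel, "new"))
        elif known[rel]["sha256"] != current[rel]["sha256"]:
            changes.append((rel, "content"))
        elif known[rel]["mode"] != current[rel]["mode"]:
            changes.append((rel, "mode"))  # same bytes, different permissions
        elif known[rel]["mtime"] != current[rel]["mtime"]:
            changes.append((rel, "mtime"))  # same bytes, but touched: worth a look
    return changes


def check_and_update(db_path: str, root: str) -> List[Change]:
    """Check against the stored snapshot, then replace it with the current state.
    The snapshot must itself be trusted, so in practice keep it off the monitored
    host or on read-only media."""
    current = snapshot(root)
    changes: List[Change] = []
    if os.path.exists(db_path):
        with open(db_path, "r", encoding="utf-8") as fh:
            changes = compare(json.load(fh), current)
    with open(db_path, "w", encoding="utf-8") as fh:
        json.dump(current, fh, indent=1, sort_keys=True)
    return changes


def demo() -> List[Change]:
    """Record a constructed tree, change it, and return what check mode reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(root, "ssh"))
        files = {"passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "ssh/sshd_config": b"PermitRootLogin no\n",
                 "motd": b"welcome\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(root, rel), 0o644)
        db_path = os.path.join(tmp, "integrity.json")
        check_and_update(db_path, root)  # first run: nothing stored yet, only records
        # Constructed changes: an edited config, a deleted file, a dropped-in file,
        # and a permission change that leaves the content untouched.
        with open(os.path.join(root, "ssh/sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, "ssh/authorized_keys"), "wb") as fh:
            fh.write(b"ssh-ed25519 AAAA...constructed\n")
        os.chmod(os.path.join(root, "passwd"), 0o600)
        return check_and_update(db_path, root)
```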
GUI-based application (the SecureWave Management Console, or SMC) and various command-line tools. It also operates in the client tier, and is supported on Windows 2000 Server or Professional, Windows XP Professional, or Windows Server 2003.
Lumension Sanctuary Application Control
Type: HIDS
Operating System: Windows
Hardware: Required
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Lumension, Inc.
URL: http://www.lumension.com/
system (Microsoft SQL Server 7.0 or higher, or MSDE version 1.0 or 2000) and underlying operating system (Windows 2000 Server or Professional, Windows XP Professional, or Windows Server 2003) are in the TOE environment.
• One or more servers: The Sanctuary Application Server (SXS) runs as a service on the underlying operating system (Windows 2000 Server or Professional, or Windows Server 2003).
• Client kernel driver (SXD): This is installed on each of the client computers to be protected. Client kernel drivers are available for the following operating systems: Windows NT4 SP6a Server or Workstation; Windows 2000 Server or Professional; Windows XP Professional; or Windows Server 2003.
Features
• Behavioral protection secures endpoints against unknown attacks; signature protection identifies and blocks known attacks; stateful firewall applies policies, bars unsolicited inbound traffic, and controls outbound traffic; application control specifies which applications can or cannot be run; custom, connection-based policies safeguard laptops when they are off the network
• Apply different levels of security using rules based on the endpoint's connection: on the corporate network, over VPN, or from a public
with real-time monitoring for security incidents, extensive notification and information capabilities, and automated responses.
• Improves security knowledge: Delivers a comprehensive Knowledge Base that automatically builds security knowledge and internalizes new and updated information. This helps ensure that the knowledge needed to understand and respond to incidents is available when needed.
• Increases protection levels: Integrates and correlates real-time and archived data from all security systems and processes. By tracking incidents to ensure they are handled correctly and on time, customers achieve true incident life cycle management for optimal protection.
• Boosts operational performance: Improves ROI by consolidating security information from across the organization into a central location, filtering out noise and false positives, and presenting real incidents. This enables a focused monitoring and response capability.
• Assures compliance: Facilitates regular review and reporting on enterprise security information, monitors security controls to validate their effectiveness, and provides real-time enforcement of policies and best practices.
Osiris
Abstract
Osiris is a host integrity monitoring system that can be used to monitor changes to a network of hosts over time and report those changes back to the administrator(s). Currently, this includes monitoring any changes to the file systems. Osiris takes periodic snapshots of the file system and stores them in a database. These databases, as well as the configurations and logs, are all stored on a central management host. When changes are detected, Osiris will log these events to the system log and optionally send email to an administrator. In addition to files, Osiris has the ability to monitor other system information including user lists, group lists, and kernel modules or extensions. Some integrity monitoring systems are signature-based; that is, they look for specific file attributes as a means of detecting malicious activity. Osiris is intentionally not like this. Osiris will detect and report changes to a file system and let the administrator determine what, if any, action needs to take place.
Osiris
Type: HIDS
Operating System: Linux, Unix, Windows
Hardware: Required
License: Open Source
NIAP Validated:
Common Criteria:
Developer: Shmoo
URL: http://osiris.shmoo.com
OSSEC HIDS
Abstract
OSSEC HIDS is an open-source HIDS. It performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response. For single-system monitoring, the OSSEC HIDS can be installed locally on that box and perform all functions from there; however, for additional systems, an OSSEC server may be installed with one or more OSSEC agents that forward events to the server for analysis.
OSSEC HIDS
Type: HIDS
Operating System: FreeBSD, Linux, OpenBSD, Solaris, AIX, HP-UX, MacOSX, VMWare ESX, Windows
Hardware: Required
License: Open Source
PivX preEmpt
Abstract
preEmpt uses Active System Hardening to protect Windows desktops and servers against new threats by blocking the underlying vulnerabilities exploited by worms and viruses. preEmpt includes a comprehensive management console for enterprise use and an easy to use interface for individual users.
preEmpt
Type: HIDS
Operating System: Windows
Hardware: Required
License: Commercial
NIAP Validated:
Common Criteria:
Developer: PivX Solutions, Inc
URL: http://www.pivx.com/HomeOffice
Samhain
Abstract
Samhain is a file and host integrity and intrusion alert system suitable for single hosts as well as for large, UNIX-based networks. Samhain offers advanced features to support and facilitate centralized monitoring. In particular, Samhain can optionally be used as a client/server system with monitoring clients on individual hosts and a central log server that collects the messages of all clients. The configuration and database files for each client can be stored centrally and downloaded by clients from the log server. Using conditionals (based on hostname, machine type, OS, and OS release, all with regular expressions), a single configuration file for all hosts on the network can be constructed. The client (or standalone) part is called Samhain, while the server is referred to as Yule. Both can run as daemon processes.
Samhain
Type: HIDS
Operating System: Cygwin/Windows, Linux, Unix
Hardware: Required
License: Open Source
NIAP Validated:
Common Criteria:
Developer: Samhain Labs
URL: http://www.la-samhna.de/samhain/
Features
• Centralized monitoring,
• Web-based management console,
• Multiple logging facilities,
• Tamper resistance.
Tripwire Enterprise
Abstract
Tripwire Enterprise is a change audit assessment product that can ensure the integrity of critical data on a wide variety of servers and network devices (e.g., routers, switches, firewalls, and load balancers), called nodes. It does this by gathering system status, configuration settings, file content, and file metadata on the nodes and checking the gathered node data against previously stored node data to detect modifications. Tripwire Enterprise consists of a server application component (Tripwire Enterprise Server for Windows 2000, XP Professional, or 2003; Solaris 7, 8, or 9; or Red Hat Enterprise Linux 3 or 4), a client application component (Tripwire Enterprise Agents for Windows 2000, XP Professional, and 2003; Solaris 8, 9, and 10; Red Hat Enterprise Linux 3 and 4; SUSE Enterprise Server 9; HP-UX 11.0, 11i v1, and 11i v2; and AIX 5.1, 5.2, and 5.3), and a client administrative console application component (Tripwire Command Line Interface [CLI]). The Tripwire Enterprise Server uses the SSL implementation provided by the Java Virtual Machine (JVM) in its information technology (IT) environment for HTTPS communication with the GUI and the CLI. The product is also bundled with a database application (Firebird Database) to support the product's storage needs. The Firebird Database is considered part of the IT environment. While the product supports running the Firebird Database and the Tripwire Enterprise Server (TE Server) on different machines, they must run on the same machine in the evaluated configuration. The other Tripwire Enterprise components can run on different machines in various combinations. The Tripwire Enterprise Server is the only product installed and active on the machine on which it runs.
Tripwire Enterprise
Type: HIDS
Operating System: Linux, Unix, Windows
Hardware (Windows and Linux): 3.0 GHz x86 processor or compatible; 2 GB RAM; 2 SATA or SCSI hard drives; 3.2 GB free disk space; 4 GB data storage space; 256-color display
Hardware (Solaris): 900 MHz UltraSPARC III processor; 2 GB RAM; 2 SATA or SCSI hard drives; 3.2 GB free disk space; 4 GB data storage space; X Window-capable 256-color display
License: Commercial
NIAP Validated: True
Common Criteria: EAL3
Developer: Tripwire, Inc.
URL: http://www.tripwire.com/products/enterprise/
Tripwire Manager
Hardware (Windows): Pentium IV class processor or above; 1024 MB RAM; 75 MB disk space (150 MB for installation)
Hardware (Solaris): Sun UltraSPARC II or higher processor; 1024 MB RAM; 86 MB disk space (229 MB for installation); X Window System
Hardware (Linux): Pentium IV class processor or above; 1024 MB RAM; 85 MB disk space (167 MB for installation); X Window System
License: Commercial
NIAP Validated: True
Common Criteria: EAL1
Developer: Tripwire
URL: http://www.tripwire.com/products/servers/
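The baseline-and-compare cycle that OSSEC's integrity checking, Samhain, and Tripwire Enterprise all perform, shown as an added example. This is illustrative code written for this report, not any of those products' own implementation. It uses only the Python standard library; the directory tree, its files, and the tampering applied to them are constructed inside the block.

```python
import hashlib
import json
import os
import stat
import tempfile

# Added example of host file-integrity monitoring (FIM): record a baseline
# of digests plus metadata, then diff a later snapshot against it.
# Not OSSEC, Samhain or Tripwire code; the sample tree below is constructed.

HASH_ALGO = "sha256"


def fingerprint(path):
    """Attributes a FIM tool records for one file: a content digest for
    regular files, plus the metadata whose change is itself a finding
    (permission bits, owner, group, size)."""
    st = os.lstat(path)
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.new(HASH_ALGO)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["digest"] = h.hexdigest()
    return entry


def build_baseline(root):
    """Walk root and fingerprint every file; keys are paths relative to root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots into the three change classes an integrity checker
    reports. Modified entries list which attributes differ, so a permission
    or ownership change is reported even when the content digest is unchanged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path].get(k)]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a temporary tree, then tamper with it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "etc", "motd"), "w") as f:
        f.write("welcome\n")
    baseline = build_baseline(root)
    # A real deployment keeps this serialized baseline off the monitored host
    # (Samhain's Yule server, Tripwire's stored node data); here it is just
    # round-tripped through JSON to show it is plain data.
    saved = json.dumps(baseline, sort_keys=True)

    # Simulated tampering: a uid-0 account appended, motd deleted, a new
    # executable dropped at the top level.
    with open(os.path.join(root, "etc", "passwd"), "a") as f:
        f.write("eve:x:0:0::/:/bin/sh\n")
    os.remove(os.path.join(root, "etc", "motd"))
    with open(os.path.join(root, "backdoor"), "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(os.path.join(root, "backdoor"), 0o755)

    return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the products above make with central servers and tamper resistance applies directly here: an attacker who has root on the monitored host can rewrite a baseline stored on that host, so the comparison is only trustworthy when the stored snapshot lives somewhere the host cannot write to.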
Peakflow X
Features
- Built-in application intelligence: With its integrated Application Intelligence collector, Peakflow X extends its network-wide visibility down to the application layer. This micro-level visibility helps maximize the performance, reliability, and security of key applications; reduce cost and downtime by quickly resolving network issues; avoid over-provisioning a network to meet application demands; and expand application usage across geographically dispersed networks without risking bandwidth or security issues.
- Network-wide visibility: Leverage IP flow technology in existing network devices to achieve pervasive, cost-effective visibility and security of enterprise networks, including those based on MPLS.
- Application intelligence: Detect the applications on a network and identify who is using them, enabling you to improve the performance of
ArcSight
Abstract
The ArcSight product is a security management software product designed to monitor, analyze, and report on network anomalies identified by third-party network monitoring devices (e.g., IDS sensors or IDS scanners, firewalls). ArcSight thus provides second-order IDS: enterprise-wide monitoring across sub-networks monitored by heterogeneous network monitors. As such, ArcSight provides a solution for managing all network events and activities in an enterprise from a centralized view. ArcSight allows trusted users to monitor events, correlate events for in-depth investigation and analysis, and resolve events with automated escalation procedures and actions. ArcSight Console is a centralized view into an enterprise that provides real-time monitoring, in-depth investigative capabilities, and automated responses and resolutions to events. The Console provides administrators, analyzer administrators, and operators with an intuitive interface to the Manager to perform security management functions, including viewing the audit data. ArcSight Manager is a high-performance engine that manages, cross-correlates, filters, and processes all occurrences of security events within the enterprise. The ArcSight Manager sits at the center of ArcSight and acts as the link between the ArcSight Console, ArcSight Database, and ArcSight SmartAgent. The ArcSight Database is the logical access mechanism, particular schema, table spaces, partitioning, and disk layout. The ArcSight Database stores all captured events and saves all security management configuration information, such as system users, groups, permissions, and defined rules, zones, assets, reports, displays, and preferences, in an Oracle database.
ArcSight SmartAgent collects and processes events generated by security devices throughout an enterprise, such as routers, email logs, anti-virus products, firewalls, IDSs, access control servers, VPN systems, anti-DoS appliances, operating system logs, and other sources where information on security threats is detected and reported. Agents for the following products are included in the product:
- Nessus, a vulnerability scanner that delivers its data via a proprietary push protocol (OPSEC);
- Snort IDS DB, an intrusion detection system that delivers its data via a database (MySQL).
ArcSight
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL3
Developer: ArcSight Inc.
URL: http://www.arcsight.com
Bro
Abstract
Bro is an open-source, Unix-based NIDS that passively monitors network traffic. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures and by events) and unusual activities. Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered. If Bro detects something of interest, it can be instructed to generate a log entry, alert the operator, or execute an operating system command. In addition, Bro's detailed log files can be particularly useful for forensics. Bro targets high-speed (gigabits per second [Gbps]), high-volume intrusion detection. By leveraging packet-filtering techniques, Bro is able to achieve the necessary performance while running on commercially available PC hardware.
Bro
Type: NIDS
Operating System: Unix. FreeBSD 4.10 (http://www.freebsd.org/) is the reference platform; Bro works with Linux and Solaris as well, but performance is best under FreeBSD. In particular, there are some performance issues with packet capture under Linux.
Hardware, processor: 1 GHz CPU (for 100BASE-T Ethernet with average packet rate <= 5,000 packets/second); 2 GHz CPU (for 1000BASE-T Ethernet with average packet rate <= 10,000 packets/second); 3 GHz CPU (for 1000BASE-T Ethernet with average packet rate <= 20,000 packets/second); 4 GHz CPU (for 1000BASE-T Ethernet with average packet rate <= 50,000 packets/second). Note: these are very rough estimates, and much depends on the types of traffic on your network (e.g., HTTP, FTP, email).
Hardware, memory: 1 GB RAM is the minimum needed, but 2-3 GB is recommended.
Hardware, hard disk: 10 GB minimum; 50 GB or more recommended for log files.
Hardware, network interfaces: 3 interfaces are required: 2 for packet capture (1 for each direction) and 1 for host management. Capture interfaces should be identical.
License: Open Source
Developer: Lawrence Berkeley National Laboratory
URL: http://www.bro-ids.org/
Benefits
- Complete IPS protection: A fully functioning IPS management tools including real-time event views and an automated protection process;
- Protection between patches: Reinforces security during delays in the patching process.
Benefits
- FireWall-1 security with integrated firewall, VPN, and intrusion prevention;
- Accelerated security up to 12 Gbps;
- Accelerated SmartDefense intrusion prevention up to 6.1 Gbps;
- Simple centralized management of a unified security architecture;
- Protection against new threats through SmartDefense Services.
Benefits
- Unique and comprehensive virtualized security solution with firewall, VPN, IPS, and URL filtering;
- Consolidate hundreds of security gateways to a single device, increasing device hardware utilization and reducing power, space, and cooling;
- Linear scaling of performance up to 27 Gbps;
- Flexible deployment options, including software and a full line of turnkey appliances;
- Single proven security management architecture.
ASA 5500 Series IPS Edition combines inline intrusion prevention services with innovative technologies that improve accuracy.
- Network integration and resiliency: Building on Cisco networking expertise, the Cisco ASA 5500 Series IPS Edition provides tight integration with other network elements, increasing the effectiveness of security technologies.
- Threat-protected VPN: Building upon the market-proven VPN capabilities of the Cisco VPN 3000 Series Concentrator, the Cisco ASA 5500 Series IPS Edition provides secure site-to-site and remote-user access to corporate networks and services.
- Complete incident life-cycle management: The Cisco management and monitoring suite enables large-scale deployment and operation of the Cisco ASA 5500 Series IPS Edition. Also included with the solution is the Cisco Adaptive Security Device Manager, which provides a browser-based management and monitoring interface for individual devices.
Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2)
Abstract
The Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) is an IPS solution to safeguard organizations from costly and debilitating network breaches and help ensure business continuity. The second-generation Cisco IDSM-2 protects switched environments by integrating full-featured IPS functions directly into the network infrastructure through the widely deployed Cisco Catalyst chassis. This integration allows a user to monitor traffic directly off the switch backplane, a logical platform for the additional services of a firewall, a VPN, or IPSs. The Cisco IDSM-2 with Cisco IPS Sensor Software v5.0 helps users through the use of the following elements:
- Multi-vector threat identification: Detailed inspection of Layer 2-7 traffic protects a network from policy violations, vulnerability exploitations, and anomalous activity.
- Accurate prevention technologies: Cisco Systems' innovative Risk Rating feature and Meta Event Generator provide the confidence to take preventive actions on a broader range of threats without the risk of dropping legitimate traffic.
When combined, these elements provide a comprehensive inline prevention solution to detect and stop malicious traffic before it affects business continuity.
Cisco Intrusion Detection System Module (IDSM-2)
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Cisco
URL: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/
Cisco Guard XT
Abstract
Working in concert with Cisco Traffic Anomaly Detectors, Cisco Guards detect the presence of a potential DDoS attack, and block malicious traffic in real time, without affecting the flow of legitimate, mission-critical transactions, thus ensuring availability and business continuity. The Cisco Guard XT diverts traffic destined for a targeted device under attack (and only that traffic) and subjects it to the unique Multi-Verification Process (MVP) architecture from Cisco. The MVP architecture imposes multiple layers of defense designed to identify and block the specific packets and flows responsible for the attack while allowing legitimate transactions to pass, ensuring business continuity even while under attack. The Cisco Guard XT delivers multi-gigabit performance to protect the largest enterprises and service providers from distributed denial-of-service (DDoS) attacks by performing per-flow-level attack analysis, identification and mitigation to block specific attack traffic.
Cisco Guard XT
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
Developer: Cisco
URL: http://www.cisco.com/en/US/products/ps5888/
Benefits
- Provides network-wide, distributed protection from many attacks, exploits, worms, and viruses exploiting vulnerabilities in operating systems and applications;
- Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks;
- Unique, risk-rating-based signature event action processor dramatically improves the ease of management of IPS policies;
- Offers field-customizable worm and attack signature set and event actions;
- Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions;
- Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router;
- Supports nearly 2,400 attack signatures from the same signature database available for Cisco IPS appliances.
Benefits
- Zero-update protection reduces emergency patching in response to vulnerability announcements, minimizing patch-related downtime and IT expenses;
- Visibility and control of sensitive data protects against loss from both user actions and targeted malware;
- Predefined compliance and acceptable use policies allow for efficient management, reporting, and auditing of activities;
- Always Vigilant Security: The system is always protected, even when users are not connected to the corporate network or lack the latest patches.
Highlights
The Proventia protection engine employs multiple intrusion prevention technologies working in tandem to monitor, detect, or block these classes of network threats:
- Application attacks
- Attack obfuscation
- Cross-site scripting attacks
- Data leakage
- Database attacks
- DoS and DDoS attacks
- Drive-by downloads
- Insider threats
- Instant messaging
- Malicious document types
- Malicious media files
- Malware
- Operating system attacks
- Peer-to-peer
- Protocol tunneling
- SQL injection attacks
- Web browser attacks
- Web server attacks
Imperva SecureSphere
Abstract
Imperva SecureSphere 6 is an IDS/IPS that monitors network traffic between clients and servers in real time, analyzes that traffic for suspected intrusions, and provides a reaction capability. Reaction options include recording and monitoring suspected traffic and intrusion detection events, blocking traffic, and generating alarms containing event notifications. Database auditing allows the user to record selected user database queries for audit purposes. Web queries and responses can also be selectively recorded. In addition, monitored databases can be actively scanned to identify potential vulnerabilities.
SecureSphere
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Imperva, Inc.
URL: http://www.imperva.com/
Benefits
- Software and hardware appliance options;
- Available for 10, 100, 250, and 1000 Mbit/s networks;
- Tweak, tune, and create pattern-matching and protocol-decode signatures;
- Highly scalable and flexible management with Provider interface.
When used for detection, prevention, or both, the Intrusion SecureNet technology accurately detects attacks and proactively reports indicators of future information loss or service interruption. By using pattern matching for performance and protocol decoding for detecting intentional evasion, polymorphic attacks, and protocol and network anomalies, the SecureNet System protects critical networks and valuable information assets. The SecureNet family uses a hybrid detection model that permits quick and easy updating of network signatures. It also has a scripting language and graphical interface for tuning, tweaking, and creating highly accurate and very specific protocol-decode detection signatures.
Benefits
- Comprehensive security: firewall, IPS/IDS, DoS/DDoS, URL filtering;
- Real-time worm, spyware, and attack protection;
- Layer 3-7 firewall-based control;
- High-speed transparent URL filtering;
- VLAN and Network Address Translation (NAT) support in both transparent and gateway mode;
- Security domain (virtualization) for all security functions;
- High-availability support;
- Centralized management with hierarchical delegation;
- Web-based updates (software, attack signatures, URL database, etc.);
- Comprehensive real-time reporting and monitoring.
Features
- Stateful Signature Detection: Signatures are applied only to relevant portions of the network traffic, determined by the appropriate protocol context. This minimizes false positives.
- Protocol Anomaly Detection: Protocol usage is verified against published RFCs to detect any violations or abuse. Proactively protect the network from undiscovered vulnerabilities.
- Traffic Anomaly Detection: Heuristic rules detect unexpected traffic patterns that may suggest reconnaissance or attacks. Proactively prevent reconnaissance activities or block DDoS attacks.
- QoS/DiffServ Marking: Packets are marked using the DiffServ code point. Optimize the network and ensure necessary bandwidth for business-critical applications.
- VLAN-Aware Rules: Unique policies are applied to different VLANs. Apply unique policies based on department, customer, and compliance requirements.
- Role-Based Administration: More than 100 different activities can be assigned as unique permissions for different administrators. Streamline business operations by logically separating and enforcing roles of various administrators.
- Domains: Enable logical separation of devices, policies, reports, and other management activities. Conform to business operations by grouping devices based on business practices.
- ... capability available in each IDP appliance. Provide detailed real-time reports from each IDP appliance installed in the network without taxing the central IT organization.
- Profiler: Capture accurate and granular detail of the traffic pattern over a specific time period. Provide details on what threats are encountered by the network as well as the mix of application traffic.
Juniper Networks IDP
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Juniper Networks, Inc.
URL: http://www.juniper.net/us/en/productsservices/security/idp-series/
Lancope StealthWatch
Abstract
Lancope delivers behavior-based enterprise solutions that unify flow-based anomaly detection and network performance monitoring across physical and virtual networks to save limited resources. Leveraging NetFlow, sFlow, and packet capture, Lancope's StealthWatch System combines behavior-based anomaly detection and network performance monitoring to protect critical information assets and ensure network performance by preventing costly downtime, repair, and loss of reputation. StealthWatch eliminates network blind spots and reduces total network and security management costs. Delivering unified visibility across physical and virtual networks, StealthWatch provides network, security, and IT administrators with a single platform of network intelligence for all parties.
StealthWatch
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Lancope, Inc.
URL: http://www.lancope.com
McAfee IntruShield Network IPS Appliances
Features
- Security Audit: The IntruShield Intrusion Prevention system generates audit records related to the administration/management of the TOE (target of evaluation) and traffic logs for IDS information.
- Identification and Authentication: The IntruShield Intrusion Prevention system requires users to provide unique identification (user IDs) and authentication data (passwords) before any access to the TOE is granted.
- Security Management: The IntruShield Intrusion Prevention system provides a Web-based (HTTPS) management interface for all administration, including the IDS rule set, user accounts and roles, and audit functions.
- Protection of Security Functions: The IntruShield Intrusion Prevention system protects the security functions it provides through a variety of mechanisms. These mechanisms include the requirement that users must authenticate before any administrative operations can be performed on the system. The data transferred between the ISM and sensor is encrypted using a proprietary SSL implementation.
- ... The IntruShield Intrusion Prevention system has the ability to set rules to govern the collection of data regarding potential intrusions.
- System Data Analysis: The IntruShield Intrusion Prevention system provides tools to analyze both IDS traffic log data and audit information.
- System Data Review, Availability and Loss: The IntruShield Intrusion Prevention system provides a user interface for menu-selectable data review. The data stores of the raw collection data are limited only by the storage capacity of the platform and table management of the database.
McAfee IntruShield Network IPS Appliances
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL3
Developer: McAfee, Inc.
URL: http://www.mcafee.com/us/enterprise/products/network_intrusion_prevention/index.html
NIKSUN NetDetector
Abstract
NIKSUN's NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics, and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems, and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services, and infrastructure. NetDetector alerts on defined signatures and traffic patterns. Built-in modules provide complementary signature and statistical anomaly detection, thus locating the proverbial needles of actionable information in the haystack of raw data. Advanced reconstruction capabilities allow for detailed review of Web, email, instant messaging, FTP, Telnet, and other application content. NetDetector's highly intuitive Web-based GUI eliminates the need for a special client application.
NIKSUN NetDetector
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: False
Developer: NIKSUN
URL: http://www.niksun.com/Products_NetDetector.htm
Key Benefits
- 100 percent real-time visibility into the network;
- Continuous, in-depth real-time surveillance;
- Capture network events the first time and store events for post-event analysis;
- Drill-down forensic analysis to packet level;
- Signature and statistical anomaly detection;
- Advanced reconstruction of Web, email, instant messaging, FTP, Telnet, VoIP, and other TCP/IP applications;
- String search within application content;
- Advanced scheduled and on-demand reporting;
- Flexible and secure data export/import, including common third-party formats;
- Event Viewer with immediate paths from event to analysis, packet or statistical information, report generation, or application reconstruction screen;
- Unlimited storage (add as you grow);
- Secure and easy-to-use Web interface with Role-Based Access Control;
- Cisco IDS, Micromuse NetCool, IBM/Tivoli Risk Manager, and ArcSight integration.
NitroSecurity Intrusion Prevention System
Worms, trojans, spyware, and other malicious content; port scans, buffer overflows, DoS, and other attacks; protocol and traffic anomalies; malformed traffic, invalid headers, and fragmentation attacks; obfuscations and evasions; zero-day attacks.
- ... within your network topology;
- Correlation of NitroGuard flow and event data to other host, application, and third-party event data collected by NitroView receivers;
- Automated remediation, including blacklist capabilities.
When used with NitroGuard Database Activity Monitor (DBM), the system provides:
- Edge-to-core network protection
- Edge defense to prevent breaches at the
NitroSecurity Intrusion Prevention System
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL3
Developer: NitroSecurity, Inc
URL: http://nitrosecurity.com/informationsecurity/intrusion-prevention/
PreludeIDS Technologies
Abstract
The Prelude Open Source IDS was created in 1998. Since its creation, security engineers and specialists have enthusiastically contributed to Prelude in the spirit of Open Source. Prelude is a Universal Security Information Management system. Prelude collects, normalizes, sorts, aggregates, correlates, and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is agentless.
PreludeIDS Technologies
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: False
Developer: PreludeIDS Technologies
URL: http://www.prelude-ids.com/
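What ArcSight's SmartAgents and Prelude describe as collecting, normalizing, and correlating events from heterogeneous sources, shown as an added example. This is illustrative code written for this report, not either product's implementation. The two input formats are constructed approximations of an iptables LOG line and a Snort fast-alert line; the common event schema, the "recon-then-exploit" rule, and its window and threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Added example of SIEM-style normalisation and cross-source correlation.
# Not ArcSight or Prelude code. Log lines are constructed; the regexes
# approximate an iptables LOG line and a Snort fast-alert line.

FW_RE = re.compile(
    r"^(?P<ts>\d+) kernel: DROP IN=\S+.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*DPT=(?P<dport>\d+)")
IDS_RE = re.compile(
    r"^(?P<ts>\d+) snort: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>[^\[]+) \[.*\] "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize(line):
    """Map a raw line from either source onto one common event schema.
    Unknown lines return None so they are dropped rather than mis-parsed."""
    m = FW_RE.match(line)
    if m:
        return {"ts": int(m["ts"]), "source": "firewall", "category": "deny",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "name": "DROP"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": int(m["ts"]), "source": "ids", "category": "attack",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "name": m["msg"].strip(), "sid": m["sid"]}
    return None


def correlate(events, window=300, min_denies=5):
    """Rule (this example's assumption): at least min_denies firewall denies
    on distinct ports from one source, followed within window seconds by an
    IDS attack event from that same source, escalate to one incident.
    Neither source alone would be escalated: denies are noise on their own,
    and a single IDS alert from a previously quiet host is a lower priority."""
    denies = defaultdict(list)      # src -> [(ts, dport)]
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] == "deny":
            denies[ev["src"]].append((ev["ts"], ev["dport"]))
        elif ev["category"] == "attack":
            recent = {p for t, p in denies[ev["src"]] if ev["ts"] - t <= window}
            if len(recent) >= min_denies:
                incidents.append({"src": ev["src"], "ports_probed": len(recent),
                                  "trigger": ev["name"], "target": ev["dst"]})
    return incidents


def constructed_logs():
    """Constructed sample: one host probes seven ports and then trips an IDS
    signature; a second host produces one deny and one unrelated alert."""
    base = 1700000000
    lines = [f"{base + i} kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 "
             f"PROTO=TCP SPT=51000 DPT={port}"
             for i, port in enumerate([21, 22, 23, 25, 110, 143, 3306])]
    lines.append(f"{base + 40} snort: [1:1122:5] WEB-MISC /etc/passwd "
                 "[Classification: Attempted Information Leak] [Priority: 2] "
                 "198.51.100.23:51234 -> 192.0.2.10:80")
    lines.append(f"{base + 50} kernel: DROP IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 "
                 "PROTO=TCP SPT=4000 DPT=23")
    lines.append(f"{base + 60} snort: [1:2003:1] ICMP PING NMAP "
                 "[Classification: Attempted Information Leak] [Priority: 2] "
                 "203.0.113.8:0 -> 192.0.2.10:0")
    return lines


def run_demo():
    events = [e for e in map(normalize, constructed_logs()) if e]
    return correlate(events)


if __name__ == "__main__":
    for incident in run_demo():
        print(incident)
```

The normalization step is where most of the engineering effort sits in a real deployment: once every source lands in one schema with a common clock, a correlation rule is a few lines, but a parser that silently mis-reads a timestamp or swaps source and destination produces confident, wrong incidents.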
Q1 Labs QRadar
Abstract
The Q1 Labs QRadar product is an administrator configurable network security management and response system. QRadar collects and processes data both from network taps and from event collectors installed on network devices. The product produces prioritized security events by real-time event matching and by comparing the collected data to historical flow-based behavior patterns. The security events are then correlated by the product to produce weighted alerts, which are sent to the product users.
QRadar
Type: NIDS
Hardware: Required
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Q1 Labs, Inc.
URL: http://www.q1labs.com/
Benefits
- Reads network data in real time, including data from GB networks;
- Allows for amount of payload information to be
- ... event with the various types of raw data, normalized data, and Offences. As a result, weighted Offence alerts can be generated;
- Provides behavioral and event correlation analysis on surveillance information;
- Records results by date, time, and type;
- Generates internal events and their associated violations;
- Sends alerts based on analysis of defense perspective data;
- Provides security responses to block network security threats based on analysis of defense perspective data;
- Generates automatic reports on defense perspective data;
- Provides administrators and users the ability to review the defense perspective data they are authorized to view.
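The flow-based behavioral baselining that StealthWatch and QRadar describe (comparing current activity with a host's own historical flow pattern), shown as an added example. This is illustrative code written for this report, not either vendor's algorithm. The flow records are constructed; the two per-host features (distinct peers contacted and bytes sent per day), the z-score threshold, and the per-feature floors are this example's assumptions.

```python
import statistics
from collections import defaultdict

# Added example of flow-based anomaly detection: learn a per-host baseline
# from NetFlow-like records, then flag hosts that deviate from their own
# history. Not StealthWatch or QRadar code; records below are constructed.


def daily_features(flows):
    """Aggregate flow records (day, src, dst, dport, bytes) into per-host,
    per-day features: distinct (peer, port) pairs contacted and bytes sent."""
    peers = defaultdict(set)
    out_bytes = defaultdict(int)
    for day, src, dst, dport, nbytes in flows:
        peers[(src, day)].add((dst, dport))
        out_bytes[(src, day)] += nbytes
    return {k: {"peers": len(peers[k]), "bytes": out_bytes[k]} for k in peers}


def baseline(features, history_days):
    """Mean and population stdev of each feature, per host, over the
    learning window. A host with no history gets no model and is skipped."""
    per_host = defaultdict(lambda: defaultdict(list))
    for (src, day), f in features.items():
        if day in history_days:
            for name, val in f.items():
                per_host[src][name].append(val)
    model = {}
    for src, series in per_host.items():
        model[src] = {}
        for name, vals in series.items():
            mean = statistics.mean(vals)
            sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
            model[src][name] = (mean, sd)
    return model


def score(features, model, today, threshold=3.0, floor=None):
    """Flag hosts whose feature for `today` sits more than `threshold`
    standard deviations above their own baseline. The floor (assumed
    values) stops a perfectly regular host, whose stdev is ~0, from turning
    ordinary jitter into an alert. Returns (src, feature, value, z)."""
    floor = floor or {"peers": 2.0, "bytes": 50_000.0}
    alerts = []
    for (src, day), f in features.items():
        if day != today or src not in model:
            continue
        for name, val in f.items():
            mean, sd = model[src][name]
            z = (val - mean) / max(sd, floor[name])
            if z > threshold:
                alerts.append((src, name, val, round(z, 1)))
    return sorted(alerts)


def constructed_flows():
    """Five quiet days for two hosts, then on day 6 one host sweeps a /24 on
    port 445 (many small flows) and the other pushes 600 MB to a single
    external host (few large flows)."""
    flows = []
    for day in range(1, 6):
        for host in ("10.1.1.20", "10.1.1.30"):
            flows += [(day, host, "10.1.1.5", 53, 4_000),
                      (day, host, "10.1.1.7", 445, 900_000),
                      (day, host, "203.0.113.9", 443, 300_000)]
    flows += [(6, "10.1.1.20", f"10.1.2.{i}", 445, 120) for i in range(1, 201)]
    flows += [(6, "10.1.1.30", "10.1.1.5", 53, 4_000),
              (6, "10.1.1.30", "198.51.100.77", 443, 600_000_000)]
    return flows


def run_demo():
    feats = daily_features(constructed_flows())
    model = baseline(feats, history_days=set(range(1, 6)))
    return score(feats, model, today=6)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two day-6 hosts are caught by different features: the sweep barely moves bytes but explodes the peer count, while the transfer touches only two peers but dwarfs the host's normal volume. That is why a flow-based detector keeps several independent features per host rather than a single "traffic level", and why the learning window must be clean; a host that was already scanning during the baseline period teaches the model that scanning is normal.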
Radware DefensePro
Abstract
Radware's DefensePro is a real-time IPS that maintains business continuity by protecting IP infrastructure against existing and emerging network-based threats that cannot be detected by traditional IPS, such as application misuse threats, SSL attacks, and VoIP service misuse. DefensePro features full protection against vulnerability-based threats through proactive signature updates, which safeguard against already known attacks including worms, trojans, botnets, SSL-based attacks, and VoIP threats. Unlike alternatives that rely on static signatures, DefensePro provides behavior-based and automatically generated real-time signatures that prevent non-vulnerability-based threats and zero-minute attacks, such as application misuse attacks, server brute-force attacks, and application and network flooding. DefensePro offers adaptive, behavior-based protection capabilities at client, application server, and network levels. It immediately identifies and mitigates a wide range of network attacks (including non-vulnerability threats and zero-minute attacks) by automatically generating real-time signatures. The real-time signature engine is an adaptive multi-dimensional decision engine that deploys fuzzy logic technology for accurate attack detection and mitigation without blocking legitimate user traffic. DefensePro's behavior-based, self-learning mechanism proactively scans for anomalous network, server, and client traffic patterns. When detecting an attack, DefensePro characterizes the attack's unique behavior, establishes a real-time signature, and creates a blocking rule. A closed feedback mechanism dynamically modifies the signature characteristics as the attack unfolds and mutates, protecting against even the most sophisticated attacks with a high degree of accuracy. DefensePro rapidly and accurately distinguishes between three broad categories of behavior: legitimate normal traffic, attack traffic, and unusual patterns created by legitimate activity.
DefensePro
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
Developer: Radware
URL: http://www.radware.com/Products/ApplicationNetworkSecurity/DefensePro.aspx
SecurityMetrics Appliance
Abstract
The SecurityMetrics Appliance is an integrated hardware and software solution that provides advanced intrusion detection and prevention functionality that analyzes network traffic and automatically stops attacks.
SecurityMetrics Appliance
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: False
Developer: SecurityMetrics, Inc.
URL: https://www.securitymetrics.com/appliance_features.adp
Features
- Intrusion detection and prevention: The SecurityMetrics Appliance is an integrated hardware and software solution. It provides advanced intrusion detection and prevention functionality that analyzes your network traffic and automatically stops attacks 24x7.
- Vulnerability assessment: Perform unlimited vulnerability assessment scanning of an entire network. Schedule the scans to run at off-peak hours, receive emails whenever computer risk increases, and receive repair instructions in each security report.
- Firewall and router: Optional firewall and router modules are provided with each appliance. These modules complement and are compatible with existing network infrastructure and security equipment.
- Intelligent IDS technology: Each attack is compared to the vulnerability assessment database to confirm it is a real threat. If the attack is not a real threat, then an alert is not sent. This saves time, reduces false positives, and alerts you only when real threats are occurring.
Snort
Abstract
Snort is an open-source network intrusion prevention and detection system using a rule-driven language that combines the benefits of signature, protocol, and anomaly-based inspection methods.
Snort
Type: NIDS
Operating System: Linux
Hardware: Required
License: Open Source
NIAP Validated: False
Developer: Marty Roesch
URL: http://www.snort.org
snort_inline
Abstract
snort_inline is a modified version of Snort that accepts packets from iptables and IP firewall (IPFW) via libipq(linux) or divert sockets(FreeBSD), instead of libpcap. It then uses new rule types (drop, sdrop, reject) to tell iptables/IPFW whether the packet should be dropped, rejected, modified, or allowed to pass based on a snort rule set. This acts as an IPS that uses existing IDS signatures to make decisions on packets that traverse snort_inline.
snort_inline
Type: NIDS
Operating System: Linux
Hardware: Required
License: Open Source
NIAP Validated: False
Developer: William Metcalf
URL: http://snort-inline.sourceforge.net
Sourcefire 3D Sensor
Abstract
Sourcefire 3D Sensors are purpose-built network security appliances available with throughputs from 5 Mbps up to 10 Gbps. 3D Sensors running Sourcefire's intrusion prevention (Sourcefire IPS), network intelligence (Sourcefire RNA), and user identity (Sourcefire RUA) software can be deployed to protect all areas of a network: the perimeter, the DMZ, the core, and critical internal network segments.
Sourcefire Intrusion Detection Sensors
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: True
Common Criteria: EAL2
Developer: Sourcefire, Inc.
URL: http://www.sourcefire.com/products/3D/sensor
Features
- Fault Tolerance and High Availability: 3D Sensors are available with critical fault-tolerant features, such as fail-open copper and fiber ports, dual power supplies, and RAID drives, and each sensor supports an array of high-availability configuration options. With up to 10 Gbps of IPS throughput, latency of less than 100 microseconds, and fully redundant configurations, 3D Sensors meet the requirements of today's largest networks.
- Simple and Easy to Use: The plug-and-protect nature of 3D Sensors with Sourcefire IPS enables customers to easily install and configure their IPS with minimal effort and training. For customers with limited IT security resources, the process of tuning an IPS can be fully automated to ensure that each IPS is continuously optimized to protect the dynamic network environment. Using the Sourcefire Defense Center management console, customers can centrally manage up to 100 3D Sensors, analyze events, configure and push IPS and RNA (Real-time Network Awareness) policies, automatically download and apply Sourcefire's Snort rule updates, and much more. For larger deployments or distributed IT security teams, customers can leverage Sourcefire Master Defense Center technology to manage multiple Defense Centers and many hundreds of 3D Sensors across their entire organization.
StrataGuard
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: False
Developer: StillSecure
URL: http://www.stillsecure.com/strataguard/index.php
- True IPS functionality
- React instantaneously to attacks; drop offending packets (pre-emptive policies)
- Highest level of protection: attacks cannot penetrate the network
- Allows you to move from IDS to IPS functionality at your own comfort level
- Available with fail-open bypass switch
- Out-of-band deployment:
  - Triggers alerts and notifications of suspicious activity
  - Provides history of attack events
  - Forensic tracking
Features
- Provides prevention techniques that shield operating systems, applications, and services by defining acceptable behaviors for each function;
- Protects systems from misuse by unauthorized users and applications through system and device controls that lock down configuration settings, file systems, and the use of removable media;
- Provides monitoring, notification, and auditing features that ensure host integrity, system, and regulatory compliance;
- Enables cross-platform server auditing and compliance enforcement with a graphical reporting engine featuring multiple queries and graphic formats to visually highlight data.
Webscreen
Abstract
Webscreen has been developed to ensure uninterrupted service and minimum performance degradation for enterprise data centre and hosted service environments. Through its patented heuristic protocol, Webscreen intelligently monitors and filters Web traffic at the network perimeter, thereby maintaining connectivity for mission-critical services, and prioritizes bandwidth availability for core applications by identifying non-essential network traffic.
Webscreen
Type: NIDS
Operating System: N/A
Hardware: N/A
License: Commercial
NIAP Validated: False
Developer: Webscreen Technologies
URL: http://www.webscreen-technology.com/
AirMagnet
Type: Wireless
Operating System: Windows
Hardware: AirMagnet Enterprise Server: Intel Pentium-4 processor 2.4 GHz or higher (dual Pentium-4 Xeon processor 3.0 GHz or higher recommended), 1 GB of RAM (2 GB recommended for larger deployments), 20 GB hard disk space, 10/100 Mb Ethernet connection. AirMagnet Enterprise Console: Intel Pentium-class processor 2.0 GHz, 512 MB of RAM (1 GB recommended), 500 MB of hard disk space
License: Commercial
Cisco controllers.
AirSnare
Abstract
AirSnare is an IDS that helps monitor a wireless network. AirSnare generates alerts on unfriendly MAC addresses and Dynamic Host Configuration Protocol (DHCP) requests. If AirSnare detects an unfriendly MAC address, it provides the option of tracking its access to IP addresses and ports or of launching Ethereal. Version 1.5 may include unspecified updates, enhancements, or bug fixes.
AirSnare
Type: Wireless
Operating System: Windows
Hardware: Required
License: Open Source
URL: http://download.cnet.com/AirSnare/3000-2092_4-10255195.html
Components
- Server for Data Processing: Processing of wireless security data is performed in the server. The server can be set up in high-availability mode to maximize uptime.
- SpectraGuard Managed Network Console (MNC): Console to manage multiple servers.
- Wireless Scanners: Wireless scanners for on-demand scanning and 24x7 monitoring. Wireless scanners scan wireless activity at the locations where they are installed. Wireless scanner devices are also known as sensors. Wireless scanners transfer the scan data to the servers securely using industry-standard AES encryption.
- Web Browser: Web browser to access the user interface securely.
Features
- Integration with Aruba's mobility infrastructure;
- Scanning several across the 802.11 frequency spectrum;
- Rogue AP and ad-hoc detection, location, classification, containment, and DoS detection;
- Fully automated threat prioritization and response;
- Pre-configured compliance reporting;
- Centralized and Web-accessible monitoring, troubleshooting, and analysis.
Kismet
Abstract
Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and IDS. Kismet will work with any wireless card that supports raw radio frequency monitoring mode and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and, given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.
Kismet
Type: Wireless
Operating System: Linux
Hardware: Required
License: Open Source
URL: http://www.kismetwireless.net
Functionality
Motorola AirDefense provides a real-time snapshot of all 802.11 a/b/g/n wireless infrastructure, including:
- Real-time device discovery and connection analysis,
- Advanced rogue management with threat triangulation positioning,
- Automated protection with termination capabilities,
- Live view for traffic analysis,
- Wireless network usage statistics and health analysis,
- Capture file playback for off-site analysis and reporting,
- Advanced diagnostics tools for troubleshooting,
- Reporting capabilities.
SECTION 9
Acronym or Term: Definition
3DP: Three Dimensional Protection
ACL: Access Control List
AIDE: Advanced Intrusion Detection Environment
AP: Access Point
ASIC: Application-Specific Integrated Circuit
ATF: Active Threat Feed
ATLAS: Active Threat Level Analysis System
BotNet: Robot Network
CLI: Command Line Interface
DDoS: Distributed Denial of Service
DiD: Defense in Depth
DMZ: Demilitarized Zone
DNS: Domain Name Server
DoD: Department of Defense
DOS: Disk Operating System
DoS: Denial of Service
DTIC: Defense Technical Information Center
EAL: Evaluation Assurance Level
ESM: Enterprise Security Manager
ETM: Enterprise Threat Management
FTP: File Transfer Protocol
Gbps: Gigabytes Per Second
GB: Gigabyte
GHz: Gigahertz
GIAC: Global Information Assurance Certification
GLBA: Gramm-Leach-Bliley Act of 1999
GUI: Graphical User Interface
HBSS: Host Based Security Systems
HIDS: Host-Based Intrusion Detection System
HIP: Host Intrusion Prevention
HIPS: Host-Based Intrusion Prevention System
HIPAA: Health Insurance Portability and Accountability Act of 1996
HP: Hewlett-Packard
HP-UX: Hewlett-Packard-UNIX
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IA: Information Assurance
IAC: Information Analysis Center
IATAC: Information Assurance Technology Analysis Center
ICMP: Internet Control Message Protocol
ID: Intrusion Detection
IDP: Intrusion Detection and Prevention
IDS: Intrusion Detection System
IDSM: Intrusion Detection System Module
IIS: Internet Information Server
IM: Instant Messaging
IO: Information Operations
IP: Internet Protocol
IPFW: IP Firewall
IPS: Intrusion Prevention System
ISAPI: Internet Server Application Programming Interface
IT: Information Technology
JVM: Java Virtual Machine
MAC: Mandatory Access Control
Mbps: Megabytes Per Second
MB: Megabyte
MITM: Man in the Middle
MVP: Multi-Verification Process
NAT: Network Address Translation
NBA: Network Behavioral Analysis
NBAD: Network Behavior Anomaly Detection
NIAP: National Information Assurance Partnership
NIC: Network Interface Card
NIDS: Network Intrusion Detection System
NSk: Non-Stop kernel
Open SSL: Open Source Secure Sockets Layer
OS: Operating System
OSI: Open Systems Interconnection
PC: Personal Computer
PCI: Payment Card Industry
POSIX: Portable Operating System Interface
P2P: Peer-to-Peer
R&D: Research & Development
RAM: Random Access Memory
ROI: Return on Investment
SNMP: Simple Network Management Protocol
SOAR: State-Of-the-Art-Report
SOX: Sarbanes-Oxley Act
SQL: Structured Query Language
SSH: Secure Shell
SSL: Secure Sockets Layer
STI: Scientific and Technical Information
Syslog: System Log
TCO: Total Cost of Ownership
TCP: Transmission Control Protocol
Telnet: Telephone Network
TSE: Threat Suppression Engine
UDP: User Datagram Protocol
URL: Uniform Resource Location
VA: Vulnerability Assessment
VLAN: Virtual Local Area Network
VoIP: Voice over Internet Protocol
VPN: Virtual Private Network
W3C: World Wide Web Consortium
WIDP: Wireless Intrusion Detection & Prevention
WIPS: Wireless Intrusion Prevention System
WLAN: Wireless Local Area Network