Enterprise Networking - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Enterprise Networking


NFR Appliance Nips, Analyzes Attacks



 By: eWEEK
2001-02-19
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Networking story.


  Table of Contents:
  1. NFR Appliance Nips, Analyzes Attacks
  2. ' Network Intrusion Detection 5'

Rate This Article:
Poor Best
NFR Appliance Nips, Analyzes Attacks
( Page 1 of 2 )

NFR Security Inc.'s updated NID software and Network Flight Recorder Intrusion Detection Appliance caught virtually all the attacks eWeek Labs threw at it, proving to be a great combo for IT managers who need to know when their network is under attack.

NFR Security Inc.s updated NID software and Network Flight Recorder Intrusion Detection Appliance caught virtually all the attacks eWeek Labs threw at it, proving to be a great combo for IT managers who need to know when their network is under attack. Although using the appliance requires a minor workaround in a switched network environment, most system administrators should not find this problematic.

Like a virus scanner, an intrusion detection system can recognize only known attack signatures. Although this is limiting, NFRs Network Intrusion Detection software will catch the majority of hackers who use known exploits. Changes in Version 5.0 of NID include an expanded library of attack signatures, remote administration, advanced query capabilities and ability to manage the appliance from a Unix workstation.

NFR officials said they have specialists who identify new attack signatures and make updates available for download, generally within 24 hours.

Analyzing attack and probe trends over time is almost as important as catching them as they happen. Upon completion of eWeek Labs tests, we were impressed with the ability of the NFR appliance to make sense of a lot of data. We were able to perform ad hoc queries, produce graphs and create custom reports.

Resource Library:

The intrusion detection market ranges from free open-source offerings like Snort (available from www.snort.org) to Cisco Systems Inc.s Secure Intrusion Detection System, which starts at $6,120, and Internet Security Systems Inc.s RealSecure 5.0, priced at $8,995 for the central unit and $750 per server. RealSecure takes a different approach than Cisco and NFR, running intrusion detection on each host.

Version 5.0 of NID, which began shipping in December, and a hardened version of the BSD Unix operating system for the appliance cost $4,500; the appliance costs $2,700.

Minor Adjustment Required

We modified the Cisco 3524 Catalyst Switch on the test network to use the Switched Port Analyzer feature. This minor workaround let us program the switch to transfer traffic to the destination port and also to the port where the NFR appliance was, allowing port analysis in a switched environment. Although this did not cause problems on the test network, we believe that as the number of aggregated ports increases, performance will suffer. For larger installations where this may be a problem, the NFR appliance has distributed scanning and management capabilities, but their implementation requires the purchase of more appliances.

We installed the NFR console on a computer running Windows 2000 Professional. All other interaction with the appliance is made at this console. The testbed consisted of three more computers: one running Windows 2000 Server Edition, another running Windows NT 4.0 and the third running Red Hat Inc.s Red Hat Linux 7.0.

From the Linux box we used nmap, a Unix security-scanning utility, to probe the network for open ports and operating system signatures. All of nmaps port scans were immediately detected and generated pop-up and audible alerts; pager and e-mail alerts are also available. However, if a hacker slows the pace at which the network is probed with nmap, he or she can avoid detection.

A brute-force password attack against the FTP server on the Linux machine was also caught almost immediately, as was a slew of known attacks including buffer overflow, the ping of death, malformed http headers and scanning with bad IP addresses.

We also flooded the network with large file transfers to see if a busy network hid any hacks and scans. The only one that was hidden was the painfully slow scan from nmap.

However, the large traffic volume caused several false alarms because the intrusion detection appliance reported there was a Win Nuke attack under way. We added a filter to the alert mechanism to change the level of reporting to cure this annoying trait.





  Reader Comments: NFR Appliance Nips, Analyzes Attacks
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Enterprise Networking Articles          >>> More By eWEEK
 


x}r*({Ew{lcؖgfwKEĘ"yH%{^վ>vMZe쎧Ɩ4Fw?H9wtô'1%3t;D{{}.ЇP|oSo92t$E%U5ExLԸ#|Ow0{ Vb}" @D%\.fI"0iMmd:~Hs|T㍒~7jy%R+ iɥz4JR ])1N,ԐX;~K~2/NM퓳NlM,O!R42V,]?c;sDutqӹluoz{MZ폝vI3 a ׵Vy['^=z?Yz>5409;RZIjg$Zݓ6Py$Y)r"/ !}O}nr2GrI/o"/K$jȱo>0@|Ӡdq, ߱n\S;G`ho__ VYKS703K_s;j\K}0[=RFp JpJq䰉c,XSl \Mo4x M2X $}ВYtBFxa:]R$y3DDȝ g/3E94>BzBp4_~aϨ>s|V궝x>:AGAticŦh4@MMrӇtu4A.~{ݣn]?'tno7,Abχ@a`ΨsZ LP"AЂMx>tT؎]6}l2w9;-(;hk=`DkwCPb1(բ!Tg,zu= H X./ l~>4-0%Km;r-FaADأ$@!"-i]NP@Ar68 -8,rr/~Cy-#!bTLZ(ݞH:w&@-hƚTL٣XB ^X/_2әJRj2m8-&D7r"e.G7Kቖ6F5oY,*GV+WMz92a z {[W5ܴ ҄%(N@Z:' 5$&.*lhAP9o@Cys;J`p=f"hZ5{0]@kwtlQ̴a85GS9_A\!4Lh,G7uIT5I5);eڷTۊv!39n! hW.Y 2cxRUyRt+[fnR>Mr=&"ǰ@7>`(^HIbЙj!@)zէl.>3-[7˦buc"$lJʴ.Z*Z!d[o0Ԣ(`|M(" !tsaʹ,C /0q6Omj+CoLrCm0 Ǧ"}ZlB{Ow]1W=PZ`!?RP$' q/#Y XTر,>1}6Ⱥ a(Juѧȅi@s@M~N!3pPQ@1"N;t/#_.sz>UF>3 $#о'hʰeh8`Zzq&$sD(Mܧh&\3atSM副3 i0ցq_HEy[pp\U.(L,:j1-[ Hg [Qzo3C zoA$zcK& GGsݧ==1g *3@{@hVBc{ZYUKZTPYaPs1)'@S$f|`g<ڗ_ޝ?4Mc'67_0t*tȕ`s|eLFjAB;?kJB4By^Ypw\pR "(87~Ɋ`3 خ crFmhv~:N HQj89G& B1FGF'%:"pwC*2GԻ5ebՈG:`JEWFlJ瞏+ӥ ,ć# 4k 0Y[ ⺪TjՂʾ_YN_7{%|h#R @ `! Kx{ZCAk1۩Dw\܁c2P>H(Tg7gME]ac6U{zn&)Z-MӓU;4zJ幛>67/=Ǐt[̍<9E7"=_`%SQl7xv@̬}#u6霎0 M<G\մRb/Y`#1s*? << Rglס3i21󓫻Z+U c ׃nc>GsWnj*r66~ z&zi1bZ`7=3#[4QkX9 2<`(Z6Xk q Iv/K̽~jL-}TJJ\ӳ (Jq$ {2u9p\sG3~a,0t&o\#A`|l'8oy U8e3 S`e3˕2~g^`. JU-~ txAcEi\khkc_ȕ?"⃨j4 J7O \v[/ha~%36R-ܛ`,@N|K]kl`\ASf<^ΐےtKק~ 6=B.SnIoΛZx\[ XLh;yX^5eX$fPVVjM@iUI+T Z}̡2a{і$}/\EI'sSfn G`@|7=#S$·RiEmT)玾ߓN\cĵ) rZ: #ɢ\' WeRU8J3 ,O$%,t=ǃۻmpI74!,KVCR:"jueK\4߷p-:%5ރ4 `i8~{DC?rfWϊ۫fչ|/]:li?`y Bran߽p.;K'5?wD;m)^{%<rDp'Bjw_$'d0 srn^'7b7L`jX&IEyD#Sk!F4 H0 BX׭5' ^t%V}Xq!q6(FG<]?T+[Ě_f?B!|JgG<؇AP#{ z P)'$N):cϻ;$BL0BD_XJI!)W$f'e*K6z?"iZ7* Í7E馺@7dj#J M5"v=O[?qu#1ðaTwd e~=m2첰nIlx8c%RLɔ&]'C8 z>SB&T ˓$-I^O eqj ieʒ~(i'1ۡ ҡۓ]5/G8{Pt.+ͥ0i8;=?P.V=w)c9|s\nW gt!&HK.}<﷯IS 09n~%H@R`@wGL|9~ÿ§ ' ;s]#'伉q+^QW{2.}?H/K턟ݖisP!OKdLg!I ɫ׺w7}Y9sJeOVr{ld+N$Qd1 0dƛ'a=+#{G{ {!F.u01쯌s@k~=ϸ2]a^R/o}VZtCqD &^--^\RK>\+U뀞< h`#Fm`"fFs8EE[o\gmef7cŸց!{ Rb'MNi zc{ƹ39@*yx\[w5&P)<A~F<v4);7yΛz}hn;d⫆ܖ~@F' zYXW+*/[QVD3>>dzQc%F}?^Sϗt8/`8?6#,Ӝi` LtձW, }mraQ:F {+Sah[o<L}֨Og k[˼HɺW?R[)k&Go9O?*Q@)I0E\`@MΜ{): $h;XS{"`OPWD16A .=9v1mנRSI2YqF <^JV&-> )p$tA GUy^"VrK| tT&r<vZl -9|'Cq$e1@ X*j9 6NPјN0_ =2*6CVCf9Z L K}gzlWlel L Ig0rxoJc:%rP#a?;ˌF-g>N+bﱠb 7,a;ndb%޴,xDdIJ]y'0s؃HQ>=SLgIϴ!#CBrӖ'hxꐬdpe1'9DNLN}( >3B$= 1'UI -> T#%[c.t{wT4AuH`@v.bbJjF $ $a 1T"FڄpeG4v{'R+JJYRےZ%I-Mk?*6%PgQ֨gU;1[C5c&%0>0aΤsZf}cxA O0$RK0hYPۿhRٖd*N2(1!- 0jRwS'9Կ71sԚR *9C;a51vk @')诋 Iǧ1||Y7,[ԘP(`yτƳڒNSB} h CZ۔@ g&ћvS߫s)ޮqHX=BDEWU$Xq3yW"'<cmdo9VԙsGN_:Y VYl#ᭅi` ~u,y%qǽx;% ~_UOrL7{jbMAT%JxU«+kmF-ٜh &% C2{%B@>&D &Y2uFpтEiI ף8^]KQj<4Wy)ę .t K)&= 4ow%LZ6qDKHUC0ö_H-cxZMHE_72};,S| [sLFu\bD+c=4(&>iO٥xgˆV0 fe@.!v{c/Ds"t73(1*6ď\m 8| cNOcl<˻֍s~l@?Wx҉n昤u.,0UUNoty(1,`0U'^5<~"Oh^Ose1}vtK2|чy=oH@85QY'6 [IHgs;wRPcEX1̭-yUdn;RÔ#VjpsA.p=yW`A|`߱1 נ 8wiQ+|j~r~i/m~ cȗ+`5-kw2$/dM E3(hMVLm!90 h61#a|?ݝ{Cя"vvh2݀wJ*k+Hr#-sx_h k'ΐ[?qñŃM̟OˮOq\dIw'y{Dd:aI¿G)G3E;L4}Su&\[{Wꏉ+T= ? KL)`G%|ݔB~0g}ޥ~ J5?4+Oηw 2E~RtnU;@ u&=Dfן|' FZYݵ#꞊ZGkRX SW$5d &BaD0‡ΔqG G#08ߋ.>"%KRku+N ߥtc [c+w#UA_e:-0Q5]]\U B-~0[h1zi <)fF<{i ?Ll_zZ3>{i kj_ڹ&qwzRKovwO%թHz -ݾ]yr:h 7pKm$:s'ң8*%>F6tkeL٦ƗRµIʥ rQ Dc'2&EbwW 2i#7Cy^Ywqݗ'V5U*2l1mX5,g:MQZ#xم9ꁇI\G:g~`䥒V,T˩uZḁ=X2xof(F<<~Q,턂R!FғR71l˖C/0经UztWc| 0%pg|%5Fo[q{e>dg%ƴ#/0۱px6-Rý<&HPjߙc#/Vk0,9)KxfV-j%VG4K,20q8 rۺm6A`Wt KP?K }+6a^ ʵxd=-&TQaLs\_Ō\>fF+iAwcsDOcLy&_*J@(fYir' o.GYo/>VHE*o[Z2_D_tK|gQL󛐏n5aT0|LD}d+VzK"?{|kh:Mx\Hu /`< w{̥7f?= n9N9ǃ"Ba=X@:>IoH !]F”0\'6K윓M﷯{a/4p(M~i^<y(A >4?xa9˝yP$ERdi"y»򽉡:ςإ)s)aR;(}uR_ GMMo )n}>e;Mj^+Q_<r<(( 3ʯzsI(QޅnF9Rzsy pjg@Si~Cg(ku6wZFQd3ˌr'r_z埠s]"c~.`Y\d1 ϋ ȠOˌ_~gP~Q(GF_d^f%e\]f_O7CtAt3U}\A@?Ӄ2߃2g_W(us?f>f#cn&&~oon2/$)CAy3ϚWpzz;"9(/R*Ȫ_~*%iFy 3YY zvAeX^e\512ௗeߧdnle~\t[u CFWz^Syڞ馵pۭ]n@+G{1Ti k{ʳyHGW4<< X1rnmŚ/JYy8* t!=}}Zź-(s#h603.Ñp[{剹?|k2Fs?`fEـ@' @8pmঠϻH-Ak0.: 7WiMnڧ[v<2kSյ/kp'k͠~%s"N^'K_u}ςoDBN$p g;6^a /`xIO15D =C}58]WiTt8&3O7#ؑ:ɹT.jZQo\)Uʹ俓kD2L(8 "(rjUUEVro9 VVjb`"! ^x|Femƫ9 C8b{hDŽ[ɖ^cwp E?FG'&|lu^ʘ@,% eȢHᄽIЯ!1` }HTROcoy=u YI N?rl{IW1hӐEX%#lŒh"b( N>@O,#CgAa&38M "7.@cmc߻C{ NMx cx([Lot_=F.t7 \V=w[p*08k~CBadakf!tmTNx6)G)Y1_f5O3wzqUIML_b aM{;jsqSHL#hOW[l,&1{;sH.ZԿsg:-C{1L9 H\},.q " 2HH 2s{D|%{Z{JF!L%؉GΗcӄ0\8Fg, {+|#e VIu;WdԢԱ"tHϱ=8YƄ)5Y~l'PUE'0P;Cb K #wgY{6DOn fiy] ,pd+7!31Q1jkI/?tI3軱Wx&%}YQ v|.yzc[?B^!t#R.܋OFې/)0XPy4w)n9wa3[T:KDePީiH@_v܅iUhHm;:h2֭0kc'pG !MX|wVulÝg8G# dd9a7rWu`'~"V[CA6p8_@&s ܐ}oDI COxr8ˤ`+g~v0q=Ķ2|R4ϜUpvRvcdLwsM`tM2cQ!*EcۮS3̜ċOgW<2ZP'yQ;Z?] m-!k8~m=fҮT)V"ʕ.Sܟ=Cʗa҃fnA_{QAbf]s:#vAѺ v7" a^n1n-/ـ9@/":xqea @T*zO;f?Pv/is鐇T3t[?<; O5z}B=FBl4*7y:?CK/ﯻ.[RhIw׭v޻jZ񞞽T7v r9F˳p7*РtMjez'14ɋmEg,(3lW'5X-lu; o]jm٦d U4s_jj՗"mxTɉ|Y+z[;6Nw6ȄM b7;a1Բ )