NFR Appliance Nips, Analyzes Attacks

By eweek  |  Posted 2001-02-19

NFR Appliance Nips, Analyzes Attacks

NFR Security Inc.s updated NID software and Network Flight Recorder Intrusion Detection Appliance caught virtually all the attacks eWeek Labs threw at it, proving to be a great combo for IT managers who need to know when their network is under attack. Although using the appliance requires a minor workaround in a switched network environment, most system administrators should not find this problematic.

Like a virus scanner, an intrusion detection system can recognize only known attack signatures. Although this is limiting, NFRs Network Intrusion Detection software will catch the majority of hackers who use known exploits. Changes in Version 5.0 of NID include an expanded library of attack signatures, remote administration, advanced query capabilities and ability to manage the appliance from a Unix workstation.

NFR officials said they have specialists who identify new attack signatures and make updates available for download, generally within 24 hours.

Analyzing attack and probe trends over time is almost as important as catching them as they happen. Upon completion of eWeek Labs tests, we were impressed with the ability of the NFR appliance to make sense of a lot of data. We were able to perform ad hoc queries, produce graphs and create custom reports.

The intrusion detection market ranges from free open-source offerings like Snort (available from to Cisco Systems Inc.s Secure Intrusion Detection System, which starts at $6,120, and Internet Security Systems Inc.s RealSecure 5.0, priced at $8,995 for the central unit and $750 per server. RealSecure takes a different approach than Cisco and NFR, running intrusion detection on each host.

Version 5.0 of NID, which began shipping in December, and a hardened version of the BSD Unix operating system for the appliance cost $4,500; the appliance costs $2,700.

Minor Adjustment Required

We modified the Cisco 3524 Catalyst Switch on the test network to use the Switched Port Analyzer feature. This minor workaround let us program the switch to transfer traffic to the destination port and also to the port where the NFR appliance was, allowing port analysis in a switched environment. Although this did not cause problems on the test network, we believe that as the number of aggregated ports increases, performance will suffer. For larger installations where this may be a problem, the NFR appliance has distributed scanning and management capabilities, but their implementation requires the purchase of more appliances.

We installed the NFR console on a computer running Windows 2000 Professional. All other interaction with the appliance is made at this console. The testbed consisted of three more computers: one running Windows 2000 Server Edition, another running Windows NT 4.0 and the third running Red Hat Inc.s Red Hat Linux 7.0.

From the Linux box we used nmap, a Unix security-scanning utility, to probe the network for open ports and operating system signatures. All of nmaps port scans were immediately detected and generated pop-up and audible alerts; pager and e-mail alerts are also available. However, if a hacker slows the pace at which the network is probed with nmap, he or she can avoid detection.

A brute-force password attack against the FTP server on the Linux machine was also caught almost immediately, as was a slew of known attacks including buffer overflow, the ping of death, malformed http headers and scanning with bad IP addresses.

We also flooded the network with large file transfers to see if a busy network hid any hacks and scans. The only one that was hidden was the painfully slow scan from nmap.

However, the large traffic volume caused several false alarms because the intrusion detection appliance reported there was a Win Nuke attack under way. We added a filter to the alert mechanism to change the level of reporting to cure this annoying trait.

Network Intrusion Detection 5


Network Intrusion Detection 5.0


Version 5.0 of NFR Securitys Network Intrusion Detection software running on the companys Network Flight Recorder Intrusion Detection Appliance is a great tool for IT managers attempting to secure their systems in todays hack-happy society.

SHORT-TERM BUSINESS IMPACT // Systems administrators will immediately gain a better understanding of network traffic and attacks.

LONG-TERM BUSINESS IMPACT // With a better understanding of network attacks, systems administrators can implement a better defense. NFRs analysis tools will also help administrators get a handle on how to best deploy security resources.

Provides intrusion detection and notification when a network is probed with known attacks; analyzes attacks.

Requires some reworking of switched networks to transfer traffic to the port where the NFR appliance is; may not protect against new, unrecognized attacks.

NFR Security Inc., Rockville, Md.; (240) 632-9000;

Rocket Fuel