NFR Security Inc.s updated NID software and Network Flight Recorder Intrusion Detection Appliance caught virtually all the attacks eWeek Labs threw at it, proving to be a great combo for IT managers who need to know when their network is under attack. Although using the appliance requires a minor workaround in a switched network environment, most system administrators should not find this problematic.
Like a virus scanner, an intrusion detection system can recognize only known attack signatures. Although this is limiting, NFRs Network Intrusion Detection software will catch the majority of hackers who use known exploits. Changes in Version 5.0 of NID include an expanded library of attack signatures, remote administration, advanced query capabilities and ability to manage the appliance from a Unix workstation.
NFR officials said they have specialists who identify new attack signatures and make updates available for download, generally within 24 hours.
Analyzing attack and probe trends over time is almost as important as catching them as they happen. Upon completion of eWeek Labs tests, we were impressed with the ability of the NFR appliance to make sense of a lot of data. We were able to perform ad hoc queries, produce graphs and create custom reports.
The intrusion detection market ranges from free open-source offerings like Snort (available from www.snort.org) to Cisco Systems Inc.s Secure Intrusion Detection System, which starts at $6,120, and Internet Security Systems Inc.s RealSecure 5.0, priced at $8,995 for the central unit and $750 per server. RealSecure takes a different approach than Cisco and NFR, running intrusion detection on each host.
Version 5.0 of NID, which began shipping in December, and a hardened version of the BSD Unix operating system for the appliance cost $4,500; the appliance costs $2,700.
Minor Adjustment Required
We modified the Cisco 3524 Catalyst Switch on the test network to use the Switched Port Analyzer feature. This minor workaround let us program the switch to transfer traffic to the destination port and also to the port where the NFR appliance was, allowing port analysis in a switched environment. Although this did not cause problems on the test network, we believe that as the number of aggregated ports increases, performance will suffer. For larger installations where this may be a problem, the NFR appliance has distributed scanning and management capabilities, but their implementation requires the purchase of more appliances.
We installed the NFR console on a computer running Windows 2000 Professional. All other interaction with the appliance is made at this console. The testbed consisted of three more computers: one running Windows 2000 Server Edition, another running Windows NT 4.0 and the third running Red Hat Inc.s Red Hat Linux 7.0.
From the Linux box we used nmap, a Unix security-scanning utility, to probe the network for open ports and operating system signatures. All of nmaps port scans were immediately detected and generated pop-up and audible alerts; pager and e-mail alerts are also available. However, if a hacker slows the pace at which the network is probed with nmap, he or she can avoid detection.
A brute-force password attack against the FTP server on the Linux machine was also caught almost immediately, as was a slew of known attacks including buffer overflow, the ping of death, malformed http headers and scanning with bad IP addresses.
We also flooded the network with large file transfers to see if a busy network hid any hacks and scans. The only one that was hidden was the painfully slow scan from nmap.
However, the large traffic volume caused several false alarms because the intrusion detection appliance reported there was a Win Nuke attack under way. We added a filter to the alert mechanism to change the level of reporting to cure this annoying trait.