Securify Nabs Intruders

SecurVantage sniffer has attitude but takes gumption to fine-tune.

Securify Inc. has revamped its SecurVantage packet sniffer, adding an enterprise management console and automatic policy generation, enhanced reporting, and better alert management—improvements that make the product a top contender in the emerging space of network security management.

SecurVantage monitors are connected to the span port of switches in the network, and they scan traffic for unauthorized packets. The monitors send alerts to the central console in real time. We defined specific events such as FTP traffic as critical alerts. Critical alerts caused our Enterprise console to send an SNMP trap alert to our Hewlett-Packard Co. OpenView Network Node Manager console. This kind of interoperability is essential for enterprise-class products.

SecurVantage can also send e-mail or pages to a person. During tests at our San Francisco Labs facility, in conjunction with a Securify monitor at the PC Magazine Labs in New York, we found that the new enterprise management console worked smoothly.

SecurVantage is distinguished from other products because it can identify application layer traffic, specific servers and users on the network. The product uses policies to flag unauthorized traffic. Because the product does not affect network traffic—in other words, SecurVantage does not make new policies for firewalls or routers—it does not interfere with new traffic. For example, during tests, we authorized only HTTP traffic on a network segment. When we subsequently executed an FTP file transfer, we got an alert on our console about the violation.
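The allow-list approach described above (authorize only HTTP on a segment, alert on anything else, and escalate chosen events such as FTP to critical) can be illustrated with a small passive policy checker. This is an added example, not Securify's code or anything shipped with SecurVantage; the capture line format, the addresses, the policy table and the severity levels are all constructed for illustration. It also goes slightly beyond the text by letting a rule authorize a protocol only to a specific server, which mirrors the product's claim to recognize specific servers rather than just ports.

```python
"""Passive allow-list traffic policy checker (illustrative, constructed).

Mirrors the review's test: only HTTP is authorized on the segment, so an FTP
transfer produces an alert; FTP is classed 'critical' so it would be escalated
(for instance as an SNMP trap) rather than merely logged. Nothing here touches
the network; it only evaluates captured flow records against a policy.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed capture lines (not real packets): "src -> dst proto/dport".
CAPTURE = """\
10.1.1.10 -> 10.1.1.80 tcp/80
10.1.1.11 -> 10.1.1.80 tcp/80
10.1.1.12 -> 10.1.1.90 tcp/21
10.1.1.12 -> 10.1.1.90 tcp/20
10.1.1.13 -> 10.1.1.53 udp/53
10.1.1.14 -> 10.1.1.80 tcp/443
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) (tcp|udp)/(\d+)$")


def parse_capture(text):
    """Parse the constructed capture format into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        src, dst, proto, dport = m.groups()
        flows.append(Flow(src, dst, proto, int(dport)))
    return flows


# Constructed policy: (proto, dport, destination host or None for any host).
# Only HTTP to the designated web server and DNS to any resolver are authorized.
POLICY = [
    ("tcp", 80, "10.1.1.80"),
    ("udp", 53, None),
]

# Constructed escalation table: FTP control and data ports are critical.
CRITICAL_PORTS = {("tcp", 20), ("tcp", 21)}


def is_authorized(flow, policy=POLICY):
    """True if some policy rule permits this flow (protocol, port and, if set, server)."""
    return any(
        flow.proto == proto and flow.dport == port and (dst is None or flow.dst == dst)
        for proto, port, dst in policy
    )


def severity(flow):
    """Map a violating flow to an alert level."""
    return "critical" if (flow.proto, flow.dport) in CRITICAL_PORTS else "warning"


def evaluate(flows, policy=POLICY):
    """Return (flow, severity) for every flow the policy does not authorize.

    Running a saved capture through this before deploying a policy is the
    dry-run idea the review describes, and is how false positives get spotted.
    """
    return [(f, severity(f)) for f in flows if not is_authorized(f, policy)]


def summarize(alerts):
    """Count alerts per severity level."""
    return Counter(sev for _, sev in alerts)


if __name__ == "__main__":
    alerts = evaluate(parse_capture(CAPTURE))
    for flow, sev in alerts:
        print(f"{sev.upper():8} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print(dict(summarize(alerts)))
```

On the constructed capture the two FTP flows come out critical and the HTTPS connection comes out as a warning, because the policy authorizes only port 80 to the web server; that last alert is exactly the kind of false positive the review says must be tuned away before a policy goes into production.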

This is in contradistinction to the tack taken by competitive products such as Lancope Inc.'s StealthWatch or Symantec Corp.'s ManHunt (part of the Recourse Technologies Inc. acquisition). These products monitor the network for several weeks or even months to generate a profile of normal network traffic and system behavior. When anomalies are detected, an alert is sent. Some of these products can also suggest policy changes that enable network equipment to stop suspected attacks.

eWeek Labs tests of SecurVantage showed that although it allowed us to quickly create policies, it must be fine-tuned to really scope out networks—and that fine-tuning takes time. Depending on how often applications and traffic change on the network, tweaking SecurVantage could take as long as working with one of these other products.

In addition, IT managers will need to devote a high-level security manager to the initial setup. Initial policy creation takes only minutes, but we suggest reviewing traffic rules to minimize the number of false-positive alerts. This takes time and expertise.

SecurVantage started shipping in November and starts at $40,000, which is in line with other products in this category. IT managers should keep in mind that Securify is a relatively new company that has its roots in consultancy. But despite the relative youth of the product, we had only minor problems with the setup—including a mismatch in system times that caused one display to read incorrectly. Once the system times were matched, the problem was resolved.

We tested a version of SecurVantage that is shipped on a 1U (1.75-inch) Dell Computer Corp. 1650 server with 1GB of RAM and a 750MHz processor. We used seven of these servers in our tests, with two of the seven at sister publication PC Magazine, in New York, configured as a SecurVantage Monitor. We configured four more 1650s as two monitors at eWeek Labs. The SecurVantage Enterprise Manager was also installed on one Dell box at the San Francisco Labs offices. We connected each monitor to a traffic mirror port on our Cisco Catalyst 2900XL switches.

We placed the SecurVantage monitors as close to the edge of the test network as possible to maximize the amount of traffic the monitors saw.

With the assistance of a Securify consultant, we used a module of the product called SecurVantage Studio to create monitoring rules. We captured network traffic and then ran it against the rules we made in Studio to see the results before putting the rule into production—a very cool capability. This is a good facility to help minimize the number of false-positive alerts, always a good thing in network management tools.

After creating rules, it was a simple process to centrally distribute them to the various SecurVantage monitors. Each of the monitors tracked traffic behavior for its policy domain, a Securify term for the portion of the monitored network. Enterprise Manager transmitted rules to the monitors via Secure Sockets Layer encryption, using security certificates on both the Enterprise Manager and the monitor. Organizations that use public-key infrastructure can incorporate SecurVantage into their existing system without much trouble. We think this is a satisfactory method for ensuring that bad actors don't modify the traffic monitors. The systems run a hardened version of Red Hat Inc.'s Red Hat Linux 7.2 that is optimized for network management performance.

We used an Ixia Inc. Ixia 1600 traffic generator to lay down large amounts of traffic on our network. In addition, we layered traffic from NetIQ Corp.s Chariot traffic generation tool to provide enough traffic for SecurVantage to generate its traffic policies.

Despite the high traffic rates on the test system, SecurVantage was able to spot all the unauthorized traffic that we tried to sneak onto the network.

Senior Analyst Cameron Sturdevant can be reached at