OneSecure Redefines Complete IDS

Updated IDP appliance includes wide range of detection methods.

OneSecure Inc.s intrusion detection and Protection appliance provides security-conscious sites with the most comprehensive intrusion detection package eWeek Labs has seen in the form of an easy-to-set-up, compact appliance.

OneSecures IDP 1.6 differs from other IDSes (intrusion detection systems) on the market in that it provides a wealth of intrusion detection methods. The IDP not only detects known attacks but also offers stateful signature detection, protocol anomaly detection, backdoor detection, Syn-flood detection, IP spoofing and a Network Honeypot in a single appliance.

IDP also distinguishes itself in its ability to minimize false alerts and to proactively (by dumping malicious traffic) prevent attackers from damaging a network. In tests, we found the IDP not only identified our attacks and intrusion attempts, but also dropped network connections.

Signature-based IDSes are useful in detecting known attacks but can generate many false positives, alerting IT managers to every probe and scan—even those that might not result in an actual attack. OneSecures unique Stateful Signature Detection allows the IDP to more accurately distinguish real attacks from Internet "noise." The IDP looks for patterns found in the packet sequence of an attack based on the protocol. Because the IDP matches the signature as well as the attack pattern, it can more accurately identify real attacks.

In tests, we could configure the IDP to look for known attack signatures and could fine-tune the system using its granular settings to hone its searches for malfeasance.

The IDPs Protocol Anomaly Detection sniffs out noncharacterized attacks by comparing traffic with the protocol specifications of normal traffic and looking for deviations. The Backdoor Detection technology can identify worms or Trojans that allow hackers to take control of network systems behind a firewall. The IDP has a unique method of detecting interactive traffic to stop backdoor attacks.

Of course, the IDP can only identify attacks and intrusion accurately when it is configured to run efficiently. One- Secure provides an easy-to-use GUI with pre-configured policies to allow companies to start protecting their networks right out of the box. Over time, administrators can fine-tune the granular settings to appropriately monitor their sites specific intrusion detection needs.

IDP Version 1.6 consists of a 1.75-inch, rack-mount Dell Computer Corp. PowerEdge 1650 server with a single 1.3GHz Pentium III processor, 1GB of synchronous dynamic RAM, an 18GB hard drive and three 10/100M-bps NICs. This system runs the IDP software on top of Red Hat Inc.s Red Hat Linux operating system hardened by OneSecure.

At $16,495, the IDP appliance is priced competitively with other IDS products in the market. Lancope Inc.s rival StealthWatch M50 and M100 appliances cost $15,000 and $20,000, respectively. (For eWeek Labs Nov. 8, 2001, review of the StealthWatch G1, go to

OneSecures IDP has a three-tier architecture (the IDP hardware sensor, the management server and GUI software) that allows the separation of the management functions from the IDS sensor. The IDP management server can be installed on the IDP sensor itself or on a Red Hat Linux 7.2 or Solaris 7 or 8 server. The Java-based user interface can be installed on another PC on the network running Windows 2000 or Red Hat Linux 7.2. The management server provides a centralized system that manages the IDP policies, configuration and logs generated by multiple IDP sensors.

The IDP can be configured to run inline or in promiscuous mode, like a sniffer. At most sites, it will make more sense to place the IDP directly behind the firewall; larger enterprises should place multiple IDP sensors at critical network segments.

In tests, we installed the management server on the IDP appliance and set up the system to run inline between two network segments. We installed Windows 2000 and Linux servers behind the IDP and used another Linux box as the attacker on the outside network.

We launched several exploits from the attacker system, including ciscokill and translate-f. A DoS (denial-of-service) attack, ciscokill can bring down the network by corrupting Cisco Systems Inc. switches (see screen); translate-f is a buffer overflow attack that targets Microsoft Corp.s Internet Information Services servers. The IDP accurately detected the attacks and dropped the malicious traffic protecting our network and the servers.

To test the IDPs Backdoor Detection capabilities, we modified the SSH (Secure Shell) services on the Linux server to run on a nonspecific port. We then used SSH from the attacker to hack into the target system. The IDP correctly identified the attack and alerted us to suspicious activity.

We were disappointed that the IDP does not support Gigabit Ethernet networks, nor does it provide hardware failover capabilities. The next IDP release, due at the end of this month, will include Gigabit Ethernet and failover support, according to OneSecure officials.

OneSecure provides a signature update wizard that, with a few clicks of the mouse, allows the IDP to quickly update its policies as new signatures become available from the Web.

Technical Analyst Francis Chu can be reached at