IntruShield thwarts cyberthreats

Product review: IntruVert Networks' IntruShield is a next-generation intrusion-detection system that stops intrusions and denial-of-service attacks

An intrusion-detection system alone will not keep every intruder from sneaking into your network. For a truly effective defense, you must combine intrusion detection with a capable firewall, an antivirus system and a network configuration that capitalizes on best practices.

Until recently, intrusion-detection systems have mainly been used to interpret network transactions, much like a protocol analyzer. Most often, such systems did nothing about offensive traffic; they merely reported what was happening on the network and, at best, sent alerts to network administrators about suspected problems.

IntruVert Networks Inc.'s IntruShield is a next-generation intrusion-detection system with intelligence capable of not only detecting offensive traffic, but also blocking it before it enters your networks.

We evaluated the IntruShield 2600, which is a sensor appliance capable of real-time detection at speeds of up to 600 megabits/sec. Its big brother, the IntruShield 4000, can work with traffic speeds of up to 2 gigabits/sec.

The sensor appliance is the first part of the system. The second part is management software that runs on a separate PC. We used IntruShield Global Manager, which is capable of managing several hundred sensors. There is also a lighter-weight IntruShield Manager that supports up to three sensors.

Installing the IntruShield system took less than an hour. We began, as most customers will, by using the default settings and policies. However, we soon realized that the system was reporting several network events that were not related to intrusions. Some Microsoft Corp. Windows 2000 workstations were unsuccessfully attempting directory access, and some packets had invalid IP addresses. IntruShield clearly explained these errors and also gave us references to further information.

With a bit of manual tweaking to the IntruShield sensor, we were able to disable those alarms, but this solution was not optimal because the alerts could have resulted from a real attack. With the aid of IntruShield's Help function we were able to find the malfunctioning hosts and fix them so that the alarms could be enabled again.

Because the manager server can be operated via a Web interface, we decided to move our observation post to a location across town. We logged into the server using a virtual private network over a Secure Sockets Layer-encrypted cable modem. The performance was so good it was almost like sitting in front of the management server.

Much of this good performance must be attributed to the management server PC that we borrowed from IntruVert. It was a generic dual-processor, 1.13 GHz host with 4G of RAM, running the Apache Software Foundation's Web server and Tomcat as the JavaServer Pages application server. We applaud IntruVert for using these open-source components.

From our remote PC, we began exploring the many pages in the management server's Web interface. Because each page presented only a small set of information on the screen, we realized only gradually the immense number of features and extraordinary amount of control that we had over the system.

The Alert Viewer is where most of the excitement takes place. It is the administrator's one-stop information shop when someone screams, "We've been hacked!" In the past, when a system was under attack, the systems administrator had to rely on educated guesswork and painful experience. With this product, the administrator can drill down from the Alert Viewer to see events as they happen in real time. He or she can even access a long history of packet-level information.

We began our simulated attacks with a "vanilla," or unmodified source, port scan against our test host using Insecure.org's Network Mapper (www.insecure.org/nmap). This scan, which opens a full TCP connection to many well-known ports, was detected immediately by the IntruShield sensor's default exploit policies.

Then we performed a "half-open" TCP synchronization scan to simulate the start of a denial-of-service attack. Such scans do not fully complete the normal TCP connections, thus leaving the target server waiting for responses. Our test scan was not detected. We discovered that the "reconnaissance" filters that detect such activity must be enabled for each interface, and they are not included in the global policy that governs exploit detection. However, it was easy to turn the filters on, and in a few moments, the sensor was reporting our scans.

With some experimenting, we found that by increasing the timing intervals on our port scans, we were able to avoid detection by the sensor's default timing policy. This is an excellent example of a setting that must be tuned for each individual network. You may elect to make policies more sensitive on publicly exposed interfaces but allow a more liberal timing policy on trusted inside interfaces. We were impressed by the extraordinary degree to which you can manage policies throughout the system.
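The timing trade-off described above can be shown with a small threshold detector. This is an added example, not IntruShield's logic (which the vendor keeps confidential); the policy names, window lengths, port thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

# Hypothetical policies: flag a source that touches `ports` distinct
# destination ports within `window` seconds. Values are illustrative only.
DEFAULT_POLICY = {"window": 60, "ports": 10}
POLICIES = {
    "public": {"window": 900, "ports": 10},  # sensitive: long memory
    "inside": {"window": 60, "ports": 25},   # liberal: trusted segment
}

def detect_scans(events, policies=None):
    """Return sorted (interface, src_ip) pairs that exceeded their policy.

    events: (timestamp_seconds, interface, src_ip, dst_port) tuples,
    ordered by timestamp. Interfaces without an entry in `policies`
    fall back to DEFAULT_POLICY.
    """
    policies = policies or {}
    recent = defaultdict(deque)  # (iface, src) -> deque of (ts, port)
    flagged = set()
    for ts, iface, src, port in events:
        policy = policies.get(iface, DEFAULT_POLICY)
        probes = recent[(iface, src)]
        probes.append((ts, port))
        # Forget probes that have aged out of this interface's window.
        while probes and ts - probes[0][0] > policy["window"]:
            probes.popleft()
        if len({p for _, p in probes}) >= policy["ports"]:
            flagged.add((iface, src))
    return sorted(flagged)

def constructed_scan(iface, src, interval, count=20):
    """Constructed sample data: one probe per port, `interval` seconds apart."""
    return [(i * interval, iface, src, 1 + i) for i in range(count)]

def sample_events():
    fast = constructed_scan("public", "192.0.2.10", interval=1)
    slow = constructed_scan("public", "192.0.2.20", interval=30)
    return sorted(fast + slow)

if __name__ == "__main__":
    print("default policy:", detect_scans(sample_events()))
    print("tuned policies:", detect_scans(sample_events(), POLICIES))
```

Under the single default policy only the fast source is flagged; with the longer window on the public interface both are, while the liberal inside policy tolerates the same probe pattern from a trusted segment.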

Nessus (www.nessus.org) and SAINT from SAINT Corp. (www.saintcorporation.com) are security-auditing tools that launch a variety of sophisticated attacks on servers or workstations. We first ran Nessus and then SAINT against our test workstation protected by IntruShield. IntruShield issued an alert when the programs executed their attacks. In real time, IntruShield gave us instant access to a general description of each attack.

IntruShield's reporting features are excellent. If an Internet service provider requires logs to prove an incident, IntruShield provides the evidence, clearly presented in PDF files.

It is easy to see how IntruShield could earn its keep in a crisis. The system identified a wide variety of attacks. With a few clicks of the policy editor, we were able to drop offensive traffic, thereby hiding the network's vulnerability from the attacker. If it is too risky to deny a certain kind of traffic, you can choose to watch certain IP addresses. When you determine that you are being probed by a particular IP address, you can create a user-defined attack signature that will alert you when that IP address sends traffic to your network.

How IntruShield detects so many attacks is confidential information. But we do know that the company uses a combination of signature detection, stateful traffic inspection (a firewall technology that matches inbound packets with the sources of previous outbound requests), anomaly detection and denial-of-service detection. Their signature files can be downloaded manually or automatically sent to the user as needed. Their signature files are large and include detection of a number of Internet worms.

In high-stakes environments that deal with sensitive or valuable data, IntruShield can add a critical extra layer of protection against the bad guys. Too often, network administrators find out after the fact that their network has been probed. With a tool like IntruShield, the administrator will be alerted immediately to attacks or hostile reconnaissance.

Greer and Bishop are network analysts at a large Texas state agency. They can be reached at Earl.Greer@dhs.state.tx.us.

***

At a glance

Intrusion protection

IntruVert Networks Inc.'s IntruShield intrusion-detection sensors offer:

* Flexible deployment — Allows administrators to deploy sensors in several modes to suit their network security architectures.

* Stateful analysis — Provides protocol analysis and thorough analysis of network traffic at multigigabit rates.

* Comprehensive intrusion detection — Detects known, first-strike and denial-of-service attacks using a combination of signature, anomaly and denial-of-service detection techniques.

* Real-time intrusion prevention — Provides proactive capability for stopping in-progress attacks, coupled with a set of alert and response actions.

* Virtual intrusion detection — Gives administrators the ability to set multiple, customized intrusion policies within a single sensor.

* Interoperability — Works with leading firewalls and enterprise management applications.

REPORT CARD

IntruShield

Grade: A

IntruVert Networks Inc.

(408) 434-8300

www.intruvert.com

The list price for the IntruShield 2600 sensor is $34,995. The IntruShield Manager software costs $7,995. IntruShield Global Manager software costs $29,995.

IntruShield is a next-generation intrusion-detection system that can do more than just detect intrusions and denial-of-service attacks — it can also stop them. It does not burden administrators with excessive false positives and does not get overwhelmed by heavy network traffic. Those advantages, plus a wealth of features, earn IntruShield our highest rating. IntruShield Global Manager runs on Microsoft Corp. Windows 2000 or Sun Microsystems Inc. Solaris 8. IntruShield Manager runs only on Windows 2000.
