We set up a test network of three Windows NT 4.0 servers, a firewall, five Windows NT Workstation clients and 10 Windows 95 and 98 clients. Our clients were 266-MHz Pentium IIs. Our servers were 500-MHz Pentium III systems. Our firewall machine, also a 500-MHz Pentium III, ran Axent Technologies' Raptor Firewall for NT 5.0.1. We configured the firewall to allow internal hosts to send out the most widely used services, such as Domain Name System, HTTP and telnet, but to allow only SMTP and FTP to enter through the firewall from external hosts. However, for our denial-of-service attack, we configured the firewall specifically to allow a SYN attack through.
After installing each of the products, we ran scripts that simulated normal network activity: accessing documents, databases and Web sites, as well as sending and receiving e-mail. We then attempted a variety of security attacks and suspicious maneuvers, including brute force attacks, denial of service using a SYN attack, strobe scans, share scans, BackOrifice attacks, port scans and sweep pings. During the attacks, we evaluated the intrusion-detection systems' alert, defense, policy enforcement and real-time tracking mechanisms. After the attacks, we reviewed the products' reporting and tracking capabilities and corrective action recommendations. If the product recommended a correction or fix, we implemented it, then repeated the attack. If the product identified the perpetrator, we verified it. We also evaluated each product's management program for alert and enforcement features, reporting capability and ease of use. RELATED LINKSReview: Intrusion detection
See why we give our highest marks to Network ICE. Network World, 10/4/99.
Intrusion detection buyer's guide
Use it to compare the specs for 11 different models or download all the specs to perform your own analysis.
Getting the drop on network intruders
A look at trends in intrusion detection and what you should think about before installing a system. Network World, 10/4/99.
