We laid out our network requirements for our 60-day test of network intrusion-detection system products and let the vendors submit all the appropriate piece parts to fit the bill.

NFR Security provided two of its preconfigured appliance sensors, one for each site of our remote sites and a Central Management Server (CMS) for our network operations center. Each sensor fed alerts to the CMS system, which we examined and managed with the Windows-based Administrative Interface client.

NFR boots its sensors off of a CD-ROM, which doesn't guarantee that they can't be broken into, but certainly makes the job a lot harder. NFR recently released a new version of this product but it was too late in our test cycle to include in this review.

Intrusion provided two sensors and a management system, its SecureNet Provider. While still a product that needs some work, its slimmed-down management is an improvement over last year's submission. On the client side, there are three pieces needed to manage sensors and rules, and conduct analysis. But at least they all run on the same system. To manage SecureNet Provider, we used tools that Intrusion pre-loaded on a management client. This installation was important, because Intrusion's client caches event information in a local database to increase performance, and using the client isn't as simple as just dropping it onto a Windows box.

Although the new architecture was welcome, it also was clearly hot off the presses. We found careless bugs, such as IP addresses sorting in the wrong order and events being mismatched to their labels during our testing. We even managed to crash the SecureNet Provider client when we used it for forensics research.Intrusion recently upgraded it's software, but it was released too late for our testing.

Internet Security Systems (ISS) also supplied a three-tier architecture (sensor, management server and management client). ISS sent two Proventia A201 systems, its new appliance-style sensor. On the sensor side, ISS had more than its fair share of bugs that resulted in the appliances shutting down several times during the test period. Complementing the sensors were three other rock-solid ISS products: SiteProtector, Security Fusion and Internet Scanner. ISS' architecture is centered on SiteProtector, its tool for managing and analyzing information from an entire suite of security tools.