Equipped to play

We laid out our network requirements for our 60-day test of network intrusion-detection system products and let the vendors submit all the appropriate piece parts to fit the bill.

NFR Security provided two of its preconfigured appliance sensors, one for each site of our remote sites and a Central Management Server (CMS) for our network operations center. Each sensor fed alerts to the CMS system, which we examined and managed with the Windows-based Administrative Interface client.

NFR boots its sensors off of a CD-ROM, which doesn't guarantee that they can't be broken into, but certainly makes the job a lot harder. NFR recently released a new version of this product but it was too late in our test cycle to include in this review.

Intrusion provided two sensors and a management system, its SecureNet Provider. While still a product that needs some work, its slimmed-down management is an improvement over last year's submission. On the client side, there are three pieces needed to manage sensors and rules, and conduct analysis. But at least they all run on the same system. To manage SecureNet Provider, we used tools that Intrusion pre-loaded on a management client. This installation was important, because Intrusion's client caches event information in a local database to increase performance, and using the client isn't as simple as just dropping it onto a Windows box.

Although the new architecture was welcome, it also was clearly hot off the presses. We found careless bugs, such as IP addresses sorting in the wrong order and events being mismatched to their labels during our testing. We even managed to crash the SecureNet Provider client when we used it for forensics research.Intrusion recently upgraded it's software, but it was released too late for our testing.

Internet Security Systems (ISS) also supplied a three-tier architecture (sensor, management server and management client). ISS sent two Proventia A201 systems, its new appliance-style sensor. On the sensor side, ISS had more than its fair share of bugs that resulted in the appliances shutting down several times during the test period. Complementing the sensors were three other rock-solid ISS products: SiteProtector, Security Fusion and Internet Scanner. ISS' architecture is centered on SiteProtector, its tool for managing and analyzing information from an entire suite of security tools.

Internet Scanner is ISS' vulnerability analysis tool. Fusion helps to correlate IDS alerts with vulnerabilities and operating system detection information, upgrading or downgrading alerts as they flow in.

With Barbedwire Technologies, we received two appliance-style sensors and nominated one as the central management system. Barbedwire doesn't provide a client; driving its GUI around requires only a Web browser. Two things quickly became apparent: first, Barbedwire spent a lot of time building an elegant interface on top of Linux, and second, the systems provided were underpowered even for our small network. Once the system ran for a few weeks, it came to a near-halt because it had collected too much data. Configuration pages would take more than a minute to display, reports tens of minutes to run, and on occasion even simple things (such as "15 most recent alerts") would just timeout, returning only error codes.