Neal Weinberg
Contributing writer, Foundry

Tenable Network Security and netForensics

Feb 05, 2004

* The Reviewmeister continues to take a look at security information tools

Continuing our jaunt through the world of security information management or security event management, today we’ll look at Tenable Lightning and netForensics.

* Tenable Lightning

This product from Tenable Network Security only focuses on vulnerability assessment and intrusion-detection system (IDS) logs. We found that Lightning 2.0 is an excellent investment for small organizations getting started in SEM. It is less expensive than the other, more complex products and much easier to set up.

In terms of licensing, Tenable Lightning 2.0 is licensed by the number of IP addresses active on your network.

At the most basic level, SEM products aggregate security logs from various devices. Taking SEM to the next level, these products add correlation, which lets you create alerts for any combination of log entries. For example, you can create an alert if you see a port scan and an attempted attack (seen through IDS logs) for your Web server if the source IP address is the same.

The next step, which Tenable supports, provides correlation between vulnerability assessment and IDS. You do not get an alert on an IDS log unless the targeted system is vulnerable to the attempted attack. This feature is beneficial because it can help reduce IDS false positives.
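The two correlation levels described above, shown as a small added example (not code from Tenable or from this review): rule 1 raises an alert when one source both port-scans the Web server and then attacks it, and rule 2 keeps an IDS alert only when the vulnerability scan found the flaw the signature needs on the target. Hosts, signature names and vulnerability IDs are constructed sample values.

```python
# Constructed vulnerability-scan results (not from the article): host -> flaws found.
VA_RESULTS = {
    "10.0.0.5": {"VULN-A"},   # the Web server, exposed to VULN-A only
    "10.0.0.6": set(),        # a patched host, nothing found
}

# Which flaw each (constructed) IDS signature needs on the target to succeed.
SIG_REQUIRES = {"attack-webdav": "VULN-A", "attack-cgi": "VULN-B"}

# Constructed IDS log lines: "<time> <src> <dst> <signature>"
IDS_LOG = """\
10:00:01 192.0.2.10 10.0.0.5 portscan
10:00:07 192.0.2.10 10.0.0.5 attack-webdav
10:00:09 192.0.2.10 10.0.0.6 attack-webdav
10:00:12 192.0.2.20 10.0.0.5 attack-cgi
10:00:15 192.0.2.30 10.0.0.5 attack-webdav
"""

def parse(log):
    """Split raw IDS lines into (time, src, dst, sig) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def target_is_vulnerable(dst, sig):
    """Rule 2: keep an IDS alert only if the scan found the matching flaw."""
    needed = SIG_REQUIRES.get(sig)
    return needed is not None and needed in VA_RESULTS.get(dst, set())

def correlate(events, web_server):
    """Return (scan_then_attack, vulnerable_attacks) for the given events."""
    scanners = set()          # sources that port-scanned the Web server
    scan_then_attack = []     # rule 1: scan + attack on the Web server from one source
    vulnerable_attacks = []   # rule 2: attacks whose target is actually vulnerable
    for ts, src, dst, sig in events:
        if sig == "portscan" and dst == web_server:
            scanners.add(src)
            continue
        if dst == web_server and src in scanners:
            scan_then_attack.append((ts, src, sig))
        if target_is_vulnerable(dst, sig):
            vulnerable_attacks.append((ts, src, dst, sig))
    return scan_then_attack, vulnerable_attacks

if __name__ == "__main__":
    for name, hits in zip(("scan+attack", "vulnerable"), correlate(parse(IDS_LOG), "10.0.0.5")):
        print(name, hits)
```

Of the four attack lines, rule 2 discards the one against the patched host and the one whose signature needs a flaw the scan never found; rule 1 fires only for the source that scanned first.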

* netForensics 3.1

NetForensics 3.1 has a lot of potential, but the user interface, SIM Desktop, could be improved.

In terms of the pricing model, NetForensics 3.1 is licensed by the number of devices being monitored.

Each company, with the exception of Tenable, sent us pre-configured hardware. The installation team came in to configure the device for our lab environment and set everything up so alerts and events were being sent to their system from three initial devices in our test bed – a NetScreen Technologies firewall, a Cisco VPN Concentrator and a Cisco Catalyst switch – which all logged directly to syslog. The netForensics install took just two hours for initial setup, device configuration and a quick tutorial.

Several of the SIM products include case management functionality to track and record incidents as they are investigated. Events can be tagged and added to incidents just about anywhere in the GUI. NetForensics includes a collaboration area – a screen where users can type messages and have them visible to all other users – and the ability to attach any file to a case.

For the full report, go to