Axent nabs intruders on host and network

It’s important for a company to have both host-based and network-wide intrusion detection systems (IDSs), according to security analyst Diana Kelley of the Hurwitz Group in Framingham, Mass.

“You should have both because they serve very different purposes,” Kelley said.

“It depends on what you’re trying to do. If you don’t want a telnet to happen from one box to another but that box is telnet-enabled, that’s the stuff where you really have to look at a network picture. But there are also certain things happening on the host that you want to keep track of,” Kelley explained.

Those host events to keep track of include multiple failed login attempts or attempts to monitor a password file on a Unix server, according to Scott Gordon, director of intrusion detection systems for Axent in Campbell, Calif. He said having both host and network security is a good idea, but not completely necessary for everyone.

“Like any other security thing, it’s how much money do you have and what type of risks do you want to reduce? It’s a judgement call. A multi-tiered defence strategy is the best one,” Gordon said.

Hurwitz’s Kelley said while most IDSs are similar in functionality due to the extreme competitiveness of the industry, Axent’s NetProwler 3.0 network-wide IDS is set apart by its integration with Axent’s host-based Intruder Alert.

Gordon said the integration is still a first-stage communications link, with further integration to come in the future. Right now, the link allows administrators at an Intruder Alert console “to monitor, enterprise-wide, not only Intruder Alert agent security events, but also NetProwler security events. So if there’s a network attack or a host-based attack, we’re able to pick that up and not only respond at the scene, but we can also forward that information on to the Intruder Alert console,” Gordon said.

Gordon explained NetProwler 3.0 works by sitting on a designated Unix or Windows NT server that is placed on a network segment.

“[NetProwler] puts the NIC in promiscuous mode and it just listens to…all the packets going by. It reassembles the packets and maintains what they call a session. It understands the source address, the destination address, the application being invoked, and the dialogue of commands between the source and destination address. It’s caching this information and comparing this dialogue to a database of known attack signatures,” Gordon said.

“If a source address starts to execute these sets of commands, it’s trying to exploit a known vulnerability. We can nail them right there in real time,” and alert the administrator by e-mail, pager or other forms of notification, Gordon said.

“The other thing we can do is reset the session, so we can terminate them actually trying to exploit that vulnerability. That’s the big difference [compared to] host-based which is running on the host and more often than not is identifying a threat after it occurs,” he said.

NetProwler did not have a Version 1.0 or 2.0, Gordon explained, because the product resulted from Axent’s acquisition in January of a company called Internet Tools. NetProwler is a rewritten derivative of Internet Tools’s product called ID-Trak, which Gordon said was at Version 2.2 at the time of acquisition.

One of the new features brought into NetProwler in the rewrite is called the Profiler.

“When you install the system, you provide an IP address range, and it goes in that range and does some minor port scans and determines what hosts are running and what applications are running on those hosts. Then it dynamically loads the attack signatures that relate to protecting just those hosts and applications. Basically, it autoconfigurates,” Gordon said.

“That gives us efficiency, since we’re only going to monitor for the applications we’re protecting.”

NetProwler also features a custom attack signature definition wizard for internally designed applications. Gordon said the drag-and-drop interface with keywords allows users to create signatures without any programming knowledge.

“Our product doesn’t require any programming. Anyone who has a good working knowledge of networks and of their application would be adept enough to create their own attack signatures,” he said.

Another feature is on-the-fly signature updates so the system does not have to be shut down for updates.

NetProwler has a suggest price starting at US$7,995.

Axent in Rockville, Md., is at (301) 258-5043 or on the Web at