ISS RealSecure Pushes Past Newer IDS Players
May 17, 1999
AXENT Technologies ID-Trak
With the purchase of Internet Tools earlier this year, AXENT added a network-based IDS that complements its current host-based IDS, Intruder Alert. ID-Trak, which runs under NT, offers administrators a surprisingly flexible assortment of security and intrusion detection-related tools. While it doesn't match RealSecure or NetRanger in robustness or depth, its unique features and functionality still make it a valuable asset. Depending on your needs, it may even be the best tool for the job.
ID-Trak uses a slightly different approach to monitoring a protected network than its rivals. Rather than inspect everything that traverses the wire, ID-Trak forces the administrator to define a list of hosts to watch over. AXENT includes a utility called "profiler" that lets you define a range of IP addresses in which to search for hosts. However, the profiler needs some work. We turned it loose on our range of target hosts, and while it did a decent job of recognizing common services, it misdiagnosed many of our OSes. Normally that's not a big deal, but the profiler also assigns OS-specific attack signatures on a case-by-case basis. For example, our Unix machines running Samba were assigned a set of NT-based attacks. Although we were able to fix the problem fairly easily, this adds to configuration time and complexity.
While ID-Trak has a smaller base of prebuilt attack signatures than its competitors (approximately 70), it surpasses all but NFR when it comes to customizability. ID-Trak includes a rule-building utility that can create custom inspection modules to examine certain types of traffic. Using these modules as building blocks, administrators can build more complex checks by dragging and dropping various components into the rule designer. This flexibility far exceeds the customizability of NetRanger and RealSecure.
In addition to some powerful customization tools, ID-Trak has other interesting features. One is its ability to easily snoop active sessions. ID-Trak keeps tabs on all open sessions, giving an administrator a visual, real-time display of what's transpiring on the network. Selecting any of the listed sessions launches a window that can be used to actively monitor the session without sifting through packet decodes. The view is identical to what the user sees for some session types (others still resort to raw packet dumps). Some would argue that this could be used as a privacy-invasion tool, but it saves Unix administrators the hassle of messing with utilities such as ttysnoop.
Another simple, but much appreciated, feature in ID-Trak is its packet-dropping statistic. While no one wants to see his or her IDS start choking, it's nice to know when it is getting overloaded. NFR and ID-Trak were the only two IDSes that offered this stat. We suspect NetRanger was overwhelmed at times, and we know RealSecure dropped some traffic, but we have no definitive way of telling just how pegged either of those IDSes were.
Unfortunately, ID-Trak's interface is rivaled only by NetRanger when it comes to compounded frustration. We were repeatedly lost in its configuration and monitoring screens, often staring at a submenu that looked familiar, but wasn't what we wanted. After living with the product for a few months, we became a little more familiar with its mazes of menus, but we hope AXENT hires some interface-gifted people to help clean it up.
We are eager to look at the upcoming merger of the two product lines, ID-Trak and Intruder Alert, as they offer an assortment of useful utilities. For now, however, AXENT delivers a security tool that can be extremely useful in certain situations.
Network Flight Recorder NFR Intrusion Detection Appliance
NFR brings a unique approach to intrusion detection. Much like the open software movement, NFR has taken a very public approach to its product development. In fact, you can download the source code to the research versions of NFR from the company's Web site. This is the ultimate example of putting one's money where one's mouth is.
NFR has worked to develop a strong Unix- and Web-based back end with a powerful language called "n-code" that can be used for scripting attack signatures. However, it has spent less time populating the actual attack signature database than on the engine itself--the product ships with very few checks. Although NFR has delivered an intuitive and easy-to-use engine, IDSes witnessing attacks without signatures are about as useful as magazine editors on deadline without Mountain Dew--it's a bad scene. Some of NFR's resellers package NFR with a number of additional checks. But even with the additional components, NFR comes up short on the signature front compared with NetRanger and RealSecure.
Recently, however, NFR has teamed up with L0pht--one of the more talented crews on the hacker scene--to code some more advanced n-code modules. Unfortunately, until more signatures are produced, or until you employ a staff of protocol and code jockeys, NFR will not be as useful out of the box as RealSecure and NetRanger for mainstream administration needs.
In our lab we were able to preview an early beta of a new breed of IDS--an ID appliance or "toaster." NFR is completing development of a self-contained, self-installing and completely packaged IDS device. Popping a boot floppy and CD into a brand new Intel-based PC, we had an IDS operational in less than five minutes. And we must admit the unit as well as the concept is pretty damn cool.
We've also been watching the NFR mailing list for a few months, and we are continually amazed by the successful creation of knowledge bases based on a user community. If the level of expertise of NFR's user base is any testament to the product, NFR has a bright future ahead. NFR is less expensive, far more customizable, and growing in popularity. If you're willing to invest some time and expertise, the products NFR is producing are worth exploring.
Greg Shipley is a Chicago-based consultant. Send your comments on this article to him at gshipley@neohapsis.com.
Greg would like to thank Jeff Forristal, whose coding skills made advanced testing possible.