FEATURE

Intrusion Detection, Take Two

November 15, 1999
Reviews
ISS RealSecure Remains Ahead
In the race to keep current with intruders' tactics and stop them, ISS's solution is a model of the potential power in host- and network-based integration.

By Greg Shipley

Internet Security Systems RealSecure 3.2
Internet Security Systems has long been a strong player in vulnerability assessment and intrusion detection. In our May tests, we found the vendor's RealSecure to be the most polished offering. ISS had achieved a balance between accurately detecting network-intrusion attempts and efficiently displaying that data in a usable format. Our biggest complaint was in customization: RealSecure was very limited in terms of flexibility.

In our latest round of tests, we investigated not only the recent advancements of the RealSecure network engine (version 3.2), but also the host agent included in RealSecure. Although we still have some significant complaints about the RealSecure suite, ISS's integrated host and network intrusion-detection approach, combined with a solid method of data representation, keeps the product a few notches above its competitors.

We tested the RealSecure network engine in our Chicago labs and it ruthlessly tracked the wide range of attacks we hurled its way. (See "How We Tested Intrusion Detection.") RealSecure caught almost every mainstream attack we unleashed (including remote buffer overflows, denial-of-service attacks and known CGI holes), but missed some of the more obscure ones (such as exploiting the more recent RDS/ODBC holes and some third-party CGI scripts). In RealSecure's defense, no product we tested was able to identify, or even catch, everything. ISS also added a solid set of customization options. You can examine packet payloads and use regular expressions to search for patterns within those payloads.

RealSecure's simple but effective management interface remains way ahead of its competitors in terms of overall design. The management console uses a hierarchical tree design, so administrators can view intrusions based on attack type, attacker or target host. Anyone who's ever done incident-response work knows how valuable it is to have this data at your fingertips. Information on just about any part of the interface can be called up in a second window simply by right-clicking on the item in question. As alarms and warnings popped onto the console, we were able to quickly look up all relevant information on the attack in seconds.

This may sound trivial, but you'd be surprised how cumbersome it is to gather detailed attack information from the other products. Even more trivial, but completely overlooked by products such as Centrax, is the ability to clear alerts. Thankfully, RealSecure now lets users clear most alerts from the console.

On the host front, ISS is one of three vendors boasting integrated host- and network-based intrusion-detection technology. The combined ability to watch network-based attacks (including port scans and remote buffer overflow-based attacks) with system-level events (such as failed login attempts and modified registry keys) in one interface is incredibly powerful. Unlike Axent's offerings, RealSecure's products are seamlessly integrated. We had no trouble installing the NT host agent, and we were quickly able to plug it into the management console. We tried to modify some system files and registry settings, and RealSecure caught us. It also flagged our additions to the administrator group, and some other trivial user games. It even caught us trying to use netcat as a back door, preventing us from getting into the machine unauthenticated. It was the only host-based IDS we tested that caught this. The system agent also boasts some 40 checks for Microsoft Exchange-, MS SQL-, LDAP-, Oracle- and Sybase-specific issues.

Our biggest complaints about RealSecure revolve around its inability to reassemble fragmented packets--a major flaw--and the lack of full event clearing in the management console event window.
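
The following added example (not from the original article and not ISS's code) shows why the fragment-reassembly gap matters for the payload regular expressions mentioned earlier: a signature applied fragment by fragment misses a payload that a reassembling engine matches. The signature, the `frag` record layout, the addresses and the sample fragments are constructed for illustration; offsets are in bytes and headers are omitted.

```python
import re
from collections import defaultdict

# Hypothetical signature for a constructed CGI path (not a real product rule).
SIGNATURE = re.compile(rb"GET /cgi-bin/example\.cgi")

def frag(ident, offset, more, data, src="192.0.2.10", dst="198.51.100.5"):
    """Constructed fragment record; offset is in bytes, headers are omitted."""
    return {"src": src, "dst": dst, "proto": 6, "id": ident,
            "offset": offset, "more": more, "data": data}

def match_per_packet(fragments):
    """Engine without reassembly: test each fragment's payload on its own."""
    return [f for f in fragments if SIGNATURE.search(f["data"])]

def reassemble(fragments):
    """Return {(src, dst, proto, id): payload} for datagrams that are complete."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    complete = {}
    for key, frags in groups.items():
        buf, last_seen = bytearray(), False
        for f in sorted(frags, key=lambda f: f["offset"]):
            if f["offset"] != len(buf):   # gap or overlap: do not guess
                break
            buf += f["data"]
            last_seen = not f["more"]     # True once the final fragment is appended
        else:
            if last_seen:
                complete[key] = bytes(buf)
    return complete

def match_reassembled(fragments):
    """Engine with reassembly: test the rebuilt payload of each datagram."""
    return [key for key, payload in reassemble(fragments).items()
            if SIGNATURE.search(payload)]

# Constructed sample: one request split in two, second half arriving first.
SAMPLE = [
    frag(4242, 16, False, b"mple.cgi HTTP/1.0\r\n\r\n"),
    frag(4242, 0, True, b"GET /cgi-bin/exa"),
]

if __name__ == "__main__":
    print("per-packet hits:", len(match_per_packet(SAMPLE)))
    print("reassembled hits:", match_reassembled(SAMPLE))
```

Datagrams with gaps or overlapping fragments are deliberately left unmatched here; a production sensor would raise a separate anomaly alert for them rather than drop them silently.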

RealSecure 3.2, $8,995, Internet Security Systems, (800) 776-2362, (678) 443-6000; fax (678) 443-6476. www.iss.net or mnorwood@iss.net


