FEATURE
Intrusion Detection, Take Two
November 15, 1999
Cisco Systems
Cisco Secure Intrusion Detection System/NetRanger
Cisco's NetRanger hasn't changed much since we last tested it. It is still relentless in its detection abilities. It is still one of the best-performing intrusion-detection systems we've seen. It still catches just about everything that we could throw at it. And it's still painfully dependent on Hewlett-Packard Co.'s HP OpenView, and it's still obnoxiously overpriced. At more than $22,000 for one sensor appliance and the required Solaris-based "director" software (not including the cost of the SPARC workstation), NetRanger is more than twice the price of its nearest competitor.
Like RealSecure, NetRanger uses an engine/console model. The NetRanger appliance or "sensor" is a turnkey solution--a Pentium II PC in a rack-mountable case running Solaris x86. Cisco shipped us a sensor, a Solaris-based director (console) and a Cisco 2621 router with the new integrated IDS/firewall IOS (Internetwork Operating System) build (version 12.0.5T). During our tests, the NetRanger kept up with almost everything we had in our arsenal, except fragmented attacks. It set off alarms warning us that it had spotted fragments on the network, but could not determine what those fragments contained.
Unfortunately, the OpenView problems we faced in our earlier tests came back and bit us again. By executing an nmap FIN scan we unknowingly generated hundreds of scan warnings. OpenView was nice enough to shrink all the icons as it attempted to populate a single window with hundreds of alarms. The result was an indigestible collage of annoyingly small icons. Taking this to the next level, we figured we could probably run a visual denial-of-service attack and overwhelm the poor sap stuck clearing a seemingly endless array of alarms out of OpenView. Making matters worse, NetRanger is the most difficult product we've ever had to configure. Anyone thinking about reconfiguring these units should get his or her head examined first.
What really sparked our interest was the inclusion of intrusion-detection technology in Cisco's family of routers. Although NetRanger has its shortcomings, Cisco is in a unique position that could turn the network-based IDS space on its head: The firewall builds of IOS (the OS that runs Cisco switches and routers) from 12.0.5T onward will have intrusion-detection technology built in. One of the largest problems with network-based IDS involves scalability. In a switched 100-Mbps or faster environment, most network-based intrusion-detection systems just can't keep up. If Cisco delivers on integrating intrusion-detection technology into its family of switches, it may be able to go where no IDS vendor has gone before--into the heart of fast networking. We tested a 2621 router with the firewall IOS build, and it worked without a problem. We configured the router to report directly into the NetRanger console, so its alarms appeared right next to those of the NetRanger sensor unit. We were also able to redirect the output to Unix syslog, which afforded us even greater flexibility. Although the IDS IOS build has only around 60 attack signatures, those 60 worked quite well.
Fortunately, Cisco has some solutions in the works. We were given a tour of Cisco's new security manager, which cleans up the interface fiasco and eliminates NetRanger's dependency on OpenView. HP has released a Windows NT version of NetRanger, possibly opening the door to non-Unix shops. The current IOS IDS builds represent an intriguing start down an interesting path. If Cisco delivers, the company's network-based intrusion-detection products may retake the spotlight. But until that happens, NetRanger will remain an overpriced network-based IDS, with no host-based modules in sight and many competitors closing in fast.

Cisco Secure Intrusion Detection System/NetRanger, $12,500 for the Sensor, $9,500 for the Director. Cisco Systems, (800) 553-6387, (408) 526-4000; fax (408) 526-4100. www.cisco.com/netranger
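The flood of per-packet scan alarms described above is the classic reason a console should aggregate alerts before displaying them. The following is an added example, not code from the article or from Cisco, that collapses repeated alarms for the same signature, source and destination within a time window into one summary record; the alarm line format, signature names and addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alarms (not NetRanger or IOS output): one alarm per packet, as a
# per-packet sensor would emit during a FIN scan, plus two unrelated alarms.
def constructed_alarms():
    t0 = datetime(1999, 11, 15, 10, 0, 0)
    lines = []
    for i in range(300):  # 300 FIN probes from one source to one target over 30 s
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} TCP_FIN_ONLY from 10.0.0.5 to 10.0.0.20:{1 + i}")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} ICMP_ECHO_SWEEP from 10.0.0.7 to 10.0.0.20:0")
    # a late probe from the same source, outside the 60 s window of the first burst
    lines.append(f"{(t0 + timedelta(seconds=90)).isoformat()} TCP_FIN_ONLY from 10.0.0.5 to 10.0.0.20:4000")
    return lines

ALARM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sig>[A-Z_]+) from (?P<src>[\d.]+) to (?P<dst>[\d.]+):(?P<port>\d+)$")

def aggregate(lines, window=timedelta(seconds=60)):
    """Collapse alarms sharing (signature, src, dst) that fall within `window` of the
    first one into a single summary with a hit count and the set of ports touched.
    Summaries are returned in first-seen order; a hit after the window opens a new one."""
    summaries, open_by_key = [], {}
    for line in lines:
        m = ALARM_RE.match(line)
        if not m:
            continue  # not an alarm line; leave it alone
        ts = datetime.fromisoformat(m["ts"])
        key = (m["sig"], m["src"], m["dst"])
        cur = open_by_key.get(key)
        if cur is None or ts - cur["first"] > window:
            cur = {"sig": m["sig"], "src": m["src"], "dst": m["dst"],
                   "first": ts, "last": ts, "count": 0, "ports": set()}
            summaries.append(cur)
            open_by_key[key] = cur
        cur["count"] += 1
        cur["last"] = max(cur["last"], ts)
        cur["ports"].add(int(m["port"]))
    return summaries

def is_scan(summary, min_ports=20):
    """Flag a summary as a port scan when one source touched many distinct ports."""
    return len(summary["ports"]) >= min_ports

def render(s):
    """One console line per summary instead of one per packet."""
    return (f"{s['sig']} {s['src']} -> {s['dst']}: {s['count']} hits on {len(s['ports'])} "
            f"ports between {s['first'].isoformat()} and {s['last'].isoformat()}"
            + (" [SCAN]" if is_scan(s) else ""))

if __name__ == "__main__":
    for s in aggregate(constructed_alarms()):
        print(render(s))
```

Three lines reach the operator instead of 302, and the scan is still identifiable from the distinct-port count.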