FEATURE
Intrusion Detection, Take Two
November 15, 1999
Axent Technologies Intruder Alert and NetProwler
Axent purchased Internet Tools, the maker of ID-Trak, around the time of our May tests. At that time, Axent's single intrusion-detection product, Intruder Alert, operated only in the host space. ID-Trak, a network-based IDS, was soon overhauled and released as NetProwler. Now, Axent is integrating the two products, and we tested some of this integration functionality in the lab. Although the current "integration" is nothing more than a set of SNMP traps, Axent, Centrax and ISS are the only vendors shipping both host- and network-based systems.
Another interesting feature is content and integrity checking. NetProwler can query routing tables for changes via RIP version 1 or 2, which can serve as a sanity check for anyone trying to stay on top of an unruly WAN. It can also pull down Web pages and compare them against a baseline "snapshot" to detect hostile modifications, so the check is only as good as the snapshot you take after each legitimate update. Although these features fall outside the traditional realm of intrusion detection, they are quite useful.

We were pleased with the number of attacks NetProwler accurately identified. It even nailed some of the CGI attacks that RealSecure and NetRanger missed. However, when we moved on to fragment attacks, it bombed: on several occasions the NetProwler service simply died, leaving the segment unmonitored until the service was restarted.

NetProwler also configures itself in an unusual way. Where most network-based IDS products inspect every packet they see, NetProwler inspects only packets destined for known hosts, which lets it keep up at higher bandwidth rates. Using its profiler tool, NetProwler automatically queries, identifies and configures itself to watch over a set of hosts. For the most part this worked well for our dozen or so hosts, but we wonder how well it will scale to hundreds or even thousands of nodes, and any host the profiler does not know about is simply not monitored.
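The routing-table sanity check described above amounts to parsing the RIP responses a router advertises, keeping a baseline, and flagging any route that appears, disappears, or changes next hop or metric. The following is an added example of that check, written for this page; it is not NetProwler code. The RIP v2 packet layout follows RFC 2453 (4-byte header, 20-byte entries), and the two responses it compares are constructed inline: in the second one, 10.2.0.0/16 is suddenly reached via a different next hop and a default route has appeared, which is exactly the kind of change a WAN administrator wants to hear about.

```python
"""Parse RIP v2 responses and diff advertised routes against a baseline.
Added example for illustration, not Axent/NetProwler code. The packets used
below are constructed in build_rip_response(); nothing is read off the wire."""
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2
RIP_V2 = 2
AF_INET = 2
ENTRY_LEN = 20  # AFI(2) + route tag(2) + address(4) + mask(4) + next hop(4) + metric(4)
ENTRY_FMT = "!HH4s4s4sI"


def build_rip_response(entries):
    """Build a RIP v2 response payload from (network, mask, next_hop, metric) tuples.
    Used only to construct sample input for this example."""
    payload = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)  # command, version, must-be-zero
    for net, mask, next_hop, metric in entries:
        payload += struct.pack(ENTRY_FMT, AF_INET, 0,
                               IPv4Address(net).packed, IPv4Address(mask).packed,
                               IPv4Address(next_hop).packed, metric)
    return payload


def parse_rip_response(payload):
    """Return {(network, mask): (next_hop, metric)} from a RIP v2 response.
    Malformed input raises ValueError instead of being guessed at."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY_LEN:
        raise ValueError("RIP payload length is not 4 + n*20 bytes")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    if command != RIP_RESPONSE or version != RIP_V2:
        raise ValueError("not a RIP v2 response")
    routes = {}
    for off in range(4, len(payload), ENTRY_LEN):
        afi, _tag, addr, mask, next_hop, metric = struct.unpack(ENTRY_FMT, payload[off:off + ENTRY_LEN])
        if afi != AF_INET:  # skip authentication entries (AFI 0xFFFF) and unknown families
            continue
        key = (str(IPv4Address(addr)), str(IPv4Address(mask)))
        routes[key] = (str(IPv4Address(next_hop)), metric)
    return routes


def diff_routes(baseline, current):
    """Report routes added, withdrawn, or changed (next hop or metric) since the baseline."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    withdrawn = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return added, withdrawn, changed


def run_example():
    """Constructed baseline and follow-up responses from the same router."""
    baseline = parse_rip_response(build_rip_response([
        ("10.1.0.0", "255.255.0.0", "192.168.0.1", 1),
        ("10.2.0.0", "255.255.0.0", "192.168.0.2", 2),
    ]))
    current = parse_rip_response(build_rip_response([
        ("10.1.0.0", "255.255.0.0", "192.168.0.1", 1),
        ("10.2.0.0", "255.255.0.0", "192.168.0.99", 1),  # next hop and metric changed
        ("0.0.0.0", "0.0.0.0", "192.168.0.99", 1),        # new default route
    ]))
    return diff_routes(baseline, current)


if __name__ == "__main__":
    added, withdrawn, changed = run_example()
    print("added:", added)
    print("withdrawn:", withdrawn)
    print("changed:", changed)
```

A real deployment would capture UDP port 520 on the segment (or send a RIP request and read the replies), re-baseline deliberately after planned routing changes, and treat an unexpected next hop as seriously as a new route, since a rogue advertisement is how traffic gets redirected through an attacker's box.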
Intruder Alert (ITA), the host-based product, like Centrax and RealSecure, performs the majority of its checks by pulling from event logs. ITA is probably the most flexible but least elegant host-based product we tested. It is deployed in a console/agent fashion, so an agent must exist for every OS you want to monitor. ITA is especially flexible in event definition and incident reaction. You can configure ITA to perform an assortment of actions upon event recognition: alert via pager, alert via e-mail, execute a command or script, close a task or process, or disable a user account. You can also instruct ITA to pull data from a wide range of sources beyond simple event logs, and report to an array of destinations.

However, we found the interface difficult to work with, and the terminology a lot more confusing than in the other products. We found ourselves wading through a seemingly endless sea of similar icons as we sifted through an array of similar policies. Compared with the RealSecure management console, ITA's usability is severely challenged, and integrating NetProwler into this interface is equally challenging.

Axent recently released NetProwler Turbo, an integrated hardware-software approach to network-based intrusion detection. Using technology supplied by NetBoost, NetProwler Turbo is supposedly capable of inspecting packets at 100 Mbps and greater rates. Unfortunately, NetProwler Turbo was not available for testing. If Axent delivers on integrating Intruder Alert and NetProwler into a single product, it may be able to give RealSecure a serious run for its money.

Intruder Alert, $1,995 Manager, $995 Agent (Console N/C); NetProwler, $7,995. Axent Technologies, (888) 442-9368, (301) 258-5043; fax (301) 670-3586. www.axent.com or info@axent.com
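The event-definition-plus-reaction model that ITA exposes (read an event log, match a definition, fire an action such as disabling an account) is easy to show in a few dozen lines. What follows is an added example written for this page, not ITA's own policy language or code. It assumes a constructed log-line format (the "SECURITY <id> ... user=... src=..." shape and the sample lines are made up for the example; only the NT 4.0 event ID 529 for a failed logon is real), a threshold rule of five failures per account inside a sliding 60-second window, and a hypothetical "disable_account" action. It also handles the caveat a practitioner would raise about auto-disable: an attacker who can generate failed logons against an administrator account can otherwise use the reaction to lock the administrators out, so exempt accounts only raise an alert.

```python
"""Event-log threshold rule with a reaction, in the style of a host IDS policy.
Added example, not Intruder Alert code. Log format and sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line shape: "<date> <time> SECURITY <event id> <message> user=<account> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SECURITY (?P<eid>\d+) .*?user=(?P<user>\S+) src=(?P<src>\S+)$"
)
LOGON_FAILURE = 529  # Windows NT 4.0 security event: unknown user name or bad password


def parse_event(line):
    """Turn one log line into an event dict, or None if it is not a security
    event in the expected shape (other sources are simply skipped)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(m["eid"]), "user": m["user"], "src": m["src"]}


class ThresholdRule:
    """Fire `action` when `count` events with `event_id` for the same account
    fall inside a sliding window: the 'event definition' half of the policy."""

    def __init__(self, event_id, count, window_seconds, action):
        self.event_id, self.count, self.action = event_id, count, action
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)  # account -> timestamps inside the window

    def feed(self, ev):
        if ev["eid"] != self.event_id:
            return None
        q = self.recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # fire once per burst rather than on every further failure
            return (self.action, ev["user"], ev["src"])
        return None


def run_policy(lines, rules, exempt=frozenset()):
    """Feed log lines through the rules and return the reactions taken.
    Accounts in `exempt` are never disabled automatically; they get an alert
    instead, so an attacker cannot weaponise the reaction into a lockout."""
    reactions = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in rules:
            fired = rule.feed(ev)
            if fired is None:
                continue
            action, user, src = fired
            if action == "disable_account" and user in exempt:
                reactions.append(("alert_only", user, src))
            else:
                reactions.append(fired)
    return reactions


SAMPLE_LOG = [  # constructed for this example
    "1999-11-15 10:00:01 SECURITY 529 Logon Failure user=jdoe src=10.0.0.9",
    "1999-11-15 10:00:05 SECURITY 529 Logon Failure user=jdoe src=10.0.0.9",
    "1999-11-15 10:00:09 SECURITY 529 Logon Failure user=jdoe src=10.0.0.9",
    "1999-11-15 10:00:14 SECURITY 529 Logon Failure user=jdoe src=10.0.0.9",
    "1999-11-15 10:00:20 SECURITY 529 Logon Failure user=jdoe src=10.0.0.9",
    "1999-11-15 10:00:30 SECURITY 528 Successful Logon user=jdoe src=10.0.0.9",
    "1999-11-15 10:00:45 SYSTEM 6005 Event log service started",
    "1999-11-15 10:01:00 SECURITY 529 Logon Failure user=Administrator src=10.0.0.9",
    "1999-11-15 10:01:10 SECURITY 529 Logon Failure user=Administrator src=10.0.0.9",
    "1999-11-15 10:01:20 SECURITY 529 Logon Failure user=Administrator src=10.0.0.9",
    "1999-11-15 10:01:30 SECURITY 529 Logon Failure user=Administrator src=10.0.0.9",
    "1999-11-15 10:01:40 SECURITY 529 Logon Failure user=Administrator src=10.0.0.9",
]


def run_example():
    rules = [ThresholdRule(LOGON_FAILURE, count=5, window_seconds=60, action="disable_account")]
    return run_policy(SAMPLE_LOG, rules, exempt={"Administrator"})


if __name__ == "__main__":
    for reaction in run_example():
        print(reaction)
```

The reactions are returned as tuples rather than executed; wiring "disable_account" to a real command is the part that needs the most care, and the exempt list is the minimum safeguard before doing so.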
We were excited to see that NetProwler has had a major face-lift since we last looked at it. The management program is much easier to use, and the reporting tools are more intuitive. Outside the normal scope of packet-based inspection, NetProwler has some interesting features that are absent from other intrusion-detection products. For example, the "talkers" module lets you capture and display ongoing sessions in real time. Going beyond simple protocol decodes, NetProwler can translate and display Telnet, FTP, SMTP, POP and IRC sessions as they happen; we were able to watch sessions and drop in on them as they occurred. This capability may have an interesting legal ramification: anyone eavesdropping on an intrusion attempt may become a witness.
However, we did run into a problem stemming from NetProwler's known-hosts-only approach. In a preliminary round of tests we launched a WinNuke attack against one of our Windows 95 workstations, and NetProwler was the only product that failed to detect it. Convinced that we had done something wrong, we began rechecking our configurations and discovered that the Windows 95 machine had been powered down when we ran the profiler. NetProwler never saw it, so it never configured itself to watch over it. We reran the profiler, re-executed the attack, and this time the attack was detected. The moral of the story: a host the profiler did not see is a host NetProwler does not protect. If you use NetProwler, make sure every host is up when you profile, and be prepared to re-run the profiler every time you add something significant to your network.
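The blind spot in the profiler-driven design described above (and in the description of NetProwler's known-hosts-only inspection earlier in the review) is easy to reproduce in a small model. The following is an added example written for this page, not NetProwler code: a sensor that applies signatures only to packets whose destination is on its watch list, a profiler that adds a host only if it answered at profile time, and a WinNuke signature (TCP to the NetBIOS session port 139 with the URG flag set, i.e. out-of-band data). Host reachability and the packets are constructed. It shows the attack being missed under a stale profile, then caught after re-profiling, and also a scoping choice the article does not mention but that avoids the problem: watching a subnet instead of an enumerated host list.

```python
"""Model of a known-hosts-only sensor and the profiler blind spot.
Added example, not Axent/NetProwler code. Packets and reachability are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"PSH", "ACK", "URG"})


def winnuke(pkt):
    """WinNuke signature: TCP segment to NetBIOS session port 139 with URG set
    (out-of-band data), which crashed unpatched Windows 95/NT stacks."""
    return pkt.proto == "tcp" and pkt.dport == 139 and "URG" in pkt.flags


SIGNATURES = {"WinNuke": winnuke}


def profile_hosts(inventory, reachable):
    """Profiler step: a host enters the watch list only if it answers at
    profile time. `reachable` is constructed here; a real profiler probes."""
    return frozenset(h for h in inventory if h in reachable)


def inspect(packets, watched_hosts=frozenset(), watched_nets=()):
    """Run every signature over in-scope packets only: destination on the host
    watch list or inside a watched network. Out-of-scope packets are never
    examined, which is where the blind spot comes from."""
    nets = [ip_network(n) for n in watched_nets]
    hits = []
    for p in packets:
        in_scope = p.dst in watched_hosts or any(ip_address(p.dst) in n for n in nets)
        if not in_scope:
            continue
        for name, sig in SIGNATURES.items():
            if sig(p):
                hits.append((name, p.src, p.dst))
    return hits


def run_example():
    inventory = ["10.0.0.2", "10.0.0.3", "10.0.0.5"]
    traffic = [  # constructed
        Packet("10.0.0.9", "10.0.0.2", "tcp", 139, frozenset({"PSH", "ACK"})),         # ordinary SMB
        Packet("10.0.0.9", "10.0.0.5", "tcp", 139, frozenset({"PSH", "ACK", "URG"})),  # WinNuke
    ]
    # 10.0.0.5 was powered down when the profiler ran, as in the review.
    stale = profile_hosts(inventory, reachable={"10.0.0.2", "10.0.0.3"})
    # Re-profile with every host up.
    fresh = profile_hosts(inventory, reachable=set(inventory))
    return {
        "stale_profile": inspect(traffic, watched_hosts=stale),
        "reprofiled": inspect(traffic, watched_hosts=fresh),
        "subnet_scope": inspect(traffic, watched_nets=["10.0.0.0/24"]),
    }


if __name__ == "__main__":
    for label, hits in run_example().items():
        print(f"{label}: {hits}")
```

The subnet-scoped run also catches attacks against hosts that were never in the inventory at all, such as a machine plugged in after profiling or a rogue box, at the cost of the per-host tuning that lets a sensor like NetProwler keep up at higher bandwidth.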