Network Computing
Security Feature
Dragon Claws its Way to the Top

August 20, 2001
By Greg Shipley and Patrick Mueller



Enterasys Networks Dragon 4

The idea behind Dragon is quite simple: It's made by the hard-core, for the hard-core. Veteran security administrators and Unix jockeys will dig it, and most Microsoft Windows administrators will choke on it. Dragon's strengths lie in its deep signature set, its robust engine, and its ability to log and display a dizzying amount of data. Its weaknesses? The Web-based console is difficult to navigate and frustrating to use.

Enterasys is one of the few vendors that can realistically talk about watching over ISP links and other carrier-class networks. The engine is rock-solid, and once you have the sensor set up and talking to the console, it hums along. We ran into a few instances where the communications died, and we needed to log into the sensor to troubleshoot, but compared with the other IDS platforms, Dragon was pretty painless.

Other than dealing with a few mishaps and replacing old license keys, you shouldn't find yourself SSHing to the sensors too often. However, if the network link between the sensor and console goes down for more than 15 minutes, Dragon will give up trying to connect to the sensor. Thankfully, the sensor continues to function and capture all data, resyncing the databases after the Dragon Rider tool is restarted by hand.

Another issue users should consider is the number of signatures they choose to enable. Dragon has an open-signature format that lets users create their own signatures. In fact, it's so well-defined (and similar enough to the Snort signature format) that the Whitehats arachNIDS site exports all its signatures to Dragon format as well. The result is a massive signature set. At one point, we pushed out a very aggressive configuration. The Dragon infrastructure was able to keep up, but we were processing more than 2 GB of data per day! At this rate, we could hold only four days of data before we needed to start clearing out old info.



Figure: Enterasys Networks Dragon 4

On the management side, Dragon's Web-based user interface leaves much to be desired. It can be confusing, though using it gets easier after a few days. Another problem is that there are too many different Web-based tools, including Dragon Fire, Dragon Console and Dragon Rider. The consoles are bolted onto the CLI (command-line interface) tools, which are still available by SSHing into either the sensor or the console. Most of the pull-down menus and filterable options are simply flags and arguments that are passed to the back-end CLI commands. The link to this impressive and powerful array of CLI tools is shown at the top of each query created through the Dragon Fire tool. The display limits on the Web pages and the frequently inefficient methods of finding the right box to supply the desired filter will quickly encourage you to use the CLI. It's raw, but it works.

One of Dragon's particularly powerful tools is mksession, which re-creates the attack session that triggered the signature and lets you see exactly what went across the wire and when. From a data- and network-forensics standpoint, Dragon is unmatched. For example, you can create queries to search back through large data sets for specific IP pairs to see when an attacker started probing your network before his or her successful exploit. It takes a little practice and some CPU and disk resources on the console, but the capability is incredibly powerful.

Dragon 4. Available: Now. Enterasys Networks, (603) 332-9400. www.enterasys.com


Cisco Systems Secure IDS 2.5

To be blunt, Cisco's solution surprised us. In years past, Cisco was behind on signatures and behind on engine technology, and its management interface through Hewlett-Packard Co.'s OpenView was atrocious. In the past 12 months, however, Cisco has updated its engine technology, improved the number of signatures (though more are still needed) and leapfrogged rivals on the front-end interface.

Cisco's Secure IDS (formerly NetRanger) is a suite of products comprising the lower-end 4210 unit, the higher-end 4230 appliance and the IDS blade that fits into Catalyst 6000 switches. The 4210 and 4230 models are essentially Sun Microsystems Solaris x86-based PCs that are shipped as appliances. You can reimage them using the included CD, which will rebuild the box in about 30 minutes. In contrast, the IDS blade is a card installed in the switch, and it pulls frames directly off the Catalyst's backplane. We tested version 2.5 of all three products and used CSPM version 2.3i to manage them.

CSPM is Cisco's network-management framework product that runs on Windows and uses a proprietary database on the back end. While it can administer firewalls and routers, we used it solely for IDS management. CSPM can be a pain in the butt, and getting everything up and running under it was a little tricky. However, once we got off the ground, it was smooth sailing. Secure IDS was the only set of products that never crashed -- not even once.

The strength of the Cisco solution lies not in one dominating characteristic but in a solid blend of strong components. The engine is robust enough to withstand the DePaul Bruisernet. Its signature coverage, while not as strong as that of Dragon or Snort, is superior to those of products from Intrusion.com and Symantec. Secure IDS' sensors are Unix-based, so remote administration was painless. But the biggest differentiator of the Cisco solution is that it made our lives easy via the CSPM event viewer.

The CSPM event viewer is simple by design, powerful and hard to describe. It is a lot like a giant, dynamic spreadsheet, complete with collapsible rows, and allows for sorting of information based on an assortment of variables, including sensor ID, source of attacker, destination of attacker, date, time and attack type. Using the viewer, we were able to sort and sift through thousands of events in seconds and pick out those we wanted. We were also able to do some interesting visual coordination. For example, we placed a second sensor on the Neohapsis DMZ (demilitarized zone), far away from DePaul's network. By sorting data based on attacking IP first and sensor ID second, we could easily pinpoint attackers that were hitting both networks -- a sure sign of Internet-wide probing.
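Both analyst workflows described in this review, Dragon's search back through a large data set for a specific IP pair to find when the probing started before the exploit, and the CSPM event viewer's sort by attacking IP then sensor ID to spot sources hitting more than one network, come down to simple queries over a table of alerts. The following is an added example written for this page, not code from Enterasys, Cisco or the reviewers; the sensor names, signature names and alert records are all constructed, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Two alert-correlation queries of the kind the review describes, over an
in-memory alert table. Added example; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Alert(NamedTuple):
    ts: datetime      # when the sensor raised the alert
    sensor: str       # hypothetical sensor ID
    src: str          # attacking (source) address
    dst: str          # target (destination) address
    sig: str          # hypothetical signature name


# Constructed sample alerts from two hypothetical sensors, one on a campus
# network and one on a DMZ, in the style of an IDS console export.
SAMPLE_ALERTS = [
    Alert(datetime(2001, 7, 20, 23, 0), "campus-sensor", "203.0.113.7", "198.51.100.20", "Probe: port sweep"),
    Alert(datetime(2001, 8, 1, 2, 10), "campus-sensor", "203.0.113.7", "198.51.100.20", "Probe: port sweep"),
    Alert(datetime(2001, 8, 2, 3, 30), "campus-sensor", "203.0.113.7", "198.51.100.20", "Probe: directory traversal"),
    Alert(datetime(2001, 8, 2, 9, 15), "campus-sensor", "203.0.113.9", "198.51.100.21", "TCP Hijacking Simplex Mode"),
    Alert(datetime(2001, 8, 3, 4, 45), "dmz-sensor", "203.0.113.7", "192.0.2.5", "Probe: port sweep"),
    Alert(datetime(2001, 8, 4, 1, 5), "campus-sensor", "203.0.113.7", "198.51.100.20", "Exploit: web server overflow"),
    Alert(datetime(2001, 8, 5, 12, 0), "campus-sensor", "203.0.113.7", "198.51.100.20", "Probe: port sweep"),
]


def probing_history(alerts, src, dst, exploit_sig, window=timedelta(days=7)):
    """Dragon-style IP-pair query: every alert between src and dst, in time
    order, from `window` before the first alert matching exploit_sig up to and
    including that alert. Returns [] if the pair never shows the exploit."""
    pair = sorted((a for a in alerts if a.src == src and a.dst == dst), key=lambda a: a.ts)
    exploit = next((a for a in pair if a.sig == exploit_sig), None)
    if exploit is None:
        return []
    return [a for a in pair if exploit.ts - window <= a.ts <= exploit.ts]


def cross_sensor_sources(alerts, min_sensors=2):
    """CSPM-style view: group by attacking IP, then by sensor ID, and keep the
    sources seen by at least min_sensors distinct sensors. Those are the
    candidates for Internet-wide probing rather than a single-site event."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.src].add(a.sensor)
    return {src: sorted(sensors) for src, sensors in seen.items() if len(sensors) >= min_sensors}


if __name__ == "__main__":
    for a in probing_history(SAMPLE_ALERTS, "203.0.113.7", "198.51.100.20", "Exploit: web server overflow"):
        print(a.ts.isoformat(), a.sensor, a.sig)
    print(cross_sensor_sources(SAMPLE_ALERTS))
```

The history query deliberately drops the 20 July sweep, which falls outside the seven-day window, and the 5 August sweep, which came after the exploit; on real data the window is the knob that trades console CPU and disk against how far back you look. The cross-sensor query flags only 203.0.113.7, since 203.0.113.9 was seen by one sensor.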

The Cisco Network Security Database (NSDB) was also quite handy. One of the most useful fields of this alert database is "benign triggers," which tells you not only what kinds of nonmalicious traffic might be a false positive for this signature, but how likely they are to happen. Case in point: We were seeing several alerts for "TCP Hijacking Simplex Mode." TCP hijacking attacks are well understood, and there are even easy-to-use tools that allow hackers to launch these attacks. However, we were quite interested since these attacks are rarely seen in the wild. Once we noted the benign trigger "idle telnet session," we stopped looking at these alerts. The fact that Cisco has begun documenting these issues is a big plus for the overworked operator.

Secure IDS 2.5. Available: Now. Cisco Systems, (800) 553-6387, 408-526-4000; fax (408) 526-4100. www.cisco.com


Copyright © 2008 United Business Media LLC