In June, ISS acquired Network ICE, makers of the BlackICE products. While many of ISS' marketing announcements focused on BlackICE's desktop utility, anyone who has used RealSecure and BlackICE Sentry in an enterprise will tell you that BlackICE Sentry is strong on the corporate NIDS front. Unfortunately, it also suffers from some of the same problems that plague RealSecure, namely management- and console-related headaches.
BlackICE Sentry is Network ICE's standalone NIDS. It has the same appearance as the well-known BlackICE Defender desktop IDS/firewall product but reports its alerts to the ICEcap Manager. Alerts are also forwarded to the console and displayed on the GUI.
BlackICE uses "protocol analysis" to better detect intrusions. Essentially, the engine tracks state, reassembles TCP streams and applies some degree of protocol "intelligence" when inspecting traffic. This has allowed BlackICE to address many of the evasion techniques that trouble other NIDS solutions. For example, BlackICE has preprocessors for protocols such as HTTP that help detect many of the evasion techniques used in CGI scanners, such as RFP's Whisker. While other products have addressed these issues in various fashions, we believe BlackICE's approach to be a bit more mature than most. Unfortunately, BlackICE had some problems during our testing. Our FTP and IMAP attacks flew past it on our busy network without tripping alarms, even though the sensors should have detected them.
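To illustrate why an HTTP preprocessor matters, here is an added example (not ISS or BlackICE code) that compares a raw substring signature match against the same match on a normalized request URI. The signature path and the obfuscated request lines are constructed for the example; the decoding steps are an assumed simplification of what a server-side URL parser does.

```python
# Added example (not ISS/BlackICE code): a raw substring signature misses
# URL-encoded and path-obfuscated requests, while matching after the URI
# has been decoded and canonicalised catches them.
from urllib.parse import unquote
import posixpath

# Constructed sample signature: a request for a well-known CGI path.
SIGNATURE = "/cgi-bin/phf"

def normalize_uri(uri: str) -> str:
    """Percent-decode until a fixed point (undoes double encoding), then
    collapse '/./', '//' and 'dir/../' segments as a server would."""
    path = uri.split("?", 1)[0]
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    return posixpath.normpath(path)

def raw_match(uri: str) -> bool:
    return SIGNATURE in uri

def normalized_match(uri: str) -> bool:
    return SIGNATURE in normalize_uri(uri)

# Constructed request URIs: one plain, three obfuscated.
SAMPLE_URIS = [
    "/cgi-bin/phf?Qalias=x",
    "/cgi-bin/./phf",            # self-referencing directory
    "/cgi%2dbin/phf",            # percent-encoded hyphen
    "/foo/../cgi-bin//phf",      # parent reference plus doubled slash
]

def scan(uris):
    """Return (raw_hits, normalized_hits) over a list of URIs."""
    return (sum(raw_match(u) for u in uris),
            sum(normalized_match(u) for u in uris))
```

Running `scan(SAMPLE_URIS)` shows the raw match firing once while the normalized match fires on all four requests.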
While we still believe that the BlackICE engine is fairly robust, the ICEcap Manager console leaves much to be desired. The Web-based user interface makes logging in remotely a simple matter, but doing detailed configuration tasks from a distance can prove taxing. Watching alerts from a few sensors is doable, but if you're rolling out a large installation, dealing with loads of alerts in ICEcap will be painful.
If ISS can figure out a way to integrate BlackICE Sentry into the existing RealSecure alerting framework, we wouldn't be surprised to see BlackICE replacing RealSecure network engines in the future. Both products are in need of a scalable back end and front-end management framework, however.
BlackICE Sentry 2.5, Available: Now. Internet Security Systems. (404) 236-2600; fax (404) 236-2626. www.iss.net
NFR Security NFR Network Intrusion Detection
NFR has long been attempting to create an evasion-resistant NIDS offering. Unfortunately, this has often come at the cost of performance. While we initially had high hopes for the 1U appliance-based monster that NFR submitted for the test (a two-way Pentium III 1-GHz box with 1-GB RAM), our first deployment of the unit resulted in a time of death at hour 24. To NFR's credit, the company finally came through, but it still has a fair amount of work to do to get the product humming on busy networks. With NFR's acquisition of Anzen in June and some renewed vigor, it will be interesting to see if the company can close the gap.
NFR is a snap to deploy: Spec out your hardware per your requirements and pop in the CD. The software automatically installs itself, and much of the operating system runs directly off the read-only media of the CD. This feature prevents modification of system binaries in case an attacker manages to break into the box.
Unfortunately, NFR quickly tanked in our network. It consumed all real and virtual memory, and started dropping packets -- all packets. After extensive work with technical support, NFR decided to submit an unreleased beta product for the NFR IDA (intrusion-detection appliance). This turned into several submissions, spread across many weeks. Throughout our testing, NFR submitted new code revisions of the software for us to test. At each turn, problems prevented the system from working -- that is, until the final round. NFR's latest rev kept up with the Bruisernet, even managing to pick up seven out of the nine test exploits that we ran against it. We were impressed.
On the engine side, it looks as though there may be hope for NFR. However, NFR, like most of the NIDS offerings, struggles with management issues. The console itself is Windows-based, and we found that on busy days memory-leak problems would regularly crash the console. Correlation issues are a problem, and sifting through thousands of events is painful. NFR has much work to do on this front, but it appears to be making progress.
Those in high-bandwidth environments will want to do plenty of testing to make sure that this solution will work for them, though the platform is showing some promise. We were about to write off NFR, but this latest rev is going to keep it around.
Originally, Anzen OEMed the Flight Jacket engine from NFR and was writing its own protocol-anomaly-based signatures, which look for network traffic that is out of spec for a given protocol (if this sounds more like protocol decoding and verification to you, you're not alone). (Since then, NFR has acquired the Flight Jacket product from Anzen and will be incorporating it into the NFR lineup.) For example, if someone sends a user name that is 1,000 characters long to your IMAP server, chances are that something has gone wrong, whether it be a bug in a mailer or a malicious user. Given the track record of IMAP vulnerabilities, agile security administrators will perk up when Flight Jacket alerts them to such an event.
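The IMAP user-name check described above, as an added example that is not Anzen's or NFR's code: it parses IMAP LOGIN commands (IMAP4rev1 syntax, where each argument may be an atom, a quoted string, or a literal `{N}` announcing N octets to follow) and flags a user name whose length exceeds a threshold. The threshold and the sample command lines are constructed for the example.

```python
# Added example (not NFR/Anzen code): a protocol-anomaly check for IMAP
# LOGIN commands, "<tag> LOGIN <user> <password>". A literal "{N}" lets the
# sensor flag the declared length before the user-name octets even arrive.
import re
import shlex

MAX_USERNAME_OCTETS = 256   # constructed threshold; tune to local account names
LITERAL_RE = re.compile(r"^\{(\d+)\+?\}$")

def username_length(line: str):
    """Return the user-name length a LOGIN line declares, or None if the
    line is not a parseable LOGIN command."""
    try:
        parts = shlex.split(line.strip())   # handles quoted strings and escapes
    except ValueError:                      # unbalanced quotes: not parseable
        return None
    if len(parts) < 3 or parts[1].upper() != "LOGIN":
        return None
    m = LITERAL_RE.match(parts[2])
    return int(m.group(1)) if m else len(parts[2])

def is_anomalous(line: str, limit: int = MAX_USERNAME_OCTETS) -> bool:
    n = username_length(line)
    return n is not None and n > limit

# Constructed command lines as a sensor would see them on the wire.
SAMPLE_LINES = [
    'a001 LOGIN alice "s3cret"',
    'a002 login "bob smith" pw',
    'a003 LOGIN {1000}',                   # literal announcing 1,000 octets
    'a004 LOGIN ' + "A" * 1000 + ' pw',    # the same oversize name inline
    'a005 SELECT INBOX',
]

def anomalous_tags(lines):
    """Return the tags of the commands that trip the length check."""
    return [l.split()[0] for l in lines if is_anomalous(l)]
```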
Flight Jacket's trump card is that it does tricks that few of the other players can, like integrating with the rest of your security infrastructure. Anzen provides hooks into Check Point Software Technologies' FireWall-1 via Check Point's OPSEC API, as well as reporting to a Check Point management console. You can configure individual signatures to trigger a session termination via your Check Point firewall (this is a bad idea, however, based on the number of false positives we witnessed in almost all the products).
Unfortunately, we were unable to run Flight Jacket on DePaul's network because of NFR's recurring problems. It will be interesting to see how fast NFR can adopt Anzen's technology.
NFR Network Intrusion Detection. Available: Now. NFR Security, (240) 632-9000; fax (240) 632-0200. www.nfr.com