There was a lot of buzz a few months back about Intrusion.com's announcement of gigabit speed. Putting aside harsh claims that the testing methodology was severely flawed, we notice that one relevant issue was never addressed: completeness of signatures. SecureNet Pro, a relative newcomer in the NIDS space, is an intriguing product, but its lack of maturity on the management and signature front knocks it a few steps back from the competition.
SecureNet came to us as a pair of appliances, one management unit and one sensor unit. Built on a standard Linux platform that uses X Window, SecureNet Pro will make Unix admins feel at home. However, those same admins will most likely find themselves in our shoes if their network is a busy one: SecureNet Pro's console works well for a few alerts but goes downhill from there. Enabling or disabling "modules" (signatures) is also taxing. If your network is anything like DePaul's, you'll realize this soon enough since a relatively high number of sigs cause false positives in the console.
We also had problems in getting the sensors and console to communicate. Reducing the encryption quality of the sensor/console communications to "exportable" helped solve the problem. Depending on how paranoid you are about someone sniffing this traffic, you may want to turn the encryption level back up to a more secure setting once (if?) the issue is resolved.
SecureNet Pro also misses the mark on what may be the most critical issues for a NIDS: signature coverage and signature quality. Coverage is slim for a pure-play NIDS solution, causing SecureNet Pro to miss most of our attacks (including older exploits). Intrusion.com will need to invest some energy creating and testing new sigs before it can compete with the best in the field.
On a more positive note, one of SecureNet Pro's strong points is that it handled network outages better than most of its counterparts. Even with three-minute outages between the sensor and the console, the product would resynchronize communications, launching a pop-up window informing us that the outage had occurred. If Intrusion.com can beef up the product's signature set, it might be an ideal product for targeted deployments. The console/management shortcomings will be a bigger hurdle to jump, however.
SecureNet Pro 3.2. Available: Now. Intrusion.com, (972) 234-6400; fax (972) 234-1467. www.intrusion.com
Symantec Corp. NetProwler 3.5
Symantec offers a seemingly integrated HIDS and NIDS solution. While there appear to be a few improvements in the HIDS offering, Intruder Alert, NetProwler doesn't seem to have changed a lot since we last reviewed it. There's a new and improved console, some signatures have been updated and the product appears to be a bit more stable, but it still has some serious shortcomings in monitoring larger networks. For starters, we were never able to get NetProwler up and monitoring DePaul's entire network. Per Symantec's recommendations, we could monitor only one Class C network (10.10.1.x) out of our entire Class B (10.10.x.y) network. Bruisernet 1, NetProwler 0.
One way to increase the performance of the network agent is the "profiling" option, which will port-scan all hosts in the network and create a database of the available services. The engine can then cut down on the number of packets it needs to process. For example, FTP attacks against a Web server are ignored. While this is a neat feature, it's going to be applicable to a limited number of environments. Ours wasn't one of them. Not only did we have 10,000 or so active hosts, but port-scanning is way too invasive.
Although NetProwler dropped most of the traffic that the others were forced to watch, it missed a number of important attacks. Two of the more critical ones were the IIS unicode and RDS (Remote Data Services) attacks. False positives were also a major issue. Not concerned about "HTTP Session Splicing" attacks? Neither were we.
On the management front we preferred limited interaction with the sensors and performed most tasks through the central console. However, we found ourselves checking a few useful pieces of data available on the sensor GUI, namely dropped packets and TCP session statistics. NetProwler has some neat tools and might be useful for environments that it can survive in. The combination of NetProwler and Intruder Alert can give organizations a more unified IDS model. However, we recommend that you investigate Intruder Alert and make sure your network is NetProwler friendly first. The Bruisernet ate NetProwler for lunch.
NetProwler 3.5. Available: Now. Symantec Corp., (408) 253-9600; fax (408) 253-3968. www.symantec.com