August 20, 2001
By Greg Shipley and Patrick Mueller
CyberSafe Corp. Centrax 2.4
CyberSafe's Centrax is a mature HIDS product with a grossly immature NIDS engine. If you're looking for an AIX, HP-UX, Solaris and Windows host-based solution -- and nothing more -- Centrax might be a good option. On the network side, however, Centrax is way behind the competition. The signature coverage is the thinnest of the bunch, and the engine itself leaves much to be desired. Not surprisingly, Centrax didn't make it on the Bruisernet -- it didn't support a dual-NIC configuration, which was required for the IDSnet architecture.
CyberSafe is aware of the NIDS shortcomings of its product and teamed up with Network ICE to offer a new hybrid product: Centrax ICE. Using the much superior BlackICE engine and the Centrax console, the best-of-breed solution is definitely a step in the right direction. Unfortunately, by the time we had the product in our hands it was too late to test Centrax ICE on the Bruisernet. We did have a look at it in the lab, though, and it appeared to work OK. Whether Centrax ICE will survive now that ISS has acquired Network ICE remains to be seen. If it does, Centrax will become an even more interesting option.
Computer Associates' eTrust is an interesting product in that it's part content-monitoring system, part intrusion-detection device. Once you've navigated the dizzying array of security products offered by CA and decided to pursue eTrust, get ready to have your head spun around once again as you attempt to license it. Depending on which version of eTrust you have, you'll need to run a different licensing application -- and it's not as simple as typing in a license number.
Depending on your organization's security policy, the first thing you'll want to do is turn off the SMTP, POP3 and IMAP logging, which are on by default. If you don't, you'll soon find full copies of your users' incoming and outgoing e-mail messages in front of you. While powerful, this feature is invasive and may violate your company's privacy policy -- or your state's privacy laws (see "Monitoring and Privacy: Is Your Head Still in the Sand?").
Scalability is a weak point of eTrust. Tech support provided the following rule-of-thumb numbers for scoping your sensors: 2,000 active hosts and 5,000 concurrent sessions are the maximum for a single sensor. Tech support is quick and thorough with configuration recommendations that will help you get your eTrust sensor running at a reasonable level and not choking on a busy network link.
Wondering how URL blocking works in a product that doesn't integrate with your HTTP proxy or your firewall? So were we. It turns out that eTrust spoofs four reset packets, which appear to be from the remote Web server, to the local client. We found this clever, but kludgy.
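The blocking mechanism described above, a burst of spoofed resets that claim to come from the remote Web server, leaves traces a sensor or packet capture can pick up. The following Python is an added illustration written for this article's reader, not code from the article or from eTrust: it runs two simple heuristics over constructed flow records (a TTL on the RSTs that differs from the same endpoint's earlier packets, and several RSTs for one flow inside a short window). The record layout, the field names and the thresholds are assumptions made for the example.

```python
"""Detect likely forged TCP RST injection from simplified flow records.

Added illustration, not code from the article or from eTrust. The record
layout (ts, src, dst, sport, dport, flags, ttl, seq) and the two
heuristics are assumptions made for this example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# One packet record: (timestamp, src ip, dst ip, sport, dport, tcp flags, ip ttl, seq)
Packet = Tuple[float, str, str, int, int, str, int, int]

# Constructed sample traffic. Flow 1: an HTTP session torn down by four resets
# that claim to be from the Web server but carry a different TTL than the
# server's real SYN/ACK (a middlebox near the client forged them). Flow 2: a
# genuine single RST from a server whose port is closed, which must not alert.
SAMPLE_PACKETS: List[Packet] = [
    (0.000, "10.0.0.5", "203.0.113.10", 40001, 80, "S", 64, 1000),
    (0.020, "203.0.113.10", "10.0.0.5", 80, 40001, "SA", 54, 5000),
    (0.021, "10.0.0.5", "203.0.113.10", 40001, 80, "A", 64, 1001),
    (0.022, "10.0.0.5", "203.0.113.10", 40001, 80, "PA", 64, 1001),
    (0.023, "203.0.113.10", "10.0.0.5", 80, 40001, "R", 62, 5001),
    (0.024, "203.0.113.10", "10.0.0.5", 80, 40001, "R", 62, 5002),
    (0.025, "203.0.113.10", "10.0.0.5", 80, 40001, "R", 62, 5003),
    (0.026, "203.0.113.10", "10.0.0.5", 80, 40001, "R", 62, 5004),
    (1.000, "10.0.0.5", "203.0.113.20", 40002, 8080, "S", 64, 2000),
    (1.030, "203.0.113.20", "10.0.0.5", 8080, 40002, "RA", 54, 0),
]

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def flow_key(src: str, dst: str, sport: int, dport: int) -> FlowKey:
    """Direction-independent key so both halves of a session share one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def find_injected_resets(packets: List[Packet], window: float = 0.5,
                         min_burst: int = 2) -> List[Dict]:
    """Return one finding per (flow, claimed sender) whose RSTs look forged.

    Heuristic 1: the RST's IP TTL differs from the TTL of the first non-RST
    packet the same endpoint sent on this flow (a forger closer to the client
    than the real server usually cannot match the server's hop count).
    Heuristic 2: min_burst or more RSTs for the flow within `window` seconds
    of the first one; a real stack normally answers with a single reset.
    """
    baseline_ttl: Dict[Tuple[FlowKey, Endpoint], int] = {}
    rsts: Dict[Tuple[FlowKey, Endpoint], List[Tuple[float, int, int]]] = defaultdict(list)

    for ts, src, dst, sport, dport, flags, ttl, seq in sorted(packets):
        key = (flow_key(src, dst, sport, dport), (src, sport))
        if "R" in flags:
            rsts[key].append((ts, ttl, seq))
        else:
            baseline_ttl.setdefault(key, ttl)  # first non-RST packet sets the baseline

    findings: List[Dict] = []
    for key, events in rsts.items():
        reasons: List[str] = []
        base = baseline_ttl.get(key)
        mismatched = [e for e in events if base is not None and e[1] != base]
        if mismatched:
            reasons.append(f"ttl {mismatched[0][1]} != baseline {base}")
        first_ts = events[0][0]
        burst = [e for e in events if e[0] - first_ts <= window]
        if len(burst) >= min_burst:
            reasons.append(f"{len(burst)} RSTs within {window}s")
        if reasons:
            findings.append({
                "flow": key[0],
                "claimed_sender": key[1],
                "rst_count": len(events),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_injected_resets(SAMPLE_PACKETS):
        print(finding)
```

Both signals are heuristics: the TTL of a real peer can change after a routing change, and some stacks do emit more than one reset when packets keep arriving for a closed connection, so in practice you tune `window` and `min_burst` against your own traffic and treat a hit as a lead to correlate with the sensor's own blocking log rather than as proof of forgery.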
While we can see how some of eTrust's features might be useful, eTrust is not an enterprise-class IDS. In fact, it didn't survive on the Bruisernet for more than a few minutes. Your mileage may vary.
Greg Shipley and Patrick Mueller work for Chicago-based security consultancy Neohapsis. Send your comments on this article to them at gshipley@neohapsis.com and pmueller@neohapsis.com. Greg and Patrick would like to thank DePaul University's John Kristoff, who made this article possible.