NetForensics is the most well-rounded of the products we tested, though it doesn't excel in any one area. Its reporting is good, but not stellar. Its interface is functional, but not as crisp as neuSecure's. However, NetForensics did the fewest things wrong, and that was enough to give it our Editor's Choice award.
NetForensics will appeal to a large organization that requires a scalable SIM solution that supports hundreds of devices, and provides a reporting tool for both high-level and granular reporting. Its Web-based interface will give security personnel enough tools to investigate security incidents quickly and efficiently. However, organizations that require a real-time monitoring console will want to investigate solutions from e-Security, GuardedNet and Intellitactics. While robust, netForensics is more of a reporting and investigation tool than a real-time monitoring console.
NetForensics was one of the early players in the SIM game, and it shows. The product's documentation is by far the best, the agent installation process is virtually flawless, and the depth of the devices supported is substantial. NetForensics also scores points for its advanced architecture. On the back end of the system lies an Oracle database, and in the middle tier netForensics uses its own ActiveEnvoy technology -- an XML-over-TCP solution that avoids many of the UDP-based pitfalls of SNMP and syslog. The product also supports the Cisco Secure IDS POP natively, which made our IDS integration efforts a lot easier.
Like neuSecure and Dragon Squire, netForensics has a Web-based front end. Unfortunately, the Web interface is probably the product's weakest point. We weren't thrilled with its design, and the huge number of canned reports is a bit staggering. We found ourselves wondering where to start when it came to reporting. There are dozens of reports from which to choose, buried under a menu of more than 100 options. After a few weeks of use, navigating it becomes easier, but an effort to group things more logically with intuitive names would go a long way to making this easier. We got a peek of version 3.0, which will ship by the time you read this; fortunately, it solves a number of our interface concerns.
This system can archive and purge data on a per-device basis. For example, if you want to archive four months of perimeter firewall logs but purge your internal IDS data every three weeks, you can. You can even do this on a per-device basis, allowing for an extremely granular logging process. Long-term data storage requirements become a bigger issue for large organizations, especially those that are regulated and bound to keeping audit records. Many organizations don't think about this but will have to start to consider it as regulations mandate it.
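To make the per-device archive-versus-purge idea concrete, here is an added Python example (not netForensics code, and not from the original article) that applies retention rules like the ones described to a set of constructed log records, and also flags any rule that would purge data sooner than a mandated retention floor. Device names, day counts and the 30-day fallback rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed per-device retention rules, modelled on the scenario in the text:
# keep about four months of perimeter firewall logs and archive them, but purge
# internal IDS data after three weeks. Device names and day counts are assumptions.
RETENTION_RULES = {
    "fw-perimeter-1": {"keep_days": 120, "action": "archive"},
    "ids-internal-1": {"keep_days": 21, "action": "purge"},
}
# Assumed fallback for devices with no explicit rule: archive after 30 days.
DEFAULT_RULE = {"keep_days": 30, "action": "archive"}


@dataclass(frozen=True)
class LogRecord:
    device: str
    timestamp: datetime
    message: str


def plan_retention(records, rules, now, default=DEFAULT_RULE):
    """Split records into keep / archive / purge sets using each record's device rule."""
    plan = {"keep": [], "archive": [], "purge": []}
    for rec in records:
        rule = rules.get(rec.device, default)
        cutoff = now - timedelta(days=rule["keep_days"])
        if rec.timestamp >= cutoff:
            plan["keep"].append(rec)
        else:
            plan[rule["action"]].append(rec)
    return plan


def purge_violations(rules, floor_days):
    """Return devices whose rule deletes data sooner than a mandated minimum retention.

    Archived records are still retained, so only 'purge' rules can breach the floor.
    """
    return sorted(dev for dev, rule in rules.items()
                  if rule["action"] == "purge" and rule["keep_days"] < floor_days)


# Constructed sample records (not real device output).
SAMPLE_RECORDS = [
    LogRecord("fw-perimeter-1", datetime(2002, 5, 20), "deny tcp 203.0.113.5 -> 192.0.2.10/445"),
    LogRecord("fw-perimeter-1", datetime(2002, 1, 15), "deny tcp 203.0.113.9 -> 192.0.2.11/25"),
    LogRecord("ids-internal-1", datetime(2002, 5, 25), "alert: SMB overflow attempt"),
    LogRecord("ids-internal-1", datetime(2002, 4, 30), "alert: ICMP sweep"),
    LogRecord("web-1", datetime(2002, 4, 1), "GET /index.html 200"),  # no explicit rule
]


def run(now=datetime(2002, 6, 1)):
    """Apply the rules as of `now`; return per-action counts and any floor violations."""
    plan = plan_retention(SAMPLE_RECORDS, RETENTION_RULES, now)
    counts = {action: len(recs) for action, recs in plan.items()}
    return counts, purge_violations(RETENTION_RULES, floor_days=30)


if __name__ == "__main__":
    print(run())
```

The `purge_violations` check is the piece a regulated organization would want to add: it catches a rule that silently deletes audit-relevant records before the mandated period, while archive rules never trip it because the data is still retained somewhere.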
If netForensics continues to improve its interface, expands its real-time monitoring capabilities and builds on its substantial list of supported devices, it may keep ahead of the SIM pack. However, the vendor needs to watch its back: With a few improvements, products from GuardedNet and Intellitactics could quickly take the lead.
netForensics 2.3. netForensics, (732) 393-6000; fax (732) 393-6090; www.netForensics.com; info@netForensics.com
GuardedNet NeuSecure 1.5
NeuSecure is a Linux-, MySQL-, Apache- and Java-based SIM solution. It supports a respectable list of clients and will appeal to organizations that are focused on monitoring and reporting on perimeter routers, firewalls, and IDSs. NeuSecure's combination of real-time capabilities, trouble-ticket tracking and report generation makes it a flexible and cost-effective solution. The only real downsides we saw to the product were the lack of support for custom agents, being restricted to MySQL on the back end, and the product support policies of GuardedNet.
GuardedNet shipped us version 1.5 on a prebuilt system, and we had the unit up and running within minutes. NeuSecure supports a wide range of devices, but only three methods of gathering data: SNMP, syslog and OPSEC. GuardedNet does not support agents, which became a problem with our recently updated Cisco Secure IDS sensor. Because our Cisco IDS deployment was CSPM (Cisco Secure Policy Manager)-based, SNMP was not an option. Without agent support or speaking the Cisco POP natively, neuSecure was one of the few solutions that could not support our Cisco IDS 3.0 deployment. However, we could use syslog and SNMP with our other devices to transport our device data to neuSecure's aggregation engine.
NeuSecure has, by far, the cleanest Web interface of the products we tested. The layout is intuitive, the menus are crisp and the terminology is clear. Unlike netForensics, neuSecure is also useful for both trend reporting and real-time monitoring. Users can monitor real-time threat information by viewing raw event data or consolidated alerts through the use of the event filtering rules. NeuSecure also makes good use of graphical user aids. By performing whois lookups against ARIN, APNIC and other address directories, neuSecure can plot potential attackers on a world map, giving operators another attribute to use when prioritizing investigation efforts. We found the functionality, while crude, to be quite useful. For example, when a set of vectors appeared from China on our real-time console, it immediately caught our attention, whereas the IP address range of 211.22.0.0 would not have.
Another differentiating feature of neuSecure is the built-in trouble-ticketing system. Operators can take the data from any given alert event and immediately use it to open a ticket item. This provides for a centralized point from which to conduct further investigations. This functionality is a no-brainer for security-operations personnel, and we wouldn't be surprised to see other SIM vendors follow suit.
Our two biggest concerns with neuSecure revolve around scalability and GuardedNet's operational practices. While a number of basic performance tests have been published on the use of MySQL, little has been done publicly to test the database's performance with massive record numbers. Adopters of SIM technology who plan to populate their tables with millions of records should make sure MySQL can perform well under such conditions.
Our other concern has little to do with the product and more to do with GuardedNet's procedures. During our testing, the company made clear to us that it doesn't grant access to the machines it deploys at customers' sites. Imagine this worst-case scenario: The vendor deploys a unit that's somehow vulnerable to a worm. The unit then gets contaminated and can't be patched, then it starts to attack your network. And you can't do anything about it. Needless to say, this didn't sit well with us. This policy is behind the times, especially for a company selling to the security community. Any time a vendor places a unit on a customer's network, it adds a point of liability. Unless GuardedNet plans on being in the business of rapid patch deployment and system support, we think this is a foolish practice. However, if neuSecure continues to evolve and proves to be scalable in extremely large environments, it will continue to be a product to watch.
NeuSecure 1.5, includes Central Management System, 25 monitored network devices and one Event Aggregation Module. GuardedNet, (404) 442-9909; www.guarded.net; info@guarded.net
Intellitactics Network Security Manager 3.3
NSM offers some of the standard trend-based reporting functionality found in products like netForensics, but its configuration and real-time monitoring components use a unique, Java-based visualization tool that provides for some interesting data-representation possibilities. It's definitely designed to be enterprise-class, and starting with an MSRP of $60,000 for the central server alone, it had better be.
The product is offered in both Sun Microsystems Solaris and Microsoft Windows versions; however, we opted to deploy NSM on a Windows 2000 server running Microsoft SQL Server 7 simply because we have an abundance of Intel hardware. NSM also supports Oracle, which extends some flexibility to corporations when it comes to database and OS platform decisions. The installation process wasn't simple, but the documentation was accurate for getting the main components (the back-end database and front-end console) up and running. Configuring our endpoint devices (such as firewalls and IDSs) was a bit trickier.
NSM uses a combination of Web-based interfaces and Java-based consoles for user interaction. The Web interface is used for reporting, while the Java-based console applets are used primarily for configuration tasks. Bringing endpoint devices into the NSM fold involves two fundamental steps: configuring the device and deploying any necessary agents, and setting up NSM through the rules-configuration tool. We chose to use syslog as our lowest common denominator, which let us tie in our firewall and IDS devices easily. NSM also supports a staggering number of endpoint devices -- the largest set of any product we tested (see the features chart).
NSM's main console is a bit awkward and a little too retro for our liking. Memories of Commodore 64s, Geos, big hair and Camaros were conjured when we tried to negotiate the monster-sized icons of obscure pictures. NSM also uses its visualization tools for configuration tasks. The visualization tool attempts to give the user a "fly through" feel when navigating menus and submenus.
We found using this interface for basic configuration tasks to be a bit annoying. Maybe we're just too old-fashioned, but we'd rather use a simple "debug on" text box than be forced to drag and drop arrows to connect icons.
Once you get past the '80s motif and configuration tasks, the visualization interface does open the door to some impressive real-time monitoring experiences. For example, using its asset-classification process to identify critical systems, NSM can dynamically identify, plot and rate events and attacks against critical systems -- through graphical means. Users will see attacking systems and graphical depictions of the alerts generated by those attacks.
Such functionality can let operators determine which events warrant further investigation; if an icon representing a single IP address is graphically depicted as attacking critical machines, that's probably going to get your attention. NSM is the only product we tested that has graphical functionality at this level.
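An added Python example (not Intellitactics code, and not from the original article) of the asset-classification idea described above: each event is weighted by the criticality of the host it targets, so a source hitting critical systems ranks above one that fires a higher-severity signature against a lab box. The inventory, the 1-to-5 criticality scale, the default for unknown hosts and the events themselves are all constructed.

```python
from collections import defaultdict

# Constructed asset inventory from the classification step: destination -> (name, criticality).
# Criticality 1..5 is an assumed scale; 4 and above counts as "critical" here.
ASSETS = {
    "192.0.2.10": ("db-payroll", 5),
    "192.0.2.11": ("web-intranet", 4),
    "192.0.2.50": ("lab-box", 1),
}
DEFAULT_CRITICALITY = 2   # assumed value for hosts not in the inventory
CRITICAL_FLOOR = 4

# Constructed, already-normalized events from IDS/firewall feeds.
EVENTS = [
    {"src": "10.9.9.9", "dst": "192.0.2.10", "signature": "SMB overflow attempt", "severity": 3},
    {"src": "10.9.9.9", "dst": "192.0.2.11", "signature": "HTTP directory traversal", "severity": 2},
    {"src": "10.8.8.8", "dst": "192.0.2.50", "signature": "RPC bind probe", "severity": 5},
    {"src": "10.8.8.8", "dst": "198.51.100.7", "signature": "ICMP sweep", "severity": 3},
]


def rate_event(event, assets=ASSETS):
    """Attach the target's asset name and criticality; score = severity * criticality."""
    name, crit = assets.get(event["dst"], ("unknown-host", DEFAULT_CRITICALITY))
    return {**event, "asset": name, "criticality": crit, "score": event["severity"] * crit}


def rank_sources(events, assets=ASSETS):
    """Aggregate rated events per source and order sources by total score."""
    totals = defaultdict(lambda: {"score": 0, "events": 0, "critical_targets": set()})
    for e in events:
        r = rate_event(e, assets)
        t = totals[r["src"]]
        t["score"] += r["score"]
        t["events"] += 1
        if r["criticality"] >= CRITICAL_FLOOR:
            t["critical_targets"].add(r["asset"])
    ranked = [
        {"src": src, "score": v["score"], "events": v["events"],
         "critical_targets": sorted(v["critical_targets"])}
        for src, v in totals.items()
    ]
    return sorted(ranked, key=lambda r: (-r["score"], r["src"]))


def needs_investigation(ranked, min_critical_targets=1):
    """Sources that touched at least one critical asset, in priority order."""
    return [r["src"] for r in ranked if len(r["critical_targets"]) >= min_critical_targets]


if __name__ == "__main__":
    for row in rank_sources(EVENTS):
        print(row)
```

Note that 10.8.8.8 produces the single highest-severity signature in the sample but ends up second, because the asset weighting pulls the payroll database and intranet server to the top; that is the prioritization the graphical view is meant to convey at a glance.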
With NSM, Intellitactics has targeted the NOC (network operations center) operator more than the hard-core security professional. Its designers obviously spent a lot of time working on the product's graphical interface, but they neglected some behind-the-scenes features, such as speaking Cisco's POP natively.
However, we found that with some digging, NSM could produce as much detailed data as the other SIM solutions we tested. If Intellitactics can streamline some of the product's configuration tasks, improve and centralize the user interfaces, polish some of the agent issues, and make sure NSM continues to be scalable, the company will secure its position as one of the strongest SIM solution providers.
Network Security Manager 3.3. Intellitactics, (888) 495-4355, (519) 743-0144; fax (519) 743-9558; www.itactics.com; sales@itactics.com
e-Security e-Sentinel 3.1
E-Security's e-Sentinel is another SIM solution that offers both reporting and real-time monitoring functionality, though its strengths are more on the real-time side. E-Sentinel is an interesting combination of Solaris-based back-end and front-end components with a Windows-centric aggregation model. Like netForensics, e-Sentinel has an Oracle-based back end that serves as the main data store. However, the front-end components are X Windows- and Win32-based. We found the solution functional and parts of it intriguing, but we got the sense that e-Sentinel is simply a bunch of standalone programs bundled as a SIM solution.
We deployed e-Sentinel on one of our Solaris machines and placed the e-Wizard application (part of the aggregation component) on an Intel-based machine running Windows NT Server 4. E-Sentinel relies almost exclusively on SNMP for receiving data. Tying our Cisco PIX into the solution was painless, though we did run into the same problems with our Cisco Secure IDS that we encountered with NSM: e-Sentinel wasn't equipped to handle version 3.0 of Cisco's product, either.
The front end of e-Sentinel is a hodgepodge of X Windows applications, each serving a slightly different purpose. Some are for monitoring; some are for creating rules; others are for creating various views of incoming data. E-Sentinel lets administrators plot devices as icons on a virtual canvas. While some admins may enjoy this kind of flexibility, we found ourselves simply wanting an alert console without striving for a Hewlett-Packard OpenView-style interface. Fortunately, e-Sentinel has a separate application that simply pops text-based alerts onto the screen. We used this view for most of our testing.
The one area where e-Sentinel is ahead of the pack is with the customization of device agents using the included Win32 GUI-based e-Wizard. E-Wizard sports a slick interface and scripting language that lets operators build their own rules for handling incoming device data. Operators can customize what events are dropped, prioritize events and even send event data to multiple destinations. While e-Sentinel natively supported all the device types we were testing (outside of the Cisco Secure IDS), we can certainly see how e-Wizard could be helpful at rapidly creating and customizing new agents.
In the end, we were impressed with e-Wizard and the potential of the e-Sentinel product. But we quickly grew weary of digging through numerous tools, interfaces and add-ons to accomplish what we considered to be basic tasks. In short, the infrastructure is there, but the body needs an overhaul.
e-Sentinel 3.1, with e-Wizard 3.1, starter package includes 20 devices to be monitored. e-Security, (800) 474-9191, (321) 394-2600; fax (321) 394-2620; www.esecurityinc.com; info@esecurityinc.com
Enterasys Networks Dragon Squire
Most people know Enterasys' Dragon line for its high-speed, robust intrusion-detection capabilities. While the distinction is well-earned, Enterasys is beginning to dabble in the aggregation and correlation space by supporting agents for firewalls, Web servers, vulnerability-assessment scanners and other devices. Out of all the IDS vendors, Enterasys is arguably the farthest down this path, but the product is still more of an IDS solution than a SIM tool. If you're an existing Dragon customer, building out your current IDS solution to manage some of your correlation needs might make sense. However, Dragon is not the route to pursue for those seeking an enterprise-class SIM solution.
Dragon relies on its Dragon Squire host agents to parse incoming data. It then sends this data to aggregation points using a proprietary transport mechanism. While the solution is proprietary, the model is quite scalable. Dragon allows for multiple tiers of aggregation, all feeding back into one or more storage facilities using encrypted transport tunnels. In fact, if Enterasys is smart, it might consider using Dragon's model to tie communications paths together for all its products.
Dragon relies on its IDS signature engine to correlate attack data, but this heritage is Dragon's blessing and its curse. It's a blessing because Dragon handles IDS data well, and signatures are nothing new. The curse is that Dragon is not built to manage alerts and general log data pouring in from hundreds of non-IDS devices, and it has no capability to normalize data and run non-IDS specific reports.
Dragon is tied to having IDS signatures for performing correlation activities, and it lacks a real correlation engine. The aggregation tier is there, but until Enterasys builds in the ability to normalize incoming data, it will be a step behind the SIM pure-plays.
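To show what the missing normalization and correlation layers amount to, here is an added Python example (not Enterasys code, and not from the original article) that parses two unrelated feeds, a PIX-style firewall deny and a generic key=value IDS alert, into one common event schema and then runs two cross-device rules over the result. The sample lines, the IDS message format and the rule thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real device output): PIX-style deny messages and a
# generic key=value IDS alert, both as they might arrive over syslog.
SAMPLE_LINES = [
    'Jun  1 10:00:01 pix-1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4411 dst inside:192.0.2.10/445 by access-group "outside_in"',
    'Jun  1 10:00:02 pix-1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4412 dst inside:192.0.2.11/445 by access-group "outside_in"',
    'Jun  1 10:00:03 pix-1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4413 dst inside:192.0.2.12/445 by access-group "outside_in"',
    'Jun  1 10:00:05 ids-1 alert: sig="SMB overflow attempt" src=203.0.113.5 dst=192.0.2.10 dport=445 sev=3',
    'Jun  1 10:30:00 ids-1 alert: sig="ICMP ping sweep" src=198.51.100.9 dst=192.0.2.30 dport=0 sev=1',
]

SYSLOG_RE = re.compile(r'^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$')
PIX_DENY_RE = re.compile(r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
IDS_RE = re.compile(r'alert: sig="(?P<sig>[^"]+)" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) sev=(?P<sev>\d)')


def normalize(line, year=2002):
    """Map one raw syslog line onto the common schema, or return None if unrecognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "device": m["host"]}
    d = PIX_DENY_RE.search(m["body"])
    if d:
        event.update(kind="fw_deny", src=d["src"], dst=d["dst"], dport=int(d["dport"]),
                     severity=1, signature="acl-deny")
        return event
    i = IDS_RE.search(m["body"])
    if i:
        event.update(kind="ids_alert", src=i["src"], dst=i["dst"], dport=int(i["dport"]),
                     severity=int(i["sev"]), signature=i["sig"])
        return event
    return None


def correlate(events, fanout_threshold=3, window_seconds=60):
    """Two simple cross-device rules over normalized events (thresholds are assumed)."""
    findings = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        denies = [e for e in evs if e["kind"] == "fw_deny"]
        # Rule 1: fan-out - one source denied against N distinct hosts inside the window.
        for i, first in enumerate(denies):
            targets = {e["dst"] for e in denies[i:]
                       if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(targets) >= fanout_threshold:
                findings.append({"rule": "fanout", "src": src, "targets": sorted(targets)})
                break
        # Rule 2: the firewall denied this source against a host the IDS later alerted on.
        denied_hosts = {e["dst"] for e in denies}
        for e in evs:
            if e["kind"] == "ids_alert" and e["dst"] in denied_hosts:
                findings.append({"rule": "deny_then_alert", "src": src,
                                 "dst": e["dst"], "signature": e["signature"]})
    return findings


def run(lines=SAMPLE_LINES):
    """Normalize the raw lines and return (events, findings)."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    for finding in run()[1]:
        print(finding)
```

Neither rule could be written against raw signatures alone: the fan-out rule needs the firewall's denies and the IDS's alerts to share the same `src`/`dst` fields, and the second rule only exists because two different device types were mapped into one schema first. That mapping step is what the text says Dragon's aggregation tier still lacks.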
Dragon Squire. Enterasys Networks, (603) 332-9400. www.enterasys.com/ids
IBM Tivoli Risk Manager 3.8
We tested IBM Tivoli Risk Manager 3.8 on a Windows NT 4-based system. Tivoli has two SIM offerings: Risk Manager, which runs on top of the Tivoli network-management framework, and Intrusion Manager, which is a standalone product. We were told that Risk Manager is the more functional of the two, so we opted to go that route. We found that Risk Manager, while painful, is a scalable method of getting all your logs under one roof if you're an existing Tivoli customer. But if you're looking for an enterprise-class, standalone correlation tool, Risk Manager isn't there yet.
IBM was kind enough to ship us Tivoli's rapid-deployment CDs, which greatly streamline the framework-deployment process. While the CDs are primarily used for getting evaluation and pilot efforts off the ground, we estimate that they saved us at least a week's worth of work, guiding us around the complexities of database integration, framework installation and the myriad other challenges one faces in integrating Tivoli, DB2 and Intrusion Manager components. Even with the rapid-deployment CDs we faced time-consuming problems getting our devices to feed data back into Risk Manager.
The Tivoli support staff was extremely helpful in addressing all our questions, and after we struggled through some painful device integration issues, we were able to take the Java-based interface for a test drive. We're concerned that, like those at Intellitactics, Tivoli's developers spent a few too many days in parachute pants, watching Menudo; the management and configuration interfaces are clunky. However, they do provide a centralized view of all the alert data coming into the system, as well as multiple ways to sort it. Unfortunately, that's all the product does.
To our disappointment, Risk Manager does not possess native correlation capabilities. It's very effective at presenting security alerts in a clear and concise manner, and one could use its infrastructure and DB2 back-end to develop correlation tools, but right now it's essentially an enterprise-class aggregator and little more.
IBM Tivoli Risk Manager 3.8, includes a centralized management system, 20 managed devices and an IBM DB2 database. IBM Corp., (877) TIVOLI1, (512) 436-8000. www.tivoli.com
Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Please send your comments on this article to him at gshipley@neohapsis.com.