Security in Spades

Windows NT security tools abound in today's market. To gain market share, one strategy that large firms pursue is to develop suites of security tools. For example, Internet Security Systems (ISS), Network Associates Incorporated (NAI), AXENT Technologies, and Cisco Systems each produce a suite of information-protection tools for the enterprise, and each vendor offers a distinct line of products that contain unique tools.

Internet Security Systems
ISS offers a suite of tools called SAFEsuite. SAFEsuite includes ISS's Internet Scanner (IS), System Scanner (S2), Database Scanner, RealSecure, and SAFEsuite Decisions (SD) products.

IS. IS detects vulnerabilities from a network perspective. The latest version, IS 5.8, performs a large number of vulnerability tests on network devices. IS includes three basic modules: The first scans your intranet, the second examines your firewalls, and the third inspects your Web servers. A significant benefit of using IS is that the software can probe numerous types of devices, including Windows NT, Windows 9x, and UNIX systems, as well as routers and various Web server platforms. This capability makes the product useful in a mixed OS environment. IS runs on both NT and UNIX systems and has a great reporting interface.

IS was easy to install and use. The installation required a path and folder name, and I had to supply a demo license key for the product to work correctly. Testing a large network takes a while, and some tests that the scanner performs can render a server unable to communicate. Make sure that you run these types of tests after hours so the tests don't affect the company's workflow.

Scanning my test network took about an hour and a half and entailed checks of two NT Server 4.0 systems, one NT Workstation 4.0 system, one Linux server, and one Win95 workstation. The scanner lets you adjust various properties that affect performance. For instance, you can configure the number of worker threads with a higher value, which helps the scanner perform more tasks simultaneously.

After the scan completed, the test results adequately revealed each machine's vulnerabilities in an easy-to-read layout. IS's reports are concise and to the point, and the information is very accessible. The two report styles I like best are the executive and technical styles. The executive summary omits technical material and presents the company's security status in layman's terms. The technical reports are suited for the people charged with managing configurations and provide details about how to remedy your system's vulnerabilities. For more information about IS, see "Internet Scanner 5.2," October 1998.

S2. S2 is similar to IS except that it works at the machine level and looks into the security of a system from a local perspective. This perspective lets the product detect security risks not visible to a network-based vulnerability scan. S2 works by installing an agent on each machine it scans. A centralized console communicates with each installed module to report on the vulnerabilities found in the system. S2 runs on NT, Win9x, and UNIX systems, and the installation process is basically the same as IS's installation process. When S2 scans UNIX systems, it can automatically generate scripts to fix a wide range of security problems. This capability saves administrators from spending a significant amount of time correcting security oversights. Another benefit of S2 is that after you secure a system, S2 can generate a digital fingerprint for the system. This fingerprint makes unauthorized tampering easier to detect.

S2 comes in a server version for NT, Win9x, and UNIX, and a limited desktop version for NT and Win9x. Using the product was as easy as using IS, and I found S2's reports to be first-rate.
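The "digital fingerprint" that S2 generates after a system is secured is, in essence, a baseline of file hashes that a later snapshot is checked against. The following added example (my own code, not ISS's) shows that idea: baseline a directory tree, simulate tampering, and report what changed. The file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not ISS code): a minimal "system fingerprint" in the spirit
# of S2's tamper-detection feature. Take a baseline of file hashes once a
# system is secured, then compare a later snapshot against that baseline.


def fingerprint(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks; only hash real file contents.
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Classify differences between a baseline fingerprint and a new one."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys if baseline[k] != current[k]
        ),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF-placeholder-binary")

        baseline = fingerprint(root)

        # Simulated tampering: a binary is replaced, an unexpected file
        # appears, and a configuration file disappears.
        (root / "bin" / "login").write_bytes(b"\x7fELF-replaced-binary")
        (root / "etc" / "shadow.bak").write_text("constructed sample\n")
        (root / "etc" / "hosts").unlink()

        return compare(baseline, fingerprint(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline off the monitored host (or sign it); an intruder who can rewrite the files can otherwise rewrite the fingerprint too.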

Database Scanner. This product scans Microsoft SQL Server and Sybase computers for vulnerabilities such as weak passwords, dangerous embedded procedures, Y2K noncompliance, and Trojan horses. Version 3.0, which includes Oracle server support, will be available by the time you read this article. Database Scanner has a look and feel that is similar to IS and S2 and produces similar reports that include details about how to remedy existing security problems. ISS is the only company that I know of that produces this type of tool.

RealSecure. This security product is one of my favorites for pure NT networks. ISS calls the product a network- and host-based intrusion-detection and response system. The product acts as a network sentry that watches network traffic and system logs from computers on the network. RealSecure detects and responds to suspicious activity and can shut down connections that are performing suspicious actions. For example, if you don't permit the use of Telnet on your network, RealSecure can enforce that policy with a simple rule definition. The rule can watch for Telnet traffic and, when detected, force that session to reset, which effectively breaks the Telnet connection. Adding to the usefulness of this product is its ability to record sessions in a log. The session logs can record everything that happens during a session, and you can play back those recorded sessions for analysis or for use in prosecuting an intruder. RealSecure can also reconfigure Check Point's popular Firewall-1 on the fly in response to attacks.

Installing RealSecure is a bit more complex than installing ISS's other products. RealSecure has three basic components: a system agent, a network engine, and a management console. The product also has an HP OpenView snap-in, but I didn't use that component during my tests. The system agent and the network engine look for signs of intrusion. The system agent watches system log files, and the network engine watches all the network traffic on one network segment. The management console provides the console interface for RealSecure and manages the network engines and system agents. To have RealSecure monitor several segments, you must install a network agent on each of the segments. Installing the console portion required only a path and a folder name, and my choice of encryption products to authenticate and ensure secure communication between the components. To install the network engine, I had to provide the same types of information.

I tested RealSecure on a small single-segment network by installing one network agent and two system agents. Using the RealSecure policy editor, I configured RealSecure to recognize a series of predefined attack signatures, track all access to a specific Web server on my test network, and not permit Telnet sessions on the network segment. I found that RealSecure stopped Telnet sessions cold and accurately tracked every Web page access for my test server. The product is flexible and integrates well into the network. For more information about RealSecure, see "RealSecure 1.0 for Windows NT," October 1997.

SD. SD is a security support application that lets you tie in data from various sources, such as RealSecure engines. This capability lets you compare all the data from a much broader perspective to produce useful consolidated or correlated security reports.

Internet Security Systems
678-443-6000
http://www.iss.net

Internet Scanner
Price: $2795 for a 30-device license
System Requirements: Windows NT 4.0 with Service Pack 3 or later, 64MB of RAM, 90MB of hard disk space

System Scanner
Price: $695 for a single-server license
System Requirements: 90MHz Pentium processor or better, NT 4.0, 64MB of RAM, 25MB of hard disk space

RealSecure
Price: $8995 per network engine; $750 per system agent
System Requirements: 300MHz Pentium II processor or better, NT 4.0 with Service Pack 4 or later, 128MB of RAM, 10MB of hard disk space

AXENT Technologies
AXENT offers a long list of security tools compared with the other vendors in this market. I counted 14 products, including Enterprise Security Manager (ESM), NetRecon, NetProwler, Intruder Alert, Raptor Firewall, RaptorMobile, Enterprise Resource Manager (ERM), Resource Manager for UNIX, Privilege Manager for UNIX, WebDefender, Defender, PCShield, PowerVPN, and Security Briefcase.

ESM 5.0. ESM is an enterprise-enabled security management system that not only scans for vulnerabilities but also lets users define their security policies within the software instead of in the typical paper-based policies. The product uses a client/server architecture that employs managers and agents. You load ESM agents on the devices that you want ESM to security-scan. The agents perform the scan according to instructions from a manager, then communicate their data back to the manager. You can use a centralized interface to monitor managers and agents. ESM doesn't support Intel-based UNIX and Win9x systems. This shortcoming is serious for many networks, especially with the widespread use of Linux. ESM supports NT and is well suited for scanning platforms such as UNIX and Novell NetWare. These capabilities make the product a good choice for cross-platform environments. However, unlike ISS's IS and S2, ESM provides little information about how to manually correct any vulnerabilities that it finds, although the product does provide a limited amount of automated problem correction. If you plan to use this tool, make sure you know how to correct security vulnerabilities on your OS.

Installing ESM is an involved process because you must load an agent on each machine you want ESM to monitor. I found that I could install the agents remotely if the management software and target machine were running on the same platform. I used all NT systems during my tests, so this feature worked well for me. I also found that I could schedule scans at regular intervals. In some cases (i.e., with appropriate user rights at the ESM console), I could instruct ESM to correct policy violations on remote systems. For example, ESM detected and corrected file attribute problems on several of my test network's NT systems. However, these file and directory corrections are the extent of ESM's automated correction abilities for NT systems. You have to manually correct other NT system problems.

NetRecon 2.0. This AXENT product is a network-based security scanner that performs perimeter and internal network vulnerability checks. The product runs on NT and can probe NT, Win9x, Windows 3.1, NetWare, and UNIX OSs, as well as routers, gateways, and firewalls. You can import NetRecon reports into the ESM package for analysis. To update NetRecon, you can download new vulnerability-checking modules.

Installation and use of NetRecon was straightforward. I had to provide only path and folder names, and the setup program copied the necessary files onto the system. Licensed versions require that you enter license information the first time you run the product. Scanning my test network revealed accurate results, and the scan for a test network of four NT systems and one router completed in less than an hour. The interface uses treeview controls and is easy to understand and navigate. NetRecon uses HTML format for reports, which gives you significant control over what information you include in a report. In general, reports offer information regarding the detected vulnerabilities, and a link to a description of the problem and a solution.

NetProwler 3.0. This product is a network defense system that watches network traffic, identifies attacks and unauthorized use, logs sessions, and produces reports about network activity. Two of the product's helpful features are its ability to define custom attack signatures and its ability to deploy the new signatures in real time. Another important feature is the conversations mode, in which NetProwler decodes network sessions in real time. This feature let me see the traffic that NetProwler was watching.

Installing the product was simple, but using it was slightly more difficult than I expected. The user interface (UI) was confusing at first, but I soon got the hang of it. After configuring NetProwler, I tried some attacks on my test network. My first test was to simply ping-scan an IP address range. NetProwler noticed this scan instantly even though I was performing it very slowly. I had to adjust the software so it would ignore this type of pinging action because one of my network monitors performs ping scans to determine whether systems are listening on the internal network. Otherwise, NetProwler would consistently detect this harmless scan and treat it as a serious security violation. Other attacks I ran included various Denial of Service (DoS) attacks, such as SYN flooding and packet flooding an NT system. NetProwler detected and alerted me to all of these attacks quickly and accurately.

Intruder Alert 3.0. This product is similar to NetProwler but works at the host level instead of the network level. Intruder Alert can perform spot checks on network traffic, which adds to its detection capabilities. You can integrate the product into Tivoli, BMC Patrol, and OpenView.

Intruder Alert consists of three components: a UI, a manager, and agents. You install agents on each remote host you intend to monitor and use the UI and manager to configure rules for the installed agents. After I installed agents on my NT systems, I registered those agents with the manager. I found that I could arrange the registered agents into groups of logical domains, which helped me organize the systems for easier management. With the agents registered, I configured the agents with the product's built-in rulesets; however, I found that I could define custom rules if I needed to. Overall, I found that Intruder Alert worked well and is well suited for cross-platform environments.

PCShield. I reviewed PCShield in January. In this earlier review, I found PCShield to be a powerful addition to Win9x systems. PCShield gives you NT Workstation-like control over the security aspects of the system. For instance, with PCShield installed, a user can't press Esc to bypass the Win9x logon prompt. PCShield can also prevent booting from a 3.5" disk.

Resource access and control-related products. AXENT's ERM provides user and resource administration across an enterprise, as well as one-time authentication and single sign-on (SSO) across distributed computing platforms. Resource Manager for UNIX provides additional controls for user accounts and passwords. Privilege Manager for UNIX allows fine-grained control over delegation of root authority on UNIX systems. AXENT's WebDefender is an SSO access control system for distributed Web systems. Defender is a two-factor, one-time password authentication system that helps control access for remote users. PowerVPN is a VPN solution that works with Security Briefcase to secure remote and mobile users' information and connectivity.

AXENT Technologies
301-258-5043
http://www.axent.com

Enterprise Security Manager 5.0
Price: Manager is $1995; Agents start at $95
System Requirements: NT 4.0 or 3.51

NetRecon 2.0
Price: Starts at $1995 for 254-node license
System Requirements: NT 4.0 or 3.51

NetProwler 3.0
Price: Starts at $7995 and includes an Intruder Alert Manager and one Agent
System Requirements: 90MHz Pentium II processor or better, NT 4.0, 64MB of RAM

Intruder Alert 3.0
Price: Manager is $1995; Agents start at $95
System Requirements: NT 4.0 or 3.51

Cisco Systems
Cisco offers some hardware-based security solutions. The other vendors in this review provide only software solutions. One advantage of hardware-based security solutions is that they don't rely on third parties to provide an OS foundation. This advantage minimizes the risk of a third party introducing bugs into your solution platform. Performance can also be a major factor because standalone devices usually outperform software-based solutions that rely on an underlying third-party OS.

NetRanger. Cisco recently acquired the WheelGroup, which added NetRanger and NetSonar to Cisco's existing PIX firewall solution. NetRanger is Cisco's product for intrusion detection. The product has two basic components: a hardware unit that is a sensor in a rack-mountable chassis, and a software-based management interface called the director. The sensor performs traffic analysis and policy enforcement and reports its findings to the director.

A director can monitor numerous sensor units across an enterprise, whether the sensors are inside or outside the network perimeter. Inside the network perimeter, the sensor can enforce security policies to deal with intrusions that the firewall doesn't block. Outside the network perimeter, the sensor can be a front-line enforcement system for security policies, which has the additional benefit of offloading unwanted traffic from a firewall or other border protection devices.

To get a firsthand look at NetRanger in action, I visited the shop of a friend whose company uses the product. Installing NetRanger is complicated and includes setting several configuration parameters. NetRanger uses OpenView for its management interface, and my friend's company was running OpenView on a Solaris machine. I easily installed the NetRanger snap-in for OpenView by stopping OpenView and running the director's setup program, which copies the necessary daemons onto the system. I then restarted OpenView. For NetRanger to communicate with the sensors, I had to configure the director's background processes. This step involves stopping the director and running a simple script. The script presents a screen that asks for various information, including host ID, director IP address, organization ID, and organization name. Next, I restarted the director. You must initialize the sensor hardware with a configuration, which also requires a script. To do this, I set an IP address, netmask, default route, and network access control. After I had defined the configuration, a quick reboot put the sensor in action. The last step was to configure the sensor into the director interface, which involved running a director-based installation wizard in which I entered information into dialog boxes. Required information included the sensor's host IP address, logging parameters, and router information.

The default attack profile configuration for the unit provides adequate protection, and I found that I could even define custom attack signatures for use on the device. The sensor is flexible, and I configured it to ignore certain traffic that it might otherwise consider a possible attack. For example, I have a software package that monitors my systems and their installed services for availability. The probing that this software performs involves scanning the ports on each machine to see which machines are listening on the internal network. The sensor continually detected this activity as a port scan (a typical tactic of intruders), so I configured the unit to ignore that kind of traffic when it originates from my service monitoring system.

The director software has a great feature called the network security database (NSDB). The NSDB serves as a reference guide in the event of an attack. The feature provides descriptive details about attack patterns, hot links to more information, and descriptions of countermeasures to foil an attack.

NetSonar 2.0. This product is Cisco's security scanner offering, which runs on the NT and Solaris platforms. Cisco doesn't require users to register a specific set of addresses for use with this product. Instead, the company licenses the product by number of addresses. This means that if your network numbering changes, you won't have to contact Cisco to get a new license key, as is the case with other vendors.

NetSonar installs and operates easily. I ran the setup program, which required me to supply only an installation path. Next, I installed the demo key. The NetSonar interface is a Java application. Although the software runs slower than most NT desktop applications, it gets the job done just fine.

To run a test scan against four NT machines and one router on my test network, I added a new scan template and configured the IP address range for those systems. I then configured NetSonar to test for all vulnerabilities and set it to run immediately instead of at a regularly scheduled time. Performing a full scan of five test machines took about 50 minutes, and the product found eight vulnerabilities on four of the five systems. I included the router for my Internet connection in the scan and found that the scan knocked out the router's communications, which forced me to cold boot that device. Updating the vulnerability checks in NetSonar is simple, and Cisco makes new vulnerability checks available on its Web site for quick downloading.

NetSonar's reporting capability is respectable. The product produces three types of reports—executive, technical, and full—designed for different people in an organization. For example, technical reports include detailed problem analysis and information to help correct the problems. The reports are available in HTML format and include text, graphics, and chart formats. You can modify the report templates.

PIX. In addition to NetSonar and NetRanger, Cisco offers the well-known PIX Firewall system combined with a VPN solution to fill companies' security needs. PIX is a high-end hardware-based firewall that offers fast performance.

Cisco Systems
408-526-4000 or 800-553-6387
http://www.cisco.com

NetRanger
Price: Starts at $12,500
System Requirements: 400MHz Pentium II processor or better, 64MB of RAM, 4.55GB Fast UltraWide SCSI hard disk, NIC

NetSonar 2.0
Price: Windows NT version starts at $495
System Requirements: 266MHz Pentium II processor or better, 64MB of RAM, 2GB of hard disk space, CD-ROM drive, TCP/IP network protocol, Netscape Navigator 2.0 or Microsoft Internet Explorer 4.0 or later

Network Associates
NAI offers several items for your security needs, including CyberCop Scanner, CyberCop Monitor, CyberCop Sting, Gauntlet Firewall for UNIX and NT, Pretty Good Privacy (PGP) encryption for files and email, and a PGP-based VPN solution. The company offers PGP-based products for files, email clients (including Notes and GroupWise), and data transfer.

CyberCop Scanner. This product is a security scanner that is available for NT and Linux and performs vulnerability testing on NT- and UNIX-based systems, firewalls, hubs, routers, switches, and many other TCP/IP-based devices. An important feature of CyberCop Scanner is its Custom Audit Scripting Language (CASL), which lets a user define custom security checks quickly. CyberCop Scanner also has an auto-update feature that keeps the vulnerability database and scanning engine current. I tested the auto-update feature, and it worked well. Updating my version of CyberCop took less than 1 minute.

I tested CyberCop Scanner on my network and found it to be an effective product. The interface is well designed and easy to use. During my tests, I found a minor bug in the CyberCop Scanner GUI. I contacted an NAI developer to report the problem, and he was very responsive.

The scanner installation was quick and required only a destination directory and folder name. After the scanner was running, defining a scan was a simple process. I defined a range of IP addresses to scan, configured a set of checks to perform, and clicked Start Scan; CyberCop went straight to work. I configured the product to perform all its checks, with the exception of DoS and password testing. I ran the scan against an NT 4.0 server with Microsoft Site Server 3.0 Commerce Edition installed. Testing this machine took 10 minutes and 58 seconds. CyberCop discovered a total of 10 vulnerabilities on the system—exactly the number I knew existed before I ran the scan. One thing missing from CyberCop Scanner is the ability to schedule automated scans and deliver reports to appropriate personnel. Nonetheless, I found CyberCop Scanner to be a good product with a fair amount of flexibility in its configuration.

CyberCop Monitor. An intrusion-detection system, CyberCop Monitor became available during the final phases of this review. According to the literature available at press time, CyberCop Monitor is available for NT, Solaris, HP-UX, and AIX platforms. I downloaded an evaluation copy and installed it on my test network. The installation process required that I run the setup program to update various system files on my NT Workstation 4.0 test system. After I rebooted, the installation finished copying the required files and I was able to use the product.

CyberCop Monitor runs as an NT service, and the management interface comes in the form of a snap-in for the Microsoft Management Console (MMC). I found the interface easy to use.

During my tests, I configured CyberCop Monitor to use one of the four built-in security policies (called All Signature Rules) that monitor for all attack types that the product can detect. With that policy, I tried several actions on my systems that an intruder is likely to perform: I used RedButton to gain administrative access, altered the audit settings on an NT system, brute-forced passwords on a POP3 server, used Telnet to attempt access on various systems, port-scanned, and accessed the Registry remotely. In every instance, CyberCop Monitor detected and logged the intrusion attempt.

I was impressed with the first release of this product. The online documentation is adequate and helped me get the product configured and running. Plus, the product comes with 20 built-in reports that are based on Seagate Crystal Reports 6.0. You can use Seagate Report Designer to customize these reports, but I didn't find a way to add custom attack signatures. The product currently ships with more than 160 attack signatures, but I'd like a way to add custom signatures in a future version.

CyberCop Sting. This product also came on the market close to press time. CyberCop Sting is a decoy host designed to lure intruders into its grasp by emulating an entire virtual network of decoy routers and servers. An important feature of CyberCop Sting is its ability to impersonate an OS. Tools such as nmap can determine an OS type based on certain details of TCP/IP traffic. This characteristic can aid intruders tremendously in their effort to penetrate security. According to NAI's literature, Sting can emulate several TCP/IP stacks to appear to be any number of OSs, effectively fooling nmap users. Although decoys are not a new idea in the security world, a product that can emulate an entire network is a novel approach. I can't wait to use this product.

Gauntlet. NAI's Gauntlet firewall offering is well known and respected. The product performs well and provides important features, including intrusion detection, Network Address Translation (NAT) support, URL screening, code blocking for ActiveX and Java, virus screening, and OS hardening.

PGP VPN and PGP Command Line: Batch Server. To protect data as it travels over a network, NAI offers PGP VPN technology and the PGP Command Line: Batch Server. NAI based the VPN on PGP's strong encryption with support for IP Security (IPSec) and Internet Key Exchange (IKE), and with a Gauntlet VPN server and firewall. The PGP Command Line: Batch Server provides the means to send data securely over a network without the use of a VPN. The product works in unison with one or more batch servers, and each server acts as a relay for encrypted data. In a typical scenario, one batch server uses a second server's encryption key to encrypt data destined for a machine that's located behind the second batch server. PGP Command Line: Batch Server sends the data to the second server for decrypting and forwarding to the specified destination. The product is well suited to securely move large amounts of data in an automated fashion.

Selecting a Suite
ISS, NAI, AXENT, and Cisco have loads of security products in their respective suites. Each company has a unique place in the market, and deciding which vendor's product line to choose depends on your overall security needs. ISS focuses exclusively on internal network security—the company doesn't offer a firewall solution or VPN technology. If you buy ISS's solutions, you'll have to find another vendor for your perimeter network and remote computing needs.

Cisco, AXENT, and NAI offer products for inside and outside the perimeter network and are better poised to become a company's vendor of choice for security needs. Of the three, AXENT has the most rounded suite of products.

As for scanners and intrusion-detection products, each company has a fair offering that contains products that perform as advertised. The choice of host and network security scanners comes down to your internal network structure and the amount of emphasis you place on security. If your internal network consists of a wide variety of OSs and network devices, you'll be better off with AXENT's products. AXENT places greater emphasis on cross-platform integration than the other software vendors. Although AXENT's scanner works with NT, the company pays close attention to UNIX and NetWare environments, which makes AXENT's solutions a great fit for diverse networks.

If your network is mainly Windows based, you'll probably be the most satisfied with products from Cisco, ISS, or NAI. All three companies' scanners work very well and have an adequate amount of flexibility. For me, the choice comes down to scanner update availability and the product's reporting interface. I need the most current vulnerability checks, and I need highly readable and flexible reports. All three companies provide update mechanisms in some form, which means I can get the latest updates from the companies' Internet sites whenever I need to. In the reporting capabilities category, ISS wins hands down. IS's reporting is superior to that of CyberCop Scanner and NetSonar, so ISS remains my personal vendor of choice for network and system-level security scanners.

The choice of an intrusion-detection product is different from choosing a security scanner. The job of this product type is to stop intrusion, so reporting isn't as important to me as the number of attacks a product can stop. In this product category, I make decisions based on network characteristics and a product's flexibility. If the network is mainly Windows based, I prefer ISS's RealSecure solution because ISS tailored the product for use on NT networks. But if the network includes NetWare or UNIX systems, AXENT's NetProwler/Intruder Alert combination is the obvious choice because these products support mixed platforms. Cisco's NetRanger is also a desirable solution for those who like hardware solutions. Cisco is a great choice for intrusion detection, especially in large enterprises.

Cost is always a factor in any buying decision, and security solutions don't come cheap. However, cost is a lesser consideration than network vulnerability. After all, if you lose your data or the data becomes inaccurate through tampering, your business might be at stake. Just ask yourself what minimizing that risk is worth before you start looking at security product prices.

Network Associates
408-988-3832 or 800-764-3337
http://www.nai.com

CyberCop Scanner
Price: $7 per scanned node, based on 1000 nodes
System Requirements: 100MHz Pentium processor or better, Windows NT 4.0, 64MB of RAM, 48MB of hard disk space

CyberCop Monitor
Price: $8 per monitored device, based on 1000 nodes
System Requirements: 266MHz Pentium processor, NT 4.0 with Service Pack 4, Internet Explorer 4.0 with SP1, 128MB of RAM, 50MB of hard disk space