Choosing an Intrusion Detection System that Best Suits your Organization

Dennis Mathew
GSEC Practical v1.4b
Option A

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.
Juniper Ex. 1021-p. 1
Juniper v Finjan

Table of Contents

I. Abstract
II. What is an IDS?
    Primary Purpose
    Network Intrusion Detection System
    Host-based Intrusion Detection System
    Commercial IDS' on the Market
    Approaches to Intrusion Detection
        Statistical-Based Intrusion Detection (SBID)
        Rule-Based Intrusion Detection (RBID)
III. Organizational Steps Prior to Making a Decision
    Performing a Risk Assessment of Your Organization
        Quantitative Analysis
        Qualitative Analysis
        OCTAVE Analysis
    Organizational Requirements
    Understanding Your Technical Environment
    Cost-Benefit Analysis
IV. Choices, Choices, Choices...
    Choosing the Right IDS
        Network/Host Based Blends
        Network Based Options
        Host Based Options
V. Conclusion
VI. Appendix A - References

Choosing an Intrusion Detection System that Best Suits your Organization

I. Abstract

There is a wide variety of intrusion detection systems currently available, from network-based to host-based, commercial and freeware. It is difficult to determine exactly what best fits your organization. Establishing what you should be using is, as with anything else, a process. If this is your first attempt at securing your organization it may take more time and effort than for one that has made security a priority over the years. The technology, however, is only as effective as the people and processes that support it. Security is not simply a technology, but a mindset that must pervade the organization.

Choosing an intrusion detection system (IDS) can be a complex and time-consuming project. This is especially true if the organization does not have a corporate security program. It is important to note that an IDS is in no way an all-inclusive security solution, but if implemented correctly it can assist in detecting unauthorized activity and alert personnel to take action in the event of a security breach. In the following pages I will delve into exactly what an IDS is, including the various types of IDS on the market and the approaches taken to detect intruders. I will also identify key steps an organization should undertake prior to implementing an IDS solution. Performing a risk assessment of your organization and understanding existing controls and control deficiencies is a key step in securing the organization. Implementing a tool such as this is most effective when there is a grounded understanding of the organization as a whole and the critical processes within the company. Additionally, the organization should invest time and money in developing its personnel to ensure they are equipped to use the tool in a manner that makes full use of the system's functionality. Finally, I will take a look at various commercial IDS on the market today and the ever-evolving functionality of this technology. Although freeware tools are a very real and practical alternative, I will limit the scope of this paper to the commercial market.

II. What is an IDS?

Primary Purpose
A security breach occurs when an individual gains unauthorized access to your systems. Unauthorized access can be divided into two primary categories, intrusions and misuse. An intrusion is a breach that originates from outside the organization, whereas misuse is an attack that originates from the inside, i.e. from employees or other insiders. The unauthorized access can be for something as critical as stealing proprietary data or as trivial as using your systems to play resource-intensive role-playing games. An intrusion detection system (IDS) is a security monitoring system that gathers and analyzes data from various areas within a system or network to detect possible intrusions and misuse. Intrusion detection systems perform a wide array of functions, which include:
– Monitoring and analyzing both user and system activities,
– Analyzing system configurations and vulnerabilities,
– Assessing system and file integrity,
– Recognizing patterns of typical attacks,
– Analyzing abnormal activity patterns, and
– Tracking user policy violations.
The system can be a key asset in pinpointing where attacks are coming from and when they are being made. It will also indicate the primary targets of the attack and the types of attacks being used. The IDS can be your eyes and ears into your system and network.

Network Intrusion Detection System
A network IDS (NIDS) monitors the network wire and attempts to detect an attacker targeting company systems, whether the attacker is trying to break into a system or to cause a denial of service. A NIDS uses raw network packets as its data source. A basic example of a monitoring technique is watching TCP connection requests (SYN packets) to a wide range of ports on a target machine to determine whether someone is attempting a port scan. A NIDS can run on a host machine, monitoring all traffic to that machine, or on a dedicated machine with its interface in promiscuous mode, monitoring all traffic on the segment. The system can be configured to analyze traffic passing through a network segment to pinpoint patterns and trends that may be indicative of an attack. These systems provide near-real-time event monitoring to a centralized console.

NIDS are, in general, less expensive than their host-based counterparts, but are very different in nature. A network sensor generally will not monitor or identify activity at the host level, so it cannot tell you what an attacker did once on the box; it also sees nothing inside encrypted traffic, and on a switched network it sees only what is mirrored or delivered to its port.
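
The SYN-based port-scan check described above, written out as an added example; this is not code from the paper or from any of the products it names. It assumes a packet record of (timestamp, source, destination, destination port, TCP flag string) and treats ten distinct ports probed from one source against one target within five seconds as a scan; both numbers are assumed tuning values, and the sample packets are constructed for the example.

```python
"""Added example (not from the paper): a minimal network-sensor check for the
port-scan pattern described above. It watches TCP SYN packets and raises an
alert when one source sends SYNs to many distinct ports on one target inside
a short time window. The packet records are constructed for the example; a
real sensor would take them from a packet capture."""
from collections import defaultdict, deque

# Tuning knobs (assumed values, not from the paper)
DISTINCT_PORT_THRESHOLD = 10   # distinct destination ports before alerting
WINDOW_SECONDS = 5.0           # sliding window length


class SynScanDetector:
    """Tracks (src, dst) pairs and the distinct ports each pair has probed
    within the window."""

    def __init__(self, threshold=DISTINCT_PORT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        # (src, dst) -> deque of (timestamp, dport), oldest first
        self.history = defaultdict(deque)
        self.alerts = []

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet. Returns an alert dict if this packet completes a
        scan pattern, else None. Only bare SYNs (no ACK) count, i.e. new
        connection requests rather than replies."""
        if "S" not in flags or "A" in flags:
            return None
        key = (src, dst)
        q = self.history[key]
        q.append((ts, dport))
        # Drop entries that fell out of the window
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold:
            alert = {
                "src": src, "dst": dst, "ports": sorted(distinct),
                "first_seen": q[0][0], "last_seen": ts,
            }
            self.alerts.append(alert)
            q.clear()              # reset so one scan yields one alert
            return alert
        return None


def run_detector(packets, threshold=DISTINCT_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Run every packet through a fresh detector; returns the alerts raised."""
    det = SynScanDetector(threshold, window)
    for pkt in packets:
        det.observe(*pkt)
    return det.alerts


# Constructed sample traffic: (timestamp, src, dst, dport, tcp_flags)
SAMPLE_PACKETS = (
    # normal client: one SYN to the web server, the reply carries ACK
    [(0.0, "10.0.0.5", "10.0.0.80", 80, "S"),
     (0.01, "10.0.0.80", "10.0.0.5", 54321, "SA")]
    # scanner hits ports 1..12 on the same server within two seconds
    + [(1.0 + i * 0.1, "192.0.2.77", "10.0.0.80", p, "S")
       for i, p in enumerate(range(1, 13))]
    # slow probe of 12 ports spread six seconds apart stays under the window
    + [(10.0 + i * 6.0, "198.51.100.9", "10.0.0.80", p, "S")
       for i, p in enumerate(range(20, 32))]
)

if __name__ == "__main__":
    for a in run_detector(SAMPLE_PACKETS):
        print(f"ALERT: SYN scan from {a['src']} against {a['dst']} "
              f"({len(a['ports'])} ports in {a['last_seen'] - a['first_seen']:.1f}s)")
```

The slow probe in the sample is the case a fixed window misses: an attacker who spaces probes further apart than the window never accumulates enough distinct ports, which is why the window and threshold are tuning decisions rather than constants.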

Host-based Intrusion Detection System
A host-based IDS (HIDS) typically monitors event and security logs at the operating system level. When a new entry is written to one of these logs, the IDS compares it against attack signatures to see if there is a match. If there is, the system responds with administrator alerts of various kinds to initiate incident response procedures. Some also monitor activity on the host and issue alerts if specific ports are being accessed. The technology continues to develop, and managing HIDS has become simpler than in the past: agents can be installed on multiple hosts and monitored from a central console. A HIDS can be critical in determining whether or not an attack was successful, since it sees the results of the attack on the target rather than only the traffic. HIDS data can also be used should legal matters arise and the alteration of data needs to be verified, provided the logs themselves are protected (for example, forwarded to a separate log host) so that an attacker with administrative access to the box cannot edit them.
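
The log-entry-versus-signature comparison described above, as an added example rather than code from the paper or any vendor. The signature patterns, their severities, the alert threshold and the syslog-style sample lines are all assumptions made for the example; the severity assigned to each signature is the knob an administrator would use when tuning how alerts are classified.

```python
"""Added example (not from the paper): a host-based check of the kind
described above. New entries appended to a security log are compared against
a small table of attack signatures; a hit produces an alert carrying the
severity the administrator assigned to that signature. The signatures and
log lines are constructed for this example and follow syslog-style wording,
not any specific product."""
import re

# Signature table: name -> (compiled pattern, severity). Severities and
# patterns are assumptions for the example, not a vendor's signature set.
SIGNATURES = {
    "ssh_root_login_attempt": (
        re.compile(r"sshd\[\d+\]: Failed password for root from (?P<src>[\d.]+)"),
        "high"),
    "sudo_not_in_sudoers": (
        re.compile(r"sudo: +(?P<user>\w+) : user NOT in sudoers"),
        "high"),
    "su_to_root": (
        re.compile(r"su: \(to root\) (?P<user>\w+) on"),
        "medium"),
    "passwd_changed": (
        re.compile(r"passwd\[\d+\]: password changed for (?P<user>\w+)"),
        "low"),
}

# Minimum severity worth raising; lower-ranked hits are dropped here,
# mirroring a sensor tuned to page only on medium and high events.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
ALERT_THRESHOLD = "medium"


def match_entry(line, signatures=SIGNATURES):
    """Return (signature_name, severity, fields) for the first matching
    signature, or None when the entry is ordinary activity."""
    for name, (pattern, severity) in signatures.items():
        m = pattern.search(line)
        if m:
            return name, severity, m.groupdict()
    return None


def process_log(lines, threshold=ALERT_THRESHOLD):
    """Run every new entry through the signature table. Returns a list of
    alert dicts at or above the threshold, in log order."""
    alerts = []
    for line in lines:
        hit = match_entry(line)
        if hit is None:
            continue
        name, severity, fields = hit
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]:
            alerts.append({"signature": name, "severity": severity,
                           "fields": fields, "entry": line})
    return alerts


# Constructed sample log lines (not real system output)
SAMPLE_LOG = [
    "Mar  3 10:14:02 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51022",
    "Mar  3 10:14:40 web1 sshd[2240]: Failed password for root from 192.0.2.77 port 40122 ssh2",
    "Mar  3 10:14:43 web1 sshd[2240]: Failed password for root from 192.0.2.77 port 40122 ssh2",
    "Mar  3 10:15:01 web1 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:16:12 web1 su: (to root) deploy on pts/1",
    "Mar  3 10:17:30 web1 passwd[2299]: password changed for deploy",
    "Mar  3 10:18:05 web1 sudo:    guest : user NOT in sudoers ; TTY=pts/2 ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for a in process_log(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['signature']} {a['fields']}")
```

Lowering the threshold to "low" surfaces the password change as well; raising it to "high" drops the su to root. Which of those an organization wants paged on is exactly the tuning decision the paper says the IDS administrator must make.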

Commercial IDS' on the Market
There is an array of intrusion detection systems on the market, and this space continues to grow. Freeware tools have been known to be very effective and, if configured and managed properly, are powerful tools. Since it would be difficult to discuss both free and commercial tools in the limited size of this project, I will focus my attention on the commercial tools. Some of the leaders in this space are listed below; products that offer both host and network components (ISS RealSecure, CyberSafe Centrax) appear in both lists:

Host Based IDS
– Internet Security Systems RealSecure
– Symantec Intruder Alert
– CyberSafe Centrax
– Tripwire
– Network ICE BlackICE Defender

Network Based IDS
– Internet Security Systems RealSecure
– Network Security Wizards Dragon IDS
– Symantec NetProwler
– Cisco Systems NetRanger
– Network Flight Recorder Intrusion Detection Appliance
– CyberSafe Centrax

Approaches to Intrusion Detection
There are multiple approaches to performing intrusion detection. The primary methods are rule-based intrusion detection (RBID) and statistical-based intrusion detection (SBID).

Statistical-Based Intrusion Detection (SBID)
SBID systems attempt to identify security violations by systematically analyzing audit trail data. Rather than looking for known attacks, the system compares current activity against a characterization of what is normal for the system or user. This eliminates the need to manually sift through log files to try to identify unusual network traffic or system activity; the system automates the analysis and performs it in a structured manner. For the analysis to be effective there must be a pre-existing classification of system or user activity that is considered normal. This characterization is usually called a profile. The profile is built from a series of events found in system audit data and describes expected behaviour. User profiles can be customized to each user and are maintained dynamically, which allows a user's profile to change as the user's behaviour changes. Administrators should be able to review these profiles to ensure that they make sense for their organization. RBID systems do not use profiles in this way. Statistically significant deviations from the profile are treated as possible intrusions. Two consequences follow from this design: the system can flag attacks nobody has written a signature for, and, because the profile tracks whatever the user does, an attacker who ramps activity up slowly can gradually move the baseline, so profile changes should be reviewed rather than accepted silently.
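
A statistical profile of the kind described above, as an added example (not code from the paper). It keeps a running mean and standard deviation per user of one assumed metric, distinct files read per login session, updates the profile after every session so that it drifts with the user, and flags a session that lands more than three standard deviations from the profile once at least five sessions have been seen. The metric, both thresholds and the audit records are constructed assumptions.

```python
"""Added example (not from the paper): a statistical-profile check of the
kind described above. Each user has a profile of a single metric, here the
number of distinct files read per login session, kept as a running mean and
standard deviation that is updated after every session so the profile drifts
with the user's habits. A session is flagged when it deviates from the
profile by more than a set number of standard deviations. The metric, the
thresholds and the audit records are assumptions made for the example."""
import math

MIN_SESSIONS = 5      # observations needed before the profile is trusted
Z_THRESHOLD = 3.0     # deviation (in standard deviations) that counts as anomalous


class UserProfile:
    """Running mean/variance of one metric (Welford's method), so the profile
    can be updated from the audit trail without storing every event."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0   # sum of squared deviations from the mean

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def score(self, x):
        """Deviation of x from the profile in standard deviations. The floor
        of 1.0 on the spread stops a perfectly regular history from turning
        any change at all into an infinite score."""
        return (x - self.mean) / max(self.stddev(), 1.0)

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)


def detect_deviations(sessions, min_sessions=MIN_SESSIONS, z_threshold=Z_THRESHOLD):
    """sessions: iterable of (user, files_read). Returns a list of
    (user, files_read, z) for sessions that deviate from the user's profile.
    A session is scored before the profile is updated with it, so the
    anomalous session does not hide inside the baseline it is compared to."""
    profiles = {}
    flagged = []
    for user, files_read in sessions:
        prof = profiles.setdefault(user, UserProfile())
        if prof.n >= min_sessions:
            z = prof.score(files_read)
            if abs(z) > z_threshold:
                flagged.append((user, files_read, round(z, 2)))
        prof.update(files_read)
    return flagged


# Constructed audit data: (user, distinct files read in the session)
SAMPLE_SESSIONS = (
    [("alice", n) for n in (12, 15, 11, 14, 13, 12, 16, 14)]   # steady analyst
    + [("alice", 240)]                                          # bulk read: flagged
    + [("bob", n) for n in (40, 55, 35, 60, 45, 50)]            # wider normal range
    + [("bob", 70)]                                              # within bob's spread
    + [("carol", 5), ("carol", 300)]                             # too few sessions: no profile yet
)

if __name__ == "__main__":
    for user, value, z in detect_deviations(SAMPLE_SESSIONS):
        print(f"ALERT: {user} read {value} files, {z} standard deviations from profile")
```

Bob's 70-file session is not flagged because his history is wide, while the same absolute value would be far outside alice's profile; that per-user calibration is what distinguishes a profile from a fixed threshold. Carol's 300-file session passes only because the profile has not warmed up yet, which is the blind spot a new account has under this method.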

Rule-Based Intrusion Detection (RBID)
RBID systems are expert systems that analyze extensive log files to differentiate between intrusive and normal day-to-day behaviour. The approach rests on the assumption that intrusion attempts can be identified from specific sequences of user activity that resemble the activities that typically lead to system compromise. The expert system fires pre-defined rule sets when log data and system files indicate what appears to be unauthorized activity. These rule sets compare patterns in audit data to patterns customarily seen during a penetration attempt. Systems can be configured to alert specified individuals if a penetration is in progress or has occurred, and can provide details surrounding the alert as well as user-specific information about the suspected intruder. Because a rule has to exist for an attack before it can be detected, the rule base must be kept current, and an attack that matches no rule goes unnoticed.

There are two primary types of RBID system, state-based and model-based. The state-based approach codes the rule base in the terminology found in the audit trails. Intrusions are defined as sequences of system states, and the system systematically analyzes the states the monitored system takes on, with each state defined by audit trail information. The system is initially considered to be in a limited-access state and, if compromised, is considered to have reached a final compromised state; the rules describe the transitions that move it from one to the other. The model-based approach takes known intrusion attempts and models them as sequences of user behaviour. These modelled events are then matched against events in an audit trail or log file, with the IDS determining how each modelled user action translates into audit trail entries.
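
A state-based rule check of the kind described above, as an added example (not code from the paper or any product it names). The rule base is a table of (state, event) to next-state transitions over assumed audit event names; each user and host pair starts in the limited-access state, repeated failed logins move it towards a foothold, and reaching the compromised state raises an alert that carries the chain of events that got it there. The event names, the transitions and the sample audit trail are constructed for the example.

```python
"""Added example (not from the paper): a state-based rule check of the kind
described above. The rule base is written as transitions over the event
names found in an audit trail; every (user, host) pair starts in a
limited-access state and is moved through the states as matching events
arrive, until the sequence reaches the final compromised state and an alert
carrying the whole evidence chain is raised. The states, events and the
audit records are constructed for the example, not a vendor's rule set."""

FAILED_LOGIN_LIMIT = 3   # assumed: this many failures before we call it guessing

# Rule base: (current_state, event) -> next_state. Anything not listed
# leaves the state unchanged, so ordinary activity never advances it.
TRANSITIONS = {
    ("guessing", "login_ok"): "foothold",        # success right after repeated failures
    ("foothold", "su_root"): "escalated",        # privilege gained from that foothold
    ("foothold", "sudo_root"): "escalated",
    ("escalated", "write_system_file"): "compromised",
    ("escalated", "new_user_added"): "compromised",
}
START_STATE = "limited_access"
FINAL_STATE = "compromised"


class StateTracker:
    def __init__(self, failed_limit=FAILED_LOGIN_LIMIT):
        self.failed_limit = failed_limit
        self.state = {}      # (user, host) -> current state
        self.failures = {}   # (user, host) -> consecutive failed logins
        self.trail = {}      # (user, host) -> events that advanced the state
        self.alerts = []

    def observe(self, ts, user, host, event):
        """Feed one audit record; returns an alert dict when the pair reaches
        the final state, else None."""
        key = (user, host)
        state = self.state.get(key, START_STATE)
        # Repeated failures are counted rather than written as many rules
        if event == "login_failed":
            self.failures[key] = self.failures.get(key, 0) + 1
            if state == START_STATE and self.failures[key] >= self.failed_limit:
                self._advance(key, "guessing", (ts, event))
            return None
        if event == "login_ok" and state == START_STATE:
            self.failures[key] = 0          # a normal login resets the count
            return None
        nxt = TRANSITIONS.get((state, event))
        if nxt is None:
            return None
        self._advance(key, nxt, (ts, event))
        if nxt == FINAL_STATE:
            alert = {"user": user, "host": host, "trail": list(self.trail[key])}
            self.alerts.append(alert)
            self.state[key] = START_STATE    # reset so a repeat re-alerts
            self.failures[key] = 0
            self.trail[key] = []
            return alert
        return None

    def _advance(self, key, new_state, evidence):
        self.state[key] = new_state
        self.trail.setdefault(key, []).append(evidence)


def run_rules(events, failed_limit=FAILED_LOGIN_LIMIT):
    """Run an audit trail through a fresh tracker; returns the alerts raised."""
    tracker = StateTracker(failed_limit)
    for ev in events:
        tracker.observe(*ev)
    return tracker.alerts


# Constructed audit trail: (timestamp, user, host, event)
SAMPLE_EVENTS = [
    (100, "deploy", "web1", "login_failed"),      # one typo, then fine
    (105, "deploy", "web1", "login_ok"),
    (110, "deploy", "web1", "sudo_root"),          # normal admin work: no foothold first
    (200, "svc", "db1", "login_failed"),
    (202, "svc", "db1", "login_failed"),
    (204, "svc", "db1", "login_failed"),           # third failure -> guessing
    (206, "svc", "db1", "login_ok"),               # -> foothold
    (210, "svc", "db1", "read_file"),              # unlisted event: no change
    (215, "svc", "db1", "su_root"),                # -> escalated
    (220, "svc", "db1", "new_user_added"),         # -> compromised: alert
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        steps = " -> ".join(e for _, e in a["trail"])
        print(f"ALERT: {a['user']}@{a['host']} reached {FINAL_STATE}: {steps}")
```

The administrator's sudo on web1 never fires because the rule base only cares about escalation that follows a guessed login; the same event after a foothold does advance the state. That ordering is what a stateless signature cannot express, and it is also the approach's weakness: an attacker who reaches root by a path with no rule (a stolen key, say) never leaves the limited-access state.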

III. Organizational Steps Prior to Making a Decision

Performing a Risk Assessment of Your Organization
Prior to implementing an effective security monitoring program, which can include the use of an IDS, a systematic risk assessment of your organization should be completed. This will assist management in gaining a comprehensive understanding of the organization, the IT environment and the potential risks involved.

Risk is inherent in any organization and industry. The first step is understanding the risk unique to your environment. Risk varies from industry to industry; the risks associated with a banking institution differ from those of an automobile parts manufacturer. Information is widely available on the internet, in the news, etc. as to who and what have been targets of hackers in recent days and weeks. It is difficult, however, to get an accurate picture of who has or has not been hacked, because most companies that have been compromised are not ready to divulge that information.

In any event, just because your industry is obscure or your company is low profile does not mean you are out of the woods. Most hackers are not targeting specific companies or industries, but are simply scanning the internet for vulnerable systems. An FBI study revealed that there are approximately 4,000 denial of service attacks each week. The overwhelming majority of these attacks are neither publicized in the media nor prosecuted in court. Of the survey respondents, 90% said they had detected computer security breaches in the last 12 months. This puts most everyone at some level of risk.

Before completing this assessment there needs to be a sound understanding of what exactly falls into the category of a risk. Risk is defined as the potential for harm or loss. This is best addressed in the context of these four questions:
• What could happen? (What is the threat?)
• How bad could it be? (What is the impact or consequence?)
• How often might it happen? (What is the frequency?)
• How certain are the answers to the first three questions? (What is the degree of confidence?)

Completing a risk assessment can often be a complex and subjective process. A primary objective of the security risk assessment should be to build the foundation of this process on objectivity rather than subjectivity. There are a number of approaches used to perform a risk analysis; I will discuss two that are the benchmarks and an additional methodology that has been gaining popularity.

Quantitative Analysis
This approach factors together two primary elements: the probability of an event occurring in a given year and the likely loss should it occur. These two elements are multiplied together to produce the annual loss expectancy (ALE), the basis for this analysis. The equation allows us, in theory, to rank events in order of risk and come to "sound" conclusions. There are some fundamental problems with this approach, one being unreliable and inaccurate data. Probabilities are difficult to quantify into an exact science and are seldom precise. Additionally, multiple interrelated events and the controls that may already be in place complicate the equation and are difficult to factor in. Given the uncertainties involved, the numbers can at least serve as a general guideline, and the exercise of developing the analysis will force personnel to consider critical assets and possible events.

Qualitative Analysis
This is the most widely used risk analysis methodology. In this approach the organization uses estimated potential loss and does not incorporate probability. The methodology uses a number of elements, including the following:
• Threats;
• Vulnerabilities; and
• Controls.
Threats are defined as things that can go wrong with the system or attack the system. Threats are constantly present for every component of your network architecture; fires, hackers, viruses and theft are examples. Threats are essentially the vehicle by which a vulnerability may be exploited. Vulnerabilities make a system more prone to attack or more likely to be compromised if attacked, i.e. a laptop that is not secured is more likely to be stolen than one that is chained to the desk.

Controls are countermeasures to vulnerabilities and can reduce risk levels substantially if implemented appropriately. Controls can be subdivided into three primary categories: pervasive, specific and monitoring controls. Pervasive controls reduce risk (such as unauthorized access) across the span of a process, i.e. strong passwords that help protect an accounts payable (AP) system. Specific controls reduce risk within the process, i.e. field checks that only allow data of a specified format to be entered into the AP system. Finally there are monitoring controls; these are usually reports and reviews that are done to ensure specific and pervasive controls are working appropriately. Controls can also be either preventive or detective. Preventive controls, such as a firewall rule or an access control list, stop an event before it occurs; detective controls, such as file integrity checking or an IDS alert, tell you that an incident has occurred or is in progress. An IDS that only raises alerts is a detective control, not a preventive one, and takes on a preventive role only when configured to act on an event (for example, by terminating the offending session). A combination of these controls will greatly reduce risk within the organization.

OCTAVE Analysis
Another methodology used to perform an organizational security risk analysis is the OCTAVE method developed at Carnegie Mellon University's Software Engineering Institute. This method uses a three-phase approach. The first phase consists of building asset-based threat profiles. The organization must identify the assets most critical to it and what is currently being done to protect them. To do this effectively, discussions must be held with senior management, operational management and staff-level personnel. Once this data has been compiled it can be analyzed to select critical assets, set security requirements for those assets and begin identifying potential vulnerabilities. The second phase analyzes the key information infrastructure to identify technology vulnerabilities that could lead to unauthorized activity on critical assets. This includes analyzing key systems and components for technology-related weaknesses; at this point vulnerability tools (software tools, scripts, etc.) are used to systematically identify potential security holes that may adversely affect the organization's IT environment. In the last phase the organization identifies the key risks to its critical assets and decides what mitigation activities should be used to protect these areas.

Whichever method your organization decides to use, the key is ensuring a structured approach is followed throughout the risk assessment process. This will allow management and IT personnel to gain a clear understanding of the company's environment, critical infrastructure and critical data. It will also focus security efforts on key areas and divert attention away from non-essential data and infrastructure, making the implementation of an IDS solution immensely more effective than simply purchasing and deploying a tool in an ad hoc manner.

Organizational Requirements
As with all other IT-related initiatives, there must be buy-in and support from top-level management for a company's security initiative to be successful. At the time of deployment management must understand, at least at a high level, the threat of hackers and the ever more advanced methods they use to compromise company systems. This will spur support for funding to acquire the necessary tools and implement appropriate methodologies, but in addition to funding there must be an investment of time and effort to develop policies and procedures around the ongoing use and maintenance of the IDS. Once the tool is deployed, if it is not properly monitored and maintained it will lull the company into a false sense of security. If security has not been a priority in the past, a change in corporate culture will be required in addition to the implementation of the IDS.

A person or persons will need to be properly trained in configuring and maintaining the IDS to ensure optimal and successful use. Training should include understanding potential threats and common attacks; these threats may originate externally or internally, and an emphasis should be placed on monitoring both to obtain maximum coverage. In addition to initial configuration, attack signature updates will need to be performed on a regular basis so that new vulnerabilities are detected. The individual will need to be diligent in identifying new vulnerabilities and attacks that may be a threat to the organization. They will also be required to tune the IDS so that it classifies the severity of alert events appropriately and eliminates false positives; an untuned sensor that pages on every port scan is soon ignored, which is little better than having none.

Understanding Your Technical Environment
Throughout the risk assessment process a thorough understanding of your organization's technical environment should be attained to ensure all critical assets are being secured. This is especially necessary prior to implementing an IDS solution. It is the only way to place IDS sensors strategically so that the paths into the organization and the critical assets are being monitored. If all access points are not identified, one weak link could jeopardize the entire effort: a rogue modem, a wireless access point, an old web or email server, etc. could be the weak link in the perimeter defense. This process will also identify critical hosts that require monitoring at the host level, allowing the company to focus its time and resources on the appropriate systems.

Audit tools are now available that can survey an organization's environment and identify its technical infrastructure. Commercial as well as freeware tools will crawl the network to identify servers, workstations, routers, etc., basically anything with an IP address. This is a vital asset in large organizations or in companies with technically savvy users who have installed systems and equipment on their own. Identifying rogue modems is also a key step in securing the organization. Companies should analyze their telephone switches to determine whether any lines have been configured as analog lines and, if so, why. The use of analog lines should be well controlled, because an unmonitored modem line is a hole into the organization that circumvents all other security efforts. Companies may also want to consider war-dialing, on an annual or semi-annual basis, against the organization's block of assigned numbers to identify any analog carriers.

Cost-Benefit Analysis
Before deciding exactly which IDS the company should acquire, the organization should perform a cost-benefit analysis. Cost is a very real and important factor in the decision making of all management personnel; someone is always answerable to someone else as to exactly why funds were allocated the way they were. This analysis can be performed effectively once the organization's risk analysis has been completed, because the risk analysis gives the organization a very real sense of the costs associated with downtime, data corruption, data theft and loss of reputation. A financial institution bears a heavy cost when compromised by a hacker, whereas a small manufacturing firm may not face the same types of costs and issues.

There are many CBA methodologies that can be used; I will discuss one that puts some structure behind the process. The analysis may be performed by one person, but should include input from many in the organization: individuals familiar with IT systems development and operation, budget, finance, statistics, procurement and IT architecture. The process should first determine and define the objectives of the IDS initiative. This clearly communicates to management the reasoning behind implementing such a solution and how it relates to the company. Next, identify and quantify any future considerations that may be required; for an IDS these will largely be upgrades, maintenance and the like. From here, cost data should be compiled. Sources of data include the organization's historical experience, current system costs, market research, publications, analyst judgment and special studies. Multiple alternatives should then be sought out. The search can be narrowed later, but it is essential that management feel they are being presented with the full picture. At this point there should be an estimate of all costs associated with the project: equipment costs as well as time and resource costs, direct and indirect costs, and so on, so that all cost factors are taken into consideration. The benefits associated with an IDS should also be examined. Benefits such as increased security, the ability to respond to unauthorized activity and the ability to prevent damage to the company's reputation are all critical factors to consider. This cost-benefit analysis will make the decision of whether or not to implement an IDS, and which IDS to choose, more straightforward.

IV. Choices, Choices, Choices...

Choosing the Right IDS
Before choosing an IDS it is important to realize that it is not the answer to all of your security issues. It is simply one piece of the overall security solution. For a security initiative to be truly effective there needs to be a movement to alter the organizational culture; the policies and associated tools are only as effective as the people using them. With that said, there are a number of IDS to choose from that may suit your needs. Once the risk assessment has been performed and a clear understanding of the organization's risks, critical data, network infrastructure, etc. has been attained, the IDS selection process can begin. A combination of host-based and network-based IDS will provide the optimal coverage, but again that decision is based on the risk assessment and cost-benefit analysis performed for your organization.

Network/Host Based Blends

1. ISS was one of the first companies to release a commercial intrusion detection system, and its network intrusion detection system, RealSecure, is still considered the standard by many security professionals. RealSecure consists of the following components: the workgroup manager, the console, the network sensor and the OS sensor. The network sensor is the network intrusion detection piece of the tool and the OS sensor is the host-based intrusion detection piece. A single console can monitor multiple sensors, and a sensor can report back to multiple consoles; in the second case only one console is granted master status and has the ability to adjust sensor settings. A number of pre-defined policies come with the system, but the system administrator must take some time to consider the level of coverage required for the organization, since policies that provide "maximum coverage" may consume an excessive amount of resources. Defining custom policies is a very straightforward process; you can simply rename and customize existing policies to give yourself a starting point. For the events that are flagged a number of responses can be defined, i.e. log, send email, kill session, view session, etc. You have the option of viewing alerts in real time or after they have been logged. Once activity has been logged, reports can be generated in text and graphical format.

2. CyberSafe Centrax provides many solutions in one package. Centrax has host-based capabilities, network-based capabilities and basic vulnerability assessment capabilities. The tool is particularly strong in the host-based area as well as in its audit policy management across the entire enterprise. The centralized management console is an added bonus to the product that allows you to define security policy, control target agents, monitor and respond to real-time results and perform high-level vulnerability assessments. The console consists of three part
