ISS’s RealSecure Keeps Watch on Network

Network security used to mean proper passwords, correctly configured SNMP parameters, and common sense in defining user policies on network devices. If these minimum measures are not met, deficiencies may exist that let intruders into your network.

The third generation of RealSecure from Internet Security Systems Inc. (ISS) is the next step in network intrusion detection and reporting. RealSecure sits on a server or another designated host and watches the network. The tool looks for suspect activity, patterns of hostile traffic, and other data streams that may indicate an intruder. ISS has derived attack signatures from past attacks and built them into its policies. These policies cover Windows NT network examination, denial-of-service attacks, CHARGEN floods, and a host of other nasty situations.

The Test Platform

We used a two-segment network to evaluate RealSecure 3.2. One segment held our production servers, protected by a firewall that blocks all inbound traffic but allows outbound traffic from internal users. On this internal segment we hosted several monitors and traffic generators that sent bad packets to the test segment. The second segment sat on the other side of the router. We mixed good and bad data to see whether RealSecure could tell them apart. We then used a NetXray Pro sniffer on the second segment, the one under test, to see whether RealSecure could detect it when we reversed the flow of data and manipulated TCP/IP packets to create spoofed streams.

RealSecure installed in less than 15 minutes, including installation of the test key for our evaluation copy. The daemon running on NT Server uses a minuscule amount of memory, and we used some 15 MB of disk space generating reports from the log files it created. All in all, this is a lightweight product in terms of resource needs.

A significant number of policies are supplied to define the network activities to watch. These include, but are not limited to, Windows NT networks, an attack detector, a DMZ detector, and Web analysis and detection. If these do not meet your needs, you are free to define additional ones. A word of warning, though: individuals defining new policies or intrusion monitors should be well trained in the art of intrusion detection, or they could create a monster that may bite them.

Defining a new policy, or editing an existing one, is a matter of copying a predefined policy and then adjusting the types of events you want to observe. Policies are loaded automatically when the RealSecure daemon starts on the server.

The product has excellent reporting and notification systems. We enabled e-mail and pager notification so we could be alerted quickly to an attack. The reports include critical information such as the attacker's source IP address, including the unspoofed addresses of attackers on the Internet. The monitor showed the destination of the attack, the type of attack, and whether the machine was being compromised by a specific exploit or simply flooded into submission, as many attacks do.

We used our sniffer to generate bogus packets and send them across the network. Their TCP/IP headers carried the correct destination address but a wildly incorrect source address. We also generated SYN flood attacks against our test Web server. RealSecure recorded the attacks as we expected. We then ran Back Orifice 2000, itself a Trojan horse remote-control tool, bundled with multiple other Trojan payloads, against the test system on an isolated network with RealSecure. RealSecure handled this attack as well.
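To make the test above concrete, here is an added example of the two checks a network monitor like RealSecure applies to such traffic: an ingress-filter rule that flags packets whose claimed source address cannot legitimately appear where the sensor saw them (spoofed sources), and a sliding-window count of half-open SYNs per target that flags a SYN flood. This is example code written for this review, not ISS's code or its policy format. The segment address 10.1.1.0/24, the bogon ranges, the threshold of 20 SYNs per second, the packet fields and all of the sample packets are assumptions constructed for the example.

```python
"""Toy signature/threshold checks of the kind a network IDS applies to spoofed
packets and SYN floods.  Example code written for this review; the addresses,
thresholds and traffic below are constructed, not captured."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.1.1.0/24")        # assumed: the segment under test
# Sources that should never appear on the wire as a real sender.
BOGON_NETS = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4")]
SYN_THRESHOLD = 20                              # assumed: half-open SYNs per target
WINDOW_SECONDS = 1.0                            # assumed: sliding window length


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    iface: str     # "ext" = router side of the sensor, "int" = protected segment
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A"


def spoof_alerts(packets):
    """Ingress filtering: a packet arriving from the router side that claims an
    internal source address, or any packet from a bogon range, is spoofed."""
    alerts = []
    for p in packets:
        src = ip_address(p.src)
        if p.iface == "ext" and src in INTERNAL_NET:
            alerts.append((p.ts, "internal source seen on external side", p.src, p.dst))
        elif any(src in net for net in BOGON_NETS):
            alerts.append((p.ts, "bogon source address", p.src, p.dst))
    return alerts


def syn_flood_alerts(packets):
    """Count SYNs (no ACK) per (dst, port) in a sliding window; alert once per
    target when the count exceeds SYN_THRESHOLD.  Returns
    (ts, "syn flood", dst, dport, syn_count) tuples."""
    windows = defaultdict(deque)
    already_alerted = set()
    alerts = []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.flags != "S":
            continue
        key = (p.dst, p.dport)
        window = windows[key]
        window.append(p.ts)
        while window and p.ts - window[0] > WINDOW_SECONDS:   # expire old SYNs
            window.popleft()
        if len(window) > SYN_THRESHOLD and key not in already_alerted:
            already_alerted.add(key)
            alerts.append((p.ts, "syn flood", p.dst, p.dport, len(window)))
    return alerts


def sample_traffic():
    """Constructed traffic: one legitimate handshake, two spoofed packets, and a
    burst of 30 SYNs from scattered sources against the test Web server."""
    web = "10.1.1.80"
    pkts = [
        Packet(0.00, "int", "10.1.1.5", web, 80, "S"),
        Packet(0.01, "int", web, "10.1.1.5", 40000, "SA"),
        Packet(0.02, "int", "10.1.1.5", web, 80, "A"),
        Packet(0.50, "ext", "10.1.1.99", web, 80, "S"),   # internal address from outside
        Packet(0.60, "int", "0.0.0.0", web, 80, "S"),     # bogon source
    ]
    # SYN flood: 30 SYNs in 0.3 s, each with a different bogus source.
    pkts += [Packet(2.0 + i * 0.01, "ext", f"203.0.113.{i + 1}", web, 80, "S")
             for i in range(30)]
    return pkts


def run(packets=None):
    packets = sample_traffic() if packets is None else packets
    return {"spoofed": spoof_alerts(packets), "syn_floods": syn_flood_alerts(packets)}


if __name__ == "__main__":
    for kind, found in run().items():
        print(kind)
        for alert in found:
            print("   ", alert)
```

Run stand-alone it prints two spoof alerts and one SYN-flood alert for 10.1.1.80:80, raised on the 21st SYN inside the one-second window. The flood sources are not flagged as spoofed, which is the point of the original test: a monitor needs the rate-based rule as well as the address rule, because a forged but routable source address looks perfectly ordinary packet by packet.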

During the testing, some heavy-duty network intrusions were thrown at RealSecure 3.2. We were pleased with how well the product performed on our Windows NT networks, which include a few Linux and BSD servers as well. The product did its job very well and presented us with few problems.

RealSecure 3.2
Internet Security Systems Inc.
Atlanta, Ga.
Price: $8,995 per network engine; $750 per system agent

+ Excellent reporting and notification systems
+ Does not require much disk space