February 2002
RealSecure
Version: 6.0
by Geoff Marshall
FOR
Central management of many sensors is easy and it is expandable without limit.
AGAINST
Many network sensors are required to monitor the many segments of a switched and routed network.
VERDICT
RealSecure combines the advantages of host-based and network-based intrusion detection in a single software product that is easy to keep up to date.

RealSecure is an intrusion detection system that uses both network-based and host-based approaches.

Detection is carried out by three types of sensor, which comprise low-level software that monitors activity on operating systems, servers and network segments. Network sensors monitor network packets and look for activity that could indicate an attack against your network. Operating system (OS) sensors monitor activity on an individual host, through the operating system log files and through port activity. Server sensors include OS sensor functionality as well as network traffic monitoring, intelligent alerting and blocking capabilities. Server sensors block suspicious traffic and intercept packets before they reach the operating system.
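To make the host-based side concrete, here is an added example (it is not RealSecure code and is not from ISS) of the kind of work an OS sensor does when it reads operating system log files: it parses a login-audit line format, keeps a sliding window of failed logins per source address, and raises an alert when one source exceeds a threshold inside the window. The log format, the sample lines, the threshold and the window length are all assumptions made for the illustration.

```python
"""Toy host-based sensor that watches OS log lines for failed-login bursts.

Added illustration of the 'OS sensor reads the operating system log files'
idea; not ISS RealSecure code. The log format, the sample lines and the
threshold/window values are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format:
# "<YYYY-MM-DD HH:MM:SS> <host> LOGIN <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source hammers the admin account, one line is
# malformed, and a second source fails twice but 150 seconds apart.
SAMPLE_LOG = """\
2002-02-01 09:00:01 fileserver LOGIN FAIL user=admin src=192.0.2.10
2002-02-01 09:00:03 fileserver LOGIN FAIL user=admin src=192.0.2.10
2002-02-01 09:00:04 fileserver LOGIN OK user=alice src=192.0.2.20
2002-02-01 09:00:06 fileserver LOGIN FAIL user=admin src=192.0.2.10
2002-02-01 09:00:07 fileserver LOGIN FAIL user=root src=192.0.2.10
2002-02-01 09:00:08 fileserver LOGIN FAIL user=admin src=192.0.2.10
2002-02-01 09:00:09 fileserver LOGIN FAIL user=admin src=192.0.2.10
2002-02-01 09:05:00 fileserver LOGIN FAIL user=bob src=192.0.2.30
this line is not in the expected format
2002-02-01 09:07:30 fileserver LOGIN FAIL user=bob src=192.0.2.30
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


class FailedLoginSensor:
    """Alert when one source produces `threshold` failed logins inside a
    sliding `window`. The window is cleared after each alert, so a
    continuing attack yields one alert per `threshold` failures."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)  # src -> deque of (ts, user)
        self.unparsed = 0                    # malformed lines are counted, not dropped silently

    def feed(self, line):
        """Process one log line; return an alert dict or None."""
        event = parse_line(line)
        if event is None:
            self.unparsed += 1
            return None
        if event["result"] != "FAIL":
            return None
        q = self._failures[event["src"]]
        q.append((event["ts"], event["user"]))
        # Discard failures that have fallen out of the window.
        while q and event["ts"] - q[0][0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return None
        alert = {
            "signature": "failed-login-burst",
            "host": event["host"],
            "src": event["src"],
            "count": len(q),
            "users": sorted({user for _, user in q}),
            "first": q[0][0],
            "last": event["ts"],
        }
        q.clear()
        return alert


def scan_log(text, **sensor_args):
    """Run the sensor over a whole log; return (alerts, unparsed_line_count)."""
    sensor = FailedLoginSensor(**sensor_args)
    alerts = []
    for line in text.splitlines():
        alert = sensor.feed(line)
        if alert is not None:
            alerts.append(alert)
    return alerts, sensor.unparsed


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG)[0]:
        print(alert)
```

With the defaults the sample log yields a single alert for 192.0.2.10 covering both the `admin` and `root` accounts; lowering the threshold to 2 still produces no alert for 192.0.2.30, because its two failures are further apart than the window. Counting unparsed lines matters in practice: a sensor that quietly skips lines it cannot read gives an attacker a blind spot by way of a log-format change.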

The system is controlled using the Workgroup Manager GUI, which includes the RealSecure console, and runs under Windows NT4 on a minimum of a 300MHz Pentium with 128MB RAM. Microsoft Data Access Components (MDAC) are also required for operation of the console. There is extensive online help, which requires Internet Explorer 4.0 or later for access.

Network sensors are machines running either Windows NT4 or Sun Solaris Sparc, with a network card running in promiscuous mode to monitor each network segment. It is recommended that a machine be dedicated to this task; for Windows, the minimum system requirements are a 300MHz Pentium with 128MB RAM. A network sensor must be installed in every segment (collision domain) you want to monitor and protect. On a switched network, this means on every port that requires protection. However, it is often sufficient to monitor WAN links and interdepartmental connections at the firewall - it really depends how paranoid you are about internal hackers. It would be nice if RealSecure directly supported and co-operated with common makes of switch, as these have a wider view of what's going on from a single monitoring point. However, this would require integration with the firmware of each switch.

Stealth mode can be used for network sensors to make the promiscuous-mode network interface card (NIC) invisible: in this mode it simply doesn't have an IP address. A separate NIC in each network sensor machine is then used to communicate with the console, usually over a physically isolated secure network. Stealth mode makes it more difficult for a hacker to attack the network sensor itself.

Operating system sensors can run on Windows NT4, Sun Solaris Sparc, IBM AIX or HP-UX, but server sensors are restricted to Windows NT4 and Sun Solaris Sparc only. These two kinds of sensor have no specific system requirements beyond those of the operating system and applications already on the machine. OS sensors should be deployed on critical workstations, such as network and security managers' machines, and server sensors on critical servers, such as file servers holding confidential data and web servers that are particularly exposed to outside attack.

For secure operation of the system, you are advised to enable authentication, which uses public/private key pairs to authenticate the components of the system to one another. And, of course, there are comprehensive logging and reporting facilities.

The response to a suspected intrusion is generated by the sensor itself and can include: recording the event and/or session in the log; sending an email alert and/or an SNMP trap; terminating the user's session; reconfiguring Lucent or Check Point firewalls; and other user-definable actions. If you choose an OPSEC response, RealSecure sends a message to the firewall to prevent the intruding source address crossing the firewall boundary for a user-specified period of time.

Installation requires a separate installation of each component (sensors, console, etc.) on separate machines, so it takes some time in extensive deployments. However, an Autoinstall feature lets you record the configuration data from the first installation of any sensor type and replay those responses for subsequent installations of the same sensor type. After installing the console, you can import any policies you already have from a previous version of RealSecure, or create policies afresh.

Policies must be applied to each sensor, and the graphical user interface of the console makes this particularly easy. Many pre-configured policies are supplied with RealSecure, and these can be edited to form the basis of custom policies. This approach makes it much quicker to create custom policies, as you don't have to tick every option required - you merely modify a copy of a pre-configured policy. Policies determine what each sensor regards as suspicious and what responses are required.
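As an added example that covers both the response list above and this policy model (it is not ISS code; the signature names, the policy layout and the firewall stand-in are all constructed), the following Python sketches a sensor-side policy and response engine: a pre-configured policy is copied and edited into a custom one, each event is mapped to log, email/SNMP and time-limited firewall-block responses, and a never-block list protects addresses whose automatic blocking would hurt you more than the attacker.

```python
"""Toy policy and response engine of the kind the review describes: a
pre-configured policy is copied and edited into a custom one, and each
signature carries the responses the sensor should take.

Added illustration, not ISS RealSecure code. Signature names, the policy
layout and the firewall stand-in are constructed; the real product talks
OPSEC to a Check Point (or Lucent) firewall to block a source for a
user-specified period.
"""
import copy
from datetime import datetime, timedelta

# Constructed pre-configured policy: signature -> responses.
PRECONFIGURED_POLICY = {
    "name": "default-webserver",
    "signatures": {
        "http-dir-traversal": {"log": True, "email": True, "block_minutes": 30},
        "port-scan":          {"log": True, "email": False, "block_minutes": 0},
        "failed-login-burst": {"log": True, "snmp": True, "block_minutes": 10},
    },
}


def derive_policy(base, name, overrides):
    """Copy a pre-configured policy and change only the settings listed;
    the base policy is left untouched."""
    policy = copy.deepcopy(base)
    policy["name"] = name
    for signature, settings in overrides.items():
        policy["signatures"].setdefault(signature, {}).update(settings)
    return policy


class FirewallStub:
    """Stand-in for the 'block this source address until <time>' call a
    firewall integration would make; blocks expire on their own."""

    def __init__(self):
        self.blocks = {}  # src -> expiry time

    def block(self, src, until):
        # A repeat alert may extend an existing block, never shorten it.
        self.blocks[src] = max(until, self.blocks.get(src, until))

    def is_blocked(self, src, now):
        until = self.blocks.get(src)
        return until is not None and now < until

    def expire(self, now):
        self.blocks = {s: t for s, t in self.blocks.items() if now < t}


class ResponseEngine:
    """Apply a policy to sensor events and record every action taken."""

    def __init__(self, policy, firewall, never_block=()):
        self.policy = policy
        self.firewall = firewall
        # Addresses that must never be auto-blocked (console, management
        # network, DNS). An attacker who spoofs one of these as the source
        # of an attack would otherwise turn the blocking response into a
        # self-inflicted outage.
        self.never_block = set(never_block)
        self.log = []            # (time, signature, src)
        self.notifications = []  # (channel, signature, src)

    def handle(self, event, now):
        """Return the list of responses taken for one event."""
        settings = self.policy["signatures"].get(event["signature"])
        if settings is None:
            return []  # signature not covered by this policy: ignored
        actions = []
        if settings.get("log"):
            self.log.append((now, event["signature"], event["src"]))
            actions.append("log")
        for channel in ("email", "snmp"):
            if settings.get(channel):
                self.notifications.append((channel, event["signature"], event["src"]))
                actions.append(channel)
        minutes = settings.get("block_minutes", 0)
        if minutes > 0:
            if event["src"] in self.never_block:
                actions.append("block-skipped")
            else:
                self.firewall.block(event["src"], now + timedelta(minutes=minutes))
                actions.append("block")
        return actions


def run_demo():
    """Drive the engine through a short constructed scenario; return what happened."""
    fw = FirewallStub()
    engine = ResponseEngine(PRECONFIGURED_POLICY, fw, never_block={"10.0.0.2"})
    t0 = datetime(2002, 2, 1, 9, 0, 0)
    custom = derive_policy(PRECONFIGURED_POLICY, "custom-fileserver",
                           {"port-scan": {"block_minutes": 5}})
    custom_engine = ResponseEngine(custom, FirewallStub())
    result = {
        "traversal": engine.handle({"signature": "http-dir-traversal", "src": "192.0.2.10"}, t0),
        "blocked_at_29m": fw.is_blocked("192.0.2.10", t0 + timedelta(minutes=29)),
        "blocked_at_30m": fw.is_blocked("192.0.2.10", t0 + timedelta(minutes=30)),
        "scan_default": engine.handle({"signature": "port-scan", "src": "192.0.2.11"}, t0),
        "unknown": engine.handle({"signature": "not-in-policy", "src": "192.0.2.12"}, t0),
        "spoofed_console": engine.handle({"signature": "failed-login-burst", "src": "10.0.0.2"}, t0),
        "scan_custom": custom_engine.handle({"signature": "port-scan", "src": "192.0.2.11"}, t0),
        "base_unchanged": PRECONFIGURED_POLICY["signatures"]["port-scan"]["block_minutes"],
    }
    fw.expire(t0 + timedelta(minutes=31))
    result["blocks_after_expiry"] = sorted(fw.blocks)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The deep copy in `derive_policy` is what makes "modify a copy of a pre-configured policy" safe: editing the custom policy leaves the supplied one intact for the next sensor. The never-block list is the practical caveat to any automatic firewall response: source addresses can be forged, so a policy that blocks on a signature an attacker can trigger at will should never be allowed to block your own infrastructure.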

Updating is achieved by subscribing to the RealSecure X-Press Updates mailing list. When an update is issued, you can easily download it and update RealSecure sensors with the latest signatures, product upgrades and service releases. Remote sensors can be upgraded from the console.

The number of sensors that can be controlled from a single RealSecure console is unlimited, but there are practical limitations based on the power of the hardware being used - the more sensors, the more powerful the hardware needed to run the console. There are also performance limits on the ability of network sensors to monitor every packet: on a lightly loaded 100Mbit/sec network segment, the minimum system requirements are sufficient up to about 30 percent utilization, and more powerful hardware should be used to stretch this to a heavily loaded 60 percent utilization.

RealSecure combines the advantages of host-based and network-based intrusion detection in a single software product. Its modular approach allows sensors to be distributed, and means that it is expandable without limit. At the same time, its central management console enables you to control a very large deployment with the minimum of effort.

Contact Information:
 
RealSecure
Version: 6.0

North America
Supplier: Internet Security Systems, Inc.
Price: on application
Contact: (888) 901-7477
sales@iss.net
www.iss.net

UK/Europe
Supplier: Internet Security Systems Ltd
Price: on application
Contact: +44 (0)20 7653 9191
ukinfo@iss.net

www.iss.net/uk

Asia Pacific
Supplier: Internet Security Systems KK
Contact: Japan +81-3-5475-6451
www.iss.net/pacasia
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © West Coast Publishing. All rights reserved.