Review: eTrust Intrusion Detection

This solution provides a network-based IDS, real-time session monitoring and internet/email content blocking. eTrust Intrusion Detection can be installed in standalone mode, or it can be distributed on separate machines. The intrusion detection program installs as a service under Windows NT/2000. As usual, the monitoring interface is a NIC in promiscuous mode, and therefore the presence of the IDS is concealed from the attacker.

Security policies are defined using rules. If any of the characteristics of a network session match the rule conditions, an action is triggered. Configuring the security policy consists of choosing one of the supplied pre-defined rule sets, which you can then fine-tune to save resources.

A supplied performance-monitoring utility called Network Load can be used to help tune the rules further. Manual tuning takes some time, but is necessary to improve performance. The pre-defined rules can detect intrusions and suspicious network activity and inspect content. If the rule sets do not suit your requirements, you can modify or create your own.

eTrust Intrusion Detection does more than just detect - it can also act as intrusion prevention by blocking network activity. The blocking mechanism works by spoofing the session and sending an RST to disconnect it. The client receives a blocking message, depending on the protocol, and the server believes it has been disconnected. It can monitor and block any session going across a UDP or TCP port, and also block active sessions based on content, header information and string matches.

Alerts can be delivered by displaying a message on the screen, by email, fax, pager or SNMP trap. It also includes OPSEC support, allowing you to define rules on Check Point FireWall-1.

Centralized management is provided by a utility called Enterprise Manager, which can monitor remote eTrust Intrusion Detection nodes and also deploy security policies. It also consolidates information into a relational database.

Report generation is easy and can be scheduled for automatic production. Reports can be viewed on any computer, even if eTrust Intrusion Detection is not installed on it, by using a small client application called Report Viewer.

For:

A scalable system that integrates with CA's Unicenter platform.


Against:

Careful manual tuning of the security policy rules is required to achieve good performance. CA says that version 3 will address this.


Verdict:

CA's 'jack of all trades' approach goes against the trend, but CA says this is a strength, allowing more centralized security management.