Review: RealSecure Network Sensor


RealSecure 7.0 is the result of the integration between RealSecure and the BlackICE NIDS sensor technology. It runs on a dedicated machine and acts as a NIPS sensor to monitor a network segment, looking for intrusions or suspicious activity. If an intrusion is suspected, it can respond by recording details of the event. It can notify the network administrator, reconfigure the firewall, or terminate the event.


This solution understands more than 60 different application-layer protocols, which it analyses to recognise context, and uses pattern-matching techniques to identify intrusions. It can also perform IP packet defragmentation as well as TCP and HTTP session reassembly, and is designed to combat evasion techniques that split an attack across packets. Network Sensor also allows users to write their own custom attack signatures. It runs on Windows 2000 and Red Hat Linux, and support for Sun Solaris 8 and the Nokia IP series is due shortly.

Network Sensor 7.0 has more than 1,200 signatures, which are automatically updated from ISS. This wide coverage results from combining the BlackICE and RealSecure signature libraries. It also imports most of the published rules from Sourcefire's Snort, which gives users a further way to write their own custom signatures.

RealSecure Site Protector provides the central management for the system. The console includes the policy editor, which defines the policies that configure the sensors, including how to respond to attacks. The Site Protector Event Collector (EC) receives events from the sensors, stores them in the enterprise database for later analysis, and delivers real-time alerts to the console. Site Protector can be configured to use MSDE 2000 or Microsoft SQL Server 2000 as its database. If communication with the EC goes down, the sensor caches the events it detects and delivers them to the EC once it is back online.

The console displays events with three priority levels: low, medium or high. Events can be sorted by source address, destination address or event description. RealSecure monitors both directions of the conversation, including any return codes and other data from the host, which helps determine whether an exploit was successful. SiteProtector's Fusion module provides event correlation across multiple sensors and vulnerability assessment tools, reducing the number of critical alerts to a more manageable level. Site Protector runs on Windows NT4/2000.

ISS also offers a host-based IDS that integrates with the network sensor.

For:

Policy definition is easy compared to rival products.


Against:

Professional services and a training course would be necessary for most customers because the documentation is not detailed enough.


Verdict:

RealSecure 7.0 has an excellent user interface and one of the best-performing and accurate sensor engines on the market.
