This solution is supplied as software or as a desktop or rack-mounted appliance. Each network sensor is a separate appliance handling high-availability, high-security monitored segments at 10/100 or gigabit speeds. It runs on a hardened OS based on Red Hat Linux. In a small installation it can be managed through a web-based interface, through management software or, optionally, through a management appliance.
SecureNet Provider is recommended for centralized database and management purposes; the user interface is provided by Windows 2000 desktop client software. With typical traffic, a dual-processor version of the Provider management appliance can manage over 100 network sensors, and the system can be scaled almost indefinitely.
The stateful intrusion detection engine in the network sensor performs protocol decodes and detects anomalies. It reassembles fragmented IP packets, TCP segments and TCP streams to defeat known IDS evasion techniques, and it tracks up to 100,000 concurrent connections. As the state tables fill up, heuristics identify the least threatening conversations, which are dropped to make room for new connections. The system is configurable, however, so that specific connections to mission-critical resources are exempt from these heuristics and are always tracked.
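To make the two mechanisms in that paragraph concrete, here is an added toy example (not Intrusion SecureNet code, and nothing is known about the product's internal data structures). It reassembles a TCP stream by sequence number before matching, so a signature that an attacker splits across two out-of-order segments is still seen, and it keeps a bounded state table that evicts the least threatening unpinned flow when full while never evicting flows to a configured set of mission-critical destinations. The addresses, patterns, threat scores and table size are constructed illustration values.

```python
"""Added example, not Intrusion SecureNet code: a toy stateful tracker that
(1) reassembles a TCP stream before signature matching, so a pattern split
across out-of-order segments is still detected, and (2) keeps a bounded
state table that evicts the least-threatening flow when full while never
evicting flows to pinned mission-critical hosts. All addresses, patterns,
scores and the table size are constructed illustration values."""

from typing import Dict, List, Set, Tuple

SIGNATURES = [b"/etc/passwd", b"cmd.exe"]            # constructed patterns
FlowKey = Tuple[str, int, str, int]                    # src, sport, dst, dport


class Flow:
    """One TCP conversation; segments are appended only when contiguous."""

    def __init__(self, key: FlowKey, isn: int) -> None:
        self.key = key
        self.next_seq = isn                  # next client byte we expect
        self.pending: Dict[int, bytes] = {}  # out-of-order segments by seq
        self.stream = b""                    # reassembled payload
        self.threat = 0                      # heuristic keep-alive score
        self.alerts: List[str] = []

    def add_segment(self, seq: int, payload: bytes) -> None:
        self.pending[seq] = payload
        while self.next_seq in self.pending:   # drain contiguous data
            chunk = self.pending.pop(self.next_seq)
            self.stream += chunk
            self.next_seq += len(chunk)
        for sig in SIGNATURES:                 # match the stream, not packets
            if sig in self.stream and sig.decode() not in self.alerts:
                self.alerts.append(sig.decode())
                self.threat += 10              # hits make a flow worth keeping


class StateTable:
    """Bounded flow table with heuristic eviction and pinned destinations."""

    def __init__(self, capacity: int, critical_dsts: Set[str]) -> None:
        self.capacity = capacity
        self.critical_dsts = critical_dsts
        self.flows: Dict[FlowKey, Flow] = {}
        self.evicted: List[FlowKey] = []

    def _evict_one(self) -> bool:
        # Only unpinned flows are candidates; lowest threat goes first,
        # ties broken by least data seen (cheapest conversation to forget).
        candidates = [f for f in self.flows.values()
                      if f.key[2] not in self.critical_dsts]
        if not candidates:
            return False
        victim = min(candidates, key=lambda f: (f.threat, len(f.stream)))
        del self.flows[victim.key]
        self.evicted.append(victim.key)
        return True

    def open_flow(self, key: FlowKey, isn: int) -> bool:
        """Register a new conversation (seen at SYN); evict if needed."""
        if len(self.flows) >= self.capacity and not self._evict_one():
            return False                       # full and everything is pinned
        self.flows[key] = Flow(key, isn)
        return True

    def segment(self, key: FlowKey, seq: int, payload: bytes) -> None:
        if key in self.flows:                  # untracked mid-stream data is dropped
            self.flows[key].add_segment(seq, payload)


def run_demo() -> dict:
    table = StateTable(capacity=3, critical_dsts={"10.0.0.5"})
    critical = ("192.0.2.20", 50100, "10.0.0.5", 443)   # pinned, quiet
    chatty = ("192.0.2.10", 50001, "10.0.0.9", 80)      # unpinned, benign
    attacker = ("198.51.100.7", 40001, "10.0.0.9", 80)  # unpinned, hostile
    newcomer = ("192.0.2.11", 50002, "10.0.0.9", 80)

    table.open_flow(critical, isn=1)
    table.segment(critical, 1, b"\x16\x03\x01")          # TLS hello fragment
    table.open_flow(chatty, isn=1)
    table.segment(chatty, 1, b"GET /index.html HTTP/1.0\r\n\r\n")

    # Evasion attempt: the signature straddles two segments sent out of order.
    table.open_flow(attacker, isn=1000)
    seg1, seg2 = b"GET /etc/", b"passwd HTTP/1.0\r\n\r\n"
    per_packet_hit = any(s in seg1 or s in seg2 for s in SIGNATURES)
    table.segment(attacker, 1000 + len(seg1), seg2)     # arrives first
    table.segment(attacker, 1000, seg1)                  # fills the gap

    # Table is now full; the newcomer forces an eviction.
    table.open_flow(newcomer, isn=1)
    return {
        "per_packet_hit": per_packet_hit,
        "stream_alerts": table.flows[attacker].alerts,
        "evicted": table.evicted,
        "tracked": sorted(table.flows),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the per-packet check never sees `/etc/passwd`, the reassembled stream does, and when the fourth flow arrives the benign unpinned `chatty` flow is evicted rather than the quiet pinned flow to `10.0.0.5` or the hostile flow that has already scored a hit.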
Intrusion SecureNet also offers a network grep-based approach to intrusion detection. Its advantage is that it is less processor-intensive than protocol decode on a heavily loaded network; the trade-off is that it is more prone to false positives. You might therefore deploy the grep-based detection on the DMZ while using protocol decode inside the firewall.
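The speed-versus-accuracy trade-off is easiest to see side by side. The following is an added example, not code from Intrusion SecureNet and not its signature format: three constructed HTTP requests are run through a network-grep style matcher (a plain byte search over the whole payload) and a protocol-decode style matcher (parse the request line, percent-decode the request target, check only that). The rule and the requests are made up for illustration.

```python
"""Added example, not Intrusion SecureNet code: a grep-style matcher and a
protocol-decode-style matcher applied to the same constructed HTTP requests,
showing why grep is cheaper but noisier. The rule, paths and requests are
illustration values only."""

from urllib.parse import unquote

PATTERN = b"/etc/passwd"          # the network-grep signature: a byte string
SENSITIVE_PATH = "/etc/passwd"    # what the decode rule looks for in the URI

# Constructed sample traffic: one obvious attack, one percent-encoded attack,
# and a benign forum post whose body merely talks about the file.
REQUESTS = {
    "plain_attack":
        b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\nHost: www\r\n\r\n",
    "encoded_attack":
        b"GET /cgi-bin/view?f=../../etc/%70asswd HTTP/1.0\r\nHost: www\r\n\r\n",
    "forum_post":
        b"POST /forum/reply HTTP/1.0\r\nHost: www\r\nContent-Length: 34\r\n\r\n"
        b"why is /etc/passwd world-readable?",
}


def grep_match(payload: bytes) -> bool:
    """Network grep: one substring scan over the raw payload, no parsing."""
    return PATTERN in payload


def decode_match(payload: bytes) -> bool:
    """Protocol decode: parse the HTTP request line and inspect only the
    normalised request target, ignoring headers and body."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False                          # not a well-formed request line
    target = unquote(parts[1].decode("latin-1"))   # undo %XX encoding
    return SENSITIVE_PATH in target


def run_comparison() -> dict:
    return {name: {"grep": grep_match(p), "decode": decode_match(p)}
            for name, p in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(f"{name:15} grep={verdict['grep']!s:5} decode={verdict['decode']}")
```

Grep flags the benign forum post (a false positive of exactly the kind the review warns about) and misses the percent-encoded request target, while the decode rule gets both right at the cost of parsing every request, which is the reason to put grep on the busy DMZ segment and decode where accuracy matters more than throughput.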
There are over 960 protocol decode signatures and 800 network grep signatures built in, and they can be updated from Intrusion's web site. You can add your own custom signatures, and also use signatures derived from open-source Snort, available from their web site.
The Provider management platform offers policy definition and distribution, real-time monitoring, reporting and forensic analysis. It is based on a Windows 2000 server application and Microsoft SQL Server 2000. SecureNet Provider comes as a separate appliance comprising a policy editor, a policy distribution module and the main client for monitoring and reporting alerts.
Alerts can be delivered by SMTP as email or text messages to pagers or mobile phones, and SNMP traps can also be generated automatically. Events are easy to view using a 'tree' representation of the network nodes; it is also possible to 'drill down' and set up filters. Communications between the management platform and the sensors are authenticated and encrypted.
Scalable almost indefinitely.
The GUI didn't integrate the features of alerting, policy editing and policy distribution as expected.
Combines protocol decode and network grep in one product, so you can tune for speed or accuracy.