
5. Theatrical Representations and Otherness

5.1. Henry Núñez, Life as Theatrical Representation

The Enterprise version provides the ability to centrally monitor and manage multiple distributed eTrust detection engines, and to consolidate selected information in a common relational database.

This is achieved by installing eTrust agents on different segments of the network (local and remote), which are controlled by a central station from which the administrator can view and generate reports based on the consolidated information collected by the agents.

eTrust Intrusion Detection Central allows a single remote administrator to monitor and manage multiple local and remote eTrust Intrusion Detection hosts. Using this capability, the administrator sees alerts on the console and has the ability to remotely control specific eTrust hosts as if they were local.

Figure 10 – eTrust: The console

The main Central component operates on Windows 95, Windows 98 or Windows NT/2000. It receives, sorts and displays alerts generated by one or more remote agents and allows the administrator to connect to and operate the agent.

Communication between the central console and remote hosts is achieved via Central Agents installed on all stations running Enterprise software. The Central Agent operates in the background on the remote host, receives alerts from the local eTrust ID, and sends these alerts to eTrust ID Central.

eTrust Intrusion Detection Remote allows remote control of eTrust Intrusion Detection via dial-up or direct network connections.

Finally, eTrust ID Log View allows users to monitor usage details over an extended period of time by targeting a specific database and browsing and viewing the archived information. Users can also consolidate session information from multiple eTrust stations in a relational database.

The system includes the database front end and distributed collection components that are invoked by events in eTrust Intrusion Detection based on eTrust Intrusion Detection rules.

The eTrust ID Log View consists of three main components:

• The Data Client, which collects the data and transfers it to the archive.

• The Log View Database Server component, which controls the archived data on the same or a different computer utilising a relational database product (Oracle or SQL).

• The Log View Viewer, which can reside on any Windows NT system and provides the user with an interface for viewing the archived logs.

Installation

Installation is the usual straightforward Windows InstallShield routine. Inserting the CD brings up a menu of installation choices which provides the option to install a stand-alone engine or the eTrust Intrusion Detection Enterprise components.

The eTrust Intrusion Detection engine is installed as a native NT service and operates in stealth mode to make it difficult to detect on the wire. An on-line registration function finishes the installation routine, and this was our only gripe with installation: if your network connection is down at the time of install, it could cause problems.

Documentation could only be described as basic, with a Getting Started Guide in PDF format on the CD. However, it has to be said that eTrust IDS is fairly simple to get up and running, so more extensive documentation is probably unnecessary.

Configuration

Once installed, eTrust Intrusion Detection immediately starts its surveillance for intrusion attempts and suspicious network activity and begins logging all e-mail, Web browsing, news, Telnet, and FTP activity using a default security policy. New rules can easily be added, or the existing rules changed, using menu-driven options. All network activity that is not associated with a rule is identified for statistical and real-time analysis, often revealing the need for additional rules.

When it comes to editing the various detection rule sets, anyone familiar with the FireWall-1 rules definition user interface will be quite at home with eTrust Intrusion Detection. It’s not that it is similar - it’s identical. CA has a development relationship with Check Point that gives it access to the actual FireWall-1 code for rules maintenance.

Any number of eTrust users can be defined to the system, each one authorised to perform only certain actions if required – one user may be allowed to create new rules, for example, whereas another might only be able to run reports.

It’s just as well that rules definition is so straightforward, because there is a lot of it to do.

eTrust does a lot more than Network IDS, and there is a set of rules for each of its major functions:

• Intrusion Detection

• URL Access Monitoring and Control

• Monitor/Block/Alert

• Content Inspection

eTrust Intrusion Detection checks each session against the rules until either the session terminates or a match occurs.

The first place to start is to define the various network objects - specific hosts, networks, users, domains, workstations, and so on - that will be referred to by name in the rule sets, and those services which will be excluded from detection. For instance, you might decide that all NetBIOS services over TCP for the internal network need not be examined by eTrust.

Figure 11 - eTrust: Defining rule sets

Once you have this basic information entered, you can begin defining the rule sets for each of the above capabilities. What you would refer to as “signatures” in other products are “Rule Types” in eTrust, and the Intrusion Detection rule set contains just over 360 signatures at the time of writing, which is considerably fewer than some of the competition. CA is working hard to catch up in an area that is relatively new to it, and new signatures can be downloaded regularly from the CA Web site. Rule Types can be Service- or Content-based, and a number of different parameters can be added instructing eTrust to check session content for “active” components, such as Java or ActiveX, or to compare session data with strings or commands that are specified as part of the rule. It is incredibly easy to add new signatures of your own, making eTrust Intrusion Detection one of the most readily extensible products we have seen.

The actual rules are created from these Rule Types (attack signatures) combined with a source and destination, an action and a time when the rule is applicable. If any of the characteristics of the session correspond with the rule conditions, a match occurs. This match triggers an Action, which can include logging to file, blocking the session, raising an alert, writing to the NT event log, audio alert, NT message, running an external program, sending an e-mail, fax, SNMP trap, pager, syslog, and reconfiguring your firewall (eTrust, Cisco or any OPSEC-compliant firewall), amongst others. Any combination of these Actions can be triggered from a single event, and this is probably the widest range of alert types we have seen in a single product.

Rules can be turned on and off in the rule set by clicking on a check box, allowing them to be disabled temporarily on the fly for testing purposes without having to delete them.
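To make the rule model described above concrete, here is an added example (not CA's code, and not eTrust's real rule format) that reproduces its structure in Python: named network objects, excluded services, Rule Types that are service-based, content-based or both, and rules that combine a Rule Type with a source, destination, time window, an enabled flag standing in for the check box, and any combination of actions. Sessions are checked against the rules in order until the first match. The object names, the rules, the content checks and the sample sessions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Network objects referred to by name in rules (constructed sample definitions).
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "internal": ["10.0.0.0/8"],
    "dmz_web": ["192.0.2.10/32"],
    "any": ["0.0.0.0/0"],
}
# Services excluded from detection for the internal network (here NetBIOS over TCP).
EXCLUDED_SERVICES = {("tcp", 137), ("tcp", 138), ("tcp", 139)}

@dataclass
class Session:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes
    started: time

@dataclass
class RuleType:
    """A signature: service-based (protocol/port), content-based (a check over
    session data), or both. Names and checks here are assumptions."""
    name: str
    service: Optional[Tuple[str, int]] = None
    content_check: Optional[Callable[[bytes], bool]] = None

    def matches(self, s: Session) -> bool:
        if self.service is not None and (s.proto, s.dport) != self.service:
            return False
        if self.content_check is not None and not self.content_check(s.payload):
            return False
        return True

@dataclass
class Rule:
    rule_type: RuleType
    source: str           # network object names
    destination: str
    actions: List[str]    # any combination of actions fires on a match
    active_from: time = time(0, 0)
    active_to: time = time(23, 59, 59)
    enabled: bool = True  # the check box: a disabled rule is skipped, not deleted

def in_object(addr: str, obj_name: str) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in NETWORK_OBJECTS[obj_name])

def rule_applies(rule: Rule, s: Session) -> bool:
    return (rule.enabled
            and rule.active_from <= s.started <= rule.active_to
            and in_object(s.src, rule.source)
            and in_object(s.dst, rule.destination)
            and rule.rule_type.matches(s))

def evaluate(s: Session, rules: List[Rule]) -> List[str]:
    """Check the session against the rules in order; the first match wins and
    returns its actions. An excluded internal service is never examined."""
    if in_object(s.src, "internal") and (s.proto, s.dport) in EXCLUDED_SERVICES:
        return []
    for rule in rules:
        if rule_applies(rule, s):
            return list(rule.actions)
    return []

def has_active_component(data: bytes) -> bool:
    """Crude check for 'active' HTML components (Java applets, ActiveX objects)."""
    low = data.lower()
    return b"<applet" in low or b"<object" in low or b"classid=" in low

def contains_phrase(phrase: bytes) -> Callable[[bytes], bool]:
    """Content check comparing session data against a key phrase, case-insensitively."""
    return lambda data: phrase.lower() in data.lower()

RULE_TYPES = {
    "telnet": RuleType("telnet", service=("tcp", 23)),
    "http_active": RuleType("http_active", ("tcp", 80), has_active_component),
    "mail_keyword": RuleType("mail_keyword", ("tcp", 25), contains_phrase(b"confidential")),
}
DEFAULT_RULES = [
    Rule(RULE_TYPES["http_active"], "internal", "dmz_web", ["log", "alert", "block"]),
    Rule(RULE_TYPES["mail_keyword"], "internal", "any", ["log", "e-mail"]),
    Rule(RULE_TYPES["telnet"], "any", "internal", ["log", "alert"], time(8, 0), time(18, 0)),
]
# Constructed sample sessions.
SAMPLES = {
    "active_html": Session("10.1.2.3", "192.0.2.10", "tcp", 80, b"<HTML><APPLET code=x.class>", time(10, 0)),
    "netbios": Session("10.1.2.3", "10.1.2.4", "tcp", 139, b"\x00", time(10, 0)),
    "mail": Session("10.1.2.3", "203.0.113.5", "tcp", 25, b"Subject: CONFIDENTIAL plan", time(10, 0)),
    "telnet_day": Session("198.51.100.7", "10.0.0.5", "tcp", 23, b"login:", time(9, 30)),
    "telnet_night": Session("198.51.100.7", "10.0.0.5", "tcp", 23, b"login:", time(3, 0)),
}

def run_all(rules: List[Rule] = DEFAULT_RULES) -> Dict[str, List[str]]:
    return {name: evaluate(s, rules) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, actions in run_all().items():
        print(f"{name:13s} -> {actions or 'no match'}")
```

The NetBIOS session never reaches the rules because it hits the exclusion first, the night-time Telnet session fails the rule's time window, and the remaining sessions each stop at their first matching rule. Because first match wins, rule order matters: a broad logging rule placed above a narrower blocking rule silently prevents the block, which is the same ordering pitfall that applies to FireWall-1 rule bases.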

When you choose to log details of an event in the Tree Window, you can decide whether the log should include the contents of the session and whether the contents should be encrypted or signed. If you choose to include the contents of the session, you will be able to see these details in the View window when you select the session in the Tree Window.

Figure 12 - eTrust: Suspicious Network Activity Detection Rules

In addition to the high-level Intrusion Detection rules, there are also a number of lower-level predefined security violations, covered by the Suspicious Network Activity Detection rule set. These cover such activities as IP spoofing, SYN flooding, ping attacks, port scanning, WinNuke, Land, Teardrop, Smurf, distributed DoS attacks, and so on. When eTrust Intrusion Detection detects one of these violations, the Show Security Violations button in the toolbar blinks, and clicking this button displays a window with details of the violation. There are fewer than thirty of these Security Violations currently defined in the product, and this is an area that needs improvement if eTrust is to be brought in line with the IDS market leaders.
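The lower-level violations above are detected from traffic characteristics rather than from signatures. As an added example (not CA's code, and not eTrust's actual detection rules), the following Python runs three such checks over constructed packet records: a Land packet (identical source and destination address and port), a port scan (one source touching many distinct ports on a host within a short window) and a SYN flood (many half-open connections to one host). The thresholds and window lengths are assumptions chosen for the example; the flood detector reports only the target, since the sources in a flood are usually spoofed and therefore meaningless.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Packet(NamedTuple):
    ts: float     # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters, e.g. "S" (SYN), "A" (ACK)

# Thresholds are assumptions for this example, not eTrust's settings.
SCAN_PORTS, SCAN_WINDOW = 10, 5.0    # distinct ports on one host within the window
FLOOD_SYNS, FLOOD_WINDOW = 50, 5.0   # half-open connections to one host within the window

Violation = Tuple[str, str, str]     # (kind, source, destination)

def _window_hit(events: List[Tuple[float, int]], window: float, threshold: int, distinct: bool) -> bool:
    """Slide a time window over (ts, value) pairs; True once the count (or the
    number of distinct values) inside one window reaches the threshold."""
    events.sort()
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        span = events[start:end + 1]
        count = len({v for _, v in span}) if distinct else len(span)
        if count >= threshold:
            return True
    return False

def detect_land(pkts: List[Packet]) -> Set[Violation]:
    """Land: a packet whose source and destination address and port are identical."""
    return {("land", p.src, p.dst) for p in pkts if p.src == p.dst and p.sport == p.dport}

def detect_port_scan(pkts: List[Packet]) -> Set[Violation]:
    """Port scan: one source touching many distinct ports on one host in a short time."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for p in pkts:
        by_pair[(p.src, p.dst)].append((p.ts, p.dport))
    return {("port_scan", src, dst) for (src, dst), ev in by_pair.items()
            if _window_hit(ev, SCAN_WINDOW, SCAN_PORTS, distinct=True)}

def detect_syn_flood(pkts: List[Packet]) -> Set[Violation]:
    """SYN flood: many SYNs to one host never completed by an ACK from the same
    client. Sources are typically spoofed, so only the target is reported."""
    completed = {(p.src, p.sport, p.dst, p.dport) for p in pkts if p.flags == "A"}
    half_open: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for p in pkts:
        if p.flags == "S" and (p.src, p.sport, p.dst, p.dport) not in completed:
            half_open[p.dst].append((p.ts, p.sport))
    return {("syn_flood", "*", dst) for dst, ev in half_open.items()
            if _window_hit(ev, FLOOD_WINDOW, FLOOD_SYNS, distinct=False)}

def detect_all(pkts: List[Packet]) -> List[Violation]:
    return sorted(detect_land(pkts) | detect_port_scan(pkts) | detect_syn_flood(pkts))

def sample_traffic() -> List[Packet]:
    """Constructed traffic: three normal web sessions, one scan, one flood, one Land packet."""
    pkts: List[Packet] = []
    for i, client in enumerate(["10.1.0.1", "10.1.0.2", "10.1.0.3"]):       # completed handshakes
        pkts.append(Packet(1.0 + i, client, 5000 + i, "10.0.0.5", 80, "S"))
        pkts.append(Packet(1.1 + i, client, 5000 + i, "10.0.0.5", 80, "A"))
    for port in range(1, 21):                                                 # 20 ports probed in 2 s
        pkts.append(Packet(10.0 + 0.1 * port, "203.0.113.9", 4000 + port, "10.0.0.5", port, "S"))
    for i in range(60):                                                       # 60 half-open SYNs in 1.8 s
        pkts.append(Packet(20.0 + 0.03 * i, f"198.51.100.{i + 1}", 40000 + i, "10.0.0.6", 80, "S"))
    pkts.append(Packet(30.0, "10.0.0.7", 139, "10.0.0.7", 139, "S"))         # Land
    return pkts

if __name__ == "__main__":
    for kind, src, dst in detect_all(sample_traffic()):
        print(f"{kind:10s} {src} -> {dst}")
```

Note that the scanner's twenty uncompleted SYNs also count as half-open connections to 10.0.0.5, but stay well below the flood threshold; in a real deployment the thresholds have to be tuned per network, because a busy web server legitimately carries many half-open connections at once.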

eTrust Intrusion Detection offers a number of other useful features that are not normally found in “traditional” IDSs, and these are covered by a number of other rule sets.

Content Inspection Rules are used to check for active HTML components and viruses in e-mail attachments, newsgroup postings, FTP downloads and HTTP pages and binaries. In the Content Inspection Rules grid, the administrator can choose which components eTrust will search for, and the action that will be taken when one of these components is detected. eTrust Intrusion Detection also uses the InoculateIT scanning engine to detect and block network traffic containing computer viruses.

Figure 13 - eTrust: Defining Content Inspection Rules

One of the more advanced features in this section of the product is the ability to monitor e-mail traffic, right down to the point of being able to read the messages themselves or compare message content against a list of key words and phrases. This may send shivers down the collective spines of many corporate Directors, who may not like the idea that the network administrator can simply lift any message – incoming or outgoing – off the wire.

Of course, the Directors’ e-mail could always be serviced by a separate segment not monitored by SessionWall, or encapsulated within a VPN. Once you have set aside such fears, however, this capability can help to ensure that there are no corporate secrets, offensive material or mass mailings of CVs going out of the organisation.

URL Access Monitoring And Control Rules monitor and log access to sites that are deemed “unproductive” and have a specific rating. The administrator chooses which categories (e.g. games, dating services, gambling, sport) are not work-related and which sites eTrust Intrusion Detection will monitor based on their ratings. Four levels of extremity can be selected for sites categorised as violence, sex, nudity and language.

Finally, Monitor/Block/Alert Rules are used to log activity for all the protocols and to allow blocking of specific Web sites. eTrust can even be configured to block network games such as Doom and Quake automatically – a real killjoy package, this one! The administrator can view the logged and blocked events in the Tree Window.