Once the Command Console has been started, it will automatically display all host machines that have a Target Agent installed, each of which will have a default detection policy applied and running automatically at install time. By right-clicking individual Targets or groups of Targets it is possible to apply Audit, Detection and Collection policies to each target as required. Policies are selected from a drop-down menu of available policies which have been previously defined, and it is also possible to select no policy if required.
Once policies have been applied in this way, real-time alerts will appear in the Alert Manager window as soon as they are detected. Alerts extracted from the Batch detection policies are displayed in the Alert Manager window when they are collected by the Collection Service at intervals defined by the Collection Policy. It is also possible to force an immediate collection from one or more Target Agents, as well as trigger an immediate assessment. One nice feature – of the utmost importance in large-scale enterprise-wide deployments – is that whenever a source policy is amended in the Command Console, Centrax will examine all Target Agents to see which ones have that policy applied. It will then provide the option to have the new policy applied automatically to all the appropriate Targets – if only all IDS worked that way.
Scheduler
The Scheduler service provides the means for the administrator to force a number of events to be run at regular intervals:
Assessment – run regular vulnerability assessments to track security posture over time
Audit Policy – reapply audit policies at regular intervals to ensure that all Targets have the most up-to-date policies
Report – have suspicious activity reports run overnight and written to disk or sent to the printer
Tripwire scan – for sites with Tripwire installed, this option will force file integrity checks to be run at specified intervals.
Figure 19 - Centrax: Scheduling regular Audit Policy changes
For each type of event, it is possible to restrict the scheduled operation to a single Target, a group of Targets or apply the event to all Targets.
Reporting and Analysis
Bearing in mind the volume of information that can be collected by Centrax, it is important to be able to filter and report on this in an intelligent manner. The ubiquitous Crystal Reports provides the reporting engine.
A number of predefined reports are available, and these can be filtered by Target Agent or by individual users, and run for a specific date range. An “Advanced” tab provides a list of all available attack signatures and events, allowing the administrator to home in on a particular type of suspicious activity.
Output can be to the screen, printer or disk file, and disk file output can be in a range of formats, including plain text, Microsoft Word or HTML.
The latter option would allow reports scheduled overnight to be published directly to an internal Web site for access by a number of users if required. Once all the report parameters have been selected, they can be saved as a report template, which can then be run from a drop-down menu of available reports in the main Command Console GUI.
Figure 20 - Centrax: Network Activity report
Completed report templates can be run regularly by adding them to the Scheduler service, and a number of data management tools are provided for housekeeping and archiving of data.
Verdict
At first sight, Centrax can appear to be a complex product with a less-than-intuitive interface. However, it is worth getting to grips with that complexity for the power it offers the administrator in providing Intrusion Detection cover for the largest organisation. In fact, one of the nicest features is the fact that once the various policies have been defined, the Collection and Scheduler services will automate most of the day-to-day tasks, providing a system that virtually runs itself – Centrax refers to this as “hands-free IDS”. Its most powerful features are clearly in the areas of Host IDS and audit policy management across an enterprise, and with the latter feature Centrax has a unique and valuable advantage over its competitors. The ability to create and deploy audit, IDS and Vulnerability Assessment policies across a corporate network from a single, central location is incredibly useful. This centralised management, plus a combined real-time and “store and forward” architecture for host-based alerts, also makes it very scalable.
It is less strong in the area of Network IDS, where it currently offers a fairly limited range of signatures, and the Vulnerability Assessment capability is best thought of as a “bonus”. In its present incarnation, you would certainly not purchase Centrax solely as a Network IDS product – although this feature is improving quickly with each new release, it still has some way to go.
On the other hand, take a look at the top Network IDS products – how many of those include Host IDS and Vulnerability Assessment products out of the box? They are usually provided as completely separate offerings.
If your main concern is to protect your network from the infamous “70 per cent of attacks which are internal” that is regularly reported by the FBI, then Centrax is a powerful and flexible product, with advanced Host IDS and Audit Policy management capabilities.
Contact Details
Company name: CyberSafe Corporation
E-mail: [email protected]
Internet: www.cybersafe.com
Address: 1605 NW Sammamish Road, Issaquah, WA 98027-5378, USA
Tel: +1 425-391-6000
Fax: +1 425-391-0508
For additional contact details, see the CyberSafe Web site at http://www.cybersafe.com/company/contact.html