Network Associates Detects Intrusions

Over time, network administrators have come to see the value of intrusion-detection systems. Best defined as a solution that leverages hardware and software to detect intruders or electronic break-ins, intrusion-detection systems offer a method for busy administrators to monitor for security events that would otherwise go unnoticed. But many security experts say intrusion-detection systems leave much to be desired in combating the malicious hacker. Much like a house alarm, an intrusion-detection system sounds an electronic alarm upon a break-in, but it does nothing to prevent unwanted entry in the first place.

FRANK J. OHLHORST, Technology Editor

This is where intrusion prevention comes into play. An intrusion-prevention system is to an enterprise network what an iron window gate is to a home: It is designed to keep intruders out.

Firewalls, although designed to protect networks from intruders, are often slow to react and have difficulty preventing intrusions in today's high-bandwidth world. They often lack the policy rules, reporting capabilities and the ability to be fine-tuned to act as completely effective intrusion-detection and -prevention systems, especially as more Internet attacks are created to circumvent firewall technology.

All of those elements spell opportunity for solution providers, who can solve myriad security problems by implementing an intrusion-detection and -prevention system.

CRN Test Center engineers took a close look at what just may be the ideal intrusion-control solution for securing networks from malicious intrusions: McAfee IntruShield from Network Associates. IntruShield is designed from the ground up to prevent and mitigate intrusions and attacks and consists of several hardware and software components.

The primary piece of hardware is the IntruShield Sensor, a rack-mountable appliance that focuses on monitoring and controlling network traffic. The sensor also acts as the gatekeeper for the network and can scale for throughput as high as 2 Gbps, depending upon the model. Test Center engineers selected the IntruShield 1200 for testing, as the unit is aimed at midsize businesses and can handle loads of throughput up to 100 Mbps.

NETWORK ASSOCIATES MCAFEE INTRUSHIELD 1200 (CRN Test Center)

The IntruShield Sensor provides multiple levels of support. Numerous units can be installed to provide failover, while single units can be configured to fail in either an open mode, which allows all traffic to come through, or a closed mode, which prevents suspect traffic from entering.

The sensors also offer multiple ways to monitor traffic. A span, or tap, mode allows them to selectively look at network traffic, while an inline mode forces all traffic to flow through the unit. That flexibility allows solution providers to install the unit with a multistage approach: first by monitoring and recording traffic, then by selectively detecting some traffic, and finally by combining full detection with prevention controls. Solution providers will be comforted by the fact that all of the IntruShield Sensors offer the same feature set, differing only in number of ports and rated throughput.

Another key part of the overall solution is the manager console, which consists of a Windows 2000 system running the IntruShield Manager and is responsible for connecting to and controlling the sensor appliance. The Manager application uses the MySQL database, with an Oracle database available as an additional cost option. Network Associates recommends the manager system be a multiprocessor workstation or server with at least 512 Mbytes of RAM and ample disk space. The manager system gathers all traffic statistics and provides browser-based access to the IntruShield solution.

Solution providers will find the browser-based console intuitive. The console runs on any system using Microsoft Internet Explorer 5.5 and above. After initial login, administrators are presented with a concise dashboard view of the system status. From that screen, administrators can drill down into any traffic element, create management and detail reports and define policies.

The product's true strengths lie in its policies, which can be defined to block or allow traffic based upon several criteria, including known and unknown attacks or detected anomalies. Wizard-based policy creation eases management tasks for administrators.

IntruShield offers outstanding reporting capabilities. Executive summary reports with graphics and detailed diagnostics reports are easily created and can be scheduled to run automatically and be delivered via e-mail in either PDF or HTML format.

CHANNEL PROGRAM SNAPSHOTS
NETWORK ASSOCIATES MCAFEE INTRUSHIELD 1200
PRICE: $10,995
WARRANTY: 90 days
DISTRIBUTORS: Direct from vendor
TECH RATING:


CHANNEL RATING:

CHANNEL OVERVIEW: Santa Clara, Calif.-based Network Associates acquired IntruVert Networks and its McAfee IntruShield in mid-2003, and is currently merging the channel programs. Field-based channel account managers provide on-site sales and technical training and participate in joint sales calls. Network Associates also provides sales materials and other support. Marketing funds vary based on a partner's sales revenue.

Note: Vendors can earn up to five stars for technical merit and five for their channel program. If the average of these two scores is four stars or greater, the product earns CRN Test Center Recommended status.