This is a network-based IDS, supplied as an appliance. There are four versions of the NID-300 series - the difference being in the number and speed of the Ethernet interfaces. The top-of-the-range model has two 10/100Mbit and two gigabit network interfaces. One of these interfaces is always reserved for management, but the remainder can be used for monitoring. In this way, a single NID-300 can monitor load-balanced or failover WAN connections. By separating the management and monitoring interfaces, NID-300 can operate in stealth mode, as the monitoring interface does not respond to any network traffic or requests from any service on the monitored network.
NID-300 uses signature analysis and stateful protocol analysis to detect known attacks, plus anomaly detection to identify buffer overflows, polymorphic shell code attacks, and denial-of-service attacks. It also reassembles packet fragments to combat IDS evasion techniques, such as fragroute. There is a database of attack signatures built in, and this can be updated periodically from NFR.
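The reassembly step mentioned above is easy to underestimate, so here is a small added illustration (my own example code, not NFR's or the NID-300's implementation). It shows why an IDS that matches signatures packet by packet misses a pattern that an evasion tool has split across two IP fragments, and why the sensor has to rebuild the datagram first. All fragments and the signature string are constructed sample data; fragment offsets are given in bytes rather than the 8-byte units of the real IP header, to keep the arithmetic readable.

```python
"""Fragment reassembly before signature matching (added example, not NFR code).

A signature split across two fragments is invisible to per-packet matching
but visible once the datagram payload is rebuilt.  Fragments that leave a
gap, or that have no final fragment yet, are reported as incomplete.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    ident: int      # IP identification field: groups fragments of one datagram
    offset: int     # byte offset of this payload within the datagram (assumption: bytes, not 8-byte units)
    more: bool      # "more fragments" flag; False marks the last fragment
    payload: bytes


# Constructed signature token standing in for a real rule's content match.
SIGNATURE = b"EVIL-SIG-1234"

# Constructed sample traffic, deliberately delivered out of order:
#   datagram 1 carries the signature split across two fragments,
#   datagram 2 has a hole (bytes 8..19 never arrive) and stays incomplete.
SAMPLE_FRAGMENTS: List[Fragment] = [
    Fragment(ident=1, offset=11, more=False, payload=b"IG-1234 HTTP/1.0"),
    Fragment(ident=2, offset=0, more=True, payload=b"abcdefgh"),
    Fragment(ident=1, offset=0, more=True, payload=b"GET /EVIL-S"),
    Fragment(ident=2, offset=20, more=False, payload=b"tail"),
]


def reassemble(fragments: List[Fragment]) -> Dict[int, Optional[bytes]]:
    """Rebuild each datagram's payload from its fragments.

    Returns the full payload per identification value, or None when the
    datagram is still incomplete (a gap, or no final fragment seen yet).
    Overlapping fragments are also rejected here; a production reassembler
    needs an explicit overlap policy because hosts resolve overlaps differently.
    """
    by_id: Dict[int, List[Fragment]] = defaultdict(list)
    for frag in fragments:
        by_id[frag.ident].append(frag)

    result: Dict[int, Optional[bytes]] = {}
    for ident, frags in by_id.items():
        frags.sort(key=lambda f: f.offset)
        buf = bytearray()
        complete = False
        for frag in frags:
            if frag.offset != len(buf):   # gap or overlap: payload is not contiguous
                break
            buf += frag.payload
            if not frag.more:             # last fragment reached with no holes
                complete = True
                break
        result[ident] = bytes(buf) if complete else None
    return result


def match_per_packet(fragments: List[Fragment], signature: bytes) -> bool:
    """Naive matching: look for the signature inside each fragment on its own."""
    return any(signature in frag.payload for frag in fragments)


def match_reassembled(fragments: List[Fragment], signature: bytes) -> bool:
    """Matching after reassembly: only complete datagrams are inspected."""
    datagrams = reassemble(fragments)
    return any(signature in payload for payload in datagrams.values() if payload is not None)


if __name__ == "__main__":
    print("per-packet match :", match_per_packet(SAMPLE_FRAGMENTS, SIGNATURE))    # False
    print("reassembled match:", match_reassembled(SAMPLE_FRAGMENTS, SIGNATURE))  # True
    for ident, payload in reassemble(SAMPLE_FRAGMENTS).items():
        print(f"datagram {ident}:", payload if payload is not None else "incomplete")
```

Running the block shows the per-packet matcher returning False and the reassembling matcher returning True for the same four fragments; datagram 2 is held as incomplete rather than inspected, which is also why a real sensor keeps a reassembly timeout and memory limit for half-arrived datagrams.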
NID-300 is particularly tamperproof because, although the appliance contains a hard disk for storing alerts and events, the OS and software are not loaded onto that hard disk. At boot-up, it loads the hardened UNIX OS and application software directly from the read-only environment of a CD. Configuration information is loaded from a floppy disk, which can also be write protected.
There is a Central Management Server (CMS), which runs on RedHat Linux 7.3 or Sun Solaris 2.7 and 2.8. It runs on a separate hardware platform from the NID-300. The CMS provides configuration data for each NID sensor and processes the alerts generated by the sensors. It can automatically request Check Point VPN-1/Firewall-1 to take specific actions when certain types of attack are detected. Two CMSs can be set up to provide redundancy, if required.
The Administration Interface is the GUI used to define security policy and control the sensors, as well as to view alerts, but it does not communicate directly with the sensors - it does so via the CMS. The Administration Interface also controls how often log files are collected and how frequently reports are run. It runs on a Windows NT/2000/XP workstation and is easy to install from the supplied CD-ROM.
There are four types of alert: informational indicates that a routine system event has occurred; warning means that something unusual has happened; error indicates that something is degrading the ability to collect information; and attack means that a potential threat has occurred. Rules can be set up to take action automatically based on alerts, using non-NFR programs. It also integrates with IBM Tivoli, ArcSight and HP OpenView, and can generate SNMP traps automatically. Filters can be used to sort and prioritize alerts.