With new applications such as VoIP appearing on networks run by engineers with limited time and resources to make them secure, intrusion prevention technology is rising to the challenge. One answer, the brand new NFR Sentivist IPS, is raising the bar in the intrusion prevention system (IPS) category. The NFR Sentivist IPS is available as an appliance.
Reliability, greater control, and greater trust in the IPS technology are major themes of the product. For example, a unique feature to it is the patent pending Confidence Index technology, a user-adjustable control that can increase detection accuracy. This feature enables attack prevention based on a confidence score.
When we reviewed the device, it took less than ten minutes to set up the standalone Sentivist sensor in a lab environment. The basic configuration can be achieved in short order by a non-security specialist, such as a network engineer or administrator, with a fundamental understanding of network security.
The Sentivist IPS consists of a distributed architecture with Sentivist sensor computers reporting up to Sentivist servers, which in turn report to a central console. The server stores sensor configurations, processes alerts and reports up to the console client, and optionally reports up to an Enterprise Console in large deployments.
The vendor recommends that the servers are installed inside the internal network, while remote console connections must be done through a customer-supplied VPN connection.
The Enterprise Console consists of two parts. The first is a Java-based Enterprise Console client component that pulls its information from an Enterprise Console Server. This component is a Java-based application that runs on Windows 2000 Professional with SP1, Windows XP Professional with SP1, RedHat Linux v9.0, Enterprise Linux v3 (ES /AS), and Solaris 8 or 9. The Sentivist Enterprise Console server component supports Oracle 9i and PostgreSQL v7.3.x running on Red Hat Linux 9, Enterprise Linux v3 or Solaris 8 or 9.
In the case of an enterprise deployment, the Enterprise Console components can be distributed out to separate computers for greater scalability.
Sentivist, deployed inline with traffic flow, offers low latency due to the use of layer 2 kernel bridging. Availability is designed in to the appliance via a custom NIC, which allows network traffic through the IPS even during power failures. Depending on your perimeter security network architecture, this means network traffic will continue to flow, even though the IPS is in a graceful failure mode.
The appliance features three operating modes – Passive IDS mode, Pass Through log-only mode, and Full IPS mode, which actively blocks attacks. If you are not sure of the kind of traffic you should be blocking, it is recommended that you enable pass through mode first. Pass through mode will log all attacks that could have been prevented, as a sort of user training mode.
It employs a combination of anomaly detection, attack signatures, and blacklisting with time-based session blocking, protocol analysis, and contextual deep packet inspection as detection mechanisms. Self-inflicted denial of service, caused by your pen-testing team for example, is prevented by its whitelisting capability. IPv6 is among the many protocols supported, including IPv6 encapsulated in IPv4 which allows the detection of various tunnel-based attacks using the IP protocol.
Alerting support includes email, SNMP, OPSEC SAM protocol, and various enterprise security management systems such as ArcSight. An interesting post-alert process called Alert Correlation normalizes multiple instances of the same alert and provides summaries to the console alert viewer.
After double-clicking on the summarized alert, alert details for individual alerts are then viewable, including the raw packet capture, if needed. Also included in the alert is useful advisory information to assist remediation and diagnosis.
Communication between the distributed components is protected by symmetric encryption, AES-128. The pastel colored Sentivist sensor face plate is lockable to prevent physical tampering. Part of the initial sensor configuration is a password change to ensure default password threat protection if someone tries to break into the sensor. Role-based user management allows for separation of duties with the roles of Normal and Administrator.
Normal users can view alerts and create views, with the alert screen content visible on the alert console. Normal users can also be granted the privileges of being able to restart a sensor and/or accessing the audit list, an audit of the IPS's internal security, for any Sentivist management server that this person has access to. Other reliability and self-protecting security features include cluster configuration options for all IPS components, consoles, servers, and sensors.
Sentivist comes with 42 report templates for use with customer-supplied Crystal Reports software. The alert viewer can be customized to show just the alerts you want, with timeline and graph views available. Although fairly intuitive, the management console lacks any contextual help outside of the PDF help document included on the install CD.