Strengths: Good job integrating vulnerability and IDS features into a single interface.
Weaknesses: Compliance marketing pitch distracts from a good set of features
Verdict: Much to like for smaller SME systems without a grip on IDS or vulnerability assessment
Avanton’s ReadyARM is an IDS appliance aimed at SMEs. It is based on open-source IDS and vulnerability-scanning software and has custom wrappers to hold it together, a web GUI and prepackaged reports.
While technically you could just download Snort and Nessus, the ease-of-installation, administration, integration and reporting are what make appliances based on free software such a good fit, and this is a good example.
Our first impressions were not good, however. The product is pitched as a “security compliance appliance,” despite offering a fairly standard set of IDS and scanning software. There are a couple of reports with a compliance slant, but the idea you can buy GLBA or SOX compliance in a box is not realistic. This pitch is not doing Avanton many favors, and the product would stand up pretty well on its own merits anyway.
The appliance is a Linux-based device with two ethernet ports. One connects to the regular LAN and is used for management, while the other passively monitors a span/mirror switch port for malicious traffic. This is unusual: most IDS appliances at this level run inline, with “in” and “out” ports, especially when (as with ReadyARM) it is intended to sit immediately behind the firewall in a smallish network. Avanton might be assuming too much networking capability on the part of its customers here, but our concern is minimal: a network tap is an easy option, despite the extra cost.
Initial configuration must be done through a serial connection, which might put off SMEs. The text interface is slick, though, and we were up and running in no time. We would prefer the system to demand a new password at this stage, and the option to require secure https connections should have been on by default.
Once on the network, the system is managed through a web GUI that does a very good job of presenting a complicated set of topics to its target audience: admins without specialized IDS experience. But a separate configuration step is required to tell the system what its “home network” is, which should be already known from the interface setup.
The internet net config is used to stop IDS rules firing on malicious traffic that does not target internal systems. This avoids unnecessary alerts, but we would want to know if a trojan inside the network is launching outbound attacks. This should at most be an optional facility, but with a health warning. An easy management panel allows IDS signatures to be turned on or off. This is very useful to keep false positives under control, but this is where the friction between a non-specialist audience and a complex task is a problem: managing IDS is not at all easy, and trying to simplify it too far might dilute its effectiveness. But Avanton has done a good job here. A vulnerability scanner can be set to scan the network on demand or at regular intervals, looking for known flaws with controls to govern whether risky scans should be attempted. Reports showing vulnerabilities are good and well-presented, but the most useful feature is one that offers ongoing comparisons, showing changes over time as vulnerabilities are closed or new systems added.
The vulnerability scanner and the IDS work in concert: an IDS event targeting a system known to be vulnerable is flagged as a higher priority than just the event on its own, a great touch that really makes a difference. IDS events in general are well-presented with plenty of information about the incident, the expected severity and suggested remediation.
The device dabbles in network management too, and can poll systems to check for availability and monitor syslog and SNMP messages – a useful addition, despite blurring the role of the box.
Alerts can be sent depending on different types of events and thresholds, and multiple administrators can be configured with different thresholds for alerting.
Reporting is probably the part of the software to which Avanton has added the most obvious value. Reports on network usage, vulnerability, IDS levels and trend data are all clear and easily understood.
The compliance angle becomes visible here with some data presented specifically as relevant to the likes of HIPAA or GLBA, such as risk analysis evaluations based on correlated events. The data will be useful to firms needing such compliance reports, but this is only a small part of compliance.
The device can be upgraded manually by uploading new system files over the web or on an automatic schedule. The web update worked, but gave us no feedback of what was happening. This was confusing, but we suspect most users will simply set the box to update automatically.
The user manual is well laid out and clear, and PDF versions are available via the GUI. We would have liked better context help in the GUI itself, but the interface is good enough that very little will be required of the documentation.
For what it offers, the system is not terribly expensive, but still at the upper end of its price bracket. A live CD with the same software and GUI would cost a fraction of the price, but do the same job. After all, the appliance format is justifying the margin. If the market takes off, there is certain to be price-based competition so some customers might simply wait for prices to come down or for the same features to be bundled into firewalls and routers.
The product is a good one and we like the end result, but dealing with some of the more obvious rough edges would make a big difference. Overall, ReadyARM has plenty of potential.