ad info
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards




Returning fire with Network ICE

October 11, 1999
Web posted at: 2:54 p.m. EDT (1854 GMT)

by Tere Parnell

Network World Fusion

(IDG) -- You're under fire from network intruders trying to steal information or wreak havoc. Your priorities are clear:

  • Alert: Detect the intrusion immediately.
  • Contain collateral damage and repel attack: Stop the attack by ceasing all communication with the intruder.
  • Launch counteroffensive: Find the identity of the intruder and prosecute.

We used these battle plans to evaluate four of the hottest intrusion-detection systems available. BlackICE and ICEcap from Network ICE win the Silver Star for valor in combat and a World Class Award for their excellent tracking and alerting capabilities.

BlackICE is a specialized detection product - an agent-based system that does one thing and one thing only: detect intruders. When BlackICE finds uninvited guests, it reports the intrusion to ICEcap, a management module that analyzes intrusion information gathered from all agents and uses it to spot widescale attacks on the network.
Getting the drop on network intruders

The other products we tested were no slouches, either. Intruder Alert from Axent Technologies is like a toolbox for security experts, with great flexibility in designing network security policies. Centrax from CyberSafe is one-stop shopping: It includes security auditing, monitoring, intrusion detection and alerting all in one.

By contrast, while eTrust Intrusion Detection from Computer Associates offers real-time alerts, its strong suit is security monitoring and policy management, though it does some intricate decoding and detective work.
  Network World Fusion home page
  Free Network World Fusion newsletters
  Start-up puts hackers on BlackICE, 4/21/99
  Getting the drop on network intruders, 10/4/99
 Reviews & in-depth info at
 *'s bridges & routers page's hubs & switches page
 *'s network operating systems page's network management software page
  Year 2000 World
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for network experts
  Search in 12 languages
 News Radio
 * Fusion audio primers
 * Computerworld Minute

Sounding the alert

Hackers rarely approach your network with weapon in hand. Instead, they test backdoors and forgotten windows. They quietly record traffic patterns and IP addresses and make seemingly innocuous inquiries of devices and users.

To identify these slippery foes, you must employ an intrusion-detection system with sophisticated sensibilities. The product must be able to alert you not only to obvious break-ins, but also to suspicious events that may seem innocent, but could hide a hacker.

For example, discovering a password-cracking program hard at work is definitely cause for alarm. But suppose a machine receives a pcAnywhere ping. The event could just be an honest remote pcAnywhere user - or it could be a hacker looking to connect to unprotected pcAnywhere clients. Either way, the situation merits an alert for further investigation.

The alerts issued by BlackICE are very specific, even straight out of the box. For example, it displays messages such as "BackOrifice attack," "pcAnywhere ping" and "Unix scan." When you see an alert like that, there's no doubt in your mind what event has occurred and - in most cases - no doubt as to its significance. If you want to custom configure alerts for other situations, you can, but you probably won't need to.

A nice feature of the Network ICE products and Axent's Intruder Alert is the online downloads for the latest attack signatures by which intruders can be identified. We had trouble finding specific attack signatures on the Intruder Alert site, but we found it easy to find exactly what we wanted on the Network ICE site.

Intruder Alert and CyberSafe's Centrax have great alert capabilities, but they're effective only after you've set security policies, configured alerts and written alert messages properly. In other words, the products provide the tools for you to build your own intrusion-detection system.

Whether you have the talent in-house to build such a system - or the budget to hire consultants for the job - is another issue. Intruder Alert's Users Manual states: "Rules can be linked together to detect sophisticated attacks such as a network probe or SYN attack." We questioned why you should have to design and build a mousetrap from scratch for such common pests.

While all the products were fairly easy to install, we found Intruder Alert and Centrax somewhat cumbersome to manage. For example, if Centrax sends you an unknown or unclear alert message, as happened to us in our tests, you may have trouble figuring out what's going on - especially if you must turn to its audit logs for clarification, as we did. Although its audit logs are excruciatingly thorough, the product tends to assume that mere humans can spot illicit activity with very few hints.

In Centrax's logs, an alert is described but not identified. So you see what is happening in terms of ports queried or other actions, but not what this means. This function compromises the value of its real-time alerts because it takes considerable savvy to know whether the event description constitutes a true security crisis or just a bit of extra scrutiny. This is bad news if you don't have trained security staff. Though, for a price, CyberSafe - as well as Axent and Network ICE- offer professional security consulting services.

CA's eTrust Intrusion Detection is more than a monitoring system and provides something other than full-fledged intrusion detection. For example, the product does more than decode network protocols and service traffic; it actually captures all packets and presents them in their original formats. ETrust monitors all TCP/IP traffic and alerts the network administrator to violations of established policies. However, eTrust doesn't support the very finely grained policy crafting of Axent's Intruder Alert.

But don't dismiss eTrust. Because it presents captured packets in their original formats, network managers could use eTrust to read e-mail, see the content of Web pages that users viewed or identify documents accessed by users. These abilities make for easy surveillance of suspicious characters on your network. Though for garden variety intrusion detection, it means you need to spend a good deal of time upfront developing bulletproof security policies and entering them into eTrust.

In the heat of battle

We launched a variety of nasty attacks on each of the systems to assess their ability to detect and defend against hostile forces. The only products that caught every attack we made and sent the appropriate alerts were Network ICE BlackICE and ICEcap. All other products missed some intrusions due to our poor crafting of the policies.

In a BackOrifice attack, for example, CyberSafe's Centrax and Axent's Intruder Alert never knew what hit them because we had not adequately configured policies to detect this type of attack. In fact, the two products were extremely cumbersome to configure. BlackICE and ICEcap however, caught the attack and alerted us immediately.

We admit that all missed attacks were due to our lack of expertise in using these complicated systems correctly, and after a few attempts, we were always able to mend our software shields. But in the real world you don't have the luxury of getting it right on the second or third try, especially when you're dealing with a new type of deadly attack. That's why we were so pleased with Network ICE's product; it was ready for battle from the moment it was installed.

In the throes of battle, it's easy to become preoccupied with the safety of the enterprise proper. However, you can't afford to forget about the safety of your scouting parties. That's why we loved the personal firewall afforded by BlackICE for remote dial-up users. Remote access presents an increasingly large security hole, and BlackICE is unique in providing thorough intrusion detection for remote and mobile users.

The product displays alerts on a remote client's screen rather than attempting to send the alerts back to an enterprise management console. This allows a remote user to respond to the attack directly. In future releases, we would like to see a reporting feature that sends information about a remote attack back to a central management console as well, so information about the attack can be analyzed to prevent future attacks.

Detecting an intrusion and alerting the network manager to the fact is only half the battle. You have to stop the attack and launch a counteroffensive.

The most impressive defensive work we observed was accomplished by Axent's Intruder Alert and CyberSafe's Centrax. While Network ICE's products and CA's eTrust Intrusion Detection immediately terminate offending sessions, Intruder Alert and Centrax do that and more. For example, you can configure Intruder Alert to issue strings of commands based on the type of attack - to reboot a system experiencing a denial-of-service attack, for instance.

Once you've repelled an attack, how do you launch a counterattack? BlackICE and Centrax turn the tables on hackers by tracking them back to their lairs and identifying them. Network ICE was particularly good at tracking attacks despite our evasive maneuvers. We especially liked the ability of Network ICE to track hackers inside or outside the network.

Furthermore, we liked eTrust for its ability to reach so far into the (supposedly) private workings of each and every user on the network. It provided the most thorough (and perhaps legally delicate) information on intruders and their workings.

In fact, we suggest using BlackICE to track the alleged hackers inside your network, then using eTrust to trap them.

Finally, speaking of trapping, CyberSafe can employ a "decoy file" method that leaves a dummy file with a tantalizing title, such as "PAYROLL.DAT" lying around unprotected in the open. We found this a bit obvious, but it could be useful for entrapping users who are just browsing the network for sensitive information.

Each program produces reports noting questionable activity. The two standouts for excellent and easy-to-use reports were Network ICE's ICEcap and CA's eTrust Intrusion Detection. The latter was particularly flexible, probably due to its origins as a protocol decoder. For example, you can view network usage by just about any type of resource you want, including protocol, client and server.

ETrust offers a variety of canned report formats, with well-organized information to aid in finding and prosecuting abusive users.

Post mortem

Each of the tested products has its strengths and weaknesses, and we recommend them accordingly.

For switched networks, we recommend the agent-based systems from Network ICE, Axent and CyberSafe. CA's eTrust Intrusion Detection is a product ideally used for alerting you of violations of business practices, such as the use of forbidden terminology in an e-mail. Axent's Intruder Alert and Centrax's CyberSafe are excellent tools for security consultants and shops with large, highly-trained, up-to-date security staffs.

But for shops that don't have, and can't afford, resident security experts, we recommend Network ICE's BlackICE and ICEcap. They're as close to a security consultant in a box as we've seen.

Your PC may be tapped
September 23, 1999
Automated fingerprinting comes of age
September 9, 1999
Government faces security skills shortage
August 16, 1999

BlackICE Defender protects your PC against hack attacks
(PC World Online)
Start-up Network ICE takes the stage with security applications
Start-up puts hackers on BlackICE
(Network World Fusion)
Getting the drop on network intruders
(Network World Fusion)
Intrusion detection: a matter of taste
(Network World Fusion)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Network ICE
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.