Sunday, April 23, 2006

Subscribe SECURITY ZERO by email

SECURITY ZERO is happy to offer its readers a new subscription service: if you don't like ATOM/RSS feeds or MSN Alerts, you can now receive blog updates by email.



Note: the emails could be dropped by your antispam filters, so double-check them for a while after subscribing.

Friday, April 21, 2006

Tracking Microsoft ISA Server versions

Many Microsoft customers have difficulty correctly identifying the installed version of their ISA Server installations.

Version numbers are not so easy to find online, so here is the full list for ISA Server 2000 / 2004 / 2006:

  • ISA Server 2000 RTM = 3.0.1200.50

  • ISA Server 2000 SP1 = 3.0.1200.166

  • ISA Server 2000 FP1 = 3.0.1200.235

  • ISA Server 2000 SP2 = 3.0.1200.365


  • ISA Server 2004 RTM (Standard) = 4.0.2161.50

  • ISA Server 2004 RTM (Enterprise) = 4.0.3439.50

  • ISA Server 2004 SP1 (Standard) = 4.0.2163.213

  • ISA Server 2004 SP2 (Standard) = 4.0.2165.594

  • ISA Server 2004 SP2 (Enterprise) = 4.0.3443.594


  • ISA Server 2006 RTM (Standard/Enterprise) = 5.0.5720


Note: The list will be updated with further releases.

Wednesday, April 19, 2006

Check Point 2000/NG/NGX port list

Almost every student attending my courses and preparing for Check Point exams asks for the TCP/UDP ports used by the various daemons in a Check Point infrastructure. This information is also vital when troubleshooting old installations.

AERAsec, a Check Point Silver Partner, compiled a useful list of the ports used by VPN-1 (formerly Firewall-1), divided by platform generation:

A must-have for every security professional handling Check Point environments.

Understanding Check Point license features

Check Point has one of the most complex licensing schemes ever (still nothing compared to Microsoft), which is updated (and often radically changed) every 2 months.

Every feature you want to license is identified by a special code that appears inside the license signature (or inside the SmartUpdate client):


When troubleshooting a customer installation, one big problem is decoding the license signature to understand exactly what is licensed and should work, and what will not work in any case.

To help with this task a Check Point Silver Partner, AERAsec, assembled a wonderful list of feature codes, divided into:


Note that at the moment the list is updated for the Check Point NG family up to Application Intelligence [R55]. Expect an update for the new NGX family.

Tuesday, April 11, 2006

The need for IPv6 today

Every day more potential customers are asking for IPv6 support in security products. It's a rising trend that vendors are not ignoring.
But it's a trend we should try to interpret.

Only a few corporations today have decided to allocate time for testing or pilot implementations, and it's unlikely the large majority of them will seriously start implementing IPv6 networks for at least another couple of years. So there is no pressure, but it's still a feature many are requiring. Why?
Because it helps to narrow the choices drastically. It helps to recognize vendors more oriented to R&D, and which vendor will have stronger experience tomorrow.
In a word: it's strategy.

This is pretty evident looking at vendors like Check Point and Cisco, pioneers in IPv6 support but still offering something seriously limited and far from useful.

And while vendors are racing to appear as far to the forefront as possible, the underground community is already ahead, as usual.
An IPv6 Attack Toolkit from the famous The Hacker's Choice (THC) group is out and includes:

  • parasite6 - ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP MITM (and parasite)

  • alive6 - an effective alive scanner, which will detect all systems listening to this address

  • fake_router6 - announce yourself as a router on the network, with the highest priority

  • redir6 - redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer

  • toobig6 - MTU decreaser with the same intelligence as redir6

  • detect-new-ip6 - detect new IPv6 devices which join the network; you can run a script to automatically scan these systems, etc.

  • dos-new-ip6 - detect new IPv6 devices and tell them that their chosen IP collides on the network (DoS)

  • fake_mld6 - announce yourself in a multicast group of your choice on the net

  • fake_mipv6 - steal a mobile IP to yours if IPsec is not needed for authentication

  • fake_advertise6 - announce yourself on the network

  • smurf6 - local smurfer

  • rsmurf6 - remote smurfer, known to work only against Linux at the moment

One more reason for customers to ask for IPv6 support, but to wait for more robust kernels before a real deployment.

Check Point IPv6 support

Some customers asked about Check Point's policy on supporting the IPv6 protocol. They usually receive a positive answer from vendor partners, but few of them know that today supporting IPv6 doesn't really mean providing the complete set of features currently available for IPv4.
This leads to a lot of confusion, unnecessary expense and painful troubleshooting.

Check Point has offered very limited IPv6 support in its flagship product, the VPN-1 firewall, since release NG [R54], aka VPN-1 NG with Application Intelligence.
The product already embeds the kernel support, but to enable it you have to request a special license from the UserCenter portal (issued automatically and immediately) and import it into the Check Point configuration (manually or via the SmartUpdate client).

Since the release of the new product family dubbed NGX [R60], this IPv6 support has been extended with a special IPv6Pack, to be downloaded separately but still free of charge.

It still lacks a lot of features. Among others:

  • No support for the Microsoft Windows 2000 / 2003, Sun Solaris 10 and Linux (except Check Point SecurePlatform) platforms

  • No support for the RSH protocol

  • No support for Client Authentication in Nokia IPSO platforms

  • No strict Security Policy Verification

  • Obligation to define IPv4 addresses for objects

  • Problems at various levels with log filtering

  • Problems at various levels with object creation within the GUI

  • Problems at various levels with SmartDefense

Also note that at the moment enabling IPv6 support doubles the memory usage.

To survive in this partially-supported nightmare, be sure to read the whole set of documents Check Point released for IPv6Pack:

All downloads require authentication.

Friday, April 07, 2006

How the firewall was born

Network World just published an article giving credit to the Check Point guys for creating the firewall.

Dave Piscitello believes the history is slightly different, giving credit to Cisco.

In any case the Cisco article about the birth of the firewall and its evolution, Evolution of the Firewall Industry, is really worth reading, since it describes the most commonly accepted definition of firewall generations (many vendors have their own theory about how many firewall generations exist and what to call them).

Sunday, April 02, 2006

Review: StillSecure Strata Guard 4.5 Free - Conclusion

StillSecure Strata Guard Free is a great tool. Even though it's the first public release, it proved solid and reliable, with some room to mature in the reporting facility.
It simplifies and speeds up the IDS deployment and management lifecycle.

Be aware anyway: using it will show you how complex managing an IDS can be, raising awareness that to master intrusion detection a handy console will not be enough.
Investing in know-how is mandatory even with Strata Guard Free.

Very soon you may decide to upgrade to a commercial license, which is priced depending on your needs:

  • SMB - $1,667

  • Enterprise - $4,000

  • GigE - $10,000

Even though this Strata Guard version is free, StillSecure offers its customers an online support forum, a public knowledge base, FAQs, documentation and an urgent-updates email notification.
The StillSecure staff also merits a mention: they positively impressed me as highly certified and deeply competent personnel.

A last word about the recent news of the SourceFire acquisition by Check Point: at the time of writing the request has been withdrawn, but the chance that Snort will become the property of another company, dropping its GPL license, is always present.
Since StillSecure bases Strata Guard on Snort, customers have the right to ask what would happen to them in this scenario.

StillSecure management has answered this question, saying they have already contemplated this eventuality and assure customers of an immediate fork of the last available GPL-licensed source code, guaranteeing continuous commitment to offering a secure and reliable product as ever.



Review: StillSecure Strata Guard 4.5 Free - Reports

Strata Guard Free offers some reporting facilities, with an online graph or list of attacks in chronological order, and an exportable plain-text format.


The product offers one-time and scheduled reporting, with advanced filtering capabilities.


This is the weakest aspect of the product, still missing multiple graphical presentation layouts, advanced statistical analysis and an export option able to generate reports in popular formats like PDF, Microsoft Excel, OpenOffice Calc or XML for further manipulation.



Review: StillSecure Strata Guard 4.5 Free - Firewall interaction

Apart from Gateway Mode, Strata Guard Free has another way to block attacks: interacting with third-party firewalls.

For Snort this has been a concrete possibility for years with the open source package SnortSam, which permits Snort to interact with several kinds of open source and commercial firewalls.

In the same way, Strata Guard Free offers a sensor operational mode called Firewall Mode, able to block attackers in real time when a wave of attacks is discovered.

Firewall Mode permits interaction with:

  • Check Point VPN-1

  • Cisco PIX

  • Juniper NetScreen

  • Linux iptables

and others with a special custom configuration.

Being a Check Point instructor, for this review I configured my Strata Guard Free with the latest Check Point VPN-1 NGX [R60].

StillSecure is a Check Point OPSEC partner (under the name Latis Networks) and VPN-1 already has the correct configuration in its database, so the Check Point part of the configuration is really simple.


The Strata Guard Free part of the configuration is simple too, even if you absolutely should avoid using the firewall interaction button, which is not working correctly in this release and will be fixed in the next one.


When an attack is discovered and the sensor asks for blocking, automatically or by administrator intervention, Strata Guard Free interacts with the VPN-1 OPSEC APIs, generating fw1_sam packets to block the offending source.





Review: StillSecure Strata Guard 4.5 Free - Intrusion detection

The Strata Guard intrusion detection engine is based on Snort, adding on top a denial of service governor to prevent DoS attacks against the sensor itself.

StillSecure has also streamlined the Snort detection capabilities by enabling the Frag3 and Stream4 preprocessors:


Snort, and therefore Strata Guard Free, can analyze sniffed packets when deployed as a network sensor on a network switch monitor interface (or a tap device, or as a last resort on a hub) or, for the last year and a half, can act as an inline sensor, analyzing all traffic going through its interfaces and blocking attacks on the fly.
The first configuration is called IDS Traditional Mode while the second is called Gateway Mode.

In the first case your sensor should have 2 network interfaces (1 automatically put in stealth mode for traffic sniffing and another for remote management), but you can work even with just one (strongly discouraged).
In the second case you'll need 3 network interfaces (2 for the inline gateway role and 1 for remote management).

Note that in both configurations all network interfaces except the management one sniff traffic without a TCP/IP stack, preventing an attacker from reaching the sensor directly.

When a new attack is detected, 3 things can happen:

  • No further action is taken

  • An automatic block of the ongoing connection is performed (whenever possible)

  • The security administrator's decision is required to proceed


These 3 options can be configured per category of rules or per single rule.
The sensor administrator can also choose to completely disable a category of rules to lower the number of alerts or false positives.

It's worth mentioning that the Snort included in Strata Guard Free isn't just powered by the worldwide available rules.
StillSecure has an internal Security Alert Team creating their own rules and merging them with those available from standard sources like Bleeding Snort, the Open Source Snort Rules Consortium (OSSRC) and SourceFire VRT, since they are licensors.

Although a network IDS is a passive device, just recognizing attacks and reporting them, when you configure Strata Guard Free in Gateway Mode you are morphing the product into an intrusion prevention system (IPS).
At that point your sensor is able to produce so-called Responsive Firewall Policies and Pre-emptive Firewall Policies (available only with the commercial version of the product).
While responsive policies act by blocking the offending source at the moment of the attack, pre-emptive policies remain dormant until an attack is detected, at which point they automatically drop traffic from the offending source in the usual way.
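The per-rule and per-category response model described above, together with the block request handed to the firewall in the Firewall interaction section, as an added example that is not StillSecure's code: a small Python policy engine reads constructed Snort alert_fast lines, applies the three actions (no action, automatic block, administrator decision) with per-rule overrides and disabled categories, and emits one block request per offending source. The alert lines, rule ids and policy values are all constructed, and the block request is a plain dict standing in for the real fw1_sam/OPSEC call, which this code does not implement.

```python
import re
from dataclasses import dataclass, field

# Constructed Snort "alert_fast" lines, sample data made up for this example.
SAMPLE_ALERTS = """\
04/11-10:22:01.1 [**] [1:1000001:2] TEST admin priv gain [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:4444 -> 192.168.1.10:22
04/11-10:22:02.1 [**] [1:1000002:1] TEST misc noise [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.8:5353 -> 192.168.1.10:5353
04/11-10:22:03.1 [**] [1:1000003:1] TEST info leak [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:51000 -> 192.168.1.10:80
04/11-10:22:04.1 [**] [1:1000001:2] TEST admin priv gain [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:4445 -> 192.168.1.11:22
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>.*?)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def parse_alert(line):
    m = ALERT_RE.search(line)  # None for lines that are not fast alerts
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields

@dataclass
class ResponsePolicy:
    # Actions: "none" (log only), "block" (responsive block), "ask" (admin decision); per-rule beats category.
    default: str = "none"
    per_category: dict = field(default_factory=dict)
    per_rule: dict = field(default_factory=dict)
    disabled_categories: set = field(default_factory=set)

    def action_for(self, sid, category):
        if category in self.disabled_categories:
            return "disabled"
        return self.per_rule.get(sid, self.per_category.get(category, self.default))

def evaluate(alert_text, policy, block_seconds=600):
    # Applies the policy to every alert and emits one SAM-style block request per offending source.
    result = {"block_requests": [], "pending": [], "logged": 0, "disabled": 0}
    blocked = set()
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        action = policy.action_for(a["sid"], a["cls"])
        if action == "block":
            if a["src"] not in blocked:  # a source already blocked gets no second request
                blocked.add(a["src"])
                result["block_requests"].append({"src": a["src"], "sid": a["sid"], "expire": block_seconds})
        elif action == "ask":
            result["pending"].append({"src": a["src"], "sid": a["sid"], "msg": a["msg"]})
        else:
            result["disabled" if action == "disabled" else "logged"] += 1
    return result

def demo():
    policy = ResponsePolicy(per_category={"Attempted Administrator Privilege Gain": "block"},
                            per_rule={1000003: "ask"}, disabled_categories={"Misc activity"})
    return evaluate(SAMPLE_ALERTS, policy)
```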



Review: StillSecure Strata Guard 4.5 Free - Management

Strata Guard Free provides 2 administrative interfaces, SSH and HTTPS, and comes with 3449 Snort rules by default.

Proceeding per single rule or per group, you can specify 7 different actions:


Every single rule can be edited online and, thanks to the Attack Profile feature, triggered to work only under particular conditions, like timeframe, number of suspicious packets, source or destination, etc.


Also, every rule is linked to online reference services (like Arachnids), providing the related attack explanation, packet diagram and IDS detection signature.

On the free version of Strata Guard rules can be updated only manually, while the commercial alternatives offer daily scheduling (up to 1 check per hour). In any case the names of new rules are logged.


The whole configuration can easily be backed up (the database can be backed up too, but it requires some effort).

What if Snort or PostgreSQL needs to be updated for a critical vulnerability? StillSecure guarantees immediate notification by email for all users (even those just using Strata Guard Free) and patching through an update feature.

During this review a severe vulnerability was discovered in Snort by ISS X-Force bug hunters and disclosed on every major security portal.
StillSecure provided a timely patch, downloaded directly from their site into the IDS sensor and installed flawlessly.

The process is relatively uncomfortable because it obliges you to connect the IDS to the Internet, but you may already do so to verify attack signature references as reported above.



Review: StillSecure Strata Guard 4.5 Free - Configuration

The sensor initialization is a highly critical operation. On this process depend the sensor's health and the number of false positives you'll have on a daily basis.

Luckily the operation is fully guided by a first-time configurator and can be invoked at any time during the sensor's life.

During the process you will be asked to configure the database content expiration time (as already said, limited to 7 days in the free edition of Strata Guard), payload logging (which greatly increases storage requirements), monitored network details and time synchronization (which is a fundamental step), email and SNMP notifications when an attack is detected, the rule update policy and the thresholds for the console warning system.


The procedure will also let you choose the sensor operational mode (see the Intrusion detection section of this review), including special firewall interaction (see the Firewall interaction section of this review) with the most common open source and commercial firewalls.



Review: StillSecure Strata Guard 4.5 Free - Installation

Requirements, as usual with traffic analysis tools of any kind, depend on your environment's characteristics and how much traffic you plan to log.
Anyway, StillSecure recommends a machine powered by an Intel Pentium 4 2.0 GHz with 36GB of disk space.

The Strata Guard Free tested in this review is internally labelled as version 4.5-1072.
It's based on Red Hat 3.4.2-6.fc3 (kernel 2.6.11), featuring among others PostgreSQL 7.4.6, Apache Tomcat/4.1.27, OpenSSH 4.2 and obviously Snort, version 2.4.1
(in any case all distribution packages are listed in the Diagnostic part of the web interface).

The underlying operating system is automatically hardened by SELinux, and it also supports IPv6 over IPv4 tunnels.

The operating system is also defended by a local iptables 1.2.9 firewall, limiting inbound access to the management network interface.
As already reported in the introduction, the product boots from CD and re-formats your hard drive, delivering a complete installation in a few minutes.

The standard installer will also check if you are running in a virtual machine, warning that this configuration isn't supported (and I can confirm it performs badly).
But StillSecure recently released a special version of Strata Guard Free inside a VMware virtual machine, to be run totally for free on any computer where VMware Player or the upcoming VMware Server is installed.
(To know more about VMware Player, Server and virtual appliances, read my other blog about virtualization: virtualization.info.)



Review: StillSecure Strata Guard 4.5 Free

Today the world standard in open source intrusion detection systems (IDS) is Snort.
It's powerful, flexible and free. But it lacks complete, enterprise-ready, mature management tools.
In the whole market there are just 4 products competing: BASE (born from the obsolete ACID project), Sguil (which lacks management features), Anvaal and IDS Policy Manager (which lacks reporting features).

Even if you are satisfied by the features provided by these tools, you need to admit none of them provides a fully working Snort-based IDS sensor without much effort.

Sure, following the growing enthusiastic community trend launched by VMware, anybody can assemble a Linux distribution, pre-install and configure one of these tools, and redistribute the work as a VMware Player virtual machine.
But this solution has at least a couple of problems:

  • the whole thing isn't supported, not even commercially, by anybody

  • if you need to change the underlying OS configuration (and you almost certainly will) it can become painful

In this scenario StillSecure started offering a scaled-down, free version of one of their three products, called Strata Guard, which is now a more than valid alternative for some small businesses: it comes with a bootable ISO, it re-formats your hard disk installing the whole system, it helps you tune it with a simple wizard, and it provides sensor management out of the box. And if you want support you can transparently upgrade to a commercial license.

Strata Guard Free comes with some limitations:

  • 5 Mbps maximum throughput

  • Database content expiration maximum 7 days (you would really want this set to 30 days at least)

  • No high availability bypass switch (in a certain operational mode, if Strata Guard has a problem it forwards packets to a stand-by physical switch, filtering nothing; as soon as Strata Guard recovers, the switch forwarding is stopped)

  • No auto-discovery

  • No multi-node management

The following review is based on the first release of Strata Guard Free, launched on the market in February 2006.

