Yvette Seifert Hirth <[EMAIL PROTECTED]> pinged the List:
>Today in the mail I received a copy (unsolicited, unless I am suffering from
>Early Onset of Alzheimer's) of NFR's Intrusion Detection Appliance v4.1 on
>CD-Rom. I did *not* receive a physical "appliance", and as I'm not familiar
>with this product ...
Lucky Lady! In the real world, the NFR "Appliance" is priced at
$3,400. Someone with influence put you on a fairly selective distribution
list. Mass mailings of NFR CDs are not the norm;-) As others have noted,
the NFR (Network Flight Recorder) "Appliance" is one of the top two or three
state-of-the-art, network-based, Intrusion Detection Systems. (See:
<www.nfr.net>)
NFR prez Marcus Ranum is one of the best-known alumni of this list
-- the primary architect of Digital's SEAL, TIS' FWTK, and NAI's Gauntlet, I
think -- and still (FWs are an addiction!) the moderator of the
Firewall-Wizards mailing list sponsored by NFR. Famously helpful to
newbies, Ranum is a charming and sterling fellow. (Unfortunately, he is
also young enough to make me feel ancient when he is introduced as the
"Godfather of Firewallers" or some such.)
"Appliance," in the NFR context, refers to a purposely
function-starved rebuild of a BSD OS from the bootstrap up. An IDS is
designed to support only the core needs of NFR's hungry TCP/IP vacuum.
NFR's IDS is a cross between a super sniffer and a threat-analysis engine
(with a backend database of "known exploits" and vulnerability filters; and
equipped with sundry burglar alarms, smoke-bombs, and other whiz-bangs.)
Although NFR appliances can be run in stand-alone mode, probably
most of the 15,000-plus NFR devices installed today are managed as
distributed sensor stations -- scattered throughout a corporate network,
but overseen from a Sparc-based NFR Central Station.
>Does anyone know of NFR's stuff? Is this product worth "reviewing", or
>should I simply return it from whence it came?
There were a couple of reviews that highlighted the strengths of
this new generation of NFR appliances. Check out InfoWorld and Network
Computing:
<http://www.infoworld.com/cgi-bin/displayTC.pl?/reviews/991101nfr.htm> and
<http://www.networkcomputing.com/1023/1023f1.html>.
In addition to its budget pricing -- compare vs. ISS -- the notable
strengths of NFR's appliance have always been its speedy data-capture
interface, and its infinitely malleable, customer-extendable, filter set.
(The NFR IDA boasts a handy scripting language, N-code, that allows local
Admins to add new alarms for pending threats, and to otherwise configure the
backend filters to enforce local corporate policy.)
Until recently, the NFR IDA seemed designed for ubertechies like
Ranum and the core heavyweights on this List. Early NFR appliances required
buyers to either hire a consultant or to commit local staff with the time,
talent, and network savvy to code and configure most of their own
backend filters.
When NFR's v4.0 IDA was released last fall, however, it sported a
breakthrough in "ease of use." NFR's appliance was finally transformed from
a Rocket Scientist's toy into a useful network-operations utility for me and
thee.
That CD you received *is* the IDA -- drop it in the CD drive on a
speedy Pentium with 128M of RAM, answer a page of questions, and you've got
a fully-configured working IDS. Presto! The NFR CD stays in the drive. The
IDS actually works off the CD, safe from attack and corruption in its
read-only laser burn. (To upgrade, you simply swap CDs and reboot.)
The 4.1 CD that landed on your desk also has a library of attack and
vulnerability filters ("signatures" in the parlance of IDS culture) that is
roughly double the size of the previous (v4.0) IDA from NFR -- and it has a
gloriously gray-hat heritage.
The L0pht, a fabled Boston-based hacker collective -- recently
incorporated into a $10M venture-funded firm of infosec consultants called
@stake (perhaps with the Cult of the Dead Cow as wholly-owned subsidiary;-)
-- spit-polished their proverbial hats with a 1999 contract from NFR.
Most of the 800 attack sigs included in the 4.1 NFR appliance were
crafted and scripted by the L0pht, and they illuminate a fascinating mix of
known "exploits," but also an array of potential vulnerabilities -- often
things no one has figured out how to attack thus far. In IDS terms, this is
somewhere beyond the traditional categories of "anomaly detection" and
"misuse detection"; it's closer to "protocol-boundary checks."
The intelligence with which NFR's appliance manages the TCP data
flow complements this depth of review. For the past year or so, I think
only NFR's IDS has been able to reassemble jumbled and fragmentary TCP
packets to recognize subtle "FragRouter" attacks.
> I'm still a newbie, and as we have a firewall in place, I'm afraid of
>"downgrading".
>
> If anyone has any experience with this, I'd appreciate hearing about it,
> either on the listserver or via direct email.
FWs and IDS operate in different dimensions; complementary but never
one and the same -- as I'm sure many helpful folks have told you by now.
I've been a consultant to NFR as the IDA has evolved, so my opinions on
NFR's technology should be taken with a grain of salt. For a newbie, maybe
a graybeard's overview would be more helpful:
I think of Intrusion Detection Systems (IDS) as the security
industry's inevitable reaction to the socio-economic shifts and new
technology that has brought proprietary corporate networks (including
firewalls) under siege from a constantly-mutating range of attacks that come
at us over the Internet, and even hit us from within.
Firewalls are defined by what they block. Unfortunately, our Users
demand broad access to Internet-based services and online resources, and
Management requires extended extranets and e-commerce options. To meet
these needs, corporate network managers are often forced to open huge
tunnels through the firewall, and often backdoors into the network as well.
These almost irresistible pressures have also forced the one-time
Gatekeepers to permit and license large numbers of "outsiders" -- employees
of partners, suppliers, big customers -- to roam nominally-proprietary
networks with minimal access controls and less oversight. Internal
firewalls were often taken down to foster easier communications, shared
resources, and groupware development efforts.
The hunger for PKI (crypto locks on all internal resources) and
PKC-based digital services (digital signatures, etc.) is one reaction to
the crisis of confidence that afflicts savvy network infosec managers. IDS
sensors scattered through the new "open" corporate networks are yet another.
Firewalls on what is left of the local "perimeter" will always be
necessary, but never again will they be considered sufficient. An IDA is
almost surely part of the layered solution that is today required to secure
the new network paradigm.
Suerte,
_Vin
Vin McLellan
The Privacy Guild
> "Who *are* those guys?"
> --Paul Newman, "Butch Cassidy and the Sundance Kid"
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
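The fragment-reassembly point Vin makes above (that an IDS which matches signatures per packet can be blinded by FragRouter-style splitting, and that reassembling the stream is what defeats it) in runnable form. This is an added example, not code from the original post and not NFR's N-code or any L0pht filter; the "signature", the sample request, the fragment offsets and the two overlap policies are all constructed for illustration.

```python
"""
Added example (not NFR code): why a network IDS has to reassemble fragments
before it matches signatures, and why the reassembly *policy* matters.

The signature, the request and the fragment layout below are constructed
for this demo; they are not real NFR/L0pht filters.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Fragment:
    offset: int    # byte offset of this fragment within the original datagram
    data: bytes


# Hypothetical signature the IDS looks for (constructed for this demo).
SIGNATURE = b"GET /cgi-bin/phf?"

# Constructed sample request that carries the signature.
ATTACK_PAYLOAD = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"


def split_into_fragments(payload: bytes, size: int) -> List[Fragment]:
    """Cut a payload into consecutive, non-overlapping fragments (fragrouter-style)."""
    return [Fragment(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def per_fragment_match(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Naive IDS: inspect each fragment on its own, with no reassembly."""
    return any(sig in f.data for f in frags)


def reassemble(frags: List[Fragment], policy: str = "first") -> bytes:
    """
    Rebuild the datagram from fragments, taken in arrival order.

    policy="first": the first fragment to cover a byte wins; later overlaps are ignored.
    policy="last":  the last fragment to cover a byte wins; later overlaps overwrite.
    Real TCP/IP stacks differ on this. An IDS that applies a different policy than
    the host it protects can be made to see a different stream than the host does.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    seen = [False] * total
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = True
    if not all(seen):
        raise ValueError("gap in fragment stream; cannot reassemble")
    return bytes(buf)


def reassembled_match(frags: List[Fragment], policy: str = "first",
                      sig: bytes = SIGNATURE) -> bool:
    """IDS that reassembles the stream before matching."""
    return sig in reassemble(frags, policy)


def overlapping_attack() -> List[Fragment]:
    """
    Constructed overlap evasion: a decoy fragment and the real one both claim
    offset 13. Which bytes win depends on the receiver's overlap policy.
    """
    return [
        Fragment(0, b"GET /cgi-bin/"),
        Fragment(13, b"abc?"),                  # decoy, arrives first
        Fragment(13, b"phf?"),                  # real bytes, arrive second
        Fragment(17, b"Qalias=x HTTP/1.0\r\n"),
    ]


if __name__ == "__main__":
    tiny = split_into_fragments(ATTACK_PAYLOAD, 8)
    print("per-fragment match:", per_fragment_match(tiny))          # False: signature split across fragments
    print("reassembled match:", reassembled_match(tiny))            # True
    ov = overlapping_attack()
    print("overlap, first-wins:", reassembled_match(ov, "first"))   # False
    print("overlap, last-wins:", reassembled_match(ov, "last"))     # True
```

The first pair of calls shows the plain FragRouter trick: cut the request into 8-byte pieces and no single fragment contains the signature, but the reassembled stream does. The second pair is the subtler case: with two fragments claiming the same offset, "first-wins" and "last-wins" produce different streams, so a sensor has to know which policy the protected host follows, or it can be shown a clean stream while the host sees the attack.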