The first step toward dealing with a security breach is understanding that your security has been compromised. The McAfee IntruShield 2600, part of Network Associates’ family of network protection solutions, is an IDS (intrusion detection system) that uses a central management console application to collect information from sensors deployed at various locations throughout the network.
IntruShield is a capable IDS, able to keep up with high-volume data flow and a wide variety of network exploits. However, it does have limitations in its signature libraries and user interface, which potential customers will need to keep in mind when considering this IDS for their organisation.
Setting up sentries
The IntruShield 2600 sensor acts as the interface between the IDS and the network, while IntruShield Manager software takes care of management tasks. The 2600 contains two GbE (Gigabit Ethernet) detection ports, six 10/100 Ethernet detection ports, three 10/100 response ports with built-in taps, a dedicated out-of-band management Ethernet port, and serial and auxiliary console ports.
Physical installation was simple. Connections were made from router span ports to the GbE ports and from the server hosting IntruShield Manager to the sensor’s management Ethernet port. There was some difficulty establishing the necessary trust relationship between sensor and management software, but after a field software update suggested by Network Associates’ technical support, the system was quickly configured and began monitoring network traffic.
Specifications show that the IntruShield 2600 should support data flows of up to 600Mbps; in this test, maximum data flows topped 300Mbps, and the IntruShield kept up with that amount of data without difficulty. Reviewing IntruShield alerts is a straightforward task, thanks to IntruShield Manager, which can manage and display alerts from up to three sensors. The standard display shows a tabular list of alerts and warnings colour-coded by severity, along with charts indicating the most frequent types of incidents, source addresses, and destination addresses.
Unfortunately, each alert must be acknowledged to be cleared — a task that could be daunting considering the thousands of alerts generated during a single weekend of testing. If a user locks the display, however — which stops the display software from accepting new input so that the lists can be sorted and filtered — alerts can be sorted and acknowledged by groups, making the process quite rapid. IntruShield also handled port scans of servers very nicely, aggregating an entire port scan attack into a single incident rather than generating a separate alert for each scanned port.
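The port scan aggregation described above is the behaviour a defender wants from any IDS: one incident per scanning source rather than one alert per probed port. The following is an added example of that aggregation logic, written for this page and not taken from IntruShield or Network Associates; the event line format, the distinct-port threshold, the time window and the sample events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of per-packet sensor events (not real IntruShield output), one per line:
#   <ISO timestamp> <src ip> -> <dst ip>:<dst port> <tcp flags>
SAMPLE_EVENTS = """\
2003-06-14T02:11:05 10.0.0.5 -> 10.0.1.20:21 SYN
2003-06-14T02:11:05 10.0.0.5 -> 10.0.1.20:22 SYN
2003-06-14T02:11:06 10.0.0.5 -> 10.0.1.20:23 SYN
2003-06-14T02:11:06 10.0.0.5 -> 10.0.1.20:25 SYN
2003-06-14T02:11:07 10.0.0.5 -> 10.0.1.20:80 SYN
2003-06-14T02:11:07 10.0.0.5 -> 10.0.1.20:110 SYN
2003-06-14T02:11:08 10.0.0.5 -> 10.0.1.20:143 SYN
2003-06-14T02:11:08 10.0.0.5 -> 10.0.1.20:443 SYN
2003-06-14T02:11:09 10.0.0.5 -> 10.0.1.20:3306 SYN
2003-06-14T02:11:09 10.0.0.5 -> 10.0.1.20:8080 SYN
2003-06-14T02:11:30 10.0.0.7 -> 10.0.1.20:80 SYN
2003-06-14T02:11:31 10.0.0.7 -> 10.0.1.20:443 SYN
2003-06-14T02:11:40 10.0.0.5 -> 10.0.1.20:8443 SYN
"""

PORT_THRESHOLD = 10               # assumed: distinct ports before a (src, dst) pair is called a scan
WINDOW = timedelta(seconds=60)    # assumed: events older than this are forgotten per pair


def parse_event(line):
    """Split one event line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def aggregate_scans(lines, port_threshold=PORT_THRESHOLD, window=WINDOW):
    """Collapse per-port events into one incident per (src, dst) pair.

    Events are assumed to arrive in time order. Returns a list of incident
    dicts; a pair that keeps probing after the threshold is reached only
    extends its existing incident instead of raising a new alert.
    """
    recent = defaultdict(list)   # (src, dst) -> [(timestamp, port), ...] inside the window
    incidents = {}               # (src, dst) -> incident dict, once the threshold is crossed
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_event(line)
        key = (src, dst)
        bucket = recent[key]
        bucket.append((ts, port))
        # forget probes that fell out of the window for this pair
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        if key in incidents:
            # already an open incident: extend it rather than alert again
            inc = incidents[key]
            inc["ports"].add(port)
            inc["last_seen"] = ts
            continue
        ports = {p for _, p in bucket}
        if len(ports) >= port_threshold:
            incidents[key] = {
                "source": src, "destination": dst,
                "first_seen": bucket[0][0], "last_seen": ts,
                "ports": ports,
            }
    # render incidents in a stable, display-friendly shape
    return [
        {**inc,
         "ports": sorted(inc["ports"]),
         "port_count": len(inc["ports"]),
         "first_seen": inc["first_seen"].isoformat(),
         "last_seen": inc["last_seen"].isoformat()}
        for inc in incidents.values()
    ]


if __name__ == "__main__":
    for inc in aggregate_scans(SAMPLE_EVENTS.splitlines()):
        print(f"{inc['source']} scanned {inc['port_count']} ports on {inc['destination']} "
              f"between {inc['first_seen']} and {inc['last_seen']}")
```

With the sample above, 10.0.0.5 crosses the threshold on its tenth distinct port and produces a single incident, which its later probe of port 8443 extends; 10.0.0.7 touches only two ports and never becomes an incident.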
While the information display is generally easy to use and understand, three issues reduce an overall favorable impression. First, the user interface is Java-based and seemed to take a long time to refresh, despite being the only application running on a server with a 2GHz Xeon processor and 2GB of RAM.
Next, while Manager readily displays various sorts of incidents, getting to a display of the packet contents responsible for the alert took eight to 10 mouse clicks. Often a quick look at a packet’s contents can show an administrator whether an incident is malicious or not; being able to produce the contents with a mouse click or two would make the management interface much friendlier to the busy network administrator.
Finally, when the network packets were decoded, it was via Ethereal, an open source network decoding package commonly used for this purpose. While I don’t fault IntruShield for using Ethereal (many companies do), I found no place in the documentation pointing to the need for Ethereal before I tried to look inside a packet, causing further delays while I acquired and deployed Ethereal.
WebDAV gets missed
During more than a week of network monitoring, IntruShield’s combination of attack signature matching and port/behaviour scanning caught many attacks and suspect behaviours, including several that were missed by another IDS currently in place at the test site, the University of Florida’s Network Services Interoperability Lab. The multifaceted approach should prove useful as new attacks and exploits are placed into service by hackers.
On the other hand — and this is a big red flag — IntruShield completely missed one exploit commonly used against large institutions: the WebDAV exploit, which uses exceptionally large URL strings to overflow buffers on a Web server and gain access to command privileges.
In the first weekend of testing, a WebDAV attack was launched and picked up by the test site’s existing IDS, but IntruShield did not display any alarms. I wondered whether something unusual had kept IntruShield from recognising the behaviour, so I launched two test WebDAV attacks against secure servers. IntruShield didn’t pick up either one — not a good sign.
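The exploit the review describes is characterised by a request-target far longer than any legitimate WebDAV path, which is exactly the kind of property a simple protocol-aware check can flag even when no signature matches. The following is an added example of such a check, written for this page and not code from IntruShield, Network Associates, or the test site. The WebDAV method list, the length threshold, the severity scheme, and the sample requests (the oversized one is nothing more than a long run of a single character) are all assumptions constructed for the example.

```python
# Methods defined for WebDAV; any of these with an oversized target is the case the review flags.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
MAX_TARGET_LEN = 4096   # assumed threshold; tune it to the longest legitimate path on the monitored servers

# Constructed sample requests (not captures from the test site).
NORMAL_REQUEST = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.org\r\nDepth: 1\r\nContent-Length: 0\r\n\r\n"
)
OVERSIZED_REQUEST = (
    b"PROPFIND /" + b"x" * (MAX_TARGET_LEN + 1) + b" HTTP/1.1\r\n"
    b"Host: www.example.org\r\n\r\n"
)
OVERSIZED_GET = b"GET /" + b"x" * (MAX_TARGET_LEN + 1) + b" HTTP/1.0\r\n\r\n"


def inspect_request(raw, max_len=MAX_TARGET_LEN):
    """Return a finding dict when the request-target is longer than max_len, else None.

    Only the request line is examined. WebDAV methods get severity "high",
    since WebDAV handling is the code path the review's missed exploit targeted;
    any other method with an oversized target gets "medium" so it is still logged.
    A request line that does not split into method, target and version is
    reported as malformed rather than silently ignored.
    """
    head, _sep, _rest = raw.partition(b"\r\n")
    parts = head.split(b" ")
    if len(parts) != 3:
        return {"severity": "low", "reason": "malformed request line",
                "method": None, "target_len": len(head)}
    method, target, _version = parts
    method = method.decode("ascii", "replace").upper()
    if len(target) <= max_len:
        return None
    severity = "high" if method in WEBDAV_METHODS else "medium"
    return {"severity": severity,
            "reason": f"request-target {len(target)} bytes exceeds {max_len}",
            "method": method, "target_len": len(target)}


def inspect_stream(requests, max_len=MAX_TARGET_LEN):
    """Run inspect_request over a sequence of requests and keep only the findings."""
    return [f for f in (inspect_request(r, max_len) for r in requests) if f]


if __name__ == "__main__":
    for finding in inspect_stream([NORMAL_REQUEST, OVERSIZED_REQUEST, OVERSIZED_GET]):
        print(finding["severity"], finding["method"], finding["reason"])
```

The check is deliberately coarse: it trades signature precision for the ability to notice a class of malformed request that a signature library may not yet cover, which is the gap the review observed. In practice the threshold should be set from a baseline of real traffic on the monitored servers, and findings should feed the same aggregation used for port scans so a single noisy client does not flood the console.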
The missed WebDAV attack is disconcerting, despite otherwise solid scanning performance, and some functions, especially packet decoding, are buried too deeply in command trees. Nevertheless, IntruShield’s ability to set different rule sets for its different ports means that a single sensor could provide monitoring for multiple network segments with varying needs and vulnerabilities. Overall, this is a good, enterprise-level IDS that will be comfortably at home in large networks.
The IntruShield 2600 sensor was connected via GbE (Gigabit Ethernet) to a span port on a Cisco 6509 router within the UF production network. The network traffic monitored was the bulk of Internet and Internet2 traffic coming to and from the university over more than a week’s time. The IntruShield 2600 was configured for maximum alerts — no alert filtering was in place during the tests.
IntruShield Manager software was deployed on a Windows 2000 Server base, on a 2GHz Intel Xeon processor with 2GB of RAM. The management server connected directly to the management Ethernet port of the sensor.
The Network Services Interoperability Lab, part of the university’s office of information technology, was begun to test and verify network equipment that was eventually placed into production to support faculty and students. The lab, sponsored in part by contributions from Cisco Systems, Ixia and Spirent Communications, hosts numerous product demonstrations each year.