eTrust Intrusion Detection
Technical Overview
Chris Thomas, CISSP
Senior Security Consultant
Agenda
• Attack Trends & Tools
• What is IDS?
• How does IDS Work?
• What is eTrust IDS?
• eTrust IDS Technical Overview
Global Internet Attacks
Attack of the Click Kiddies
• Superscan
• netcat
• nmap
• Stealth
What is an IDS?
• An IDS is software that can:
• Protect network resources
• Offer proactive defence against intrusive acts
• Monitor for and alert to network-access abuse
• Help enforce computer-usage guidelines & policies
• Prevent unproductive Internet activities
How Does it work?
• A Network IDS “sniffs” the traffic on the network.
• It is not a gateway/proxy system.
• It does not introduce latency.
• It does not become a single point of failure.
• It sees all of the traffic on the network segment that it is connected to.
• Runs in Stealth mode
eTrust Intrusion Detection
• Current release: 2.0 SP1
• Sniffer-based network IDS
• Network packet rules
• Network session rules
• Flexible response to intrusions
• Secure logging
• Antivirus and malicious code scanning
• Web content monitoring and blocking
• Email monitoring
How it Works
• Standalone Architecture
• Suitable for a small Web user base (less than 3000 users)
• The GUI along with the rules base are used to control the action of the eTrust Intrusion Detection server.
• Installed with Log View Data Client, Central Agent, Report Viewer. Operates on Windows 98, ME, WinNT/2K.
• 2-Tier Architecture
• The ability to view and manage critical network information either locally or from a remote station.
• Consists of an Engine component and a Viewer component that separate data collection and analysis from viewing and application configuration. Engine operates on WinNT/2K.
Standalone Architecture
[Diagram: eTrust ID sensor placed outside the firewall, watching the Internet gateway; Internet, firewall, DMZ and routers shown]
Standalone Architecture
[Diagram: sensors placed to watch the DMZ and to watch the Internet gateway; Internet, firewall, DMZ and routers shown]
2-Tier Architecture
[Diagram: Engine servers on several intranet segments reporting to a Viewer and a Data Log server]
Intuitive User Interface
Real-Time Response to Security Breaches
• Provides an extensive list of ‘Action’ types usable as notification methods and/or actions taken based on an intrusion.
• Dynamically re-configures Checkpoint Firewall-1 or Nokia Firewall as a standard feature.
E-Mail Monitoring
• Students at School X suspended for violating the school's e-mail policy
• School uses eTrust Intrusion Detection to gather evidence
Telnet Session Playback
• Student uses school resources to provide services (penetration testing including scanning, sniffing, etc.) for own business
• Expelled for violating school policy
• School uses eTrust Intrusion Detection to gather evidence
Extensive Reporting
• 124 detailed reports
• Report Scheduler
• Multiple formats including ODBC-related database, CSV, Word/Excel, Crystal Reports, HTML
• Excellent for network charge-back processes
Auditing & Forensics
• Logs time-stamped; files encrypted and signed
• Switching ‘workspaces’ dynamically enables admin to quickly view traffic
• NO REBOOT OR APPLICATION RESTART NEEDED!!!
“Who” “What” “Where” “When” and “How”
eTrust Intrusion Detection Log View system allows users to monitor usage details over an extended period of time by targeting a specific database and browsing and viewing the archived information.
Log View Data Client
Component
• Log View Data Client collects the data and transfers it to the archive.
• Log View Data Server controls the archived data on the same or a different computer.
• Log Database browser resides on any NT system and provides the user with an interface for viewing the archived logs.
• Let’s have a look …
Intrusion Detection Benefits
• Monitor
• HTTP/FTP/SMTP/NNTP/POP/Telnet
• Monitor connection to Web Mail portals (Hotmail, Yahoo)
• Control
• HTTP/TELNET
• Enforce compliance
• URL control list
• “Bad word” usage in email and NNTP
• Company integrity
• See what people send via FTP and email
• Legal implications
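The packet rules and session rules listed under "eTrust Intrusion Detection", together with the URL control list and "bad word" monitoring above, as an added Python example that is not part of this presentation or the eTrust product: a toy passive analyser applies a host-based URL control list as a per-packet rule and a bad-word scan as a per-session rule over constructed traffic (the blocked hosts, words, addresses and timestamps are all assumptions). It also shows why the session rule needs the reassembled stream: the flagged word is split across two SMTP packets.

```python
# Added example, not eTrust code: a toy passive analyser in the spirit of the
# packet rules / session rules in the slides. It only observes copies of
# traffic and never forwards or blocks anything. All traffic is constructed.
from collections import namedtuple

BLOCKED_HOSTS = ("games.example", "webmail.example")   # constructed URL control list
BAD_WORDS = ("confidential", "payroll")                # constructed "bad word" list

# ts = "when", src = "who", dst = "where", dport selects the decoder, payload = "what"
Packet = namedtuple("Packet", "ts src dst dport payload")

def packet_rule(pkt):
    """Packet rule: match the Host header of an HTTP request against the control list."""
    if pkt.dport != 80 or not pkt.payload.startswith(("GET ", "POST ")):
        return []
    lines = pkt.payload.split("\r\n")
    path = lines[0].split()[1]
    host = next((l.split(":", 1)[1].strip().lower()
                 for l in lines[1:] if l.lower().startswith("host:")), "")
    if host in BLOCKED_HOSTS:
        return [(pkt.ts, pkt.src, "url-control", f"http://{host}{path}")]
    return []

def session_rule(flow_packets):
    """Session rule: scan the reassembled SMTP stream so words split across packets still match."""
    first = flow_packets[0]
    if first.dport != 25:
        return []
    body = "".join(p.payload for p in flow_packets).lower()
    hits = [w for w in BAD_WORDS if w in body]
    return [(first.ts, first.src, "bad-word", ",".join(hits))] if hits else []

def analyse(packets):
    """Run packet rules on every packet, then session rules on each (src, dst, dport) flow."""
    alerts = [a for p in packets for a in packet_rule(p)]
    flows = {}
    for p in packets:                                   # group packets into flows, in capture order
        flows.setdefault((p.src, p.dst, p.dport), []).append(p)
    for pkts in flows.values():
        alerts.extend(session_rule(pkts))
    return alerts

SAMPLE = [  # constructed capture: one blocked web request, one allowed, one SMTP message in two segments
    Packet("09:01:02", "10.0.0.5", "203.0.113.10", 80, "GET /lobby HTTP/1.0\r\nHost: games.example\r\n\r\n"),
    Packet("09:01:05", "10.0.0.5", "203.0.113.20", 80, "GET / HTTP/1.0\r\nHost: news.example\r\n\r\n"),
    Packet("09:02:10", "10.0.0.7", "10.0.0.2", 25, "DATA\r\nSubject: Q3 pay"),
    Packet("09:02:11", "10.0.0.7", "10.0.0.2", 25, "roll figures attached\r\n.\r\n"),
]
```

`analyse(SAMPLE)` yields two alerts, one from each rule type; inspecting the two SMTP packets individually would not find "payroll".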
Summary
• eTrust Intrusion Detection enables you to:
• Detect
• Block
• Scan
• View
• Report
• eTrust Intrusion Detection:
• Flexible
• Deployed on Windows 98, ME, NT/2000
• Easy to install and deploy
• Scalable for large and distributed networks
• Blocks access to inappropriate websites
• Monitors email with inappropriate content
• Generates reports on internet usage
eTrust Threat Management
eTrust Antivirus
eTrust Intrusion Detection
eTrust Policy Compliance
eTrust - The Power to Secure
Q&A
Computer Associates