
November 2002

Test Center

RealSecure 7.0

ISS matures its IDS into an enterprise-class, best of breed solution.

BY James C. Foster

I'm not one to gush effusively over a security product, but Internet Security Systems' RealSecure 7.0 just might be the best IDS I've ever seen. It has matured into a best-of-breed technology that's a significant advancement over previous iterations and competing IDSes.

ISS invested heavily in integrating the BlackICE technology (acquired through its purchase of Network ICE in 2001), giving RealSecure increased Linux support and nearly doubling its attack signatures. It also added the new "Trons" module, which gives RealSecure the ability to use Snort-based rules. Under the hood is gigabit-speed capacity that enables RealSecure to stand side by side with appliance-based IDSes.

To give RealSecure enterprise-class scalability, ISS designed a three-tier architecture: sensors (network and server), event collectors and databases (enterprise and asset), and management consoles. In addition, easily integrated add-on modules, such as Internet Scanner and System Scanner, feed vulnerability data into event correlation, false-positive analysis and alert prioritization.

The SiteProtector management console drives the entire RealSecure suite. It allows admins to quickly navigate through correlated events and search multiple sensors for events. The optional FastAnalysis module is worth every penny for organizations that conduct daily event investigations. The module quickly provides intruder details, including the target and the type of attack attempted. Without it, investigators would have to manually track down IPs and attack sequences.

With more than 1,200 unique signatures, RealSecure 7.0 is far more comprehensive than its predecessors.

In addition, its Trons (Snort spelled backwards) feature allows for quick importation of Snort-based rules, so admins can cover a new attack with a quickly written Snort rule until ISS releases a native signature for it.

The Trons and RealSecure detection modules work together, but aren't fully integrated. Organizations that load the entire Snort ruleset into RealSecure will suffer a system-wide performance hit, much as if two different IDS engines had been pushed behind one interface. Whenever a native signature exists, use it instead of the Trons rule.

RealSecure adds another layer of protection with its dropped packet alerts. RealSecure signals when it can't keep up with the traffic flow, which is both a key indicator of a distributed denial-of-service (DDoS) attack and a warning that the sensor was blind for that interval, since any attack carried in the dropped packets went uninspected.

Behind the Scenes
Out of the box, the RealSecure Network Sensor is very good at identifying and analyzing network reconnaissance tools, application/system probes and some custom exploits. During testing, it quickly identified several common tools--including Whisker, Nessus, Nmap, Firewalk, Internet Scanner, hping and SMTPScan. In putting the IDS through its paces, I employed several techniques for bypassing policies and poorly written signatures. Here are some of the highlights:

String and fragmentation attacks. RealSecure decodes more than 60 application- and transport-layer protocols and reassembles fragmented traffic before matching, so common fragmentation attacks are easily defeated.

Unicode. RealSecure has excellent stream reassembly engines and successfully detected hundreds of unique Unicode attack strings, including the overlong UTF-8 encodings used to disguise path separators.

URL encoding. URL encoding obfuscates text or attack sequences within the URL field of Web transmission-based attacks. This was once an effective way to probe and overflow Web servers without detection, but RealSecure decodes the request before matching and identified all of these attacks, too.

Polymorphic shellcode attacks. RealSecure and just about all network-based IDSes are fooled by custom polymorphic attacks. The implemented rules and session reassembly mechanisms don't adequately protect against fragmented shellcode, especially when "garbage" bytes and packets are injected into the attack sequence packet stream.

Cross-protocol and port-destination attacks. Sending protocol traffic to the wrong destination port to bypass IP filter tables and port-specific IDS rules is an old evasion technique. RealSecure's content-based packet analysis identifies the protocol from the payload rather than the port, so it catches these attacks regardless of where they are sent.

Denial of service. Nondistributed bandwidth-exhaustion or computational DoS tools don't have the firepower to overwhelm the RealSecure Gigabit Sensor. Even if one did, the flood would trigger the dropped packet alert.
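The evasion classes above all come down to what the sensor does before it matches a signature: reassemble the stream, identify the protocol from content rather than port, and normalize encodings. The following Python sketch is an added example written for this review, not ISS or RealSecure code; the two signatures, the sample IIS traversal request, the segment offsets and the port 8080 destination are all constructed for illustration.

```python
"""Toy inspector for the evasion classes in the review: out-of-order segment
reassembly, port-independent HTTP detection, and URL/overlong-UTF-8
normalization before signature matching. Added example, not RealSecure code;
signatures and the sample request are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical signatures, matched against the canonical (decoded) request target.
SIGNATURES = [
    ("dir-traversal", re.compile(r"(^|/)\.\./")),
    ("cmd-exe", re.compile(r"/cmd\.exe", re.I)),
]

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?\n")


def reassemble(segments):
    """segments: list of (offset, bytes), possibly unordered or overlapping.
    Returns the contiguous stream, or None if a gap means we cannot match yet.
    Overlaps are resolved first-writer-wins, one of several policies real
    stacks use; an IDS that picks a different policy than the target host is
    exactly what fragmentation evasion exploits."""
    buf = bytearray()
    for off, data in sorted(segments, key=lambda s: s[0]):
        if off > len(buf):
            return None
        buf.extend(data[len(buf) - off:])   # keep only bytes not already seen
    return bytes(buf)


def decode_overlong(raw):
    """Decode two-byte overlong UTF-8 sequences such as C0 AF ('/') and C1 9C
    (backslash), which strict decoders reject but some servers historically
    accepted. Other bytes pass through untouched."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:            # overlong: encodes a plain ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def canonical_path(target):
    """Percent-decode until stable (bounded, to catch double encoding), then
    undo overlong UTF-8 and fold backslashes, so signatures see one form."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_to_bytes(cur)
    cur = decode_overlong(cur).replace(b"\\", b"/")
    return cur.decode("latin-1")


def inspect(dst_port, segments):
    """Return [(signature, canonical_path)] hits for one TCP stream. The
    destination port is accepted only for reporting: the decision to parse the
    stream as HTTP is made from content, which is what defeats port shifting."""
    payload = reassemble(segments)
    if payload is None:
        return []
    m = HTTP_REQ.match(payload)
    if not m:
        return []
    path = canonical_path(m.group(2))
    return [(name, path) for name, pat in SIGNATURES if pat.search(path)]


# Constructed sample: the classic IIS traversal request, split into two
# out-of-order TCP segments and sent to a non-standard port.
SAMPLE_REQUEST = (
    b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
    b"Host: target.example\r\n\r\n"
)
SAMPLE_SEGMENTS = [(30, SAMPLE_REQUEST[30:]), (0, SAMPLE_REQUEST[:30])]

if __name__ == "__main__":
    for sig, path in inspect(8080, SAMPLE_SEGMENTS):
        print(f"ALERT {sig} on port 8080: {path}")
```

Matching the raw bytes would miss both signatures here: the traversal is hidden behind `%c0%af`, the request arrives out of order, and it is aimed at port 8080. Each normalization step is also a place where the sensor can diverge from the target host (overlap policy, how many decode passes, which overlong forms the server accepts), which is why the polymorphic and fragmented-shellcode cases above remain hard.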

ISS did a fantastic job reducing the number of false positives generated by RealSecure. However, the filter capability could allow some attacks to go undetected. RealSecure filters suppress alerts by IP address, port or event, and an overly broad filter is the IDS equivalent of opening a firewall port to all inbound and outbound traffic: anomalous traffic matching the filter simply sneaks past RealSecure unseen. My recommendation is to use these filters sparingly.

SNAPSHOT

RealSecure 7.0
Internet Security Systems
www.iss.net
Price: $8,995 (RealSecure Network Sensor 7.0);
$24,995 (RealSecure Gigabit Network Sensor 7.0)

PROS

  • Best of RealSecure/BlackICE signature technology.
  • Intuitive and easy-to-navigate GUI.
  • Three-tier architecture is scalable for large environments.
  • Supports gigabit traffic speeds.
  • New Trons module adds Snort-based rules compatibility.

CONS

  • Installation is tedious, with extensive integration work that may require ISS or third-party consulting.
  • Documentation isn't very helpful for installation or understanding some features.
  • Initial learning curve is steep for architecture design and configuration.

VERDICT

Modified and successfully redesigned for the largest and most complex environments, RealSecure 7.0 offers a fierce combination of availability, intrusion technology, gigabit-processing power and centralized management. It belongs on any enterprise's IDS short list.

Drilling Down on Data
RealSecure's GUI makes it easy to navigate through the various reports, logs and management screens.

RealSecure 7.0's reporting is nearly identical to its predecessor, allowing a user to view common reports based upon several criteria, including source/destination IP address, event name, ports, suspicious connections or user activity.

Network traffic can be recorded using either packet logging or evidence logging. Packet logging copies all traffic to log files. This has two drawbacks. First, these files grow very large very quickly. Second, writing every packet to disk consumes enough CPU and I/O to significantly hinder sensor and application performance.

If feasible, I recommend using evidence logging, which only records packets that are relevant to identified attacks, such as flagged attack strings and their responses from the target machines.
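The trade-off between the two logging modes is easiest to see in code. The sketch below is an added example, not RealSecure's implementation: it keeps a short per-flow ring buffer of recent packets in memory and commits a flow to the evidence log only when a signature fires, along with a bounded number of follow-on packets so the target's response is captured. The flow key, the buffer sizes and the sample traffic (two flows on 10.0.0.0/24, one of which triggers a hypothetical "cmd-exe" signature) are assumptions constructed for illustration.

```python
"""Evidence logging sketch: keep a short per-flow ring buffer of recent packets
and persist only flows that raised an alert, plus a bounded number of
follow-on packets so the target's response is captured. Added example, not
RealSecure's implementation; the flow key, buffer sizes and traffic are
assumptions constructed for illustration."""
from collections import defaultdict, deque


class EvidenceLogger:
    def __init__(self, pre=4, post=4):
        self.pre, self.post = pre, post
        self.recent = defaultdict(lambda: deque(maxlen=pre))  # per-flow ring buffer
        self.armed = {}       # flow -> post-alert packets still to record
        self.evidence = []    # what would be written to the evidence log
        self.seen = 0         # what packet logging would have written

    @staticmethod
    def flow_key(pkt):
        """Direction-independent 5-tuple so request and response share a flow."""
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"],) + tuple(ends)

    def packet(self, pkt, alert=None):
        """Feed one packet; alert is the signature name if this packet fired."""
        self.seen += 1
        k = self.flow_key(pkt)
        if alert:
            # Flush the pre-alert history, record the trigger, arm post-capture.
            self.evidence.extend(self.recent[k])
            self.recent[k].clear()
            self.evidence.append(dict(pkt, alert=alert))
            if self.post > 0:
                self.armed[k] = self.post
        elif k in self.armed:
            self.evidence.append(pkt)
            self.armed[k] -= 1
            if self.armed[k] == 0:
                del self.armed[k]
        else:
            self.recent[k].append(pkt)   # bounded memory per flow; dropped if no alert


def _pkt(n, src, sport, dst, dport, proto="tcp"):
    return {"id": n, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto}


def run_sample(pre=4, post=4):
    """Constructed stream: benign flow A interleaved with attack flow B; stream
    packet 7 (in flow B) fires a signature, and Br is B's response direction."""
    A = ("10.0.0.5", 4000, "10.0.0.1", 80)
    B = ("10.0.0.9", 5000, "10.0.0.1", 80)
    Br = ("10.0.0.1", 80, "10.0.0.9", 5000)
    script = [A, B, A, B, B, A, ("alert", B), Br, A, Br, B, B, B, A, A]
    log = EvidenceLogger(pre, post)
    for i, item in enumerate(script, start=1):
        alert = None
        if item[0] == "alert":
            alert, item = "cmd-exe", item[1]
        log.packet(_pkt(i, *item), alert)
    return log


if __name__ == "__main__":
    log = run_sample()
    kept = [p["id"] for p in log.evidence]
    print(f"packet logging would keep {log.seen} packets; "
          f"evidence logging kept {len(kept)}: {kept}")
```

With the sample stream, packet logging writes all 15 packets while evidence logging keeps eight: the three packets of flow B that preceded the alert, the trigger itself, and four follow-on packets including the target's replies. Flow A never touches disk. The cost is the `pre` window: history older than the ring buffer is gone by the time the signature fires, so size it to the longest setup your signatures need.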

It's disappointing to see that RealSecure's GUI and real-time alert modules don't support viewing files in the industry-standard PCAP format. ISS should include PCAP support in the next version, so admins won't waste time exporting log files while analyzing events.

Rough Start
In contrast to its functionality, comprehensiveness and scalability, RealSecure is extremely tedious to install and learn.

Documentation leaves something to be desired. ISS doesn't provide enough detail on how to integrate RealSecure into existing network architectures or enough explanation of new features.

ISS provides ample installation documentation (printed material comes with the license and supplemental information can be downloaded from its Web site), but volume isn't depth.

Unfortunately, the documentation alone isn't sufficient for implementation. The new configurable features, including Linux support, could have been better explained. Key management for the authenticated, encrypted links between sensors, event collectors and consoles is similarly complex and poorly documented.

Reaping the power of RealSecure comes only after considerable network and security integration. RealSecure can create a management nightmare--especially when encrypted and authenticated links are in use--as it pulls data from a variety of sensor and network devices.

ISS realizes that RealSecure is a complicated piece of software, which is why it provides free installation consulting services. Of course, ongoing support costs extra. Even with this ISS support, some organizations may require third-party consulting.

Once installed, though, RealSecure delivers some of the best functionality and performance of any IDS on the market. With some tweaking and documentation improvements, RealSecure can only get better.


JAMES C. FOSTER is a manager of security development at Foundstone.





Copyright 2002 TechTarget