
q000049

I have some questions about corporate deployment of the ICEpac suite.

This article applies to: ICEcap

SUMMARY

Here are some common questions and answers for corporate customers.

DETAILS

How many different types of attacks do you detect?
The current count (October 1999) is around 300. These are listed at http://advice.networkice.com/Advice/Intrusions.

What is the incidence of false-positives?
This question is difficult to quantify with numbers; it varies greatly from site to site. However, we believe that one of our key differentiators is that we have the fewest false positives in the industry. This has been verified by customers who have placed our product side by side with the competition.

Does your product require updates to its rules?
Yes. It is similar to virus scanning: new intrusion methods are discovered on a regular basis.

How much do these updates cost, and who provides them?
These updates come as part of the product. For subscription purchases, they come free for the duration of the subscription. For a perpetual license, they are roughly 20%-30% of the original purchase price.

How do I upgrade with new signatures and functionality?
You manually download the update to the console, which then automatically pushes it out to the agents.

How often do you update your attack signatures?
This is hard to predict. Historically, we've created new signatures at the rate of about 1 per day, and adjusted an existing one to remove false positives or increase its range also at a rate of about 1 per day. About monthly we provide a new update to our customers with that month's worth of changes.

How do you keep up to date with the latest attacks?
Like most vendors, the majority of our information comes from public sources, such as Bugtraq, NTBugtraq, and vendor announcements. We obtain early information from a network of customers and partners who know people in the "underground".

Is the product remotely manageable?
The network agents (Sentry) and host agent (Agent) are fully remotely manageable from the console (ICEcap). This includes product updates, signatures, and configuration. Furthermore, Agent host agents contain a built-in firewall whose rule sets are maintained by the ICEcap console.

What is the scalability?
We believe that scalability is one of our key differentiators. Competing product lines have been built around the concept of a few network sensors reporting to the console. Our product line has been built around the concept of both network sensors and desktop agents reporting to the same console, using the same mechanism. As a result, we expect thousands of agents can be managed from a single console.

What automated response mechanisms are available?
E-mail, popup windows, and pager. The system contains an innovative mechanism of being able to script an "HTTP POST", which would allow it (after user configuration) to post the contents of an alert to any web page. Further techniques, such as SNMP traps, are planned for the near future.

How much of an impact will your product have on my network/host performance? What other performance issues does it raise?
The network sensor (Sentry) is a promiscuous sniffing probe and has no impact on the network it is monitoring. The host sensor (Agent) has been built to the same high-performance standards as Sentry: namely, Sentry can process around 148,800 frames/second using 90% of its CPU, but the average end-node sends/receives less than 100 frames/second. Servers have different performance parameters, but it is really difficult to predict performance numbers. The most notable impact we've seen to date was a 10% performance degradation on a highly utilized 200-MHz single-CPU server.

How robust are communications between the sensor and the central manager?
Extremely robust. We believe this is one of our key differentiators. Reporting systems have a number of problems, including attacks directed against the sensors themselves. We have sophisticated techniques to coalesce events, recover from sensor-console communication failures, and to back off when the console is overloaded.

How reliable is alarm capture? That is, if you're generating a high volume of alarms, will all of them be captured and put into a database?
We have sophisticated coalescing algorithms so that rather than discarding events, they are combined into a single event. For example, if an attacker does a single TCP port probe to test whether a service is available, that is a single event with the "data" being the port number. However, if an attacker scans the range of ports 1-1024 doing a slow scan of one port every 6 hours, that too is a single event, with the "data" containing the range 1-1024 and the time period. Now consider an attacker who is smart and sends a port probe to every other port, so that we cannot combine them into a contiguous range. The events are still consolidated, but now we report the range "1~1024", that 512 ports within that range were scanned, and that about every other port was scanned. We call this the "Powerful Principle of Graceful Degradation": rather than a "cliff" effect where the system shuts itself down due to information overload, the system gracefully degrades.
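As an added illustration of the coalescing idea described above (this is not code from the original article or from Network ICE, and all names and sample values are constructed), the Python sketch below groups port probes per source/destination pair into one event that carries the port range, the number of distinct ports and the fraction of the range actually covered, so a slow full scan and an every-other-port scan each reduce to a single record instead of thousands.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Probe:
    ts: float      # seconds since epoch (constructed sample values)
    src: str
    dst: str
    port: int


@dataclass
class CoalescedEvent:
    src: str
    dst: str
    low: int
    high: int
    ports_seen: int   # distinct ports probed
    coverage: float   # fraction of ports in [low, high] actually probed
    start: float
    end: float

    def describe(self) -> str:
        span = self.high - self.low + 1
        secs = self.end - self.start
        if self.ports_seen == 1:
            return f"{self.src}->{self.dst} probe of port {self.low}"
        if self.ports_seen == span:
            return f"{self.src}->{self.dst} scan of ports {self.low}-{self.high} over {secs:.0f}s"
        # Degraded form: not a contiguous range, so report range, count and coverage.
        return (f"{self.src}->{self.dst} scan in range {self.low}~{self.high}: "
                f"{self.ports_seen} of {span} ports ({self.coverage:.0%}) over {secs:.0f}s")


def coalesce(probes):
    """Fold individual probes into one event per (src, dst) pair."""
    ports = defaultdict(set)
    times = defaultdict(list)
    for p in probes:
        ports[(p.src, p.dst)].add(p.port)
        times[(p.src, p.dst)].append(p.ts)
    events = []
    for (src, dst), seen in ports.items():
        low, high = min(seen), max(seen)
        events.append(CoalescedEvent(src, dst, low, high, len(seen),
                                     len(seen) / (high - low + 1),
                                     min(times[(src, dst)]), max(times[(src, dst)])))
    return events


# Constructed input: one probe, a slow full scan (one port per 6 hours), an every-other-port scan.
SAMPLE = ([Probe(0.0, "10.0.0.5", "10.0.0.80", 80)]
          + [Probe(i * 6 * 3600.0, "10.0.0.9", "10.0.0.80", p) for i, p in enumerate(range(1, 1025))]
          + [Probe(float(i), "10.0.0.7", "10.0.0.80", p) for i, p in enumerate(range(1, 1025, 2))])
```

Running `coalesce(SAMPLE)` yields three events in place of 1537 probes; the every-other-port scan is reported as range 1~1023 with 512 ports at about 50% coverage.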

What can you do with the data when you get it? Data visualization is a key issue.
Simple data tables and charts based upon a web front-end and an SQL backend. Our visualization is targeted at engineers who need to solve problems such as tracking down intruders or resolving false positives. We have found that our customers have different visualizations that they are comfortable with. Rather than creating a whole new visualization system they would have to be trained upon, we have instead opened up the SQL database to make it easy to generate graphs and reports that suit their needs using such products as Excel and Crystal Reports.

Is your product appropriate for deployment on the perimeter of my network as well as inside the network?
We believe this is one of our key differentiators. Sentry is an excellent product for high-speed networks, such as the choke point between a large corporate network and the Internet that uses T3 lines or faster. It is further designed for many of the attacks that such sites experience, and the event coalescing feature helps in data reduction during massive attacks.

The Agent has been designed for "outside the perimeter" nodes such as telecommuters or a roving sales force. It protects the VPN machine with a centrally managed personal firewall, such that attacks against those machines are unlikely to compromise the corporation as a whole.

Finally, Agent is built for internal, switched networks. For example, someone on the same Ethernet switch as the CEO has had free rein in the past to attack the CEO's machine, but Agent today will detect the intrusion, identify the attacker, and protect the machine. All these agents are centrally managed as described above.

How does your product detect internally-generated abuse by authorized users over a long period of time?
This is an interesting question. The traditional question is about "slow scans" as a technique for unauthorized users to evade detection (which the intrusion-detection component has been designed to detect). However, authorized activity is more difficult. Today the product has few detection capabilities to track authorized users. We believe such detection is best handled by audit trails built into normal products.

How can I customize or configure your product to meet my specific site policies and needs?
The intrusion-detection component has hundreds of configuration options for adjusting it to meet your specific needs and adding signatures.

How many people will I require to use this product effectively?
This depends on how you expect to use this product, but for a large corporation you might expect 5-10 people. As is described below, we believe this is the easiest-to-use product in its class, and therefore staffing levels are lower. In a large corporation with wide-scale deployment, you will find internal employees attempting hacks against computers. Roughly 80% of losses due to hacking in large companies are due to such activity. Therefore, running the product can actually increase load on the human resources staff, require investigation into hacking incidents, and so forth. On the other hand, some people simply use the system for forensics, which means tracing back through information collected about an attack after it has occurred. The system needs little or no ongoing maintenance for this scenario.

What kind of expertise and training is needed to set up and maintain your product and analyze the results?
We believe this to be one of our key differentiators. We believe our product is the easiest to use in the industry. This has been validated by magazine reviews of our product, and customer testimonials.

In particular, we believe that it requires NO expertise and NO training in order to set up the product and analyze the results to a basic level. We have several corporate customers who have successfully tracked down hackers on their website or inside their company, even though they know nothing about security.

Of course, for long term maintenance and for the most effective use of the product, some training is needed. We have therefore designed the most complete website in the industry for users to learn about security and what the results of the product mean.

Finally, the ease of use should not be misconstrued as the product being a "lightweight". Testimonials from security experts have validated our belief that we are second to none in the quality of our anti-hacker sensor technology. Our ease-of-use features mean that experts have easier access to the data they need, without the product getting in their way.

How much training and support does your company provide?
We have partners that supply training in the product. However, we believe that such training is not necessary.

How well does your IDS product integrate with vulnerability assessment products?
It is easy to turn off detection so that such products can run without causing undue false positives.

We are also working with the CVE database in order to integrate our knowledgebase with the most popular vulnerability assessment systems.

Finally, we have our own "production scanner" that runs slowly in the background on a continuous basis looking for changes in security vulnerabilities. This system integrates with the same ICEcap console that produces intrusion reports.

If you were to circumvent your own IDS product, where would you attack?
We don't currently know any such ways to completely circumvent the product. If I were to attack a corporation running our product, I would try extensive social engineering attacks or dumpster diving rather than go up against it. It is much like Home Alarm Systems -- it raises the level of difficulty and encourages the hacker to go elsewhere.

How much does it cost?
http://www.networkice.com/Products/pricing_corp.htm

Keywords: corporate, corporations, wide-spread deployment
Version: 1.8.5.5
Fixed:
Modified: 1999-10-04