Enterasys Dragon Intrusion Detection System
Overview
Enterasys Networks provides world-class
infrastructure solutions for today's Global 2000 enterprises
driving the critical Security, Productivity and Agility
customers require for a distinct competitive edge. By
optimizing our solutions to support converged resources,
Enterasys builds a solid end-to-end foundation for the
seamless deployment of emerging business applications.
Flexible and highly manageable, Enterasys solutions
scale to meet changing customer demands while protecting
investments and lowering cost of ownership.
Few vendors can match the breadth and
depth of Enterasys' product line. But it goes beyond
products. The Enterasys business approach includes adhering
to industry standards so you're not locked into one
vendor--your investments remain intact. Indeed, we partner
with other industry leaders to ensure the successful
integration of business-enhancing applications, from
VoIP and videoconferencing to cutting-edge CRM.
Enterasys also offers comprehensive
best-in-class services to fully support your enterprise
for the full network lifecycle--from design and implementation
to 24x7 response and future enhancements. Enterasys'
roots are founded in delivering the very best customer
service and that will never change as we extend this
expertise and commitment to our channel partners.
As a global technology leader with
more than 15 years of experience and over 750 patents,
Enterasys Networks has provided Business-Driven Networks
to some of the world's most successful companies, including
many of the Fortune 500. Enterasys and Computrad can
do the same for you.
Dragon Family
Designed specifically to meet
the unique security requirements of the enterprise
environment, Enterasys Dragon Intrusion Detection
System offers comprehensive features that bring
improved security to the enterprise. Only Dragon,
with its unique network-based detection capabilities,
modular host intrusion detection components, server
management, and event management provides a reliable
solution for detecting the broad array of attacks
present in today's constantly changing security
landscape.
Enterasys Dragon Enterprise Management Server
Dragon Enterprise Management Server
is made up of a number of highly integrated technologies.
Web based and centralized, Policy Management tools offer
enterprise-wide management of small and large-scale
Dragon deployments. Dragon Policy Manager provides centralized
management of the Dragon Network and Host Sensors, while
Alarmtool offers centralized alarm and notification
management.
A centralized collection of all security
information, Security Information Management applications
provide monitoring, analysis, and reporting of security
events across the enterprise.
Finally, Event Flow Processors collect
and analyze logs from firewalls, routers, switches,
applications and even third-party intrusion detection
systems for log aggregation, analysis and event forwarding,
providing for highly scalable and flexible architectures.
Features & Benefits
- Web-based management interface allows platform-independent
administration of the IDS system from any browser
- Continuous signature updates ensure customers are
covered, even from the most recent attacks
- System-level management enables all network or host
sensors to be configured and updated simultaneously
with new configuration parameters or signatures
- Custom signature development allows customers to
create their own signatures to detect whatever events
are most critical to each environment
- Usability tools, such as Wizards, guide the user
through many configuration and administrative tasks,
making management of the IDS system much easier
- Vulnerability correlation with Nessus allows a proactive
approach to implementing an effective IDS solution
by identifying the vulnerabilities applicable to each
environment
- Event analyzer allows the customer to view events
in either real time or from a historical perspective,
to maintain a clear understanding of the state of
the security system
- Management reports offer easy-to-understand aggregated
data on the events detected, and the timeframe of
detection
- Real-time monitoring allows events to be viewed
as they occur, providing an understanding what may
have changed, or what is happening at that moment
within the security system
- Session reconstruction allows the user to view the
entire session related to an event, including the
packets involved
Enterasys Dragon Network Sensor
A sophisticated appliance-based network intrusion detection
system (NIDS), the Dragon Network Sensor identifies
misuse and attacks across the network.
Placed at network aggregation points, the Dragon Network
Sensor is unmatched in detecting intrusions via signature,
protocol, and anomaly-based techniques. These multi-method
detection techniques, combined with an extensive signature
database and false-positive tuning capabilities, ensure
that no intrusion goes undetected.
With Dragon Network Sensor software licensing, customers
can license Network Sensor based on their unique requirements, for
50 Mbps, 200 Mbps or unlimited bandwidth, providing a
competitive price-to-performance ratio.
Dragon Network Sensor is centrally managed via Dragon
Enterprise Management Server, which provides signature
and configuration updates, as well as reporting and
event management.
Features & Benefits
- Open tunable signatures allow implementation and
modification of a set of signatures designed to detect
the attacks that apply to each unique environment;
adapt to new attacks or events very quickly, without
depending on vendor updates
- Multi-interface monitoring combines multiple network
interfaces into a single traffic stream for analysis,
enabling monitoring via a dual-tap solution, without
a switch
- IP defragmentation and TCP/UDP stream reassembly
identifies attackers who attempt to evade
an IDS via IP fragmentation and TCP/UDP stream disassembly
- Protocol decoding identifies attackers who attempt
to hide an attack with an application protocol by
decoding these attempts for most commonly targeted
servers including HTTP, FTP, Telnet and more
- IDS DoS countermeasures defeat tools such as "stick"
and "snot" that attempt to DoS an intrusion detection
system
- Event sniping terminates an attack session via a
TCP reset or ICMP unreachable message, stopping the
attack before real damage can occur
- Probe prevention defeats or confuses many scanning
techniques by issuing false responses to the probe,
misleading attackers about the true nature of the
network and/or target system
- Application-based event detection detects non-signature
based attacks against commonly targeted applications
including HTTP, RPC, and FTP
- 802.1Q VLAN decoding decodes and monitors 802.1Q
VLAN traffic
- Backdoor and rogue server detection detects backdoors
and rogue servers using varied techniques, including
protocol analysis, session analysis, and ICMP traffic
profiling
- Session VCR collects all session information for
services such as HTTP, FTP, and POP, and/or certain
IPs or networks, valuable in collecting forensic information
about known or suspected misuse on the network
- Virtual Honeypot detects attempts to connect to
hosts and services that do not exist, valuable in
identifying someone probing the network in an attempt
to find vulnerable systems
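An added illustration (not code from Dragon or Enterasys) of why the stream reassembly feature above matters: a signature that is easy to match in a whole request is invisible to a detector that only looks at one segment at a time. The request, the signature and the minimal `Segment` model are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sensor would see it (hypothetical minimal model)."""
    seq: int        # sequence number of the first payload byte
    payload: bytes


# Constructed signature for illustration, not a Dragon signature: a
# directory-traversal request for /etc/passwd.
SIGNATURE = re.compile(rb"\.\./\.\./etc/passwd")

ISN = 1000  # constructed initial sequence number of the sample connection
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n"


def sample_segments():
    """Constructed capture: the request split into 8-byte segments, delivered
    out of order, with one exact retransmission and one overlapping one."""
    chunks = [Segment(ISN + i, REQUEST[i:i + 8]) for i in range(0, len(REQUEST), 8)]
    overlap = Segment(ISN + 12, REQUEST[12:20])
    return [chunks[2], chunks[0], chunks[1], chunks[1], overlap, chunks[3]]


def match_per_packet(segments):
    """Naive detector that inspects each segment on its own; the split
    request never shows the whole pattern inside a single segment."""
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]


def reassemble(segments, isn):
    """Rebuild the byte stream in sequence order, dropping retransmitted data,
    trimming overlaps and stopping at the first gap (a sensor would buffer
    and wait for the missing segment rather than guess)."""
    expected = isn
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue            # nothing new in this segment
        if seg.seq > expected:
            break               # hole in the stream
        stream += seg.payload[expected - seg.seq:]
        expected = end
    return bytes(stream)


def match_reassembled(segments, isn):
    """Detector that matches against the reassembled stream."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None
```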
Dragon Host Sensor
A host-based intrusion detection tool, Dragon Host
Sensor monitors individual systems and applications,
including today's most common operating systems, for
evidence of malicious or suspicious activity in real
time, and monitors key system logs for evidence of tampering.
Dragon Host Sensor may be deployed on a protected host
or on a dedicated analysis system where logs are forwarded
and aggregated via SNMP or syslog.
Dragon Host Sensor uses a variety of techniques to
detect attacks and misuse on a protected system, including
analyzing the security event log, checking the integrity
of critical configuration files, or checking for kernel
level backdoors. This hybrid approach ensures that no
misuse goes undetected.
Centrally managed via Dragon Enterprise Management
Server, Dragon Host Sensor also reports all information, including
event description, source/destination IP, source/destination
port, raw log (if applicable) and timestamp, to the Security
Information Management functionality within Dragon Management
Server for forensic and trend analysis.
Features and Benefits
- File attribute monitoring monitors specific file
attributes such as owner, group, permissions and file
size
- File integrity checking (MD5) monitors files to
determine if content has been changed via MD5, to
ensure that sensitive files, which should not be modified,
have not been modified
- Log file analysis analyzes any file-including the
system log, security log, or the log of a custom-built
application-against a signature policy
- SNMP and syslog analysis analyzes events sent via
SNMP or syslog, critical in monitoring the security
of systems, such as routers and legacy systems or custom
applications, where Host Sensor cannot be installed
- Windows event log analysis monitors the various
Windows event logs for signs of misuse or attack
- Windows registry analysis analyzes the Windows
registry for attributes that should not be accessed
and/or modified, essential in identifying attacks
against often-targeted Microsoft servers
- TCP/UDP (backdoor) service detection monitors for
opened TCP and UDP ports, providing critical protection
against backdoor services, which can be used to allow
unauthorized access through the firewall or act as
a staging point for a distributed denial of service
or outright attack
- Rootkit detection monitors a system for existing
or new rootkit installations, an absolute requirement
in identifying compromised systems before an attacker
is able to completely cover their tracks
- Kernel monitoring detects suspicious privilege escalations
and other anomalous kernel-level activity
- Custom module interface provides an open and easy
interface for custom module development, allowing
the customers to write their own modules for
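An added example, not the Host Sensor's own code, of the file attribute monitoring and MD5 integrity checking listed above: a baseline of owner, group, permissions, size and digest is recorded, then compared after a same-size edit (which only the digest catches) and a deletion. File names and contents are constructed.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Attributes the Host Sensor description lists: owner, group, permissions,
# size, plus an MD5 digest of the content (MD5 is what the page names; a
# current tool would use SHA-256, the comparison logic is identical).
def snapshot(path):
    st = path.stat()
    return {
        "owner": st.st_uid,
        "group": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "md5": hashlib.md5(path.read_bytes()).hexdigest(),
    }

def baseline(paths):
    """Record the known-good state of each file (the sensor's stored baseline)."""
    return {str(p): snapshot(Path(p)) for p in paths}

def check(baseline_db):
    """Re-read every monitored file and return (path, attribute, old, new)
    events for each attribute that differs from the baseline; a file that
    has disappeared yields a single 'missing' event."""
    events = []
    for name, old in baseline_db.items():
        p = Path(name)
        if not p.exists():
            events.append((name, "missing", old, None))
            continue
        new = snapshot(p)
        events.extend((name, a, old[a], new[a]) for a in old if new[a] != old[a])
    return events

def demo():
    """Constructed scenario: baseline two files, then overwrite one with a
    same-length edit (size unchanged, only the digest moves) and delete
    the other. Returns (file name, changed attribute) pairs."""
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d) / "app.conf"
        log = Path(d) / "old.log"
        conf.write_bytes(b"listen_port = 8080\n")
        log.write_bytes(b"boot ok\n")
        db = baseline([conf, log])
        conf.write_bytes(b"listen_port = 8081\n")  # same size, new content
        log.unlink()
        return [(Path(n).name, attr) for n, attr, _, _ in check(db)]
```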
Differentiators
Advanced Agent Architecture
Using a highly scalable and flexible architecture
where functionality is delivered in the form of modules,
Dragon Host Sensor lets customers implement modules
on an as-needed basis. With support for custom module
development, new product functionality can be brought
to market more quickly while protecting existing investments.
Firewall Monitoring and Application-Level Intrusion
Detection
Dragon Host Sensor is able to monitor and analyze the
output from most commercial firewalls, routers and switches.
Correlating events from these devices and from Dragon
Network and Host Sensors is critical in identifying
which events are the most serious, as well as understanding
their origin and impact. In addition, Dragon Host Sensor
monitors the most commonly attacked applications, such
as DNS servers, mail servers, and web servers, including
Microsoft IIS. Dragon Host Sensor can also monitor a
local system for new services, which is essential in
identifying backdoors or unauthorized applications that
may have been installed via an "out-of-band" attack
or worm.
Deceptive "Honeypot" Services
Using non-conventional techniques to identify attempted
intrusions or general misuse, the host sensor can be
installed on a dedicated system to create a "honeypot"
server designed to entice an alarm on attempted intrusions
by simulating a fake web server, telnet server, or mail
server.