RealSecure 1.0 for Windows NT

Monitor your network and protect it frommalicious attacks

Attacks on networks connected to the Internet are rampant and getting worse. People are continually discovering new ways to break into or disable Windows NT. You are justified in protecting your network, but you need tools to do the job. One gem of a network protection tool is RealSecure 1.0 for Windows NT, from Internet Security Systems (ISS).

You might think your network is protected adequately, but how do you know for sure? Do you know when someone is trying to break in or attack a network service? Maybe you monitor the attack logs that your security systems produce. Although monitoring system logs is a great practice, it doesn't stop attacks; it simply informs you that an intrusion occurred.

Not all security systems can recognize all forms of attacks. Frequently,you have to program a security system with information about an attack typebefore it can prevent or detect it. The security system you bought last yearmight not adequately handle this year's attack methods. The solution is to keepyour security systems up-to-date, a time-consuming but worthwhile effort.

Between updates to your security systems, RealSecure, a realtime networkattack recognition system, can help you monitor network security. RealSecurelooks at network traffic at the packet level (much like a network sniffer) anduses its built-in attack recognition logic and definable filtering rules todetermine whether the packets are potentially malicious. (RealSecure canrecognize more than 200 different system attacks.) Filter rules define theaction to take when RealSecure detects an attack. When it finds suspiciouspackets, RealSecure can record the date, time, source, and target of the event;record the event's content for session playback; notify administrators of theattack; or terminate the attack by killing the affected network sessions.Powerful stuff, to say the least.

Inside RealSecure
Let's take a quick look at RealSecure's components to see how they interact.RealSecure installs as an application console, a network service (which ISScalls an engine), and a custom packet driver that you load with yourother network protocols.

The RealSecure engine reads the packets as they arrive at the networkinterface from the packet driver. The engine compares the packets to establishedfiltering rules. If the engine finds a packet that matches a rule, the engine'sattack recognition logic parses the packet information. If the logic detects anattack, the engine takes an appropriate action as defined in the filteringrules. The engine also sends all packets that match the filters to the consolefor logging, reporting, session playback, or review.

Installation and Configuration
Installing the software is quick and painless. You need to install thesoftware on each segment that you want to monitor. You can load a packet driverand engine on an NT system residing on each remote segment and then load asingle centralized console on an NT system that collects data from the other RealSecure engines. If your network is simple (i.e., it uses only one network segment), you can load one copy of RealSecure on any NT box to monitor your entire LAN. Each console uses an authenticated and encrypted system-to-system session to talk with a remote engine. This process prevents any tampering with your RealSecure monitoring system's network traffic.

After you've installed RealSecure on each system, you fire each one up andconfigure it. Configuring RealSecure means defining which attacks or suspiciousactivity you'd like to watch out for (called filtering) and what to doabout a particular event when RealSecure detects it. For example, if yournetwork security policies disallow all inbound Telnet sessions and you'veadjusted your firewall to prevent them, you could configure RealSecure to watchfor inbound Telnet connections. If an intruder defeats your firewall andlaunches a Telnet session, RealSecure can detect the session, shut it downimmediately, and record a detailed log of what occurred during the session.

RealSecure can recognize hundreds of potential attack scenarios. Screen 1shows some predefined filter logic of the Maximum Coverage template; Screen 2shows some attack signatures used for detection in the attack recognitionportion of the engine. You can use the built-in templates or define your own.

After you configure the software, you assign your chosen filter profiles toeach engine on your network. To assign filters to an engine, right-click anengine listed in the Engine window, choose Properties, select a filteringprofile from the choices (as you see in Screen 3), and click Apply to Engine.The engines start up using the specified filters and begin acting as yournetwork watchdogs. You can manage all engines, local and remote, from onecentralized console, which simplifies management in a distributed environment.

RealSecure in Action
RealSecure's console is the central place where you review the capturedsuspicious network activity. As you see in Screen 4, the interface has fivewindows. In the left window, you can see a hierarchical view of the sourceaddress, the destination address, events, or actions taken on those events. Thiswindow's NT Explorer-style tree view provides an easy way to drill down to thecapture information. The three top windows on the right (High Priority, MediumPriority, and Low Priority) display each type of captured event according to itsdefinable priority level. The Engine window identifies the location of theengine and the template being used for monitoring.

Screen 5 shows a maximized view of the Medium Priority eventwindow. As you can see, RealSecure has captured many events that I defined inthe filters as being of medium concern to me. These events are mainly HTTP_Getrequests, the usual request a Web browser uses to retrieve a Web page.RealSecure captured the name of the engine reporting the event, the Web Getrequest, the user's IP address (source address), the destination address (my Webservers' addresses), the URL used to retrieve the document or file, and the timeand date. Ordinarily, you don't want to monitor every user retrieving simple Webpages from your server, but I do because my Web site has encountered suspiciousactivity in the past. Tracking all access might help me catch an intruderred-handed.

High-priority events are the most interesting. During my test, I launchedmany attacks (ping floods, SYN floods, IP spoofs, User Datagram Protocol bombs,and several other common intrusion attacks) on my systems to see how RealSecurewould react (as shown in Screen 6). As I expected, RealSecureimmediately detected my attacks, collected information about them for my review,and shut them down.

Another nice feature of RealSecure is its ability to capture and replayentire network sessions. For example, you can define a filter to track andcapture attempts to Telnet into your router or other systems. Later, you canreplay the session to see what the intruder was doing. You can use thesecaptured sessions as evidence against the would-be intruder if you prosecute.Really slick and greatly needed.

The software is robust and easy to use, and it has plenty of usefulfeatures. A report generator produces formatted reports. And the ISS supportteam does a fantastic job of answering your questions.

The second major release of RealSecure will contain new functionality suchas automatic attack logic updates over the Internet and the ability to pushRealSecure out to remote servers without special software such as Microsoft'sSystems Management Server (SMS). RealSecure runs on NT and on a variety of UNIXoperating systems, and the program can detect attacks against any operatingsystem using TCP/IP, not just NT.

I want to point out that someone could misuse RealSecure's power internallyto launch attacks against your network. For instance, just as you can useRealSecure or some other software to prevent users from surfing to certain Websites, disgruntled employees could use RealSecure to attack your network orwreak havoc on connecting networks. Treat the tool like any other sensitiveinformation or equipment: Limit access so that only trusted operators can get tothe RealSecure consoles. In the next version of RealSecure, ISS will add afeature that lets RealSecure detect other copies of RealSecure on the network;this feature will help control internal misuse of the software.

I'm impressed with this new product, and I feel much more secure about myLAN environment now that I have it installed and running. RealSecure is amust-have package for any serious network environment, especially if you'reconnected to untrusted networks such as the Internet.