Few would argue that prevention is the best form of network security. Certainly not the Datamation readers who supported NFR Security’s Sentivist IPS as the winner in the Product of the Year 2005 Enterprise Security category.
Sentivist turned back a strong challenge from Digital Defense Inc.’s Frontline 3.0 subscription-based vulnerability testing tool. Other finalists were Britestream Networks’ BN1010, SecureWave’s Sanctuary Device Control and PivX Solutions Inc.’s Qwik-Fix Pro Enterprise.
For Brian Philips, director of technical operations at Network Systems Technologies, a systems integrator and managed services provider in Chicago, Sentivist IPS filled a gaping hole in his network.
“There are a lot of things that will slip through a firewall or defeat anti-virus software,” Philips says. “So you need a strong defense-in-depth strategy.”
But he says that when he looked to add another layer of protection in the form of intrusion prevention to his network, he was concerned about the possible ramifications.
“Security of this type is a fine line, Philips says. “You don’t want to negatively impact the user.”
Many of the products he evaluated before choosing Sentivist IPS required a long cycle of monitoring logs and fine-tuning configurations to make sure that good traffic wasn’t blocked.
With Sentivist IPS, he says that time has been cut from a month to a week. He credits a tool called “Confidence Indexing” for this. Philips says the Confidence Index lets IT groups mark traffic they think is real and apply that information in real time rather than wait for the next log update. This avoids the problem of false positives.
Pete Anderson, CIO at Computer Systems Center Inc. in Springfield, Va., is also a fan of the Confidence Indexing feature. As a defense systems contractor for agencies such as the Department of Defense, Anderson says he needs an airtight network for the 80 servers and 200 users distributed between his three sites in California, San Diego and Virginia.
“We needed security for our points of entry beyond just a firewall,” he says. “We needed to make sure things weren’t slipping through.”
Anderson credits NFR for its agility with the Sentivist IPS product. “Because NFR is a smaller company, they are more flexible,” he says. Anderson adds this flexibility has allowed his team to integrate Sentivist directly with the firewall and enterprise management system. Like Philips, Anderson tested a dozen products before settling on NFR’s intrusion prevention offering.
“If we see an intrusion or a potential intrusion, we dynamically change policy on the firewall — that’s not something that other products let you do. The others we looked at had static rule sets,” he says.
Anderson says such changes occur in near real-time. He’s clocked them at less than three seconds from detection to router configuration change to firewall configuration change to alert notification. In fact, when an intrusion is detected, an alert is sent in near real-time to his internal system administration team so they can start collecting audits related to the intrusion.
“You can’t get much closer to real time than that,” he says.
The automation takes pressure off his small staff of six — three systems administrators and three help desk workers.
He also depends on the interoperability of the system to work with his firewalls (from Cyberguard and Secure Computing) and enterprise management system (Computer Associates’ Unicenter).
Finally, Anderson says the clincher for him in deciding on the NFR system was its ease of use.
“We were able to bring the CD and appliance in and within 24 hours have the system up and running and actually start analyzing data,” he says. Other systems, according to Anderson,required at least two weeks of configuration.
Some other features that caught readers’ attention are Sentivist’s flexibility to switch between intrusion detection and intrusion prevention modes; its ability to quarantine attackers in real time; and its unified console that allows for management of the enterprise from a single point.