Internet.com ISP-Planet

 



Intrusion Detection Systems:
NFR Security

With a focus on flexibility, scalability, and interoperability, NFR offers a wide range of IDS software and appliances that are both affordable and easy to deploy.

by Jeff Goldman
[March 13, 2002]

NFR Security was founded in 1996 by current Chief Technology Officer Marcus Ranum as a research enterprise focused on developing best of breed intrusion detection software. The software produced was originally made available for free on the Internet—though, as Chief Executive Officer John Reis recalls, Ranum soon realized that there were more profitable ways to handle things.

"He decided that there was more prudence in commercializing than there was in freeware, and so he put the first commercial version of the product in the marketplace in late '98," Reis said. "A year later, he was advised by some folks who had been providing casual funding to the organization that it might be wise to get serious about this and build a team that could make a significant difference in this space."

NFR Security
5 Choke Cherry Road Suite 200 Rockville MD 20850
Voice: (800) 234-8419
E-mail: info@nfr.com


Reis joined the company in 2000 to help expand its vision—and last December, NFR's acquisition of CyberSafe Corporation's Centrax IDS product line broadened the company's offering. "Most of our competitors offer point solutions," Reis said. "Network based intrusion detection is a point solution: it's one part of the puzzle. Our vision is what we call intrusion management."

The intrusion management concept, Reis explains, comes down to a specific set of priorities before and after an attack. As a preventative measure, good security policies are key. "That relates to software configurations, password policies, things of that nature," Reis said. "You can engage technology to aid you in establishing policy, and that's one of the components we offer today."

The other priority in terms of prevention is vulnerability assessment. "Most intrusion detection products alert on any attack whether or not you're vulnerable to it, because they don't know otherwise," Reis said. "But when you combine exposure assessment with detection, you can more intelligently alert. One of our differentiators is that we get high marks for generating the fewest false positives in the industry."

After an attack has taken place, the focus is on assessment: looking at what damage has occurred, what changes can be made to prevent such attacks in the future, and whether or not prosecution is merited. "We have technologies that play in most of these areas today, and in the areas that we don't, we're either building those or looking to acquire them," Reis said.

Known vulnerabilities
NFR's IDS solutions include network-based software products and appliances, a host-based product, and a management console. Reis suggests that the network-based product's greatest strength is the thoroughness of its packet inspection. "Most folks just do a fairly simple pattern matching technique," he said. "We also perform full protocol assessment, which means we can find attacks even before they're publicly known."

The company's Rapid Response Team searches for new vulnerabilities and constantly updates NFR's signature base. "They build new signatures and put them on our web site, and they're instantly deployable by our customers," Reis said. "At the end of the day, the way you handle data is the big area of differentiation in the market, and we think we're well down that road with the Rapid Response Team."

The signatures that are deployed, Reis adds, are made available in full open source. "I don't believe any of our competitors do that," he said. "It means you can get full exposure to the entire signature base; you can customize them, deploy or not deploy, create your own, whatever you like. And that can help you to minimize false positives, because every environment is a little bit different."

Like the network-based product, NFR's host-based IDS is also focused on providing thorough inspection. "It combines policy management, security auditing, and kernel log analysis," Reis said. "Unlike other products, which, for example, would look at syslog and Windows event logs, we go right to the kernel logs, where the information is more specific and gives you more meaningful results."

NFR's management console, Reis says, affords users great flexibility. "We have a highly granular privileges capability, so you can assign users various privileges that could span from view-only to full control of the system," he said. "And we have a prioritization scheme that allows a user to literally turn a knob to determine the level of severity he sees."

What that means is that an analyst can easily adjust the view at any given moment. "If you're overwhelmed at the moment because there's a large amount of activity going on, you can say, 'Show me only the severe alerts, the ones that need my attention,'" Reis said. "In lighter times, you might want to say, 'Show me all the traffic,' and it will do that as well."

Rapid response for ISPs
NFR is actively courting ISP customers, and a case study is available on the company's Web site. It describes an anonymous ISP's implementation of NFR's network-based IDS appliances on a global network. According to the case study, the key differentiators for the solution were its support, scalability, and the efficiency of the Rapid Response Team.

In addition, Reis says, the ease of deployment is a huge selling point for the product. "From an ISP's point of view, thinking about deploying this on behalf of a customer, the method of deployment couldn't be simpler," he said. "They can literally just put the thing in a box and ship it to a customer, tell them to turn it on, and the information can be fed directly back to them."

And that solution will work comfortably with an ISP's other offerings. "We recognize that we're not the only player on the planet, so it's key to be able to interact with competing technology," he said. "For customers who prefer to manage their security environment from their already-installed open management platform like a Tivoli or an HP OpenView, we have full certification for both of those platforms."

NFR's software-only network-based IDS product lists at $4,500, while the basic appliance lists at $12,500. The host-based IDS starts at $800, though the price can go down considerably depending on the quantity ordered. "It really ranges, because the quantities can be so large," Reis said. "We've got quotes out for 14,000 to 20,000 copies."

Ultimately, Reis suggests, NFR has the bases covered in all areas of concern to an ISP. "The thoroughness of packet inspection and the comprehensive nature of the offering, combined with its scalability, make it very attractive from an ISP's point of view," he said. "And the software product prices at the lowest range of any product in the marketplace today."

— End
