April 01, 2003
A very user-friendly, flexible and powerful reporting engine.
Advice when double-clicking on an alert could be more helpful.
Offering one of the most scalable IDSs on the market, the NID-300 is easy to configure and manage.
This is a network-based IDS, supplied as an appliance. There are four versions of the NID-300 series - the difference being in the number and speed of the Ethernet interfaces. The top-of-the-range model has two 10/100Mbit and two gigabit network interfaces. One of these interfaces is always reserved for management, but the remainder can be used for monitoring. In this way, a single NID-300 can monitor load-balanced or failover WAN connections. By separating the management and monitoring interfaces, NID-300 can operate in stealth mode, as the monitoring interface does not respond to any network traffic or requests from any service on the monitored network.
NID-300 uses signature analysis and stateful protocol analysis to detect known attacks, plus anomaly detection to identify buffer overflows, polymorphic shell code attacks, and denial-of-service attacks. It also reassembles packet fragments to combat IDS evasion techniques, such as fragroute. There is a database of attack signatures built in, and this can be updated periodically from NFR.
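To make the fragment-reassembly point concrete, here is a small added example (written for this review, not NFR's software) of what a sensor has to do before signature matching can work: a signature split across two IP fragments never appears in any single fragment, and only shows up once the datagram is reassembled. It also shows why the sensor's handling of overlapping fragments matters, since hosts differ in whether the first or the last copy of an overlapping byte wins. The signature, fragments and offsets below are all constructed; real IP expresses offsets in 8-byte units, but plain byte offsets are used here for readability.

```python
"""Minimal IP-fragment reassembler with a signature check (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int            # byte offset of this payload within the original datagram
    payload: bytes
    more_fragments: bool   # the IP "MF" flag: False marks the final fragment


def reassemble(fragments: List[Fragment], overlap_policy: str = "first") -> Optional[bytes]:
    """Rebuild one datagram from its fragments.

    overlap_policy == "first": bytes that arrived first win in any overlap
    (BSD-style).  overlap_policy == "last": later fragments overwrite earlier
    ones (Linux-style).  A sensor must use the policy of the hosts it protects,
    otherwise it sees a different byte stream than the destination does.
    Returns None when the datagram is incomplete (a gap, or no final fragment).
    """
    buf = bytearray()
    filled = bytearray()          # 1 at every position that has been written
    total_len = None
    for frag in fragments:
        end = frag.offset + len(frag.payload)
        if end > len(buf):        # grow both buffers to hold this fragment
            buf.extend(b"\x00" * (end - len(buf)))
            filled.extend(b"\x00" * (end - len(filled)))
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if filled[pos] and overlap_policy == "first":
                continue          # keep the byte that arrived first
            buf[pos] = byte
            filled[pos] = 1
        if not frag.more_fragments:
            total_len = end       # the final fragment fixes the datagram length
    if total_len is None or len(buf) != total_len or not all(filled):
        return None               # missing final fragment, stray data, or a gap
    return bytes(buf)


SIGNATURE = b"BADSIG"             # constructed sample signature


def matches_per_fragment(fragments: List[Fragment], signature: bytes = SIGNATURE) -> List[bool]:
    """What a sensor without reassembly would see: one verdict per fragment."""
    return [signature in f.payload for f in fragments]


def matches_reassembled(fragments: List[Fragment], signature: bytes = SIGNATURE,
                        overlap_policy: str = "first") -> bool:
    """What a reassembling sensor sees: one verdict for the whole datagram."""
    data = reassemble(fragments, overlap_policy)
    return data is not None and signature in data


# Constructed sample traffic.  The signature straddles the fragment boundary.
SPLIT_FRAGMENTS = [
    Fragment(0, b"normal text BAD", True),
    Fragment(15, b"SIG trailing", False),
]
# Overlapping fragments: bytes 4..7 are sent twice with different content.
OVERLAP_FRAGMENTS = [
    Fragment(0, b"ABCDEFGH", True),
    Fragment(4, b"xyzw", True),
    Fragment(8, b"IJ", False),
]
# A datagram with a hole at bytes 2..3.
INCOMPLETE_FRAGMENTS = [
    Fragment(0, b"AB", True),
    Fragment(4, b"CD", False),
]

if __name__ == "__main__":
    print("per-fragment verdicts:", matches_per_fragment(SPLIT_FRAGMENTS))
    print("reassembled verdict:  ", matches_reassembled(SPLIT_FRAGMENTS))
    print("overlap, first wins:  ", reassemble(OVERLAP_FRAGMENTS, "first"))
    print("overlap, last wins:   ", reassemble(OVERLAP_FRAGMENTS, "last"))
    print("incomplete datagram:  ", reassemble(INCOMPLETE_FRAGMENTS))
```

The split case is the one the review refers to: neither fragment matches on its own, the reassembled payload does. The overlap case shows the second half of the problem, which is that a sensor and a host applying different overlap policies reconstruct different bytes from the same fragments, so the reassembly policy is a configuration decision rather than a detail.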
NID-300 is particularly tamperproof because, although the appliance contains a hard disk for storing alerts and events, the OS and software are not loaded onto that hard disk. At boot-up, it loads the hardened UNIX OS and application software directly from the read-only environment of a CD. Configuration information is loaded from a floppy disk, which can also be write protected.
There is a Central Management Server (CMS), which runs on RedHat Linux 7.3 or Sun Solaris 2.7 and 2.8. It runs on a separate hardware platform from the NID-300. The CMS provides configuration data for each NID sensor, and processes the alerts generated by the sensors. It can automatically request Check Point VPN-1/Firewall-1 to take specific actions when certain types of attack are detected. Two CMSs can be set up to provide redundancy, if required.
The Administration Interface is the GUI used to define security policy and control the sensors, as well as to view alerts, but it does not communicate directly with the sensors - it does so via the CMS. The Administration Interface also controls how often log files are collected, and how frequently reports are run. It runs on a Windows NT/2000/XP workstation, and is easy to install from the supplied CD-ROM.
There are four types of alert: informational indicates that a routine system event has occurred; warning means that something unusual happened; error indicates that something is degrading the ability to collect information; and attack means that a potential threat occurred. Rules can be set up to take action automatically based on alerts, but this relies on non-NFR programs. It also integrates with IBM Tivoli, Arcsight, and HP Openview, and can generate SNMP traps automatically. Filters can be used to sort and prioritize alerts.