Product Information

QVISION 2.0

starstarstarstarstar

March 25, 2004
Vendor:

Q1 Labs

Product:

QVISION 2.0

Price

$25,000 for basic system

RATING BREAKDOWN

  • Features:
    starstarstarstarstar
  • Ease of Use:
    starstarstarstarstar
  • Performance:
    starstarstarstarstar
  • Documentation:
    starstarstarstar
  • Support:
    starstarstarstar
  • Value for Money:
    starstarstarstarstar
  • Overall Rating:
    starstarstarstarstar

QUICK READ

  • Strengths:

    Real-time performance monitoring in graphical form, with plenty of options.

  • Weaknesses:

    : A report generator would be nice.

  • Verdict:

    : This is a useful and versatile system that should be given serious consideration.

If a picture is really worth a thousand words, then QVISION's real-time graphs speak volumes. The QVISION system is a network security monitoring system with a difference. Unlike its automated cousins, this system puts humans back in the loop with its real-time monitoring and display capabilities.

Network performance is displayed in regularly updated graphs, which are easier to interpret than voluminous log files. Historical performance data is invaluable, especially when planning network changes, but real-time performance displays give you the chance to react to situations as they occur.

Of course, few system administrators have the time or inclination to sit and stare at real-time displays for hours at a time, so QVISION has provided ways to make monitoring possible without causing terminal boredom and hallucinations in its users.

The information is selected and displayed using a normal web browser, and the data can be routed to various users according to their responsibilities.

Any compatible web browser can be used, although if Internet Explorer is used, it should be version 5.5 or above. The display can also be embedded as an Active Desktop item if desired.

It is possible to set monitoring parameters, called "Sentries," on selected items. The idea of Sentries is similar to the facilities offered by process control and monitoring systems, where data is checked in real-time against pre-set levels and alarms are triggered when the levels stray outside these limits.

The system is provided with a basic set of Sentry parameters that define known security issues that it can match against network usage over a period of time, alerting the administrator if it detects one.

Further alert conditions can be defined to suit individual network conditions and policies. The system is then "aware" of the way the network ought to behave, and so it can react to situations that would not necessarily trigger a response in other monitoring systems. In this way, it combines the advantages of automatic monitoring with the insight and recognition of trends that humans can have.

Network activity is monitored in various ways, based on packet header information, and it is displayed in various types of views. There are views for several types of network activities, and each type of view has layers. Layers can be used to refine the view by altering the type of data displayed and the way it is displayed. The predefined views enable the administrator to monitor local and remote network activity, applications and ports.

Traffic can be monitored by protocol type; up to 131 types including TCP/IP, UDP and ICMP, and by a "flow type" based on the ratio between inbound and outbound traffic.

TCP flags can also be monitored. There are only a few valid combinations of these flags, and although a strange combination may simply be the result of poor programming practice, it could easily be part of a stack fingerprinting exercise, which is usually a prelude to an intrusion attempt. There are even views that can be used to monitor the traffic's country of origin.

Views can be combined to create new views. These views can also have Sentry alerts applied to them. When an administrator is made aware of a change, perhaps during routine monitoring or because of a Sentry alert, the system can be used to home in on the cause. The administrator can examine past performance figures and compare them with the current situation, from the high level down to individual IP addresses.

An individual device can be "tracked" (monitored on a temporary basis) to check its behaviour. Once the cause is identified, it becomes possible to take the appropriate action to resolve it.

Because the system monitors traffic flow on the network, it can just as easily detect exploits from within the enterprise as well as external intrusion attempts.

Performance anomalies can just as easily be caused by an unauthorised games server set up by users as by an external denial-of-service (DoS) attack, but QVISION will respond in either case.

Its ability to resolve data down to an individual IP address can help to distinguish between genuine misuse of resources and innocent but unexpected activity, such as a user who e-mails large documents to all the other members of their department, saving paper, but inadvertently triggering an alert. It could also help to discover the old file server that everyone has forgotten about.

Apart from its primary use as a security monitor, it can be used for other, no less valuable purposes. It can be used as a general network performance monitor that can help identify network performance problems and monitor the results of changes, and to assess the effectiveness of other security systems on the network, such as firewalls.

Although QVISION is a real-time monitor, it does have reporting facilities. It is possible to print display data from the browser or to save it in CSV format for processing at a later date.

QVISION can also work with other security products, including Intrusion Detection Systems such as Snort.

The system runs under Red Hat Linux, and can be installed on any system that meets its requirements. However, Windows users need not worry since the product is also available as a complete network appliance, so no Linux knowledge is required.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US