One of the first things you notice when you start working with IDSes is that they produce a lot of data. In fact, this flood of data can be so overwhelming that the usefulness of products such as Snort can become questionable. Yes, you can eventually tune them so that they filter out some of the noise, but that can require an investment in staff hours nearly as vast as the deluge of data itself. And that's only one source. Add to this the streams of data from your firewalls, the log files from your servers, and reports from vulnerability management products and other network devices, and your management picture goes from being difficult to basically hopeless. Enter e-Security. The company -- and the product of the same name -- seeks to dam the flood and to filter it to retrieve only what's important and relevant. The result is a stream of information that gives you a real-time look at your security status. You can see instantly when an attack begins or when something goes wrong with your enterprise network. You can spot suspicious activity when it starts, and you can tell when someone is trying to hack your defenses or when a worm starts trying to spread.
Even better, it's smart enough to know when you're vulnerable to an attack and provides expert advice on security events and their resolutions.
Yes, it's a big product and there's a lot there. But then again, it has a big job to do. Yet despite the product's deep complexity, using it is extremely intuitive. It's clearly designed for use by busy IT managers who don't have the time or resources to dedicate a person to baby-sit it.
e-Security works by knitting several specialized pieces of the solution with your existing security devices -- such as firewalls, vulnerability scanners, and intrusion prevention systems -- to create a highly functional reporting fabric. Event information from the network reporting devices is sent to one of many available agents on what the company calls the e-Wizard server. Each agent is set up to receive information from a specific source. You can have as many e-Wizard servers as you need to cover your entire enterprise.
The e-Wizard server runs the event information through e-Security's correlation engine, which compares the results with other events to look for common threads. It also compares event reports against normal network activities to filter out routine stuff. Once that's done, the information is sent to the e-Sentinel server, which prepares the displays and makes detailed information available. e-Sentinel relies on event data stored in SQL form on the database server, which can be either Microsoft SQL Server or Oracle9i, depending on the platform you're using.
Despite the underlying complexity of e-Security, it was surprisingly easy to use. Information was presented clearly and logically, and using the console was intuitive. Even better, this product is scalable and can work with just about any solution that provides some sort of reporting capability. The e-Security engineers can create an agent for just about anything that they don't already have available, and that's all part of the included professional service.
A single security view
I tested e-Security at the University of Hawaii's Advanced Network Computing Lab. The product was provided on three servers sent over by e-Security, but by the time we'd finished setting up our reporting devices, the resulting deluge overwhelmed one of them. We substituted a Hewlett-Packard Co. ProLiant DL360 to handle the load. The price of e-Security includes installation, setup, and configuration by company engineers, so you get to pick the hardware platform. Just be aware that if you have a large enterprise, you'll need something fairly capable.
The products sending event information to e-Security in my test included the Snort IDS, an Ingate firewall, eEye Digital Security Inc.'s Retina vulnerability scanner, some Red Hat Inc. Linux and Windows 2003 servers (those devices sent Syslog reports), and the SNMP and Syslog data from a group of IP PBXs that were undergoing testing at the same time. During this test, we also started up a test of TippingPoint's intrusion prevention system.
When everything was installed, I let it run for a couple of days to collect data. During this time, the network experienced a significant number of penetration attempts from hackers and worms that reached the Ingate firewall. Ingate reported these events, which were displayed graphically on the e-Sentinel management screen.
Snort, meanwhile, reported through the management console nearly everything that happened on the network, accurately picking up such details as IM communications to suspicious locations. (Some of the e-Security people were checking in with the engineer while they were traveling.) We had e-Security report on the country of origin for each potential threat, just to see where everything was coming from. With e-Security, it was easy to assess the security state of the network. Rather than bouncing between the various security products, I was able to get all the information from one easy-to-understand display.
e-Security demonstrated its security savvy when Contributing Editors Oliver Rist and Brian Chee kicked off the TippingPoint test. This resulted in a scan of the items on the network, prompting Snort to report a series of intrusion events. At the same time, other devices on the network also reported the IPS scan. Initially, we thought a worm was causing the sudden influx of traffic. But e-Security received the reports from around the network, put two and two together, and correctly reported the TippingPoint scan as the culprit.
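The correlation step described earlier (agents normalize each device's events, the engine looks for common threads and filters out routine activity) and the TippingPoint episode above can be sketched in a few lines. This is an added example, not e-Security's code: the Snort, firewall and server log formats, the IP addresses, the baseline host and the registered-scanner list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events, one list per sensor type. The formats are illustrative only.
SNORT_ALERTS = [
    "[**] [1:1228:7] SCAN nmap XMAS [**] 10.1.1.7:44321 -> 10.1.2.10:22",
    "[**] [1:1418:11] SNMP request udp [**] 10.1.2.40:161 -> 10.1.2.11:161",
    "[**] [1:2000:1] CHAT IM login [**] 10.1.2.50:5190 -> 198.51.100.8:5190",
]
FIREWALL_SYSLOG = [
    "Jun 12 10:01:02 ingate fw: DROP src=10.1.1.7 dst=10.1.2.12 dpt=443",
    "Jun 12 10:01:03 ingate fw: DROP src=203.0.113.9 dst=10.1.2.12 dpt=445",
    "Jun 12 10:01:04 ingate fw: ACCEPT src=10.1.2.40 dst=10.1.2.12 dpt=161",
]
SERVER_SYSLOG = [
    "Jun 12 10:01:05 web01 sshd[412]: Failed password for root from 10.1.1.7 port 44321",
]

# Per-format source-address extractors: this is the "agent" job of normalizing raw events.
SNORT_RE = re.compile(r"\*\] (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> ")
SYSLOG_RE = re.compile(r"(?:src=|from )(?P<src>\d+\.\d+\.\d+\.\d+)")

# Hosts whose chatter is normal on this network (the routine activity to filter out) and
# assets that are expected to scan; both are constructed for the example.
BASELINE = {"10.1.2.40"}                      # SNMP poller
KNOWN_SCANNERS = {"10.1.1.7": "IPS appliance under test"}

def normalize(sensor, line):
    """Reduce one raw event line to (sensor, source_ip); None if no source can be parsed."""
    m = (SNORT_RE if sensor == "snort" else SYSLOG_RE).search(line)
    return (sensor, m.group("src")) if m else None

def correlate(events, baseline=BASELINE, min_sensors=2):
    """Group events by source and keep sources reported by >= min_sensors distinct sensors."""
    seen_by = defaultdict(set)
    for sensor, src in events:
        if src not in baseline:
            seen_by[src].add(sensor)
    return {s: sorted(v) for s, v in seen_by.items() if len(v) >= min_sensors}

def explain(correlated, scanners=KNOWN_SCANNERS):
    """Attach a verdict: a registered scanner gets named, anything else stays suspicious."""
    return {s: scanners.get(s, "unknown source, possible worm or intruder") for s in correlated}

def run(streams):
    """streams: {sensor_name: [raw lines]} -> (correlated sources, verdict per source)."""
    events = [e for s, lines in streams.items() for e in (normalize(s, ln) for ln in lines) if e]
    hits = correlate(events)
    return hits, explain(hits)
```

With the three sample streams, only 10.1.1.7 is reported by more than one sensor, the SNMP poller is suppressed by the baseline, and the correlated source is attributed to the registered IPS rather than to a worm.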
Overall, I was impressed by e-Security; it makes sense out of the overwhelming flow of information that otherwise spews forth from your IDS and other enterprise devices. In short, it takes devices that are otherwise marginal at best and makes them useful, even vital, to your overall security. -- InfoWorld (US)