Sentivist to get dynamic shielding capabilities

12.04.2005
By Ee Sze

NFR Security Inc. will be incorporating the ability to discover new applications on the network and to dynamically shield the system from attacks in the next version of its Sentivist intrusion detection and intrusion prevention offerings, scheduled for release in July. The company will also be releasing multi-gigabit capable offerings during the same time frame.

Discussing the NFR technology roadmap during a recent visit to Singapore, president and chief executive officer Andre Yee pointed out that changes in the enterprise drive security exposure. "In most organizations, changes that occur in the network fly under the radar of the security administrator. For example, someone brings in a P2P tool like Kazaa or any file sharing application and starts using it, and often the security administrator is the last person to know. If he is not aware of it, he cannot address it."

This is why NFR will be incorporating the open source vulnerability scanner Nessus in its Sentivist offerings, so that the intrusion detection system (IDS)/intrusion prevention system (IPS) will be able to adapt its tuning parameters based on the vulnerability data and network services information that it receives.

For example, if someone decides to take an FTP server and use it as an Apache server, the Nessus scan will discover the presence of the new server. The system will then update the signature packages to make sure it is dynamically shielded from attacks.

Yee also observed that while the promise of IDS/IPS technology is compelling, with its ability to protect systems against the likes of worms and distributed denial of service attacks, adoption rates are relatively low.

One reason for this is that IDS/IPS has traditionally been "high touch, high maintenance" technology. "It takes effort to deploy, tune and maintain the system, and in the attempt to solve a security problem, enterprises are saddled with a management problem."

NFR is aiming to change this by making the Sentivist family easy to use. One way of doing this is to have default configurations that cover 80 per cent of the use scenarios, and a point-and-click interface to tune the IDS/IPS.

Another challenge, which NFR is aiming to address, is the management of sensors deployed in disparate locations. "We want to provide a central point of control and management, so that software can be updated and refreshed and new signatures pushed out through a single point," said Yee.

To address the issue of false positives, NFR also bundles OS (operating system) fingerprinting technology and the IDS/IPS in a single box. What this means is that the traffic can be correlated with the operating system running on the target host. If, say, the system sees a Windows-based attack heading towards a Linux server, it can suppress the alert.
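The correlation described above, sketched as an added example (not NFR's code and not how Sentivist is implemented): an alert is suppressed only when a fingerprinted target OS contradicts the OS the signature applies to. The host addresses, signature names and the `triage` function are constructed for illustration, and alerting on unknown or unfingerprinted hosts is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: OS fingerprint results keyed by host address.
# None means the fingerprint was inconclusive.
FINGERPRINTS: Dict[str, Optional[str]] = {
    "10.0.0.5": "linux",
    "10.0.0.9": "windows",
    "10.0.0.12": None,
}

@dataclass(frozen=True)
class Alert:
    signature: str            # hypothetical signature name
    dst_ip: str               # host the traffic is heading towards
    target_os: Optional[str]  # OS the attack applies to; None = OS-independent

def triage(alert: Alert, fingerprints: Dict[str, Optional[str]]) -> str:
    """Return 'suppress' only when the known target OS contradicts the signature."""
    if alert.target_os is None:
        return "alert"      # OS-independent attack: the fingerprint says nothing
    host_os = fingerprints.get(alert.dst_ip)
    if host_os is None:
        return "alert"      # unknown or inconclusive host: never suppress blindly
    if host_os != alert.target_os:
        return "suppress"   # e.g. Windows-based attack heading to a Linux server
    return "alert"          # attack matches the target platform

def triage_all(alerts: List[Alert],
               fingerprints: Dict[str, Optional[str]] = FINGERPRINTS
               ) -> List[Tuple[str, str, str]]:
    return [(a.signature, a.dst_ip, triage(a, fingerprints)) for a in alerts]

# Constructed alerts covering each branch of the decision.
SAMPLE_ALERTS = [
    Alert("sig-windows-service-overflow", "10.0.0.5", "windows"),   # mismatch
    Alert("sig-windows-service-overflow", "10.0.0.9", "windows"),   # match
    Alert("sig-windows-service-overflow", "10.0.0.12", "windows"),  # inconclusive
    Alert("sig-windows-service-overflow", "10.0.0.77", "windows"),  # never seen
    Alert("sig-generic-flood", "10.0.0.5", None),                   # OS-independent
]

if __name__ == "__main__":
    for signature, dst_ip, decision in triage_all(SAMPLE_ALERTS):
        print(f"{decision:9} {signature} -> {dst_ip}")
```

Only the first sample alert is suppressed; a host that was repurposed or re-imaged since its last fingerprint would need a fresh result before suppression can be trusted.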

Yee believes that the IDS and IPS markets in this region are currently under-served. "A lot of organizations recognize the need for IDS/IPS technology," he said.

The company intends to increase its focus here, and to make strategic investments in training and technology support here. "We see this market as being important to us from a revenue standpoint," said Yee.