Monitor your network and protect it from malicious attacks
Attacks on networks connected to the Internet are rampant and getting worse. People are continually discovering new ways to break into or disable Windows NT. You are justified in protecting your network, but you need tools to do the job. One gem of a network protection tool is RealSecure 1.0 for Windows NT, from Internet Security Systems (ISS).
You might think your network is protected adequately, but how do you know for sure? Do you know when someone is trying to break in or attack a network service? Maybe you monitor the attack logs that your security systems produce. Although monitoring system logs is a great practice, it doesn't stop attacks; it simply informs you that an intrusion occurred.
Not all security systems can recognize all forms of attacks. Frequently,
you have to program a security system with information about an attack type
before it can prevent or detect it. The security system you bought last year
might not adequately handle this year's attack methods. The solution is to keep
your security systems up-to-date, a time-consuming but worthwhile effort.
Between updates to your security systems, RealSecure, a real-time network
attack recognition system, can help you monitor network security. RealSecure
looks at network traffic at the packet level (much like a network sniffer) and
uses its built-in attack recognition logic and definable filtering rules to
determine whether the packets are potentially malicious. (RealSecure can
recognize more than 200 different system attacks.) Filter rules define the
action to take when RealSecure detects an attack. When it finds suspicious
packets, RealSecure can record the date, time, source, and target of the event;
record the event's content for session playback; notify administrators of the
attack; or terminate the attack by killing the affected network sessions.
Powerful stuff, to say the least.
Inside RealSecure
Let's take a quick look at RealSecure's components to see how they interact.
RealSecure installs as an application console, a network service (which ISS
calls an engine), and a custom packet driver that you load with your
other network protocols.
The RealSecure engine reads the packets as they arrive at the network
interface from the packet driver. The engine compares the packets to established
filtering rules. If the engine finds a packet that matches a rule, the engine's
attack recognition logic parses the packet information. If the logic detects an
attack, the engine takes an appropriate action as defined in the filtering
rules. The engine also sends all packets that match the filters to the console
for logging, reporting, session playback, or review.
Installation and Configuration
Installing the software is quick and painless. You need to install the
software on each segment that you want to monitor. You can load a packet driver
and engine on an NT system residing on each remote segment and then load a
single centralized console on an NT system that collects data from the other RealSecure engines. If your network is simple (i.e., it uses only one network segment), you can load one copy of RealSecure on any NT box to monitor your entire LAN. Each console uses an authenticated and encrypted system-to-system session to talk with a remote engine. This process prevents any tampering with your RealSecure monitoring system's network traffic.
After you've installed RealSecure on each system, you fire each one up and
configure it. Configuring RealSecure means defining which attacks or suspicious
activity you'd like to watch out for (called filtering) and what to do
about a particular event when RealSecure detects it. For example, if your
network security policies disallow all inbound Telnet sessions and you've
adjusted your firewall to prevent them, you could configure RealSecure to watch
for inbound Telnet connections. If an intruder defeats your firewall and
launches a Telnet session, RealSecure can detect the session, shut it down
immediately, and record a detailed log of what occurred during the session.
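To make the two-stage flow described above concrete (a filter rule selects packets of interest and forwards every match to the console; attack recognition logic then decides whether a selected packet is an attack and which configured actions apply), here is a small Python model of such an engine. It is an added illustration written for this article, not RealSecure's own code or ISS's rule format. The address plan (192.0.2.0/24 as the monitored segment, 203.0.113.9 as an outside host), the packet records, and the rule and signature names are all constructed; the "kill" action is represented only as a recorded decision, since the article does not describe how the engine tears a session down.

```python
"""Toy packet-level attack recognition engine (constructed example, not RealSecure code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set, Tuple

# Constructed address plan: the segment the engine watches; anything from
# outside this network to inside it counts as "inbound".
INTERNAL_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    flags: str = ""     # TCP flag letters, e.g. "S" for SYN, "A" for ACK
    payload: bytes = b""


@dataclass
class Signature:
    """Attack recognition logic applied to packets a filter already selected."""
    name: str
    check: Callable[[Packet], bool]
    actions: Tuple[str, ...]   # any of "log", "record", "notify", "kill"


@dataclass
class FilterRule:
    """Cheap header-level selection. Every match is forwarded to the console,
    whether or not a signature later flags it as an attack."""
    name: str
    match: Callable[[Packet], bool]
    signatures: List[Signature] = field(default_factory=list)


def is_inbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) not in INTERNAL_NET and ip_address(pkt.dst) in INTERNAL_NET


def tcp_connect_attempt(pkt: Packet) -> bool:
    # A bare SYN (no ACK) is the first packet of a new TCP session.
    return pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags


# Policy from the article: inbound Telnet is disallowed, so any inbound Telnet
# connection attempt is treated as an attack and the session is killed.
TELNET_SIG = Signature("inbound-telnet-session", lambda p: p.dport == 23,
                       ("log", "record", "notify", "kill"))
# Constructed second signature: inbound FTP control connections are only logged.
FTP_SIG = Signature("inbound-ftp-control", lambda p: p.dport == 21, ("log",))

RULES = [FilterRule("inbound-tcp-connect",
                    lambda p: is_inbound(p) and tcp_connect_attempt(p),
                    [TELNET_SIG, FTP_SIG])]


class Engine:
    def __init__(self, rules: List[FilterRule]):
        self.rules = rules
        self.console: List[dict] = []                 # events a console would receive
        self.killed: Set[Tuple[str, str, int]] = set()  # sessions marked for termination
        self.notifications: List[str] = []

    def inspect(self, pkt: Packet) -> Optional[str]:
        """Return the name of the detected attack, or None."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            event = {"rule": rule.name, "src": pkt.src, "dst": pkt.dst,
                     "dport": pkt.dport, "attack": None, "actions": ()}
            for sig in rule.signatures:
                if sig.check(pkt):
                    event["attack"], event["actions"] = sig.name, sig.actions
                    if "kill" in sig.actions:
                        self.killed.add((pkt.src, pkt.dst, pkt.dport))
                    if "notify" in sig.actions:
                        self.notifications.append(f"{sig.name}: {pkt.src} -> {pkt.dst}")
                    break
            self.console.append(event)   # matched packets always reach the console
            return event["attack"]
        return None


def run(packets: List[Packet], rules: List[FilterRule] = RULES):
    engine = Engine(rules)
    return engine, [engine.inspect(p) for p in packets]


# Constructed traffic: outside host -> Telnet, internal -> Telnet, outside -> FTP, outside -> HTTP.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "192.0.2.10", "tcp", 23, "S"),
    Packet("192.0.2.5", "192.0.2.10", "tcp", 23, "S"),
    Packet("203.0.113.9", "192.0.2.10", "tcp", 21, "S"),
    Packet("203.0.113.9", "192.0.2.10", "tcp", 80, "S"),
]

if __name__ == "__main__":
    eng, verdicts = run(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  attack={verdict}")
    print("killed sessions:", eng.killed)
```

Only the inbound Telnet SYN ends up in the kill set and triggers a notification; the internal Telnet packet never passes the filter, the inbound FTP packet is logged without further action, and the inbound HTTP packet reaches the console (it matched the filter) but is not classed as an attack.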
RealSecure can recognize hundreds of potential attack scenarios. Screen 1
shows some predefined filter logic of the Maximum Coverage template; Screen 2
shows some attack signatures used for detection in the attack recognition
portion of the engine. You can use the built-in templates or define your own.
After you configure the software, you assign your chosen filter profiles to
each engine on your network. To assign filters to an engine, right-click an
engine listed in the Engine window, choose Properties, select a filtering
profile from the choices (as you see in Screen 3), and click Apply to Engine.
The engines start up using the specified filters and begin acting as your
network watchdogs. You can manage all engines, local and remote, from one
centralized console, which simplifies management in a distributed environment.