Network Associates Upgrades Intrusion Software

Network Associates this week introduced a revamped version of its intrusion detection software suite, including the company's first tool designed to watch network traffic for what might be hacker activity.

The network agent, which initially runs on Windows NT and will later be ported to Solaris, complements the CyberCop Intrusion Protection Suite 5.0's agents for monitoring desktops and servers as well as the suite's management console.

However, Network Associates still lacks an easy way for its customers to update its intrusion detection knowledge base of known hacker and denial-of-service attacks, of which about 250 are included. Currently, the company's PGP division - which sells CyberCop - needs to completely rewrite its software each time it wants to add "attack signatures" to the knowledge base, and the company only does that every three to six months. Observers say that isn't often enough considering the rate at which new forms of attack are discovered.

"CyberCop is still half-baked," says Gartner Group Inc. security analyst John Pescatore. "Network Associates is still considerably behind Internet Security Systems and Axent Technologies in the area of [intrusion detection]."

The new edition of CyberCop is a big improvement over previous versions.

In addition to the new CyberCop Network agent software, the suite's management console has been upgraded. The console, which receives reports from the network- and host-based agents, now has a more powerful data warehouse for storing and analyzing information. The warehouse is now based on Microsoft Corp. SQL Server 7.0, whereas earlier versions used Microsoft Access.

However, the console can't yet relate events sent from CyberCop Network and the host-based agents, known as CyberCop Monitors, to determine possible connections between attacks detected in the network or on servers or PCs.

"That's something we'd like to do down the road, but we're not there yet," says Kara Stanislawczyk, product marketing manager of CyberCop Intrusion Protection Suite.

Network Associates is also cognizant of its shortcomings in the attack signature area. "The signature is hard-coded into the agent software and we have to upgrade it entirely to do updates," Stanislawczyk acknowledges. "But we are working on changing that."

Version 5.0 of CyberCop has gained some flexibility, though, by providing a way for customers to change default settings related to the 250 attack signatures. For example, CyberCop 5.0 by default alerts an administrator after seeing 100 port scans (which usually signal an attacker scanning for vulnerabilities), but it lets the administrator change that default so an alert is issued after 50 port scans.

Network Associates is charging $US4,700 for CyberCop Network for one to four servers under a two-year license. CyberCop Monitor, now available on Windows 2000 in addition to NT and Solaris, costs $US102 per node for 100 nodes under a two-year license.

Skinny VirusScan

Also last week, Network Associates aired a slimmed-down version of its VirusScan antivirus software.

Developed by the company's McAfee division, the new VirusScan offering weighs in at 3M bytes, one-fifth the size of the regular edition of VirusScan. The lighter weight makes the software easier to distribute to remote desktops.

The trade-off is that the skinny VirusScan lacks some of the other's features, such as the ability to scan mail attachments before opening them (to prevent people from forwarding infected attachments).

"For remote sites, this slimmed-down version of VirusScan, which costs the same as the regular version, deals with the problem of getting the software out there because it took too long to deploy at 15 megabytes," says Ryan McGee, a McAfee product marketing manager.
