Internet.com ISP-Planet
Intrusion Detection Systems:
Enterasys Networks

Combining three key components into a total security solution, Enterasys Networks' Dragon IDS offers an ideal package for the high-tech ISP. But keep in mind that it's targeted at advanced users.

by Jeff Goldman
[January 23, 2002]

In March of 2000, Cabletron Systems was restructured into a holding company with four main subsidiaries. The largest was Enterasys Networks, providing solutions for the enterprise market. Enterasys became a public company (NYSE: ETS) in August 2001, and the firm now has more than 2,600 employees in 30 countries worldwide.

Enterasys Networks' product offerings focus on six main areas:
  • Switching
  • Routing
  • VPN
  • Wireless LAN
  • Network Management
  • Network Security

Dragon IDS, the company's intrusion detection solution, was the flagship product of Network Security Wizards, which was acquired by Enterasys Networks in September 2000.

Enterasys Networks
35 Industrial Way
Rochester, New Hampshire 03867
Voice: (603) 332-9400
E-mail: sales@enterasys.com


In May 2000, Dragon IDS won Network Computing's Well-Connected Award as Best Intrusion Detection System. At the time, Senior Technology Editor Mike Fratto wrote, "While the product is still raw (those not comfortable in the Unix world will struggle with it), it works, and is consistently the most difficult of the network-based ID systems to sneak past."

Chris Peterson, Enterasys Networks' Product Marketing Manager for Intrusion Detection Systems, says that kind of complexity was the company's intent: Dragon IDS isn't built for beginners, but it's ideal for anyone who wants to have total control over all aspects of security on their network.

"It's the IDS of choice for a lot of really technical security people, because it's got such low level analysis and extensive configuration options," Peterson said. "For the advanced network security professional who really knows intrusion detection, you're not going to find a more powerful system on the market."

And, Peterson adds, that's usually a great selling point for most ISPs. "It's a very effective tool in the hands of a very competent security professional, which, I think, is very applicable to an ISP who knows exactly what they're looking for," he said.

Bases covered
The Dragon IDS suite is divided into three products: a network IDS, a host IDS, and a core management and monitoring system. Both network-based and host-based IDSes can talk to the management system, providing you with an enormous amount of control over all aspects of your network.

Dragon Sensor is the network IDS solution. Performance, Peterson says, is Sensor's strongest selling point. "When we go into real world environments, we blow the competition away," he said. "We get around 100 megabits per second, and up into 200, 250, we're still processing with minimal packet loss while competing solutions are dropping a lot of packets or simply falling over."

Another of Sensor's strengths, Peterson adds, is its ability to gather low-level forensics information. "We'll actually maintain raw packet data before and after an attack, and make that information available through the management console," he said. "So we can do complete session replays of an attack, providing a tremendous amount of data to be used in the forensic analysis process."

Finally, Sensor can catch encoded attacks that many other products might not be able to see. "We've got decodes for a lot of the most common protocols," Peterson said. "If an attacker has encoded an attack in Unicode against an IIS web server, we've got a decode for that, so our signature engine will find it even though it's encoded. A lot of other products aren't there yet."
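The encoding problem Peterson describes, as an added illustration rather than Dragon code: a signature that looks for a directory-traversal string in the raw request sees only the plainly written form, while the same attack written with percent escapes, double escapes, IIS's non-standard %uXXXX escapes or overlong UTF-8 (the %c0%af form used against IIS in 2000) slips past. Decoding the request the way the target server would, and only then matching, makes one signature cover all of them. The request strings, the decoder and the signature below are constructed for this example; none of it is Enterasys's.

```python
"""Normalize HTTP request lines before signature matching.

Added example, not Enterasys Dragon code. A byte-for-byte signature for a
directory-traversal attack on IIS sees only the plainly written form; the same
attack arrives percent-encoded, double-encoded, in IIS's %uXXXX form, or as
overlong UTF-8. Decoding first, the way the target server does, makes one
signature cover all of them.
"""
import re

HEX = b"0123456789abcdefABCDEF"

# Constructed sample requests (not captured traffic). All but "benign" are the
# same traversal to cmd.exe written in different encodings.
SAMPLES = {
    "plain":      b"GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "percent":    b"GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "double":     b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "overlong":   b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "ms_unicode": b"GET /scripts/..%u002f..%u002fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "benign":     b"GET /index.html HTTP/1.0",
}

# Hypothetical signature: "..", a path separator, then cmd.exe somewhere after.
TRAVERSAL = re.compile(r"\.\.[/\\].*cmd\.exe", re.IGNORECASE)


def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX and IIS-style %uXXXX decoding. Malformed escapes pass
    through untouched so we never invent bytes the server would not see."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] == 0x25:  # '%'
            if (i + 5 < n and data[i + 1] in b"uU"
                    and all(b in HEX for b in data[i + 2:i + 6])):
                # %uXXXX is a UTF-16 code unit; re-emit it as UTF-8 bytes
                out += chr(int(data[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
                i += 6
                continue
            if i + 2 < n and data[i + 1] in HEX and data[i + 2] in HEX:
                out.append(int(data[i + 1:i + 3], 16))
                i += 3
                continue
        out.append(data[i])
        i += 1
    return bytes(out)


def utf8_decode_lenient(data: bytes) -> str:
    """Decode UTF-8 while accepting overlong 2- and 3-byte forms (so %c0%af
    becomes '/'), as unpatched IIS did. Anything else undecodable becomes U+FFFD."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            out.append(chr(b0))
            i += 1
        elif 0xC0 <= b0 < 0xE0 and i + 1 < n and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b0 < 0xF0 and i + 2 < n
              and 0x80 <= data[i + 1] < 0xC0 and 0x80 <= data[i + 2] < 0xC0):
            out.append(chr(((b0 & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def normalize(request: bytes, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, to catch double encoding without
    looping forever), then decode the resulting bytes leniently as UTF-8."""
    cur = request
    for _ in range(max_rounds):
        nxt = percent_decode_once(cur)
        if nxt == cur:
            break
        cur = nxt
    return utf8_decode_lenient(cur)


def naive_match(request: bytes) -> bool:
    """Signature applied to the raw bytes: a sensor without protocol decodes."""
    return TRAVERSAL.search(request.decode("latin-1")) is not None


def decoded_match(request: bytes) -> bool:
    """Signature applied after normalization."""
    return TRAVERSAL.search(normalize(request)) is not None


def evaluate(samples=SAMPLES):
    """Map each sample name to (raw-match, decoded-match)."""
    return {name: (naive_match(r), decoded_match(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (raw, dec) in evaluate().items():
        print(f"{name:11s} raw={raw!s:5s} decoded={dec}")
```

Only the plain request trips the raw-byte signature; after normalization all five encodings match and the benign request still does not. The decoder has to mirror the server's own interpretation: a sensor that decodes more aggressively than the server raises false alarms, one that decodes less misses attacks, which is why decodes are written per protocol and per product rather than as one generic unescape. Bound the number of decoding rounds so a pathological request cannot make the sensor loop, and keep the raw bytes alongside the normalized form for the forensic record.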

Dragon Squire is Enterasys' host IDS product. While Squire's basic functionality is similar to Tripwire, Peterson says its capabilities go far beyond that. "We also support most commercial firewalls," he said. "You can load Squire on the firewall itself to analyze the firewall logs, looking for a sign of misuse or attack—which is very germane to an ISP."

Squire also looks at the applications on the host itself. "We're not looking just at the operating system: we're also looking at the applications that are most commonly attacked," Peterson said. "That's a key differentiator for us. The bottom line is, when somebody's attacking your system, they're attacking the applications you made available to them—so we're looking there as well."
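Reading the firewall's own logs for signs of misuse, as an added example rather than Squire code: the simplest such sign is one source that gets denied on many distinct destination ports within a short window, which is a port scan of the perimeter. The log format below is an iptables-style syslog line constructed for this example, the thresholds are arbitrary, and the addresses come from documentation ranges; a real deployment would parse whatever the firewall actually emits.

```python
"""Scan detection over firewall deny logs.

Added example, not Enterasys Dragon Squire code. A host IDS sitting on the
firewall reads the firewall's own logs; the simplest sign of misuse there is a
single source denied on many distinct destination ports within a short window.
The log format is an iptables-style syslog line constructed for this example,
the thresholds are arbitrary, and the addresses come from documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DENY|ACCEPT) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2002  # syslog timestamps carry no year; assumed for this example


def parse(line: str):
    """Return a dict for a recognised DENY/ACCEPT line, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, min_targets: int = 10, window_s: int = 60):
    """Sliding-window scan detector over chronologically ordered log lines.

    For each source, keep the DENY events of the last window_s seconds and alert
    the first time they cover at least min_targets distinct (dst, proto, port)
    targets. Returns {src: (distinct_targets, first_ts, last_ts)}, one entry per
    alerting source.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, target), oldest first
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "DENY":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["proto"], ev["dpt"])))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # the event just appended keeps the deque non-empty
        targets = {t for _, t in q}
        if len(targets) >= min_targets and ev["src"] not in alerts:
            alerts[ev["src"]] = (len(targets), q[0][0], ev["ts"])
    return alerts


def _line(hms, src, dpt, action="DENY", dst="192.0.2.10"):
    """Build one constructed log line (not captured data)."""
    return (f"Jan 23 {hms} fw1 kernel: {action} IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 PROTO=TCP SPT=40000 DPT={dpt}")


PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443]
SAMPLE_LOG = (
    # fast scanner: ten ports in ten seconds
    [_line(f"10:15:{s:02d}", "203.0.113.7", p) for s, p in enumerate(PORTS)]
    # background noise: one host repeatedly denied on a single port
    + [_line("10:16:00", "198.51.100.5", 137), _line("10:16:30", "198.51.100.5", 137)]
    # an allowed connection, which the detector ignores
    + [_line("10:16:45", "198.51.100.20", 80, action="ACCEPT")]
    # slow scanner: the same ten ports, one every two minutes
    + [_line(f"10:{20 + 2 * i}:00", "203.0.113.9", p) for i, p in enumerate(PORTS)]
)

if __name__ == "__main__":
    for src, (count, first, last) in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct targets "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the defaults only the fast scanner alerts; the NetBIOS noise never covers more than one target, and the slow scanner, spacing its probes two minutes apart, never has more than one event inside the 60-second window. Widening the window to an hour catches it too, at the cost of more state per source. That trade-off is the reason a short-window real-time detector is paired with the longer-horizon analysis the article assigns to the Trending Console.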

Squire also stands out thanks to its minimal impact on host performance—and Dragon Squire 5.1, coming out in a few months, will be even more lightweight. "We've developed a framework that supports plugins," Peterson said. "All the functionality for Squire will be added via plugin modules, so if you want an extremely lightweight host IDS, you could just install a log analysis plugin, and run with that."

The plugin architecture will also allow Enterasys to offer new functionality easily to the Squire framework. "We'll be able to come to market very fast as the host IDS market changes, and it's changing very rapidly," Peterson said. "We're seeing the convergence of anti-virus, content inspection—all that functionality we'll be able to bring into the product line very quickly."

Control factors
Dragon Server provides centralized management and monitoring for all Dragon Squires and Dragon Sensors on your network. You can set up groups of Squires and Sensors and then deploy configuration changes to hundreds of systems with a single click.

Riptech, a leading MSSP, uses Dragon Server to monitor the Sensors and Squires spread out across its customer base. "They've been using Dragon for quite some time," Peterson said. "That's how they manage the Sensors and Squires they're monitoring for customers: through that interface, with a single click, they can deploy new signatures, new policies, out to hundreds of systems worldwide."

In addition to its management functionality, Dragon Server also centralizes the monitoring functions of Sensor and Squire into a common backend system. "You can correlate across the network-based and host-based products," Peterson said. "All the events are coming into the exact same system, so you've got true correlation across a large part of your infrastructure."

Three Analysis Consoles focus on different aspects of investigation. Dragon Server's Realtime Console focuses on speed, easily maintaining several million events in memory and making them available through graphs and charts.

The Forensics Console then allows you to go deeper in looking at an event. "If in the Realtime Console you detect something you want to inspect, you can go to the Forensics Console and pull out the raw packet logs, the complete session, and look at all the detail," Peterson said.

Finally, the Trending Console uses MySQL to store event information over a longer period of time and apply trend analysis to it. "If somebody's attacking you over a longer period of time, more meticulously and gradually, the Trending Console will help you find that," Peterson said.

Make it your own
Dragon's flexibility, Peterson says, is ideal for the technical demands of an ISP. "An ISP can develop their own signatures to detect things that are specific to their operating environment," he said. "ISPs like Dragon because they're technical enough that they can take advantage of the open signature language to look for something specific to what they want to detect on their network."

And if you're deploying Dragon as a value added service, then Server will provide enormous flexibility. "At the ISP level, you can see everything, or go down to the customer level and view just that customer," Peterson said. "And it's web based, so a customer can access it directly, as well as the ISP monitoring staff. For an ISP, it's that scalability, that architecture, that sets us so far apart from the competition."

Pricing for the solutions is as follows: a software license for Dragon Server costs $8500, while the appliance is $15,000. The Dragon Sensor software license retails at $7500, and the appliance costs $20,000. Finally, Dragon Squire, which is available via software license only, costs $650.

Peterson notes that hundreds of customers are currently running Dragon IDS, of just about every size imaginable. "Two of the largest ISPs out there are Dragon users," he said. "We're geared towards the enterprise, but it scales to whatever size you want to deploy it on. We've got smaller ISPs, and we've got the biggest—and I've got Dragon on my home network."

— End
Related articles:
  [Jan. 16, 2002] IDS Profile: Top Layer Networks
  [Dec. 24, 2001] White Paper: Reducing Network Security Risk
  [Sept. 25, 2001] Physical Security Augments Logical Security
