Product Reviews

Guard the Door

ThreatSentry protects IIS servers from both known and unknown types of attacks.

Protecting your Web servers with a strong firewall and antivirus software updated with the latest virus signatures might have been sufficient a couple of years ago, but it just isn't enough these days. You need something that will take a more intelligent and comprehensive approach to protecting your servers. Screening for both known and unknown threats is the best way to go.

Privacyware's ThreatSentry is a host-based intrusion detection and prevention application designed to do just that.

It protects Windows IIS 5.0 and 6.0 servers only, screening all incoming traffic and denying any it considers untrustworthy.

ThreatSentry protects against known vulnerabilities like buffer overflows, remote data services, directory traversals, parameter manipulations and parser evasions by comparing traffic access requests to a knowledge base of known exploitive and hacking techniques. It also protects against unknown vulnerabilities by denying any traffic considered different from the normal activity on your server.

Easy Installation

There are only a few screens that require your input during the installation process, so installing and configuring ThreatSentry is quite easy. Privacyware has also produced a helpful "getting started" guide to walk you through the process. I had the system installed and running in less than five minutes.

You'll need administrative rights to your server to install ThreatSentry. You won't have to reboot the server to complete the installation, but you will have to reboot to fully enable ThreatSentry's firewall feature. IIS will also be restarted during installation. In addition to local installs, ThreatSentry also supports network installs.

After the initial reboot, ThreatSentry runs in training mode. During this time, the system is constantly analyzing and organizing requests to create a baseline of "normal" activity. While the software is "training" itself, you can go into the ThreatSentry Management Console (see Figure 1) to look at all the data collected. You can also closely examine each record and classify it as trusted or untrusted.

Figure 1. ThreatSentry's Management Console lets you check out the data it's gathering and classify whether or not traffic is coming from a trusted source.

ThreatSentry gives each record a default classification based on the request's characteristics. It's important to manage this process carefully, because whatever is left classified as trusted during training becomes the definition of "normal" for your server, so your baseline assessment must be accurate. ThreatSentry also recommends how many requests it needs to scrutinize to arrive at an effective baseline; the recommended range is 250 to 2,500 requests, though you can manually enter any number you want. Once ThreatSentry reaches the number you've set as the training threshold, it automatically shifts from Training Mode to Monitoring — Active Mode.

REDMOND RATING
Documentation (15%): 7.5
Installation (10%): 9
Feature Set (35%): 7
Performance (30%): 7.5
Management (10%): 9
Overall Rating: 7.6

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

En Garde
When ThreatSentry is running in Monitoring — Active Mode, it's actively managing traffic coming into your server. It detects and blocks any threats according to the established parameters and lets you know what has been blocked.

To use ThreatSentry to simply monitor your inbound server traffic, you can put it into Monitoring — Inactive Mode. This mode detects and notifies you of threats, but doesn't actually block the traffic. You may want to use this mode to see what type of traffic would be blocked once the system is in active mode without actually blocking it. Once you're comfortable with the types of traffic being blocked, you can switch to Monitoring — Active Mode.
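As an added illustration (not ThreatSentry's own code), here is a small constructed Python model of the workflow the review describes: a training phase that builds a baseline of trusted method/path pairs, an automatic switch to active monitoring once the request threshold is met, a couple of stand-in checks for known techniques, and the difference between the inactive mode (alert only) and the active mode (block). The class name Sentry, the KNOWN_BAD table, the 512-byte bound and the sample requests are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the training -> monitoring workflow; not ThreatSentry code.
class Mode(Enum):
    TRAINING = "Training"
    MONITOR_INACTIVE = "Monitoring - Inactive"  # detect and notify only
    MONITOR_ACTIVE = "Monitoring - Active"      # detect, notify and block

# Minimal stand-ins for the "known technique" knowledge base (constructed).
KNOWN_BAD = (("../", "directory traversal"), ("%2e%2e", "encoded traversal"))
MAX_URL_LEN = 512  # oversized-request bound standing in for overflow screening

def _path(url):
    return url.split("?", 1)[0]  # baseline keys on method + path, not parameters

@dataclass
class Sentry:
    training_threshold: int = 250  # review: recommended range is 250 to 2,500
    mode: Mode = Mode.TRAINING
    baseline: set = field(default_factory=set)  # trusted (method, path) pairs
    seen: int = 0
    alerts: list = field(default_factory=list)  # (time, src_ip, op, url, reason)

    def classify(self, method, url):
        """Return why a request is untrusted, or None if it is trusted."""
        for needle, reason in KNOWN_BAD:
            if needle in url.lower():
                return reason
        if len(url) > MAX_URL_LEN:
            return "oversized request"
        if self.mode is not Mode.TRAINING and (method, _path(url)) not in self.baseline:
            return "deviates from baseline"
        return None

    def handle(self, ts, src_ip, method, url):
        """Process one request; returns 'allow', 'alert' or 'block'."""
        reason = self.classify(method, url)
        if self.mode is Mode.TRAINING:
            if reason is None:  # default classification: trusted, so it joins the baseline
                self.baseline.add((method, _path(url)))
            self.seen += 1
            if self.seen >= self.training_threshold:
                self.mode = Mode.MONITOR_ACTIVE  # automatic switch once threshold is reached
            return "allow"
        if reason is None:
            return "allow"
        self.alerts.append((ts, src_ip, method, url, reason))
        return "block" if self.mode is Mode.MONITOR_ACTIVE else "alert"

    def trust(self, method, url):  # operator reclassifies an alerted event as trusted
        self.baseline.add((method, _path(url)))
```

Note that a request carrying a known technique during training is counted toward the threshold but never enters the baseline, which is the point of reviewing records before the switch to active mode.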

The ThreatSentry Management Console has a Security Alert Log section that shows all untrusted events. By default it displays the time, source IP address, source name, target IP address, HTTP operation (GET, DELETE and so on) and target URL. There are seven other columns you can add to the view.

You can sort this security data by any of the columns to make it easier to find whatever parameters you need. It's important to look through this event data on a regular basis and reclassify as needed. By right-clicking on any particular event, you can reclassify it as trusted. Alternatively, you can choose to block all future requests from the source IP address. Actively managing the status of your alerts ensures that ThreatSentry will always be properly tuned for your environment.

What's Next
ThreatSentry 3.0, which should be available as early as this month, will include the following enhancements:

  • Improved security alert reporting and auditing
  • Expanded security alert notification filters
  • Enhanced blocked IP address management
  • Improved DDoS and brute-force attack protection
  • Integration with Microsoft Operations Manager

Security Alerts and Notification
ThreatSentry provides on-screen notifications as events are triggered. The alert window shows the name of the computer being compromised and a description of the untrusted event. You can simply click OK to accept the notification without taking action, stop the connection or restart IIS from within the alert window. You can also configure ThreatSentry to list the 20 most recent security alerts when an alert is issued. This will appear as a separate window with every alert.

E-mail and SMS alerting are built into the product. Setting up the e-mail alerting couldn't be easier: enter an SMTP server, a destination e-mail address or addresses, and an originating address. You'll also need to make sure that your ThreatSentry machine can relay through your mail server. For SMS alerting, choose your mobile carrier and type in your phone number.

System Requirements

To filter traffic coming through your Web servers with ThreatSentry, you’ll need the following levels of hardware and software:

  • 700MHz Pentium III or faster
  • 128MB RAM
  • CD-ROM drive (for installing from CD)
  • 10MB of free disk space
  • Windows 2000 Professional, Server or Advanced Server with Service Pack 3 or higher
  • Windows XP
  • Windows Server 2003 Standard Edition or Enterprise Edition
  • IIS installed and configured

No Help Necessary—But Available
ThreatSentry is easy to use and configure. The interface is well designed, and there aren't so many options that it becomes confusing or difficult to learn. It's fairly obvious what each option in the management console does.

If you do need help, Privacyware provides a 55-page manual in a PDF-format file. I didn't find the documentation to be very technical in nature, but it did answer all the questions I had. It also provides screen shots with explanations of all the screens within ThreatSentry.

I found this format easy to follow and understand.

Stealth Mode
I ran ThreatSentry on my test Web server for about three weeks and never had any problems—in fact, unless I logged onto the console, I didn't even notice it was there and running. This is how good IDS software should function. It should be invisible to everyone except the person looking at the alerts.

In my opinion, the best thing about ThreatSentry is the price. At less than $100 per server, how can you afford not to give your Web servers that level of protection?
