Product Reviews

Guard the Door

ThreatSentry protects IIS servers from both known and unknown types of attacks.

Protecting your Web servers with a strong firewall and antivirus software updated with the latest virus signatures might have been sufficient a couple of years ago, but it just isn't enough these days. You need something that will take a more intelligent and comprehensive approach to protecting your servers. Screening for both known and unknown threats is the best way to go.

Privacyware's ThreatSentry is a host-based intrusion detection and prevention application designed to do just that.

It will exclusively protect Windows IIS 5.0 and 6.0 servers by screening all incoming traffic and denying any it considers untrustworthy.

ThreatSentry protects against known vulnerabilities like buffer overflows, remote data services, directory traversals, parameter manipulations and parser evasions by comparing traffic access requests to a knowledge base of known exploitive and hacking techniques. It also protects against unknown vulnerabilities by denying any traffic considered different from the normal activity on your server.

Easy Installation There are only a few screens that require your input during the installation process, so installing and configuring ThreatSentry is quite easy. Privacyware has also produced a helpful "getting started" guide to walk you through the process. I had the system installed and running in less than five minutes.

You'll need administrative rights to your server to install ThreatSentry. You won't have to reboot the server to complete the installation, but you will have to reboot to fully enable ThreatSentry's firewall feature. IIS will also be restarted during installation. In addition to local installs, ThreatSentry also supports network installs.

After the initial reboot, ThreatSentry runs in training mode. During this time, the system is constantly analyzing and organizing requests to create a baseline of "normal" activity. While the software is "training" itself, you can go into the ThreatSentry Management Console (see Figure 1) to look at all the data collected. You can also closely examine each record and classify it as trusted or untrusted.

Figure 1. ThreatSentry's Management Console lets you check out the data it's gathering and classify whether or not traffic is coming from a trusted source.
Figure 1. ThreatSentry's Management Console lets you check out the data it's gathering and classify whether or not traffic is coming from a trusted source. (Click image to view larger version.)

ThreatSentry will give each record a default classification based on the request characteristics. It's important to carefully manage this process to make sure your baseline assessment is accurate. ThreatSentry will also recommend how many requests it will need to scrutinize to arrive at an effective baseline. The recommended ranges are between 250 and 2,500 requests. You could also manually enter any number you want. After ThreatSentry reaches whatever number you've established as the training threshold, it will automatically shift from Training Mode to Monitoring — Active Mode.

REDMOND RATING
Documentation 15%
7.5
Installation 10%
9
Feature Set 35%
7
Performance 30%
7.5
Management 10%
9
Overall Rating:
7.6

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

En Garde
When ThreatSentry is running in Monitoring — Active mode, it's actively managing traffic coming into your server. It detects and blocks any threats according to established parameters and lets you know what has been blocked.

To use ThreatSentry to simply monitor your inbound server traffic, you can put it into Monitoring — Inactive Mode. This mode detects and notifies you of threats, but doesn't actually block the traffic. You may want to use this mode to see what type of traffic would be blocked once the system is in active mode without actually blocking it. Once you're comfortable with the types of traffic being blocked, you can switch to Monitoring — Active Mode.

The ThreatSentry Management Console has a Security Alert Log section that shows all untrusted events. It also displays the time, source IP address, source name, target IP address, HTTP operation (get, delete and so on) and target URL by default. There are seven other columns you can add to the view.

What's Next
ThreatSentry 3.0, which should be available as early as this month, will include the following enhancements:

  • Improved security alert reporting and auditing
  • Expanded security alert notification filters
  • Enhanced blocked IP address management
  • Improved DDOS and brute-force attack protection
  • Integration with Microsoft Operations Manager

You can sort through this security data by any of the columns to make it easier to find whatever parameters you need. It's important to look through this event data on a regular basis and reclassify as needed. By right-clicking on any particular event, you can reclassify it as trusted. Alternatively, you can choose to block all future requests from the source IP address. Actively managing the status of your alerts ensures that ThreatSentry will always be properly tuned for your environment.

Security Alerts and Notification
ThreatSentry provides on-screen notifications as events are triggered. The alert window shows the name of the computer being compromised and a description of the untrusted event. You can simply click OK to accept the notification without taking action, stop the connection or restart IIS from within the alert window. You can also configure ThreatSentry to list the 20 most recent security alerts when an alert is issued. This will appear as a separate window with every alert.

E-mail and SMS alerting are built into the product. Setting up the e-mail alerting couldn't be easier: enter an SMTP server, a destination e-mail address or addresses, and an originating address. You'll also need to make sure that your ThreatSentry machine can relay through your mail server. For SMS alerting, choose your mobile carrier and type in your phone number.

System Requirements

To filter traffic coming through your Web servers with ThreatSentry, you’ll need the following levels of hardware and software:

  • 700MHz Pentium III or faster
  • 128MB RAM
  • CD-ROM drive (for installing from CD)
  • 10MB of free disk space
  • Windows 2000 Professional, Server or Advanced Server with Service Pack 3 or higher
  • Windows XP
  • Windows Server 2003 Standard Edition or Enterprise Edition
  • IIS installed and configured

No Help Necessary—But Available
ThreatSentry is easy to use and configure. The interface is well designed and there aren't too many options so as to be confusing or difficult to learn. It's fairly obvious what each option does within the management console.

If you do need help, Privacyware provides a 55-page manual in a PDF-format file. I didn't find the documentation to be very technical in nature, but it did answer all the questions I had. It also provides screen shots with explanations of all the screens within ThreatSentry.

I found this format easy to follow and understand.

Stealth Mode
I ran ThreatSentry on my test Web server for about three weeks and never had any problems—in fact, unless I logged onto the console, I didn't even notice it was there and running. This is how good IDS software should function. It should be invisible to everyone except the person looking at the alerts.

In my opinion, the best thing about ThreatSentry is the price. At less than $100 per server, how can you afford not to give your Web servers that level of protection?

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.