Price: Sensors start at $13,000; Management platform starts at $10,000
NFR's Sentivist 4.0, with its Confidence Indexing for assessing threats, ease of use and reporting capabilities, impressed us sufficiently to be named
The enterprise value of Sentivist's architecture is its ability to scale to thousands of sensors with the same level of protection deployed to all network segments. Its scalability is supported by a three-tier architecture: management, sensors and database (which can be either MySQL for smaller implementations or Oracle for larger enterprises).
In complex enterprises deploying tens or hundreds of sensors, an intermediate "sensor server" can be used to handle some of the correlation before data is packaged and transmitted to the central database. This data handling layer is also ideal for multinational or geographically dispersed corporations.
Now a true enterprise-level product, Sentivist went from a few hundred Mbps to high-end sensors that can analyze up to 4 Gbps. Sentivist's failover pass-through, which will create a hardware-layer copper bridge to ensure network connectivity should a unit fail, is impressive.
The Dynamic Shielding Architecture (DSA) permits the sensors to be aware of their environment and tailor security accordingly. DSA collects Nessus scan data via its XML-formatted vulnerability output reports, which are parsed and input into the database for real-time correlation of network attacks. Correlation is based on attack type, port, IP and CVE. NFR plans to integrate McAfee Foundstone and Qualys data into the product in the near future. All attack signatures and sensor policies are be centrally managed through the NFR Protection Center administration and analysis system.
The analyst console for NFR is the most impressive we have seen, providing real-time views into a particular sensor or all sensors at the click of your mouse. You also have the ability to dissect the attack and alert data into common groups. These groups are customizable and are ideal for tracking potential intruders, worms or internal threats. For example, you can group alerts by any field in the packet--source IP, attack type and target vulnerability-- to determine the scope of an attack.
The interface contains all the slick benefits of Java, with adjustable windows, drag-and-drop functionality, and customization. Ad hoc reports with Crystal are available and easily integrated, but do not come prepackaged with the solution.
SMBs will be pleased that all sensors now are bundled with full network firewall capabilities, which gives them the option of replacing older firewalls from the '90s with easily managed multi-use prevention appliances.
Sentivist 5.0 is common criteria EAL 2 certified and is IPv6 compliant.
With Sentivist 5.0, NFR has made itself a formidable player in the IDS/IPS market, appealing to both large enterprises and resource-poor SMBs.
This product review also appears in the March 2006 issue of Information Security magazine.