Dragon IDS/IPS
The Dragon IPS/IDS platform is an intrusion detection/prevention platform that uses distributed sensors to examine traffic and detect threats, together with a central Enterprise Management Server (EMS). The EMS configures and manages multiple sensors throughout the network, handles alarm notifications, and can execute mitigation actions (such as adjusting firewall rules or switch configurations) when the sensors detect threats. The key components of the platform are the Linux- or Solaris-based EMS itself and the network sensors, which are supplied as hardware devices. Optional components include software host sensors for direct protection of endpoints (Windows, Linux, AIX, Solaris and HP-UX), software sensors specifically for Web servers (IIS and Apache), and an Event Flow Processor that aggregates data from multiple remote sensors for delivery to the EMS in large networks.
Product submission by EITPlanet Staff

As mentioned, the EMS can both configure and monitor multiple sensors, and can respond (via a basic scripting tool) to alarm signals raised by the sensors by manipulating third-party infrastructure such as switches or firewalls. Group policy rules support the collective management of multiple sensors, and reporting and archiving features facilitate event forensics, audit trail analysis, and real-time trend analysis.

Multiple hardware-based network sensors are offered for use with the system, differing primarily in the traffic rates they handle. At the low end, the FE100 sensor includes dual 10/100 ports and a single 10/100/1000 port and supports 100 Mb/sec data rates, while the new high-end sensor supports 10 GigE traffic. (The 10 Gig sensor additionally includes redundant power and distributed fault tolerance features as standard; they're optional on the 1 Gig sensors.)

The vendor describes the platform as capable of simultaneous signature matching, protocol analysis, network behavioral analysis and VoIP traffic analysis. According to the vendor, network traffic is compared against a library of over 14,000 threat signatures, with live signature updates and support for Snort signature databases. Individual sensors can also be partitioned into multiple virtual sensors, each able to monitor a specific VLAN, Layer 3 network, physical switch port, or TCP/UDP-level application, and each with its own set of policies for detection methods and alerting.

In addition to the hardware-based network sensors, the vendor offers host sensors for use directly on endpoints and the Web Intrusion Prevention System module for use on IIS or Apache Web servers. The host sensors include a kernel monitoring module that traps and analyzes all calls to the kernel to detect the existence of kernel-level rootkits.

Dragon IPS/IDS is available now; the new Dragon 10 Gig system is base priced at $175,000.
Contact Enterasys for further information.