Lucid Security Review
Dawn of a new age or just another software company?
By: Bruce Bahlmann - Contributing Author
Created: June 26, 2005
Recently a friend asked me to take an objective look at a company called Lucid Security. This document outlines the questions I was asked about Lucid Security, along with some of my own opinions formed from reading up on the technology they employ.
Questions Asked:
- Is the product “ipANGEL” a viable direction?
- Is there a market?
- How do they work with IDS?
General observations and recommendations in response to questions asked
#1) From my initial inquiry into Lucid’s ipANGEL, the product is clearly focused on providing a true Intrusion Prevention System (IPS), and the research presented below does not contradict that it addresses such a function. It clearly provides value to companies that want those benefits with a minimum investment of time and staff. So, where the goal is a low Total Cost of Ownership (TCO), Lucid’s product offering is a viable direction.
However, in terms of how such a product would fit into a large-scale offering or integrate with the services of a large broadband carrier (its product catalog, policy server, edge resource management, and top-level network management system), that value seems to lie outside the current functionality of Lucid’s product. This is not to say it could not be developed, but because Lucid acts as a service provider, it is difficult to see them reworking the product’s internals to support such an overhaul.
A more viable approach for large carriers might be to work directly with Snort (www.snort.org) to build a more integrated security system that melds with the services offered to enterprise customers, so that as new security policy options appear they can be incorporated into the broadband service provider’s product catalog and offered as up-selling opportunities to enterprise customers. It also lets the carrier cut out the middle man (Lucid Security), whose solution, although it adds value, may not always serve the best interests of the broadband service provider.
#2) Clearly there is a market, as evident from the popularity Lucid has received. However, a fire-and-forget product may not give a large broadband service provider the same service options as one custom-built on standards to address its specific business needs.
#3) Lucid does not approach IDS in the traditional sense; rather, their product focuses on Intrusion Prevention (IPS), which is arguably better but not as well-trodden a path. IPS is still a fairly new approach, and while there are products like Lucid’s that do IPS, people still want reports on IDS data, so by its nature most IPS systems also do some kind of IDS, especially when it comes to meeting reporting requirements.
Background information about Lucid Security
Known Intellectual Property:
No US patents or applications are on file with the USPTO under the assignee “Lucid Security”.
Lucid does, however, have a single patent application for an ADAPTIVE INTRUSION DETECTION SYSTEM, published in Europe (EPO publication EP1512075A1), Canada (CA2486695AA), Australia (AU3233640AA), and by the World Intellectual Property Organization (WO03100617A1).
Inventors:
- PHATAK, Vikram; 1438 Evans Road, Lower Gwynedd, PA 19002, United States of America
- SCIPIONI, Robert; 3797 Mill Road, Collegeville, PA 19426, United States of America
- SHAH, Paraji; Suite 6100, 555 North Lane, Conshohocken, PA 19428, United States of America
Source: delphion.com
NOTE: While Lucid Security clearly has a patent application filed under the PCT, that in no way assures them of a US patent until they successfully file a US application AND it issues. Until then, merely saying their technology is patented gives users of the technology no protection in the US (since Lucid currently has no US protection), nor does it cover any aspect of how their product works above and beyond what is licensed from Snort. Companies, now more than ever, MUST be aware of the risk of using products whose intellectual property is not well protected, especially when the vendor is small (and so has limited financial resources to defend its customers in IP lawsuits surrounding its products) or lacks a broad patent thicket covering the technology it markets and sells.
Technology Concerns:
IDS (detection) is giving way to IPS (prevention), so for this product to succeed it must continually obtain updated threat signatures from Lucid Security. That requirement places an ongoing technical dependency on the company, which must keep delivering signatures for the product to perform as expected. Because an IPS sits inline and blocks rather than merely alerts, newly added signatures for previously unrecognized attacks, or new legitimate end-user applications that happen to match existing signatures, could negatively impact honest traffic until that traffic is correctly classified by “LUCIDWATCH”.
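The failure mode above (a fresh, over-broad signature dropping legitimate traffic inline) is the reason practitioners stage new signatures in alert-only mode before letting them drop. The following is an added example written for this page, not Lucid’s or ipANGEL’s code; the signatures, SIDs, the NewApp header and the traffic are all constructed for the illustration.

```python
# Added example (not Lucid's or ipANGEL's code): stage newly delivered
# signatures in alert-only mode so an over-broad rule cannot drop legitimate
# traffic inline until an operator has promoted it. All rules, SIDs and
# traffic below are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Signature:
    sid: int
    pattern: bytes
    action: str = "drop"  # action requested by the signature feed


@dataclass
class Policy:
    """Inline enforcement policy: a feed-requested 'drop' is honoured only for
    SIDs the operator has promoted; everything else is downgraded to 'alert'."""
    promoted: set = field(default_factory=set)
    hits: dict = field(default_factory=dict)  # sid -> number of matches

    def effective_action(self, sig: Signature) -> str:
        if sig.action != "drop":
            return sig.action
        return "drop" if sig.sid in self.promoted else "alert"

    def inspect(self, sigs, payload: bytes):
        """Return (verdict, matched_sids) for one payload; the verdict is
        'pass', 'alert' or 'drop'."""
        verdict, matched = "pass", []
        for sig in sigs:
            if sig.pattern in payload:
                matched.append(sig.sid)
                self.hits[sig.sid] = self.hits.get(sig.sid, 0) + 1
                if self.effective_action(sig) == "drop":
                    verdict = "drop"
                elif verdict == "pass":
                    verdict = "alert"
        return verdict, matched

    def review_queue(self):
        """Unpromoted SIDs that have fired: the operator's tuning worklist."""
        return sorted(s for s in self.hits if s not in self.promoted)


# Hypothetical signatures: one long-established, one that arrived today and is
# over-broad (it keys on a header that a new legitimate application sends).
SIGS = [
    Signature(1000000, b"/cgi-bin/phf?"),    # old, well-tuned
    Signature(1000001, b"X-Agent: NewApp"),  # new, over-broad
]

# Constructed traffic: a legitimate request from the new application, then an
# attack that the established signature covers.
TRAFFIC = [
    b"GET /index.html HTTP/1.0\r\nX-Agent: NewApp/1.0\r\n\r\n",
    b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n",
]


def naive_verdicts():
    """Trust the feed blindly: every 'drop' signature drops immediately."""
    policy = Policy(promoted={s.sid for s in SIGS})
    return [policy.inspect(SIGS, t)[0] for t in TRAFFIC]


def staged_verdicts():
    """Only the established signature is promoted; the new one alerts first."""
    policy = Policy(promoted={1000000})
    verdicts = [policy.inspect(SIGS, t)[0] for t in TRAFFIC]
    return verdicts, policy.review_queue()


if __name__ == "__main__":
    print("naive :", naive_verdicts())
    print("staged:", staged_verdicts())
```

In the naive mode both requests are dropped, so the new application breaks the moment the feed arrives; in the staged mode the real attack is still dropped while the over-broad signature only alerts and lands in the review queue, where it can be tightened before promotion.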
If one’s company is running neither a web server nor an ftp server, how can the product provide value that would offset its cost?
Marketing collateral indicates that a customer was seeing 300 automated attacks a day. But how does one know whether that count is comprehensive? What about the attacks that are not yet known? Does every attack fit into something neat that can easily be profiled, or are attacks increasingly complex and not easily categorized or unraveled to understand what they are and how to detect them, let alone prevent them?
Note that ipANGEL is built around or incorporates Snort (www.snort.org), which it uses to update its rules engine. Evidently there must be some kind of license associated with this technology, which (based on the VRT pricing quoted below) represents roughly two-thirds of the annual subscription; because it depends on a third party, that rate could become variable.
TaoSecurity Blog (March 1, 2005): If you absolutely must have the latest rules, as soon as Sourcefire's Vulnerability Research Team (VRT) develops them, you should subscribe. "Introductory pricing" is $195/month, $495/quarter, or $1795/year. You are not allowed to redistribute these rules outside of your organization. Where does this leave the companies with products like Lucid Security's ipANGEL or services like VeriSign's (previously Guardent's) managed intrusion detection, that use Snort as their IDS? Sourcefire calls these organizations Snort Integrators: "any company that distributes Snort or Snort rules in their commercial offerings. This includes vendors bundling Snort or Snort rules, MSSPs and SIMs." These companies will need to buy a Snort Integrator License. I have emailed the listed point of contact to find out more about this.
Lucid describes the product’s fundamental notion in its own words: "About 80% of our rules are based upon the vulnerability. This represents around 95% of attacks since there can be multiple exploits against a single vulnerability."
Known Issues with ipANGEL as publicized on the web
Content is king (February 16, 2004): ipAngel looked, at first glance, like the answer to our problems. The built-in Nessus scanner activating rules seemed like a great solution. Scan your network once in a while, turn on and off the appropriate rules, and you're all set. But in our tests, Nessus might have found our non-standard mail server on Port 2525, but ipAngel didn't activate any signatures for that port. With ipAngel's very weak Web-based GUI, we didn't have the option to fix this deficit ourselves.
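The review above describes a scan-driven activation that keyed on port numbers and so missed a mail server on port 2525. The following added example (written for this page, not ipANGEL’s or Nessus’s code) contrasts that port-keyed approach with one keyed on the service the scanner fingerprinted, which also widens the Snort port variable so the enabled rules actually inspect the non-standard port. The default-port table, rule-file names and scan findings are constructed for the illustration.

```python
# Added example (not ipANGEL's code): turn scanner findings into Snort rule
# activation, keyed on the identified service rather than on the port number,
# and widen the matching port variables. Rule-group names, the default port
# table and the scan findings are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str  # service as fingerprinted by the scanner, e.g. "smtp"


# Assumed default ports and rule files (simplified from a typical snort.conf).
DEFAULT_PORTS = {"smtp": [25], "http": [80], "ftp": [21]}
RULE_GROUPS = {"smtp": "smtp.rules", "http": "web-attacks.rules", "ftp": "ftp.rules"}


def activate_by_port(findings):
    """Naive approach: enable a rule group only when a finding sits on that
    service's default port. A mail server on 2525 never enables smtp.rules."""
    enabled = set()
    for f in findings:
        for svc, ports in DEFAULT_PORTS.items():
            if f.port in ports:
                enabled.add(RULE_GROUPS[svc])
    return enabled


def activate_by_service(findings):
    """Key on the fingerprinted service, enable its rule group, and emit
    portvar lines so the rules also inspect the non-standard port."""
    enabled, portvars = set(), {}
    for f in findings:
        group = RULE_GROUPS.get(f.service)
        if group is None:
            continue  # no rule group for this service; nothing to enable
        enabled.add(group)
        ports = portvars.setdefault(f.service, set(DEFAULT_PORTS[f.service]))
        ports.add(f.port)
    conf_lines = [
        f"portvar {svc.upper()}_PORTS [{','.join(str(p) for p in sorted(ports))}]"
        for svc, ports in sorted(portvars.items())
    ]
    return enabled, conf_lines


# Constructed scan output, including the reviewer's mail server on port 2525.
SCAN = [
    Finding("10.0.0.5", 80, "http"),
    Finding("10.0.0.9", 2525, "smtp"),
]

if __name__ == "__main__":
    print("by port   :", sorted(activate_by_port(SCAN)))
    enabled, conf = activate_by_service(SCAN)
    print("by service:", sorted(enabled))
    print("\n".join(conf))
```

Enabling smtp.rules alone is not enough: Snort’s SMTP rules match on the SMTP_PORTS variable, so without the emitted portvar line they would still ignore port 2525. The port-keyed variant returns only web-attacks.rules for this scan.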
Intrusion-Protection Systems (January 20, 2005): Lucid's implementation has a few quirks. The first major problem is the requirement that the ipAngel attach to the Internet to validate its license key and update its signature files. This is a risk many network pros prefer not to take. It would be nice if the risk were accompanied by a simple registration process, but Lucid made it more involved than any of the other products we tested. The ipAngel can be set up to recognize and respond to a wide variety of threats, including all the generated threats we used in our test scenarios. But we ran into some difficulties with setting up the device and seeing precisely ipAngel's activities. While the Lucid interface provides a measure of insulation between the user and Linux, there are elements of customization that only Linux experts could perform. In our case, we managed to create a group of firewall rules that kept us from accessing the ipAngel through the usual interface! A quick trip to the Linux command line and modifications to iptables restored management interface access. Our problem with reporting started with an apparent inability to write events to an external syslog server or report events based on SNMP traps. These aren't fatal flaws, but they do make it more difficult to incorporate the ipAngel into a larger security infrastructure. Lucid also made us work harder to see information on a real-time basis than with SecurityMetrics, though we did eventually get all the information we needed out of the management interface.
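The reviewers' lockout is the classic iptables mistake: a rule or chain policy that drops traffic is installed before the rule that admits management access. A check a practitioner would run before loading a ruleset follows, as an added example written for this page, not Lucid's code; the management network, management ports and both rulesets are constructed for the illustration.

```python
# Added example (not Lucid's code): lint an iptables-save style ruleset so that
# the rule admitting management traffic precedes any rule or chain policy that
# could drop it. The management network, ports and rulesets are constructed
# for the example.
import re

MGMT_NET = "10.0.0.0/24"  # assumed management network
MGMT_PORTS = {22, 443}    # assumed SSH and HTTPS management ports


def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(line)
    return policy, rules


def admits_management(rule):
    """ACCEPT from the management network to a management port."""
    src = re.search(r"-s (\S+)", rule)
    dport = re.search(r"--dport (\d+)", rule)
    return ("-j ACCEPT" in rule
            and src is not None and src.group(1) == MGMT_NET
            and dport is not None and int(dport.group(1)) in MGMT_PORTS)


def could_block_management(rule):
    """A DROP/REJECT that is not restricted to a non-management port."""
    if "-j DROP" not in rule and "-j REJECT" not in rule:
        return False
    dport = re.search(r"--dport (\d+)", rule)
    return dport is None or int(dport.group(1)) in MGMT_PORTS


def lockout_risk(text):
    """Return None when management access is admitted before anything that
    could block it, otherwise a description of the problem."""
    policy, rules = parse_input_chain(text)
    for rule in rules:
        if admits_management(rule):
            return None
        if could_block_management(rule):
            return "management ACCEPT comes after a blocking rule: " + rule
    if policy != "ACCEPT":
        return "no management ACCEPT and INPUT policy is " + policy
    return None


# Constructed rulesets: the first reproduces the lockout, the second fixes it.
LOCKED_OUT = """
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""

SAFE = """
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, ruleset in (("locked_out", LOCKED_OUT), ("safe", SAFE)):
        print(name, "->", lockout_risk(ruleset) or "ok")
```

The lint is deliberately conservative: a DROP with no destination port, or one aimed at a management port, counts as blocking. On an appliance managed remotely the usual companion safeguard is a scheduled rollback (a one-shot job that restores the previous ruleset after a few minutes unless the operator cancels it), so a mistake like the reviewers' costs minutes rather than a trip to the console.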
Reviews:
Intrusion-Protection Systems (January 20, 2005): The ipAngel is one of two systems we tested that make use of the open-source software available to run on Linux. In this case, Lucid Security has used Red Hat Linux as the foundation for a complete IPS system. Like SecurityMetrics' Model 60, the ipAngel wraps a useful central interface around a variety of programs, such as Nessus, Snort and iptables, integrating the pieces in a single IPS server. Lucid has done a good job of joining functions, and at a very competitive price. The ipAngel counts as one of the bargains in this bunch. The device has a good legitimate attack hit rate while not flagging a high number of false positives, using a foundation that has been vetted by a large number of users as part of the open-source process. In addition, the interface has a mature feeling. If your network staff eats and breathes Linux, you might want an ipAngel watching over your network.
ipAngel X3 AVS-400, $18,000 ($15,000 hardware; $3,000 annual subscription). Lucid Security Corp.
Content is king (February 16, 2004): Pros: High-end Check Point Firewall-1 built-in; innovative Nessus-based autoconfiguration. Cons: Can’t catch attacks that only take a single packet; weak GUI and too few configuration/control options.
Alternatives based on reviews:
Content is king (February 16, 2004): One of the most solid products was UnityOne. With a clear interest in core-of-the-network implementation, it offers a good base for a simple IPS. TippingPoint didn't stand out with flashy features, but the architecture of the product and the capabilities it did offer make it a product to watch.
Solution Title: IPS not IDS (December 30, 2003): Like most things in the IT world, you have a trade-off between how much effort you have to put into the thing personally, and how much you have to pay someone else to put the effort in for you. Snort-Inline, Flexresp, custom IPtables, Portsentry, etc. are all things that are cheap but require deep knowledge to setup. If you want to go with one of these, you'll have to do the research yourself (start with a google search), since we can't cookie-cutter them for you. There are also several reasonably good commercial IPS systems the vendors of which will be happy to set up for you and train you in their operation. Some vendors to look at are TippingPoint (www.tippingpoint.com), NetScreen (www.netscreen.com), Captus Networks (www.captusnetworks.com), and Lucid Security (www.ipangel.com).