CyberCop System

The CyberCop System consists of intelligent CyberCop Sensors that monitor networks to detect misuse and intrusions. These CyberCop Sensors work in concert with a CyberCop Management Server that logs suspicious events, sends alarms to IS Managers, and traces attacks.

CyberCop Sensors are placed strategically throughout the network to constantly look for misuse. These Sensors are deployed at points of high-risk around the network, such as:

  • wide area links
  • dial-in connections
  • server clusters
  • critical segments

Attuned to recognize patterns of misuse, the CyberCop Sensors forward a record of suspicious events to the CyberCop Management Server. From any location, the CyberCop System can be viewed, managed and controlled through a secure Web browser interface.


CyberCop Operation

Let's say an unauthorized user is attempting to access a critical database in Finance. CyberCop has been deployed on the network. Here is what happens.

The CyberCop Sensor protecting the Finance group instantly detects the attempt and begins collecting key data - Source and Destination IP addresses, ports used, services accessed. Via an encrypted link, it forwards these details to the CyberCop Management Server to be added to a permanent event record. The Server immediately sends a page (email or SNMP traps are also options) to the security administrator at home, complete with details of the attack.

From the details on the alphanumeric pager, the administrator determines that someone from an outside network is attempting to use password guessing to pry open a Finance database server.

The administrator accesses the CyberCop System remotely through a Web browser that displays a detailed record of previous events and alarms in the CyberCop Event Log. Looking at the intruder's source address, she sees that several attacks have originated from the same outside network. With the information she needs to take immediate action, she dials in and reconfigures a router to block access to the network from the attacker's address.

Next, a call goes out to the network manager of the ISP used by the intruder. The security administrator reports that a hacker is using the ISP as a jumping-off point to launch attacks and requests that the ISP stop the attacks. As proof, the administrator provides the ISP with Sniffer Network Analyzer trace files documenting the attacks on the Finance server.

In the course of 10 minutes, CyberCop has identified an intrusion, issued an alarm and provided attack details. It has also supplied an event log and enabled the security administrator to take immediate action to protect the network and to build a case for possible prosecution.


Key Features

Real-time security: CyberCop identifies attacks in real time. CyberCop Sensors detect intrusions at the time of the attack and immediately send details to the CyberCop Management Server for logging and alarming. With CyberCop, the attack is detected and logged and an alarm is sent, all within seconds of the security breach.

Automatic attack identification: CyberCop Sensors are active monitors with built-in intelligence to automatically recognize more than 170 types of attack, misuse and intrusion patterns. CyberCop can also recognize a collection of lesser events that would individually go unnoticed but collectively signify an intrusion. CyberCop identifies attacks on:

  • hosts (UNIX, NT and Windows)
  • clients
  • network devices
  • Web servers and browsers
  • applications
  • protocol stacks

By immediately detecting and responding to intrusions, CyberCop reduces the time an attacker has to damage or steal assets. Real-time detection alerts you within seconds of an intrusion, while real-time response allows for an immediate cut-off of access to mission-critical areas.
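The operation scenario above (password guessing against the Finance server) and the point just made about lesser events that collectively signify an intrusion describe the same mechanism: correlating individual failed logins into one alarm that carries the key data. The Python below is an added illustration, not CyberCop's code; the record layout, the five-failures-in-two-minutes rule and the sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sensor records; the page does not show CyberCop's real record
# layout, so this one is an assumption: time src_ip dst_ip src_port dst_port service outcome
SAMPLE_EVENTS = [
    "1997-12-03T02:14:01 198.51.100.7 10.1.5.20 41022 23 telnet LOGIN_FAILED",
    "1997-12-03T02:14:09 198.51.100.7 10.1.5.20 41023 23 telnet LOGIN_FAILED",
    "1997-12-03T02:14:15 10.1.5.30 10.1.5.20 3301 23 telnet LOGIN_FAILED",  # internal typo
    "1997-12-03T02:14:17 198.51.100.7 10.1.5.20 41024 23 telnet LOGIN_FAILED",
    "1997-12-03T02:14:24 198.51.100.7 10.1.5.20 41025 23 telnet LOGIN_FAILED",
    "1997-12-03T02:14:30 10.1.5.30 10.1.5.20 3301 23 telnet LOGIN_OK",
    "1997-12-03T02:14:33 198.51.100.7 10.1.5.20 41026 23 telnet LOGIN_FAILED",  # 5th failure
    "1997-12-03T02:14:40 198.51.100.7 10.1.5.20 41027 23 telnet LOGIN_FAILED",
    "1997-12-03T02:20:05 198.51.100.7 10.1.5.21 41100 21 ftp LOGIN_FAILED",
    "1997-12-03T02:20:12 198.51.100.7 10.1.5.21 41101 21 ftp LOGIN_FAILED",
    "1997-12-03T02:20:19 198.51.100.7 10.1.5.21 41102 21 ftp LOGIN_FAILED",
    "1997-12-03T02:20:26 198.51.100.7 10.1.5.21 41103 21 ftp LOGIN_FAILED",
    "1997-12-03T02:20:33 198.51.100.7 10.1.5.21 41104 21 ftp LOGIN_FAILED",
]

def parse_event(line):
    ts, src, dst, sport, dport, svc, outcome = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport), "service": svc, "outcome": outcome}

def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Sensor side: a single failed login is a 'lesser event'; `threshold` of them from
    one source against one server and service within `window` become one alarm that
    carries the key data (addresses, ports, service). Threshold and window are assumed."""
    recent, alarms = defaultdict(deque), []
    for ev in map(parse_event, lines):
        if ev["outcome"] != "LOGIN_FAILED":
            continue
        q = recent[(ev["src"], ev["dst"], ev["service"])]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"type": "password_guessing", "src": ev["src"], "dst": ev["dst"],
                           "dst_port": ev["dport"], "service": ev["service"],
                           "src_ports": sorted(e["sport"] for e in q), "attempts": len(q),
                           "first": q[0]["time"], "last": ev["time"]})
            q.clear()  # one alarm per burst, not one per further attempt
    return alarms

def repeat_sources(alarms):
    """Management-server side: alarms per source, so an operator reviewing the event
    log sees that several attacks originated from the same outside address."""
    return dict(Counter(a["src"] for a in alarms))
```

Running `correlate(SAMPLE_EVENTS)` yields two alarms (telnet on 10.1.5.20, then ftp on 10.1.5.21) from the same outside address, while the internal user's single mistyped password never reaches the threshold.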

Ease of use: CyberCop was designed with the IS operator in mind. CyberCop Sensors come predefined for common network profiles that are enabled through a menu selection, so no detailed rules or filters need to be configured. Built-in intelligence and hypertext help mean that your staff do not have to be security experts to ensure network security.

Easy integration and deployment: As a turnkey solution, CyberCop offers rapid deployment with minimal setup. Additionally, CyberCop is designed to be attached as a listener anywhere on your network. This means it fits right into your existing network with no bottlenecks or reconfigurations.

Secure: CyberCop uses the latest security technology to authenticate, encrypt and manage the connections between CyberCop Sensor, CyberCop Management Server and the user's browser interface, eliminating spoofing, denial of service and snooping attacks. The CyberCop System has a heartbeat function that protects the CyberCop Sensors from being disabled, and three separate management access levels for CyberCop operators, administrators and managers.

Event logs: Log files are essential for tracing an intrusion. CyberCop keeps a record of key attack information for pinpointing the originating address and following the intruder's course. This log helps with post-attack response too, assisting with recovery and case-building.

Evidence trace files: Upon detecting an intrusion, Sensors can automatically capture detailed packet records from the attacking address. These evidence trace files follow the intruder's 'footprints' and can be used to determine attacker intent, destination and techniques. The files can also be offloaded to be read by a Sniffer Network Analyzer, or used as evidence for law enforcement.


About Security Services

Network General offers a suite of services to help customers assess their security environment, build security knowledge and skills, and optimize ongoing CyberCop operation. Our Network Consultants will provide continual security posture visibility by conducting periodic vulnerability audits on the network. They will also run hacker attack scenarios to assure the optimal configuration of security products and intrusion sensors. A course on operational security fundamentals and policy will be offered by Sniffer University to help train IS professionals. In addition, comprehensive CyberCop product support and updates will be available through the PrimeSupport program, so customers have the most current protection against the latest hacker techniques.


Technical Specifications

CyberCop Management Server Platform:

- CPU: 200MHz Pentium Pro, 256K cache
- FDD: 1 3.5" 1.44MB
- CD-ROM
- HDD: 9GB SCSI II HDD
- Primary Mem: 64MB RAM
- Video: built-in SVGA
- NIC: 1 Intel EtherExpress Pro/100B, PCI (for Ethernet); 1 Madge Smart 16/4, ISA (tentative, for Token Ring)
- Embedded OS: Solaris 2.5.1

CyberCop Sensor Platform:

- CPU: 200MHz Pentium Pro, 256K cache
- FDD: 1 3.5" 1.44MB
- HDD: 2GB SCSI II HDD
- Primary Mem: 32MB RAM
- Video: built-in SVGA
- NIC(s): 1 SMC EtherPower 10/100 dual port, PCI (for Ethernet); 2 Madge Smart 16/4, ISA (tentative, for Token Ring)
- Embedded OS: Solaris 2.5.1

Secure Connections:

  Link                           Authentication     Encryption
  Sensor to Management Server    SunScreen SKIP     SunScreen SKIP
  Browser to Management Server   ActivCard Token    Secure Sockets (https) *

  * number of available bits may be limited due to US export restrictions

Note: Please refer to the CyberCop FAQs for more information.
CyberCop will be available in December 1997.

©1997 Network General Corporation