Friday, January 28, 2011

Enterasys Dragon IDS

I've managed a Dragon IDS system for ten years now. When the company I worked for tasked me with researching and evaluating intrusion detection, some of the major players today didn't even exist yet, and snort had not yet been rolled into the commercial Sourcefire product.We looked at a number of the available offerings back then and settled on Dragon.
At the time, Dragon was winning IDS "bake-offs" and garnering a number of awards, and it seemed to be a decent choice. We did all of our own testing; there were no monies for calling in a security consultant to evaluate our needs and pair us with a product.

Dragon was written by Ron Gula, who is now the CTO of Tenable Network Security. Ron had just sold Dragon to Enterasy, which made some of the early support calls interesting.
But some of Ron's staff had gone with him to Enterasys (like Rick Olesek) and were excellent folks to deal with and very knowledgeable. We started out with Dragon 5, which by today's standards, had a rather primitive management interface. Changes were made by editing the various configuration files directly, either through the browser or using vi on the server itself (I actually missed that, once the interface became sophisticated enough to not require it anymore. Gave you a degree of confidence the changes you were making were actually getting made).

Over the last ten years, I've maintained a love/hate relationship with the Dragon (the original version we used called the HIDS component a "Squire" and the tools were in the sorcery directory. The product was originally named "Dragon Fire IDS). It's fairly easy to maintain, signatures are released for new vulnerabilities in a timely manner, the reporting is easy to set up and filter, and the newest interface has a really nice looking console that is easy to drill down into.

I also remember, however, the early versions of version 7, when I spent days on end on the phone with their developers, with them remoted into my desktop as they tried to fix issue after issue. I remarked more than once that I didn't remember signing on to be a beta tester, but I evidently was one anyway. Fortunately, as of version 7.4.1, all of the bugs have seemingly scurried back into the darkness, and the systems are running without intervention again. Which allows the intrusion analyst to spend his time actually investigating alerts, as well as tuning and filtering. What a concept.

Enterasys was merged with the Siemens Group in 2008.

No comments:

Blog Archive