What is WatchTower?
WatchTower is an advanced Network Intrusion Detection System (NIDS) based on the CIDF (Common Intrusion Detection Framework) model. The WatchTower project boasts a complete Intrusion Detection System suite, consisting of both sensors and a master management console. The sensors keep the management console updated by pushing event data, based on pattern matching and anomalies detected on the network, to the WatchTower Server, alerting the system administrator to active attacks or network abuse.

The WatchTower IDS Suite offers complete management and scalability to the end user. This robust Intrusion Detection System can maintain real-time packet analysis while ensuring wire-speed functionality, offering no degradation in speed as traffic volume increases.

What is a NIDS?
NIDS stands for Network Intrusion Detection System. A NIDS is a system which monitors all traffic on a network looking for hack attempts, DoS attacks and other activity the network administrator deems to be network misuse or abuse.

What can WatchTower do for me?
WatchTower offers complete network perimeter defense. It provides full packet analysis at wire speed, offering not only passive intrusion detection, but also proactive capabilities able to drop active sessions that are flagged as malicious traffic.

How does WatchTower detect attacks?
WatchTower includes a comprehensive list of built-in "filters". These filters utilize pattern matching techniques to analyze incoming or outgoing packets by comparing them to a database of known attacks. The analysis engine within WatchTower can "learn" of new attacks by analyzing system changes that are affected by particular packet signatures. This makes WatchTower the definitive Intrusion Detection System that offers the industry's first IDS with Artificial Intelligence (AI).

How will WatchTower defend itself against new vulnerabilities?
As new vulnerabilities are discovered by the AI engine, WatchTower will dynamically update its signature database based on how the remote operating system reacts to the new attack. If certain patterns are met that WatchTower understands as malicious traffic, the IDS will immediately kill the connection and flag this traffic for future analysis.

The Fate R&D Division is constantly identifying new attacks and creating signatures based on these discovered vulnerabilities for use within the WatchTower IDS. There is an option to have WatchTower automatically update itself through the Dynamics Download function, which allows WatchTower to connect to our remote network to grab new attack signatures as they are released. The end user also has the ability to update filters through the main GUI management console, and the option to easily create his or her own signatures in a flat text file, similar to that of the SNORT IDS.

What happens if someone DoS's WatchTower? Will they be free to roam around my network?
No, WatchTower is designed as a "fail-close" application. This means that if WatchTower did happen to be DoS'd, it would shut down the network so that an attacker would be stuck outside on the perimeter, unable to access the protected LAN. You can disable this option if proper countermeasures are in place behind the IDS to handle such an event.

Who is working on this project?
There are currently two main programmers for this project. Markus "fluid" Delves is currently the Event Generator/Network Programmer and Dave "banned-it" Rude II is currently designing and programming the Analysis Engines. Fate Research Labs is constantly building the team responsible for the WatchTower IDS project. Loki is currently working on documentation and the continued development of the Signature database.

How much does it cost?
WatchTower is free for non-commercial use. One can call this an "honour-system" type license, in which we trust that if you are generating revenue off the use of this application, or using it in a commercial environment, you will give proper credit where it is due. Large amounts of time and resources are put into this product; help us to continue supporting it.

Is the source code available?
Should Fate Research Labs decide to pursue funding and start a company to support this product, the source will become available once a customer registers.

Are there any backdoors?
No. That's what we are supposed to say, right? :). WatchTower undergoes extensive penetration testing, in which Fate Labs hackers and researchers attempt all openly available IDS evasion techniques, from malformed packets and TCP reassembly to denial of service attacks, to ensure the stability and security of the product.

What are the requirements for WatchTower?
At present, we have designed WatchTower for optimal performance on BSD and Linux. It was developed on a Redhat 7.1 2.4-2 kernel. You will also require a dialup or static Internet connection. Fate Labs will provide suggested network topology diagrams that best suit multiple types of environments.

Will there be a version for Windows?
We do not currently provide a Windows version of WatchTower. However, we do not see a problem in doing so at a later time. Should any programmers come forward to offer to help with such a task, please email our team.

What systems is WatchTower being tested on?
WatchTower is being designed and tested on FreeBSD 4.3 and Redhat Linux 2.4.2-2.

Would it be OK if I pulled a M$ and ripped the source and sold it?
Should WatchTower be released under a BSD-style license, then that would not be a problem. However, licensing issues are still being worked out.

How do I install it?
RTFM: An installation guide will be released at a later date with the distribution.

Isn't Snort enough? Trying to recreate the wheel?
Actually, yes, we are trying to recreate the wheel, and doing it better! Although Snort is an excellent tool, WatchTower is being designed for optimal use on large-scale networks and is also scalable down to the home, always-on Internet user. WatchTower boasts a much more comprehensive IDS and framework. The most notable difference between WatchTower and SNORT is the Graphical User Interface (GUI) for remote or local management of each IDS sensor. The WatchTower IDS is in essence a distributed IDS because of its multiple sensors. WatchTower was also designed to be managed by the more novice system administrator.

What colours does this WatchTower come in?
Green and Neon Blue. [joke]

When can I expect to see a test demo?
Come see us show it off at Defcon '02.

Where can I find some technical plans for WatchTower?
A page will be designed very soon.

How can I contact the WatchTower team?
You can email us at WatchTower@fatelabs.com.
© Copyright 2001 Fate Research Labs
All United States Federal Copyrights Reserved.