What is WatchTower?
WatchTower is an advanced Network Intrusion Detection System (NIDS) based on the CIDF
(Common Intrusion Detection Framework) model. The WatchTower project
boasts a complete Intrusion Detection System suite, consisting of both sensors and a master management console.
The sensors keep the management console updated by pushing event data, based on pattern matching and anomalies
detected on the network, to the WatchTower Server, alerting the system administrator to active attacks or network
abuse.
The WatchTower IDS Suite offers complete management and scalability to the end user. This robust Intrusion Detection
System can maintain real-time packet analysis while ensuring wire-speed functionality, offering no degradation in speed as
traffic speeds increase.
What is a NIDS?
NIDS stands for Network Intrusion Detection System. A NIDS is a system that monitors all traffic on a
network, looking for hacking attempts, denial-of-service (DoS) attacks and anything else the network administrator deems network misuse or abuse.
What can WatchTower do for me?
WatchTower offers complete network perimeter defense. It provides full packet analysis at wire speed, offering not only
passive intrusion detection, but also proactive capabilities able to drop active sessions that are flagged as malicious traffic.
How does WatchTower detect attacks?
WatchTower includes a comprehensive list of built-in "filters". These filters use pattern matching techniques
to analyze incoming or outgoing packets by comparing them to a database of known attacks. The analysis engine within
WatchTower can "learn" about new attacks by analyzing system changes caused by particular packet signatures.
This makes WatchTower the definitive Intrusion Detection System, offering the industry's first IDS with Artificial
Intelligence (AI).
How will WatchTower defend itself against new vulnerabilities?
As new vulnerabilities are discovered by the AI engine, WatchTower will dynamically update its signature
database based on how the remote operating system reacts to the new attack. If certain patterns are met that
WatchTower understands as malicious traffic, the IDS will immediately kill the connection and flag
this traffic for future analysis.
The Fate R&D Division is constantly identifying new attacks and creating signatures based on these discovered
vulnerabilities for use within the WatchTower IDS. There is an option to have WatchTower update itself automatically
through the Dynamics Download function, which allows WatchTower to connect to our remote network to grab new
attack signatures as they are released. The end user can also update filters through the main GUI
management console, and can easily create his or her own signatures in a flat text
file, similar to that of the SNORT IDS.
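The filter mechanism described above (pattern-matching signatures kept in a flat text file similar to Snort's), as an added example that is not WatchTower's own code: a small Python engine that parses a constructed Snort-style rule file and runs it over constructed packets, returning one alert per (rule, packet) hit. The rule grammar (header plus `msg`, `content`, `nocase`, `dsize` and `sid` options, with Snort's `|hex|` notation inside `content`), the `Packet` fields, and every address, port and payload below are assumptions made for illustration, since the page does not publish WatchTower's actual signature format.

```python
"""Minimal Snort-style signature engine: flat-text rules matched against packets (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule set. The grammar is a simplified Snort-like format (an assumption;
# WatchTower's real format is not published on the page).
RULES_TEXT = """
# Directory traversal pattern aimed at a web server
alert tcp any any -> any 80 (msg:"WEB directory traversal"; content:"../"; sid:1001;)
# Case-insensitive match on an FTP command the admin wants flagged
alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; nocase; sid:1002;)
# Oversized ICMP payload, a classic DoS / covert-channel indicator
alert icmp any any -> any any (msg:"ICMP oversized payload"; dsize:>1000; sid:1003;)
# Binary content written in Snort's |hex| notation
alert tcp any any -> any any (msg:"x86 NOP sled"; content:"|90 90 90 90 90 90 90 90|"; sid:1004;)
"""


@dataclass
class Packet:                      # decoded packet as the sensor would hand it to the engine
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    contents: List[Tuple[bytes, bool]]   # (pattern, nocase)
    dsize_min: Optional[int] = None      # from "dsize:>N"


HEADER = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def _decode_content(text: str) -> bytes:
    """Expand a content string into bytes; odd-numbered segments between '|' are hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line: str) -> Rule:
    """Parse one rule line. Options are split on ';' (so ';' inside content is unsupported here)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("bad rule: " + line)
    proto, src, sport, dst, dport, opts = m.groups()
    contents, sid, msg, dsize_min = [], 0, "", None
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            contents.append([_decode_content(val), False])
        elif key == "nocase" and contents:      # modifies the preceding content, as in Snort
            contents[-1][1] = True
        elif key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
        elif key == "dsize" and val.startswith(">"):
            dsize_min = int(val[1:])
    return Rule(proto.lower(), src, sport, dst, dport, sid, msg,
                [tuple(c) for c in contents], dsize_min)


def load_rules(text: str) -> List[Rule]:
    """Load a flat-text rule file, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def _port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a Snort-style range 'lo:hi' (either bound optional)."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if sep:
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first (cheap), then dsize, then every content pattern must be present."""
    if rule.proto != pkt.proto.lower():
        return False
    if not (_addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport)):
        return False
    if rule.dsize_min is not None and len(pkt.payload) <= rule.dsize_min:
        return False
    for pattern, nocase in rule.contents:
        hay = pkt.payload.lower() if nocase else pkt.payload
        needle = pattern.lower() if nocase else pattern
        if needle not in hay:
            return False
    return True


def scan(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str, str, str]]:
    """Return (sid, msg, src, dst) for every rule that fires on every packet, in packet order."""
    return [(r.sid, r.msg, p.src, p.dst) for p in packets for r in rules if rule_matches(r, p)]


RULES = load_rules(RULES_TEXT)

# Constructed sample traffic: three benign-looking packets and three that should fire a rule.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 40211, "192.168.1.10", 80, b"GET /../../secret HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 40212, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.7", 40300, "192.168.1.21", 21, b"site exec test\r\n"),
    Packet("icmp", "10.0.0.9", 0, "192.168.1.1", 0, b"A" * 1400),
    Packet("icmp", "10.0.0.9", 0, "192.168.1.1", 0, b"ping"),
    Packet("tcp", "10.0.0.11", 51000, "192.168.1.30", 8080, b"\x90" * 32 + b"data"),
]


def demo() -> List[Tuple[int, str, str, str]]:
    """Run the constructed rule set over the constructed packets."""
    return scan(RULES, SAMPLE_PACKETS)


if __name__ == "__main__":
    for sid, msg, src, dst in demo():
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

Each content pattern is a plain substring search, which is what makes a signature file easy to write by hand and also why evasion techniques such as fragmentation and TCP segmentation matter: a sensor has to reassemble the stream before matching, or the pattern never appears in a single packet.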
What happens if someone DoSes WatchTower? Will they be free to roam around my network?
No, WatchTower is designed as a "fail-close" application. This means that if WatchTower did
happen to be DoS'd, it would shut down the network so that an attacker would be
stuck outside on the perimeter, unable to access the protected LAN. You will be able to disable this option
should there be proper countermeasures in place behind the IDS to handle such an event.
Who is working on this project?
There are currently two main programmers for this project. Markus "fluid" Delves
is currently the Event Generator/Network Programmer and Dave "banned-it"
Rude II is currently designing and programming the Analysis Engines. Fate Research Labs is constantly
building the team responsible for the WatchTower IDS project. Loki is currently working on documentation
and the continued development of the signature database.
How much does it cost?
WatchTower is free for non-commercial use. One can call this an "honour-system" type license, in which we trust
that if you are generating revenue from the use of this application, or using it in a commercial environment, you
will give proper credit where it is due. Large amounts of time and resources are put into this product; help us to
continue supporting it.
Is the source code available?
Should Fate Research Labs decide to pursue funding and start a company to support this product, the source will
become available once a customer registers.
Are there any backdoors?
No. That's what we are supposed to say, right? :). WatchTower undergoes comprehensive penetration testing,
in which Fate Labs hackers and researchers attempt all openly available IDS evasion techniques, from malformed packets and TCP
reassembly to denial of service attacks, to ensure the stability and security of the product.
What are the requirements for WatchTower?
At present, we have designed WatchTower for optimal performance on BSD and Linux. It was developed on Red Hat 7.1 with a
2.4-2 kernel. You will also require a dial-up or static Internet connection. Fate Labs will provide suggested network
topology diagrams that best suit multiple types of environments.
Will there be a version for Windows?
We do not currently provide a Windows version of WatchTower. However, we do not see a problem in doing so at a later
time. Should any programmers come forward to offer help with such a task, please email our team.
What systems is WatchTower being tested on?
WatchTower is being designed and tested on FreeBSD 4.3 and Red Hat Linux 2.4.2-2.
Would it be OK if I pulled an M$ and ripped the source and sold it?
Should WatchTower be released under a BSD-style license, then that would not be a problem. However, licensing issues are
still being worked out.
How do I install it?
RTFM: An installation guide will be released at a later date with the distribution.
Isn't Snort enough? Trying to recreate the wheel?
Actually, yes, we are trying to recreate the wheel, and doing it better! Although Snort is an
excellent tool, WatchTower is being designed for optimal use on large-scale networks
and is also scalable down to the home, always-on Internet user. WatchTower boasts a much more
comprehensive IDS and framework. The most notable difference between WatchTower and SNORT is
the Graphical User Interface (GUI) for remote or local management of each IDS sensor. The WatchTower
IDS is in essence a distributed IDS because of its multiple sensors. WatchTower was also designed
to be manageable by the more novice system admin.
What colours does this WatchTower come in?
Green and Neon Blue. [joke]
When can I expect to see a test demo?
Come see us show it off at Defcon '02.
Where can I find some technical plans for WatchTower?
A page will be designed very soon.
How can I contact the WatchTower team?
You can email us at WatchTower@fatelabs.com.