Forgot your password?
typodupeerror
Security Networking

Network Intrusion Detection and Prevention? 264

Posted by Cliff
from the security-assistance-from-code dept.
c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"
This discussion has been archived. No new comments can be posted.

Network Intrusion Detection and Prevention?

Comments Filter:
  • ASL (Score:2, Informative)

    by skarphace (812333)
    I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities.

    You can balance FLOSS and proprietary techs with something like Astaro Security Linux [astaro.com]. They do appliances or standalone software.
  • by jafo (11982) * on Wednesday July 20, 2005 @04:49PM (#13116964) Homepage
    You're already doing bandwidth monitoring right? Graphing with rrdtool or the like? If you aren't you probably should be. It's a great tool for not only current troubleshooting, but also capacity analysis and more. However, I've also found that it's a fantastic tool for detecting successful intrusions. Detecting attempted intrusions tends to produce many false positives, but if you are watching the bandwidth utilization of your systems and networks, it's pretty easy to tell within a few hours that you have some unusual use going on, usually tracked down to a particular machine or network at least.

    So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If use suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulneribilities.

    Sean

    • by Anonymous Coward on Wednesday July 20, 2005 @04:59PM (#13117069)
      A bandwidth graph may help you catch a noisy worm or a script kiddy. It's almost useless against a determined intruder.

      Any good intruder knows to be quiet and spread their attack out over hours or days. Hence they are practically invisible to any sort of bandwidth analysis, until they start downloading larger amounts of your data (at which point it is often too late).
      • by m0rningstar (301842) <cpw@@@silvertyne...com> on Wednesday July 20, 2005 @07:20PM (#13118758) Homepage
        I have to admit that I'm just not a big IDS/IPS fan. FAR too few people have the time (at least in my experience) to use them well. It doesn't matter what the product is.

        What is generally lacking is a policy (which, sadly, security is mostly about) and a concrete idea of what to do when an 'attack' is detected.

        And people then buy an expensive new IDS, or spend time to implement one, or whatever. Think it's exciting for a while. And then I come back 3 months later and it's turned off in the corner.

        And in the meantime people aren't exploiting the information they already have. Not just the bandwidth graphs but firewall logs, system logs, etc. I personally would recommend finding an event correlation system (anyone know of a good open source one?) along the lines of Netforensics or the former Protego and implementing /that/. And then seeing if an IDS is of any additional use.

        IPS -- I haven't had enough personal experience with an in-line IDS to make even a remotely intelligent comment. I like the idea of such a platform but it (as MJR frequently points out) falls foul of being an 'allow everything not specifically denied' platform and thus limited. This is not an outright condemnation, since otherwise you run into best being the enemy of good, but it's something to be considered...
    • by Steeltoe (98226) on Thursday July 21, 2005 @07:22AM (#13122664) Homepage
      While actively monitoring is always preferred, not everybody has the luxury of time to sit in front of the server monitoring every minor detail. Especially on projects for humanitarian organisations you do on your spare time. To be honest, some automation SHOULD be implemented, because a human is simply not a robot and will tire over time. The purpose of computing is exactly that - to alleviate humans of doing boring tasks.

      I set up my scripts so I am emailed ONLY on new activity not seen before. So I find ways to silence minor attacks/alerts which does not interest me in conjunction with finding automatic ways to react on attempts.

      I can recommend this setup:
      • Snort [snort.org] (Network packet sniffer)
        Enough is said about this. Absolutely needed, but useless without intervention. Oinkmaster is nice to use for automatic downloading of new rules.

      • Narc Firewall [knowplace.org]
        Perl script for iptables/ipchains. Fast and easy to set up, however any decent firewall will do. Narc allows for user-customization/hacking, which is a plus for those who wants to learn ipchains/iptables and do more advanced stuff than a GUI can offer. I like to fiddle with the rules myself for outgoing packets, which very few firewalls supports. It's nice to know your computer is not sending out traffic you don't know what is. By blocking everything outgoing by default, I will catch stuff in the logs and adjust the rules when I know what it is (not recommended while in production).

      • BlockIt [teknofx.com] (Perl script for reactive firewalling)
        Blocks hosts temporarily and permanently based on SSH-logs, snort-alerts and firewall-logs. Nice and easy to extend even if you don't know perl, but have patience to test alot. The maintainer is cool about accepting patches. Yes, you need a list of hosts to never block, and yes a dedicated cracker can spoof IP addresses to DOS you. However, I'll deal with that when somebody does just that. It depends how important your service is I guess.

      • Samhain [la-samhna.de] (Rootkit and file change detection)
        I set up Samhain to email me of EVERY change in the root filesystem. However, I run Samhain with the silent option just after every upgrade at night. So upgrades are done automatically and silently without alerting me (Debian Stable - Sarge).

      • chkrootkit [chkrootkit.org] (Another rootkit checker)
        It's in the Debian-tree. Can't hurt to use more than one checker. This one is less spammy than Samhain and checks for other kinds of signatures in the system.


      This might seem much, but I consider it a bare minimum for an install I'm not going to watch over continuously. Running Linux doesn't make you secure, and even with all this, I know I'm still vulnerable to:

      A) Crackers hacking over time. Little by little they may do a portscan and find out enough to do a:

      B) Full-scale successful attack. Reactive firewalls just won't stop it, and then you're cracked.

      C) DOS. Automatic blocking based on IP and DSL-connection is just not enough to stop DOS and DDOS.

      However, with a hardware firewall in front, I feel a bit more secure.. ;*) All emails to root is forwarded to my email-account, cron-jobs and all, and believe me, with the pruning-job done, hardly any email is sent. Days can go without any emails, oh wait, maybe..... *shiver*

      One interesting project is a firewall based on snort: Hogwash [sourceforge.net]. The project is in need of maintainers though. However the idea is cool: To block based on snort-alerts in real-time. This can actually be useful to block intrusions before they can do harm other than DDOSing. I for one will accept the increase in latency if it means my network is that much more secure. I really hope this one will take off one day.
  • by smileyy (11535) <smileyy@gmail.com> on Wednesday July 20, 2005 @04:50PM (#13116976)
    Ask Slashdot: I've been wondering how to do my job. I figure other people out there have jobs too, and know how to do them. Maybe they can share their experiences, or even do my job for me!
    • by Rosco P. Coltrane (209368) on Wednesday July 20, 2005 @05:05PM (#13117117)
      I know you're trying to be funny (or troll, I don't know), but your comment is actually unfair: the entire software engineering world (not just OSS) is built on people sharing competences. Formal education and self-teaching only account for a small part of a computer engineer's know-how.

      Asking Slashdot is as good a way as any to reach a wide audience and get a handful of good advices amongst the hundreds of trolls. All it takes is asking, and you never know what precious tidbit of information you might get.
      • you never know what precious tidbit of information you might get

        Or how long you'll have to sort through the trolls/awful jokes to find it :)
    • Why should each person have to reinvent the wheel?
  • NV ActiveArmor (Score:4, Interesting)

    by AKAImBatman (238306) * <akaimbatman.gmail@com> on Wednesday July 20, 2005 @04:50PM (#13116981) Homepage Journal
    I have no idea if this help or not, but NVidia has a technology called ActiveArmor [nvidia.com] that may be of interest. In a nutshell, it's a Gigabit hardware firewall solution that is built into many inexpesive boards. [asus.com] Supposedly it can be used in both incoming and outgoing directions, allowing you to know immediately if a penetrator attempts to access improper network resources. Here's the schpiel:

    ActiveArmor Firewall supports stateless and stateful inspection, Web-based management, pre-defined security profiles, port block filtering, remote administration, and provides an easy-to-use set-up wizard. In addition, ActiveArmor Firewall has anti-hacking features such as anti-IP-spoofing, anti-sniffing, anti-ARP-cache-poisoning, and anti-DHCP server-important security controls for corporate network environments. In a corporate setting, an end-point firewall (such as a desktop firewall) with anti-hacking capabilities can reduce the internally originated security breaches, and can inhibit desktops from generating unauthorized traffic. The result is improved overall security, with reduced requirements from the IT staff.

    Again, I'm not sure if it's what you're looking for, but it's at least a very interesting product.
    • "anti-DHCP server"

      "Hey, Bob.. maybe it's this new motherboard we put in to the DHCP server that's causing the problems."

      Just wait, it'll take out the DNS server next and maybe a mail server, just to show you who's boss.
  • Ethereal (Score:5, Funny)

    by fsterman (519061) on Wednesday July 20, 2005 @04:51PM (#13116995) Homepage
    As soon as any Ethereal activity occurs I have shell script flash the screen red where a trained monkey pulls out the cat-5 cable.
    • Would that be Ether-Ape? oh....wait....
    • Damn, your monkey is smart. All my monkey does is chew on the cable!
    • Re:Ethereal (Score:3, Interesting)

      by RedPhoenix (124662)
      Actually, during a period of 'heightened awareness' at an organisation I used to work at (ie: A national television program that discussed the organisation at length), we did something like this for real.

      "Ethereal activity" was "a change in any MD5 signature or file-size for any file on the web server"..
      "trained monkey" was a bunch of 24x7 operators (no offence guys.. I'm not making the comparison - just emphasising the distinction)..
      "shell script" and "flash the screen red" were still a shell script, and
  • by Anonymous Coward on Wednesday July 20, 2005 @04:52PM (#13116997)
    An intrusion detection device without anyone responding to it is as silly as a silent burglar alarm that noone responds to. All too often I look back at month old logs and see "hey, that's cool, somone was trying to hack us" (typically some windows hack against our bsd box). Had they succeeded it wouldn't have mattered at all that we had the intrusion detection device.

    The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).

    For real enterprise needs, companies like counterpane [counterpane.com] not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.

    • I get about 1000 probes and somewhere near 50 IDS events a day. Something tells me I won't like what I have to deal with if my firewall/IDS starts telling me about it in emails.

      All of these logs are history. Fortunately I'm running Linux and 99% of these probes and attacks are of little interest and are no threat.

      Now, when you get a tool that will tell me when at attack is about to happen, that's when I want to know about that tool. Especially if it can not only give me advance warning, but warnings appro
    • Using the same analogy, though, you don't necessarily want your burglar alarm calling the cops every time someone tries to open a door on your house that you know is locked, or looks in a window.

      All too often I look back at month old logs and see "hey, that's cool, somone was trying to hack us"

      This is why you need to review your logs on a daily basis, or at the very least keep a monitoring program of some kind open that you check once in a while throughout the day. Ideally you've got someone who's en
    • Well, you can always pipe your firewall log into Festival and make it talk to you...

      tail -f /var/log/messages |festival --tts
    • For real enterprise needs, companies like counterpane not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.

      "real enterprise" doesn't need another log parser tied to an email notification service. It needs insurance. It needs another company to pass the buck to when they get hacked. I'm sure counterpane does a bang up job, but what you're talking about should only take a developer a few months to put together. Then you'd have th
  • My solution (Score:5, Funny)

    by DanThe1Man (46872) on Wednesday July 20, 2005 @04:53PM (#13117007)
    When I find an attacker getting into my company's network I start pulling my hair out and run around screaming "Aww! Aww! The crackers are taking over my network! Aww! Aww!"

    By the way, I just got laid off, does anyone need a Sys Admin?
  • Bro (Score:4, Informative)

    by pythonguyy (880807) on Wednesday July 20, 2005 @04:53PM (#13117008) Homepage
    bro-ids.org [bro-ids.org]
    I'd rave more, but bro is watching me and wants me to get back to real work.
  • There shouldn't be *anything* incoming that you don't already know about. Dedicated firewalls are a great boon to security. There are several linux and BSD based distros that are specifically for this purpose. Corperate environments, or those well heeled, have even more options.

    A true DMZ is also a good thing to have, seperated by another firewall, if you have enough infrastructure to justify an (n)tiered network.

    Firewalls aren't the end-all-be-all, but They do make compromises much less likely.

    As to
  • I recall that there was a patch for snort that was specifically designed to prevent people from breaking into other systems from a compromised honeypot machine. It did some good stuff like replacing NOP-slides with breakpoints etc. I don't have the URL handy, but this might help you with your intrusion prevention...
  • by Compholio (770966) on Wednesday July 20, 2005 @04:55PM (#13117029)
    I think the best way to prevent intrusions is to design a personalized login system (and have the system install updates regularly). Just about everyone uses the same system (username then password), so changing the login program to do something funky is enough to screw up any script. Ex:

    Please enter todays date (MM/DD/YY):
    Please enter your username:
    Please enter a valid email address:
    Please enter your password:

    Just randomize the questions (or have a bunch of questions and randomly ask a few of them) and unless someone is really dedicated to get into your system they're just going to choose another target rather than go after your weird setup.
    • by Rosco P. Coltrane (209368) on Wednesday July 20, 2005 @05:11PM (#13117183)
      changing the login program to do something funky is enough to screw up any script.

      Even simpler: drop the user straight to a working shell. That way, scripts will wait for the "ogin:" and "assword:" strings indefinitely until the connection times out, and legit users won't even have to enter their logins. As for hackers, they'll see the "~$" prompt, won't believe their eyes, will think it's a clever trap or something, and they'll promply disconnect out of paranoid fear :-)
    • You have only telnet services running on your network? Or do you crack all your CIFS, HTTP, SMTP, POP, IMAP, LDAP etc clients and servers to do this?

      Most networks have a variety of protocols running on them, any of which could be an attack vector or used by an attacker once they've compromized your site.
    • Instead of screwing around with the authentication protocols, approach the problem by restricting its use.

      Including a significant delay in any authentication system seriously reduces the effectiveness of bruteforce attacks. The delay is only noticed once by regular users and although it might be a headache for those that forget their passwords, an attacker would have to be very patient.

      Another approach is to limit the number of login attempts per connection.

      Your example may require its users to remember
  • by jim_v2000 (818799) on Wednesday July 20, 2005 @04:55PM (#13117031)
    Obviously Norton Internet Security!

    Norton Internet Security provides a COMPLETE security solution for your machine by promptly blocking all programs on your machine from having any internet access, AT ALL! Buy it today!
    • by jd (1658)
      They're cheap, they're easy to obtain, you don't need expensive upgrades every time a new threat comes out. Just cut the cable and watch the hacking attempts falter.
  • IBM Has You Covered (Score:3, Informative)

    by The Last Gunslinger (827632) on Wednesday July 20, 2005 @04:55PM (#13117032)
    IBM Tivoli Risk Manager provides intrusion detection and automated remediation based on correlated input gathered from numerous sensors in your network. These include network intrusion detection systems (NIDS), host IDS, webserver logs, Windows Event Logs, *nix syslogs, firewall events, SNMP traps, and just about any other device, appliance, or application that writes a log event or generates an SNMP message. The correlation engine at the center is smart enough to take hundreds of thousands of individual input events and display or respond to a handful of meaningful alarms. Read on... http://www-306.ibm.com/software/tivoli/products/ri sk-mgr/ [ibm.com]
  • Astaro http://www.astaro.ca/ [astaro.ca] offers a good all -in-one appliance.
  • Size (Score:5, Insightful)

    by chrome (3506) <chrome@stupen d o u s.net> on Wednesday July 20, 2005 @04:58PM (#13117061) Homepage Journal
    The biggest problem facing anyone looking at implementing an IDS into an existing system is the size of the network.

    If you're doing 500mbit/sec+ of traffic, it requires a somewhat beefy snort box just to process that data let alone do something about anything that looks like an attack.

    Snort CAN do it, it just takes a lot of effort to pair down the ruleset to the point where it can handle your traffic. But, pairing down the ruleset has some drawback ... :)

    Or, if you can segregate your network, that can help a lot too. But unfortunately, a lot of networks suffer from a lack of design and you end up with huge VLANs that span thousands of hosts, and other nightmares.

    IMHO If you're worried about intrusion, start with host security. If you have a huge farm of linux boxes, then great. Use iptables and keep everything up to date. If you MUST have sun boxes, try not to put them on the edge of your network - NAT specific ports via linux NAT firewalls. Same goes for windows machines. Don't bare them to the internet for any reason.

    Have some aggressive ACLs on your border routers. Don't allow SSH into all your machines directly. Use jumphosts. Consider using token based authentication, like SecurID. Consider Kerberos to replace the use of public key auth in your ssh infrastructure.

    once you have that down, putting in an IDS can wait :)
    • by chrome (3506)
      Oh, and as an addendum to this, 99% of ALL the intrusions I see hitting the network right now are SSH dictionary attacks. At the very least, you should get rid of password auth, and go with RSA key auth. Carrying the key around on a USB keychain isn't such a bad idea, though not perfect. It should be considered a temporary solution until you've had time to implement a full blown security policy.
      • We just dumped access via password, forced everyone to work using RSA keys, at the very least, it certainly actually makes people's jobs easier since now they can login without a password if they want :-)
    • by m50d (797211)
      Pairing down the ruleset? Is that, like, grouping the rules into pairs?

      /I know, I know

  • by Rosco P. Coltrane (209368) on Wednesday July 20, 2005 @04:58PM (#13117065)
    what I'd really like is a network intrusion product that not only detects "bad guys" but also automatically retaliates, i.e. deluges said bad guy with ping floods, winnukes (yes I know, it's old), tries to root the bad guy's box and wipe the hard disk, or install backorifice, etc...

    I reckon if the majority of network admins did that, perhaps intruders would think twice about playing that game. Not to mention the feeling of satisfaction when (if) the intruder's box is trashes in real-time before his eyes :-)

    • by Anonymous Coward
      Two words: Address spoofing.

      Bad guys would not need zombies anymore for a DDOS: They would simply "attack" a couple of people like you with a forged source address, and let you do the dirty work. Bad Idea[tm] indeed.
      • Bad guys would not need zombies anymore for a DDOS:

        Sorry, I thought we were talking about network intrusion here: surely someone trying to subvert a service (like getting a working shell account, snooping on a Windows box or perusing an intranet) would need a valid IP to do that. Of course, my nasty piece of imaginary software wouldn't fight back DDOSes or spam, since those are essentially impossible to trace back to the original perpetrator.
        • Sorry, I thought we were talking about network intrusion here: surely someone trying to subvert a service (like getting a working shell account, snooping on a Windows box or perusing an intranet) would need a valid IP to do that.

          Sometimes it's not about you.

          We're not talking about preventing DDOSs against you; we're talking about provoking your system into initiating a DOS on some other unfortunate victim by poking at your watchdog (junkyard dog?) software with packet probes that have forged source addres

    • The intruder is probably hitting you from another box that he hacked somewhere, so all you'd be doing is attacking that poor slob's machine.

      The reason no network admins do what you propose isn't because it's illegal, it's because it's incredibly stupid. :)
    • Why would the intruder care? You make it sound like they are using their own personal box to launch the attack.
    • The Sidewinder firewall software has this capability. It's pretty worthless, to be honest.
    • Portsentry has a hook for running any script when it triggers. This can be as simple as a ping flood, if you have a wide pipe...

      and BTW, it isn't illegal. You are allowed to protect your property, but the problem is collateral damage, which may be illegal.
  • What I mean to say is this. Once you have your standard security suite in place (firewalls, ip-chains, standard configs locked down, etc.), all that is left is to simply monitor the activity logs. That is all that CAN be done, since there will always be new security holes found and exploits created. Having a well planned and documented monitoring process involving going through the log files on a daily/constant basis is the best that you can do. Yes, this is time consuming and arduous redundant process. Th
  • We use... (Score:3, Informative)

    by mengel (13619) <mengel AT users DOT sourceforge DOT net> on Wednesday July 20, 2005 @05:03PM (#13117099) Homepage Journal
    ...a little package called AutoBlocker [indico.cern.ch] which analyzes netflow data in real time, and blocks sites at the border router for a while when they appear to be trying to do bad things.

    Of course, it's needed some tuning so it wouldn' think that things that should be talking to multiple systems in a short time window don't get blocked...

  • intrusion prevention (Score:5, Interesting)

    by uqbar (102695) on Wednesday July 20, 2005 @05:06PM (#13117127)
    Real prevention is a double edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more the time spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.

    Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.
    • by artoo (11319)
      We use Tipping Point, and I was very skeptical at first. After having it at work and using it, I would highly recommend it.

      Service is not as good as it used to be, but still decent. They are going through some growing pains and some adjustments after being purchased by 3 Com, but that was to be expected. Their support is still much better than your average vendor.

      The rules they use are very conservative, and it affects no other protocols other than IP. It will pass these quite happily, and even the IP tra
    • Castle gates (Score:3, Interesting)

      by jd (1658)
      This goes back to a method I've suggested on Slashdot before. Have two firewall/proxy devices in serial. You have one line linking the two together, and one line from each firewall to a single Active NIDS device. Also in parallel is an authentication server.

      In order for traffic to get through the outside interface of the inner firewall OR the inside interface of the outer firewall, there needs to be some sort of authentication or other interaction. It need only happen at the start of sessions, but all of

  • http://sourceforge.net/projects/sentrytools/ [sourceforge.net]

    What more do you need?
  • by anandpur (303114) on Wednesday July 20, 2005 @05:07PM (#13117141)
    No security topic generates more spirited debate than intrusion prevention. Deployed on the edge -- and increasingly, deep inside -- the network, IPSes (intrusion prevention systems) purport to identify and stop attacks before they start based on constantly updated threat profiles. In this Point/Counterpoint, we've pitted Marc Willebeek-LeMair, CTO and Chief Strategy Officer of 3Com's (Profile, Products, Articles) security division, TippingPoint, against Martin Roesch, CTO and founder of Sourcefire (and the inventor of Snort). TippingPoint's Willebeek-LeMair is bullish on the supreme effectiveness of his IPS approach; Sourcefire's Roesch positions IPSes, which his company also sells, as just one component of an integrated network defense system. The clash of these two partisans reveals much about the state of network protection and the rivalry between hardware and software security vendors.

    http://www.infoworld.com/article/05/05/09/19FEipsi ds_1.html [infoworld.com]
  • Juniper IDP (Score:3, Informative)

    by Anonymous Coward on Wednesday July 20, 2005 @05:11PM (#13117181)
    I use a Juniper IDP, and love it. Then again, I have to, since I work there. :)

    Seriously, though, it's a good system - our sigs are for the most part, open-source - you can see how we detect things, and make a copy and twiddle it yourself. Those few that are closed are generally to protect Intellectual Property concerns.

    They're a bit spendy for home use, though. I think the cheapest unit is in the $15-17k range.

    Some things also not covered in the question, but imporant issues to raise, are:

    1. Ease-of-Use vs. Functionality/Features
    2. Performance vs. Security
    3. Completeness/Timeliness of Coverage
    4. Accuracy

    Each IPS vendor has their own angle on these issues, and they're all betting that their angle will be the best - in the end, you as the customer have to decide which of these issues is most important to you, and then find the corresponding vendor.

    Juniper has dominant market share, but there are things that other companies do better, but generally at the cost of something we do better at - it's a real mixed bag. See RFC-1925, Section 2, Paragraph 7a for details on this concept.

    Juniper IDP is focused on delivering current, feature-rich, accurate detection, generally at the expense of speed and simplicity. Don't get me wrong, though, we're not slugs - our high-end products are currently pushing 2 gig (which in some environments is fast enough). If you want a cheap, 10-gig box with a single "Secure Me" panic button and a single "You Got Owned" idiot light, we're not for you.

  • Where to start? (Score:3, Interesting)

    by mysfitt (704313) on Wednesday July 20, 2005 @05:13PM (#13117196)
    I'm an IDS engineer by trade and I could go on for days about this topic. Yes, snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature based IDSes available. The user community behind it is very strong and produces some great sigs, usually same day as the vulnerability is announced. But the downside is no protection against 0 day attacks. Therefore you have to have some behavioral systems in place as well. Problem with those is tuning out the false positives can be very difficult and time-consuming. Add a Honey pot/IPS with blocking capabilities like activescout [forescout.com] to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.
    • One of the biggest strengths of Snort is also its biggest weakness - the "User Community". Literally anyone and their mom can write a sig for Snort and submit it. Are you going to vet every sig they write? If you could, why not just do it yourself then?

      Or do you wait a few days until they've been vetted by the "regulars" and the signature is stable? Well by then you've lost your 'same day sig' advantage.

      People who know enough to make their own IPS' from scratch generally already have a clue about netw
  • Nessus (Score:3, Informative)

    by MattW (97290) <matt@ender.com> on Wednesday July 20, 2005 @05:15PM (#13117216) Homepage
    Snort isn't designed as a vulnerability scanner; Nessus is [nessus.org]. And don't forget than nmap [insecure.org] is pretty useful in the hands of someone who knows what they're doing.

    As far as "intrusion prevention", there's not a "tool" that does that. You can firewall off unwanted and unneeded traffic; you still need to patch your public services. If you run public services, someone should be responsible for making certain everything you run is up to date and no unpatched vulnerabilities are public (and if the latter is the case, find a workaround or preventative measure until a real patch is out).
    • You need to develop a strategy that includes network monitoring, penetration testing, and watching the security lists or sites.

      For a network monitor, Nagios (http://www.nagios.org/ [nagios.org] is popular, but I like Mon (http://www.kernel.org/pub/software/admin/mon [kernel.org]), because of its simplicity.

      Once you start watching, you realize that you get attacked so much that you quickly scale back the sensitivity. In the end, the monitor becomes a forensics tool, or a way of verifying that it's not an attack that's causing what
  • Modern "Firewalls" (Score:5, Informative)

    by Moosifer (168884) on Wednesday July 20, 2005 @05:35PM (#13117457)
    Have you had a look at any commercial firewall products lately (SonicWALL, Juniper/Netscreen, Cisco, Fortinet)? The past year has brought about the evolution of yesterday's packet filtering, stateful packet inspection, limited application layer gateways into full-blown "deep packet inspection unified threat management" devices (as the industry prefers to call them now). It's not really accurate to refer to them as firewalls anymore.

    These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the the content they can scan.

    The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.
  • I've seen a bunch (Score:3, Informative)

    by TheCabal (215908) on Wednesday July 20, 2005 @05:35PM (#13117459) Journal
    I'm a big fan of Snort, but it's really not good for the enterprise, especially at the core. It's a decent backup or sensor on the cheap near the edge. Multple sensor management and speed really limits Snort's usefulness.

    I've seen plenty of appliances out there. Some of your options depends on what kind of equipment you're already running. As far as "best choice", you really should factor in what you already have- if you have Cisco modular equipment at your core or distribution layer, maybe going with the Cisco IDS blade will make more sense than getting a Proventia. Do you have Juniper firewalls? They make an IDS blade that fits in their ISG series.

    That being said, I've worked with Cisco IDS and SecureAgent. SA's a real beast- you can expect to spend a long time getting up to speed with it. I've had problems managing the blades themselves- they're basically little RedHat boxes on a blad that plugs into the backplane. CiscoWorks makes it relatively easy to manage but I had a *lot* of problems pushing updates and management info to them, and configuring your modular chassis with the right VLAN stuff can be a bitch unless you're good with Cisco equipment. One issue I hope they fixed was that their email notification sucked and they had to provide a PERL script to generate a useful email alert.

    I like Juniper's IDP stuff. Their appliances come with cobber and fibre cards and are a snap to set up. You can set them in in pass-through mode and place them inline between your routers and switches, or just mirror/tap the trunk port. In inline mode you get the ablity to send hard RSTs to both endpoints of an attack. The management software is pretty intuitive and the dashboard give you a very good "at a glance" view. They top out at about 500Mbps/sec so if you're pushing great gobs of data, they might not be sufficient.

    I've played around a bit with ISS' Proventia stuff- their appliances are OK, and I think their desktop stuff needs one more development cycle to be good. SiteProtector is decent, but it too needs a little more development in the UI area. The desktop agents are a lot easier to manage than Cisco's SecureAgent.
  • by rumblies (621305) on Wednesday July 20, 2005 @05:35PM (#13117460)
    "...however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions."

    Clearly, you don't pay much attention to the glossy ads in Infoworld and CIO magazine. FUD marketing out the wazoo for exactly these types of devices.

    This is actually a very hard problem to solve. I've written quite a bit on the subject, but I'll attempt to provide a few quick helpful points.

    If you have some form of perimeter security, it becomes easier, but still very resource-intensive (both technology resources and human resources). I'm assuming that you're not at a university, or some other type of organization that has a wide open network, because if you were, you wouldn't care.

    For a good list of fun tools, look here:
    http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools. html [stanford.edu]

    But beyond the rinky-dink stuff, at the most basic level, you want to make two choices right up front:
    How important is the real-time interdiction to you?
    Do you want signature-based tools, anomaly-based tools, or both?

    If you would be content with a good system that doesn't have the ability to mitigate threats in real-time, then that widens your possible solution space quite a bit. In this area, you definitely get what you pay for. FOSS tools that have this capability are way behind commercial tools in ease of maintenance, configuration, and how many types of attacks they work against. So that requirement limits your options considerably.

    A similar situation exists when we look at the detection method, signature vs. anomaly. Signature-based systems are a dime a dozen, but they don't cover the really dangerous stuff. Anomaly-based systems are somewhat more useful against the scarier threats, but no FOSS solution comes anywhere close to the commercial offerings. If you choose a FOSS alternative for an anomaly-based IDS/IPS, you will spend so much effort tuning and maintaining that you won't have any time left to respond to issues, and you will still not get adequate results.

    I should point out that you have also limited yourself by considering only NIDS/IPS systems. The proper bundle of technologies and tools could give you the real intelligence that you need, whether or not it included NIDS/IPS. Other classes of tools, like SIMS, accounting systems, or deception environments have their uses too.

    There are plenty of other aspects to consider, but that would take pages to discuss. All of this could be moot depending on your traffic loads, user demographics, platform constituency, infrastructure design, org chart, geographic distribution, existing IT policies, etc. etc. etc. There's just no universal solution.

  • by Walker (96239) on Wednesday July 20, 2005 @05:37PM (#13117487)

    A lot of people are trying to come up with data mining tools for intrusion detection. Just check out all the forward links to this paper from citeseer [psu.edu]. The problem is that they are currently reliable as bad motion detectors ... too many false positives. Which makes them useless.

  • I work for a security firm that resells just about everything under the sun, and the two I like the best are McAfee's IntruShield and Juniper's IDP.

    Both have a fairly intuitive interface, but I like Juniper's interface better. The juniper interface works like a firewall, where you create policies linked to attacks, and choose whether or not to allow them to pass. Updates come out weekly or whenever something major comes out. However, their interface is not web based, so you need to run a client on eithe
    • I'll second this... I love the interface for Juniper's IDP. It's Java based, but its *extremely* easy to manage buttloads of sensors. The sensors themselves are a snap to set up and get running- I deployed half a dozen in about an hour. We were looking at the ISG blades but the price quoted for us was staggering, even for this place.

      ISS' stuff... eek. Maybe in a few months after they've gone through another development cycle. I just finished an eval of their stuff and their pre-sales team walked away with
  • ... how does your network react to those intrusions?

    but my network immediately electrocutes the intruder.
  • Here is a solution that I've seen around:

    Script monitors ports, ips, etc and baselines their activity. If the threshold for activity is exceeded the port,ip is blocked and an email is sent with an unblock link for the admin. Merging an IDS log into a script like that should be straight forward.
    • I implemented something like this at my home network, but its a dangerous approach to use professionally unless you are sure that it couldn't be used to create a DOS attack. For example, if I spoofed traffic from a bunch of IPs, the system might start denying the spoofed IPs access...
  • AirSnare [comcast.net] is a useful tool for detecting "unfriendly" MAC addresses (any MAC addresses that you have not specified as "friendly").

    It can be set to email the admin in cases of unauthorized access, and it works in conjunction with Ethereal and AirHorn as well.

    Oh, and it's free (as in beer).
  • Defense In Depth (Score:2, Informative)

    by incognitox (123292)
    This probably wraps up what various people have said in other ways, but I'll say it again. (and I'm being general on purpose -- I'm not trying to make specific reccomendations). The real answer here is a Defense In Depth Security policy.

    To truly protect your system(s), you need to do many different things, including keeping the system updated, educating users, using a NAT, installing an IDS, and much more. That said, an IDS is probably one of the last things you should worry about: get your "basics"
  • by martyroesch (589524) on Wednesday July 20, 2005 @08:23PM (#13119309) Homepage
    Hi there, original author of Snort here.

    Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project [sourceforge.net] which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.

    Sourcefire [sourcefire.com] (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.

  • QRadar (Score:2, Informative)

    by QRick (901435)
    Check out Q1Labs [q1labs.com]. (Disclaimer: I'm an employee)

The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it. -- E. Hubbard

Working...