Network Intrusion Detection and Prevention?
c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary. Snort appears an obvious open source solution for intrusion detection, but many users may find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network, and how does your network react to those intrusions?"
NV ActiveArmor (Score:4, Interesting)
ActiveArmor Firewall supports stateless and stateful inspection, Web-based management, pre-defined security profiles, port block filtering, remote administration, and provides an easy-to-use set-up wizard. In addition, ActiveArmor Firewall has anti-hacking features such as anti-IP-spoofing, anti-sniffing, anti-ARP-cache-poisoning, and anti-DHCP server, important security controls for corporate network environments. In a corporate setting, an end-point firewall (such as a desktop firewall) with anti-hacking capabilities can reduce the internally originated security breaches, and can inhibit desktops from generating unauthorized traffic. The result is improved overall security, with reduced requirements from the IT staff.
Again, I'm not sure if it's what you're looking for, but it's at least a very interesting product.
Personalized Login System (Score:3, Interesting)
Please enter today's date (MM/DD/YY):
Please enter your username:
Please enter a valid email address:
Please enter your password:
Just randomize the questions (or have a bunch of questions and randomly ask a few of them) and unless someone is really dedicated to get into your system they're just going to choose another target rather than go after your weird setup.
intrusion prevention (Score:5, Interesting)
Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.
Re:Ethereal (Score:3, Interesting)
"Ethereal activity" was "a change in any MD5 signature or file-size for any file on the web server"..
"trained monkey" was a bunch of 24x7 operators (no offence guys.. I'm not making the comparison - just emphasising the distinction)..
"shell script" and "flash the screen red" were still a shell script, and a red flashing screen..
Red.
Re:Snort-Inline+IPTables+Scripts = Decent IPS (Score:2, Interesting)
So any attack shown as coming from your upstream provider is going to be passed through, isn't it?
Of course, that very same rule (don't stop your upstream provider) is valid for whatever other "valuable" connections you may have opened (you don't want your IDS to be fooled into dropping connections to your e-commerce database server, do you?).
But then, if any "higher privilege" connection is to be opened, the probability is that it will be against some of those "high profile" servers (it makes no sense to allow, say, wide access from a random IP to your MS SQL Server, ha!, but it does from your management console, and then you won't want your IDS to block connections from your management console just because the bad guys threw some IP-spoofed packets, will you?), and if they ever spoof a connection, chances are it will look as if it is coming from one of those IPs.
Dynamic firewall ruling as an attack response is a terribly dumb choice in most circumstances; still, it has everything needed to be accepted by PHBs when shown on glossy paper on ultrabuzzy products like UltraFireBlade MegaDynSec Pro and such.
Quite a pity.
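The spoofing problem raised in this thread, as an added example that is not part of any post here: a hypothetical alert-to-block responder that refuses to write dynamic firewall rules against a "never block" list (upstream gateway, database server, management console). All addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed "valuable" peers that an IDS-driven blocker must never cut off,
# because a spoofed source address could otherwise trigger a self-inflicted outage.
PROTECTED = [
    ipaddress.ip_network("203.0.113.1/32"),  # constructed: upstream provider gateway
    ipaddress.ip_network("10.0.5.0/24"),     # constructed: e-commerce database segment
    ipaddress.ip_network("10.0.9.10/32"),    # constructed: management console
]


@dataclass
class Responder:
    """Turns IDS alerts into block decisions, honouring the protected list."""
    blocked: set = field(default_factory=set)
    skipped: list = field(default_factory=list)   # alerts left for a human to review

    def handle_alert(self, src_ip: str, signature: str) -> str:
        """Return the action for one alert: 'block', 'already' or 'skip'."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in PROTECTED):
            # Possibly spoofed; record it, do not touch the firewall.
            self.skipped.append((src_ip, signature))
            return "skip"
        if src_ip in self.blocked:
            return "already"
        self.blocked.add(src_ip)
        return "block"


def run_sample() -> Responder:
    """Feed a constructed alert stream through the responder."""
    alerts = [
        ("198.51.100.7", "SCAN nmap TCP"),       # random outside host: block
        ("203.0.113.1", "SCAN nmap TCP"),        # looks like upstream: skip
        ("10.0.9.10", "SQL probe"),              # looks like mgmt console: skip
        ("198.51.100.7", "SCAN nmap TCP"),       # repeat: already blocked
    ]
    r = Responder()
    for src, sig in alerts:
        r.handle_alert(src, sig)
    return r
```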
Castle gates (Score:3, Interesting)
In order for traffic to get through the outside interface of the inner firewall OR the inside interface of the outer firewall, there needs to be some sort of authentication or other interaction. It need only happen at the start of sessions, but all of this assumes there is something there.
All firewalls, on the interface pointing to the middle section, default to blocking ALL traffic from ALL IP addresses, other than that of the authentication server and NIDS device, although NEITHER server can reach other networks - they may only talk to the firewalls.
Once a stream authenticates with the authentication server, the authentication server notifies the firewall to allow that IP/port combination and ALSO notifies the NIDS that it is to stop monitoring that IP/port combination.
In the event of the NIDS detecting ANY actual conversation between two machines that is NOT on its list of authorized connections AND is not an authorization request, it can know that it is an intrusion involving the compromise of one of the firewalls. It then notifies the OTHER firewall to shut down that conversation.
Because the NIDS isn't in-line, there is no latency once the conversation has been approved. Because there is an enforced delay at the start, the NIDS has time to verify that the connection is not an intrusion attempt.
What if someone tries to compromise the authentication server? Well, then it is an unauthorized conversation that is not an authentication request, so will get blocked.
What if someone tries to compromise the NIDS server? Well, because the NIDS server needs to only talk to the two firewalls and the authentication server, AND because communication is going to be very limited, you can use strong encryption and digital certificates to ensure nobody else can connect to the NIDS system. Everything else can be harvested by passive monitoring.
Is this fool-proof? Probably not, fools are just so ingenious. On the other hand, it would probably be good enough to block the bulk of scans, firewall exploits and other such stuff. Breaking one firewall would not be enough, and by the time you detected the other, you'd be locked out.
This kind of portcullis arrangement is not going to be perfect, but is going to be a lot better than having a single firewall and a copy of Snort running.
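The decision logic of the portcullis NIDS described above, as an added example that is not from the post: a passive monitor that exempts authentication requests, ignores flows the authentication server has approved, and orders the firewall on the far side of the middle network to drop anything else. Addresses, ports and the "inbound"/"outbound" direction flag are assumptions.

```python
from dataclasses import dataclass, field

Flow = tuple  # (src_ip, dst_ip, dst_port)


@dataclass
class PortcullisNIDS:
    auth_server: str
    auth_port: int
    authorized: set = field(default_factory=set)    # flows the auth server approved
    block_orders: list = field(default_factory=list)  # (firewall, flow) sent out

    def authorize(self, src: str, dst: str, dport: int) -> None:
        """Auth server reports a stream authenticated: stop monitoring it."""
        self.authorized.add((src, dst, dport))

    def observe(self, src: str, dst: str, dport: int, direction: str) -> str:
        """Classify one conversation seen on the middle network.
        direction is 'inbound' (entered via the outer firewall) or 'outbound'."""
        if dst == self.auth_server and dport == self.auth_port:
            return "auth-request"          # the only unauthenticated traffic allowed
        if (src, dst, dport) in self.authorized:
            return "approved"              # already vetted, no latency added
        # Anything else means a firewall let through an unapproved flow;
        # tell the OTHER firewall to shut it down.
        other = "inner" if direction == "inbound" else "outer"
        self.block_orders.append((other, (src, dst, dport)))
        return f"intrusion: block on {other}"


def run_sample() -> PortcullisNIDS:
    """Constructed traffic: one auth request, one approved flow, one rogue flow."""
    nids = PortcullisNIDS(auth_server="192.0.2.5", auth_port=8443)
    nids.observe("198.51.100.20", "192.0.2.5", 8443, "inbound")   # auth request
    nids.authorize("198.51.100.20", "10.0.1.8", 443)              # auth server OKs it
    nids.observe("198.51.100.20", "10.0.1.8", 443, "inbound")     # approved
    nids.observe("198.51.100.66", "10.0.1.8", 22, "inbound")      # never authorized
    nids.observe("10.0.1.8", "198.51.100.66", 4444, "outbound")   # unexpected reply
    return nids
```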