Slashdot Mirror


Network Intrusion Detection and Prevention?

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary -- Snort appears to be an obvious open source solution for intrusion detection, but many users may find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"

8 of 264 comments

  1. Don't underestimate just paying attention. by jafo · · Score: 4, Informative
    You're already doing bandwidth monitoring right? Graphing with rrdtool or the like? If you aren't you probably should be. It's a great tool for not only current troubleshooting, but also capacity analysis and more. However, I've also found that it's a fantastic tool for detecting successful intrusions. Detecting attempted intrusions tends to produce many false positives, but if you are watching the bandwidth utilization of your systems and networks, it's pretty easy to tell within a few hours that you have some unusual use going on, usually tracked down to a particular machine or network at least.

    So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If use suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulnerabilities.

    Sean
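The ranking approach above (rank each host by its 95th-percentile utilisation and look at whoever climbs the table) as an added example, not code from the post or from rrdtool; the per-host samples are constructed to stand in for values you would pull with `rrdtool fetch`, and the nearest-rank percentile and the three-place climb threshold are assumptions:

```python
"""Rank-shift detection over per-host bandwidth samples (added example)."""
from __future__ import annotations

import math


def percentile_95(samples: list[float]) -> float:
    """95th percentile by the nearest-rank method (assumption; rrdtool can
    compute this with a PERCENT VDEF, but the input here is a plain list)."""
    if not samples:
        return 0.0
    ordered = sorted(samples)
    idx = math.ceil(0.95 * len(ordered)) - 1
    return ordered[idx]


def rank_hosts(utilisation: dict[str, list[float]]) -> dict[str, int]:
    """Rank hosts 1..N by descending 95th-percentile throughput."""
    p95 = {host: percentile_95(vals) for host, vals in utilisation.items()}
    ordered = sorted(p95, key=lambda h: p95[h], reverse=True)
    return {host: pos + 1 for pos, host in enumerate(ordered)}


def rank_jumps(previous: dict[str, int], current: dict[str, int],
               min_climb: int = 3) -> list[tuple[str, int, int]]:
    """Return (host, old_rank, new_rank) for hosts that climbed at least
    `min_climb` places; a host with no previous rank counts as last."""
    worst = len(current) + 1
    jumps = []
    for host, new in current.items():
        old = previous.get(host, worst)
        if old - new >= min_climb:
            jumps.append((host, old, new))
    return sorted(jumps, key=lambda t: t[2])


# Constructed kbit/s samples, 20 per host per day, as if fetched from rrdtool.
YESTERDAY = {
    "mail":    [700] * 18 + [790, 800],
    "www":     [550] * 18 + [590, 600],
    "nfs":     [400] * 18 + [480, 500],
    "desk-12": [30] * 18 + [45, 50],
    "desk-27": [20] * 18 + [35, 40],
}
# Today a desktop suddenly pushes traffic like a server (the open-proxy pattern).
TODAY = dict(YESTERDAY, **{"desk-27": [20] * 4 + [850] * 14 + [900, 900]})

if __name__ == "__main__":
    for host, old, new in rank_jumps(rank_hosts(YESTERDAY), rank_hosts(TODAY)):
        print(f"{host}: rank {old} -> {new}, worth a look")
```

A quiet host that leaps past the servers in one day is exactly the signal the post describes, and it needs no signatures to catch.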

  2. My complaint about intrusion detection devices. by Anonymous Coward · · Score: 5, Informative
    An intrusion detection device without anyone responding to it is as silly as a silent burglar alarm that no one responds to. All too often I look back at month-old logs and see "hey, that's cool, someone was trying to hack us" (typically some Windows hack against our BSD box). Had they succeeded it wouldn't have mattered at all that we had the intrusion detection device.

    The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone calls, etc.).

    For real enterprise needs, companies like Counterpane not only install the intrusion detection devices, but also offer services that monitor them, just like the physical alarm companies do.

  3. Bro by pythonguyy · · Score: 4, Informative

    bro-ids.org
    I'd rave more, but bro is watching me and wants me to get back to real work.

  4. IBM Has You Covered by The+Last+Gunslinger · · Score: 3, Informative

    IBM Tivoli Risk Manager provides intrusion detection and automated remediation based on correlated input gathered from numerous sensors in your network. These include network intrusion detection systems (NIDS), host IDS, webserver logs, Windows Event Logs, *nix syslogs, firewall events, SNMP traps, and just about any other device, appliance, or application that writes a log event or generates an SNMP message. The correlation engine at the center is smart enough to take hundreds of thousands of individual input events and display or respond to a handful of meaningful alarms. Read on... http://www-306.ibm.com/software/tivoli/products/risk-mgr/

  5. Juniper IDP by Anonymous Coward · · Score: 3, Informative

    I use a Juniper IDP, and love it. Then again, I have to, since I work there. :)

    Seriously, though, it's a good system - our sigs are, for the most part, open-source - you can see how we detect things, and make a copy and twiddle it yourself. Those few that are closed are generally to protect Intellectual Property concerns.

    They're a bit spendy for home use, though. I think the cheapest unit is in the $15-17k range.

    Some things also not covered in the question, but important issues to raise, are:

    1. Ease-of-Use vs. Functionality/Features
    2. Performance vs. Security
    3. Completeness/Timeliness of Coverage
    4. Accuracy

    Each IPS vendor has their own angle on these issues, and they're all betting that their angle will be the best - in the end, you as the customer have to decide which of these issues is most important to you, and then find the corresponding vendor.

    Juniper has dominant market share, but there are things that other companies do better, but generally at the cost of something we do better at - it's a real mixed bag. See RFC-1925, Section 2, Paragraph 7a for details on this concept.

    Juniper IDP is focused on delivering current, feature-rich, accurate detection, generally at the expense of speed and simplicity. Don't get me wrong, though, we're not slugs - our high-end products are currently pushing 2 gig (which in some environments is fast enough). If you want a cheap, 10-gig box with a single "Secure Me" panic button and a single "You Got Owned" idiot light, we're not for you.

  6. Modern "Firewalls" by Moosifer · · Score: 4, Informative

    Have you had a look at any commercial firewall products lately (SonicWALL, Juniper/Netscreen, Cisco, Fortinet)? The past year has brought about the evolution of yesterday's packet filtering, stateful packet inspection, limited application layer gateways into full-blown "deep packet inspection unified threat management" devices (as the industry prefers to call them now). It's not really accurate to refer to them as firewalls anymore.

    These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the content they can scan.

    The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.

  7. No quick, easy answer by rumblies · · Score: 3, Informative
    "...however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions."

    Clearly, you don't pay much attention to the glossy ads in Infoworld and CIO magazine. FUD marketing out the wazoo for exactly these types of devices.

    This is actually a very hard problem to solve. I've written quite a bit on the subject, but I'll attempt to provide a few quick helpful points.

    If you have some form of perimeter security, it becomes easier, but still very resource-intensive (both technology resources and human resources). I'm assuming that you're not at a university, or some other type of organization that has a wide open network, because if you were, you wouldn't care.

    For a good list of fun tools, look here:
    http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

    But beyond the rinky-dink stuff, at the most basic level, you want to make two choices right up front:
    How important is the real-time interdiction to you?
    Do you want signature-based tools, anomaly-based tools, or both?

    If you would be content with a good system that doesn't have the ability to mitigate threats in real-time, then that widens your possible solution space quite a bit. In this area, you definitely get what you pay for. FOSS tools that have this capability are way behind commercial tools in ease of maintenance, configuration, and how many types of attacks they work against. So that requirement limits your options considerably.

    A similar situation exists when we look at the detection method, signature vs. anomaly. Signature-based systems are a dime a dozen, but they don't cover the really dangerous stuff. Anomaly-based systems are somewhat more useful against the scarier threats, but no FOSS solution comes anywhere close to the commercial offerings. If you choose a FOSS alternative for an anomaly-based IDS/IPS, you will spend so much effort tuning and maintaining that you won't have any time left to respond to issues, and you will still not get adequate results.

    I should point out that you have also limited yourself by considering only NIDS/IPS systems. The proper bundle of technologies and tools could give you the real intelligence that you need, whether or not it included NIDS/IPS. Other classes of tools, like SIMS, accounting systems, or deception environments have their uses too.

    There are plenty of other aspects to consider, but that would take pages to discuss. All of this could be moot depending on your traffic loads, user demographics, platform constituency, infrastructure design, org chart, geographic distribution, existing IT policies, etc. etc. etc. There's just no universal solution.

  8. Snort supports in-line operation by martyroesch · · Score: 4, Informative
    Hi there, original author of Snort here.

    Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.

    Sourcefire (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.