Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Intrusion Detection and Prevention?

Posted by Cliff on from the security-assistance-from-code dept.

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"

5 of 264 comments (clear)

  1. Don't underestimate just paying attention. by jafo · · Score: 4, Informative
    You're already doing bandwidth monitoring right? Graphing with rrdtool or the like? If you aren't you probably should be. It's a great tool for not only current troubleshooting, but also capacity analysis and more. However, I've also found that it's a fantastic tool for detecting successful intrusions. Detecting attempted intrusions tends to produce many false positives, but if you are watching the bandwidth utilization of your systems and networks, it's pretty easy to tell within a few hours that you have some unusual use going on, usually tracked down to a particular machine or network at least.

    So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If use suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulneribilities.

    Sean

  2. My complaint about intrusion detection devices. by Anonymous Coward · · Score: 5, Informative
    An intrusion detection device without anyone responding to it is as silly as a silent burglar alarm that noone responds to. All too often I look back at month old logs and see "hey, that's cool, somone was trying to hack us" (typically some windows hack against our bsd box). Had they succeeded it wouldn't have mattered at all that we had the intrusion detection device.

    The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).

    For real enterprise needs, companies like counterpane not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.

  3. Bro by pythonguyy · · Score: 4, Informative

    bro-ids.org
    I'd rave more, but bro is watching me and wants me to get back to real work.

  4. Modern "Firewalls" by Moosifer · · Score: 4, Informative

    Have you had a look at any commercial firewall products lately (SonicWALL, Juniper/Netscreen, Cisco, Fortinet)? The past year has brought about the evolution of yesterday's packet filtering, stateful packet inspection, limited application layer gateways into full-blown "deep packet inspection unified threat management" devices (as the industry prefers to call them now). It's not really accurate to refer to them as firewalls anymore.

    These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the the content they can scan.

    The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.

  5. Snort supports in-line operation by martyroesch · · Score: 4, Informative
    Hi there, original author of Snort here.

    Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.

    Sourcefire (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.