Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Intrusion Detection and Prevention?

Posted by Cliff on from the security-assistance-from-code dept.

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"

5 of 264 comments (clear)

  1. NV ActiveArmor by AKAImBatman · · Score: 3, Interesting

    I have no idea if this help or not, but NVidia has a technology called ActiveArmor that may be of interest. In a nutshell, it's a Gigabit hardware firewall solution that is built into many inexpesive boards. Supposedly it can be used in both incoming and outgoing directions, allowing you to know immediately if a penetrator attempts to access improper network resources. Here's the schpiel:

    ActiveArmor Firewall supports stateless and stateful inspection, Web-based management, pre-defined security profiles, port block filtering, remote administration, and provides an easy-to-use set-up wizard. In addition, ActiveArmor Firewall has anti-hacking features such as anti-IP-spoofing, anti-sniffing, anti-ARP-cache-poisoning, and anti-DHCP server-important security controls for corporate network environments. In a corporate setting, an end-point firewall (such as a desktop firewall) with anti-hacking capabilities can reduce the internally originated security breaches, and can inhibit desktops from generating unauthorized traffic. The result is improved overall security, with reduced requirements from the IT staff.

    Again, I'm not sure if it's what you're looking for, but it's at least a very interesting product.

    --
    Javascript + Nintendo DSi = DSiCade
  2. Personalized Login System by Compholio · · Score: 3, Interesting

    I think the best way to prevent intrusions is to design a personalized login system (and have the system install updates regularly). Just about everyone uses the same system (username then password), so changing the login program to do something funky is enough to screw up any script. Ex:

    Please enter todays date (MM/DD/YY):
    Please enter your username:
    Please enter a valid email address:
    Please enter your password:

    Just randomize the questions (or have a bunch of questions and randomly ask a few of them) and unless someone is really dedicated to get into your system they're just going to choose another target rather than go after your weird setup.

  3. Re:intrusion detection by pHZero · · Score: 3, Interesting

    Why isn't there a 'bad advice' mod category?

  4. intrusion prevention by uqbar · · Score: 4, Interesting

    Real prevention is a double edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more the time spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.

    Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.

  5. Where to start? by mysfitt · · Score: 3, Interesting

    I'm an IDS engineer by trade and I could go on for days about this topic. Yes, snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature based IDSes available. The user community behind it is very strong and produces some great sigs, usually same day as the vulnerability is announced. But the downside is no protection against 0 day attacks. Therefore you have to have some behavioral systems in place as well. Problem with those is tuning out the false positives can be very difficult and time-consuming. Add a Honey pot/IPS with blocking capabilities like activescout to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.