Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Intrusion Detection and Prevention?

Posted by Cliff on from the security-assistance-from-code dept.

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"

15 of 264 comments (clear)

  1. Don't underestimate just paying attention. by jafo · · Score: 4, Informative
    You're already doing bandwidth monitoring right? Graphing with rrdtool or the like? If you aren't you probably should be. It's a great tool for not only current troubleshooting, but also capacity analysis and more. However, I've also found that it's a fantastic tool for detecting successful intrusions. Detecting attempted intrusions tends to produce many false positives, but if you are watching the bandwidth utilization of your systems and networks, it's pretty easy to tell within a few hours that you have some unusual use going on, usually tracked down to a particular machine or network at least.

    So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If use suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulneribilities.

    Sean

    1. Re:Don't underestimate just paying attention. by Anonymous Coward · · Score: 5, Insightful

      A bandwidth graph may help you catch a noisy worm or a script kiddy. It's almost useless against a determined intruder.

      Any good intruder knows to be quiet and spread their attack out over hours or days. Hence they are practically invisible to any sort of bandwidth analysis, until they start downloading larger amounts of your data (at which point it is often too late).

  2. How do I do my job? by smileyy · · Score: 5, Funny

    Ask Slashdot: I've been wondering how to do my job. I figure other people out there have jobs too, and know how to do them. Maybe they can share their experiences, or even do my job for me!

    --
    pooptruck
    1. Re:How do I do my job? by Rosco+P.+Coltrane · · Score: 5, Insightful

      I know you're trying to be funny (or troll, I don't know), but your comment is actually unfair: the entire software engineering world (not just OSS) is built on people sharing competences. Formal education and self-teaching only account for a small part of a computer engineer's know-how.

      Asking Slashdot is as good a way as any to reach a wide audience and get a handful of good advices amongst the hundreds of trolls. All it takes is asking, and you never know what precious tidbit of information you might get.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. Ethereal by fsterman · · Score: 5, Funny

    As soon as any Ethereal activity occurs I have shell script flash the screen red where a trained monkey pulls out the cat-5 cable.

    --
    Is there anything better than clicking through Microsoft ads on Slashdot?
  4. My complaint about intrusion detection devices. by Anonymous Coward · · Score: 5, Informative
    An intrusion detection device without anyone responding to it is as silly as a silent burglar alarm that noone responds to. All too often I look back at month old logs and see "hey, that's cool, somone was trying to hack us" (typically some windows hack against our bsd box). Had they succeeded it wouldn't have mattered at all that we had the intrusion detection device.

    The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).

    For real enterprise needs, companies like counterpane not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.

  5. My solution by DanThe1Man · · Score: 4, Funny

    When I find an attacker getting into my company's network I start pulling my hair out and run around screaming "Aww! Aww! The crackers are taking over my network! Aww! Aww!"

    By the way, I just got laid off, does anyone need a Sys Admin?

  6. Bro by pythonguyy · · Score: 4, Informative

    bro-ids.org
    I'd rave more, but bro is watching me and wants me to get back to real work.

  7. Re:intrusion detection by TobyWong · · Score: 4, Funny

    Which who command would that be? The one that was on your system originally or the "new and improved" version I just put on there?

    BTW nice pr0n collection, your space lego photo series in particular is very kinky.

    --
    - Toby
  8. The program of choice for all Network Admins is by jim_v2000 · · Score: 4, Funny

    Obviously Norton Internet Security!

    Norton Internet Security provides a COMPLETE security solution for your machine by promptly blocking all programs on your machine from having any internet access, AT ALL! Buy it today!

    --
    Don't take life so seriously. No one makes it out alive.
  9. Size by chrome · · Score: 5, Insightful

    The biggest problem facing anyone looking at implementing an IDS into an existing system is the size of the network.

    If you're doing 500mbit/sec+ of traffic, it requires a somewhat beefy snort box just to process that data let alone do something about anything that looks like an attack.

    Snort CAN do it, it just takes a lot of effort to pair down the ruleset to the point where it can handle your traffic. But, pairing down the ruleset has some drawback ... :)

    Or, if you can segregate your network, that can help a lot too. But unfortunately, a lot of networks suffer from a lack of design and you end up with huge VLANs that span thousands of hosts, and other nightmares.

    IMHO If you're worried about intrusion, start with host security. If you have a huge farm of linux boxes, then great. Use iptables and keep everything up to date. If you MUST have sun boxes, try not to put them on the edge of your network - NAT specific ports via linux NAT firewalls. Same goes for windows machines. Don't bare them to the internet for any reason.

    Have some aggressive ACLs on your border routers. Don't allow SSH into all your machines directly. Use jumphosts. Consider using token based authentication, like SecurID. Consider Kerberos to replace the use of public key auth in your ssh infrastructure.

    once you have that down, putting in an IDS can wait :)

  10. intrusion prevention by uqbar · · Score: 4, Interesting

    Real prevention is a double edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more the time spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.

    Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.

  11. Re:Personalized Login System by Rosco+P.+Coltrane · · Score: 4, Funny

    changing the login program to do something funky is enough to screw up any script.

    Even simpler: drop the user straight to a working shell. That way, scripts will wait for the "ogin:" and "assword:" strings indefinitely until the connection times out, and legit users won't even have to enter their logins. As for hackers, they'll see the "~$" prompt, won't believe their eyes, will think it's a clever trap or something, and they'll promply disconnect out of paranoid fear :-)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  12. Modern "Firewalls" by Moosifer · · Score: 4, Informative

    Have you had a look at any commercial firewall products lately (SonicWALL, Juniper/Netscreen, Cisco, Fortinet)? The past year has brought about the evolution of yesterday's packet filtering, stateful packet inspection, limited application layer gateways into full-blown "deep packet inspection unified threat management" devices (as the industry prefers to call them now). It's not really accurate to refer to them as firewalls anymore.

    These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the the content they can scan.

    The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.

  13. Snort supports in-line operation by martyroesch · · Score: 4, Informative
    Hi there, original author of Snort here.

    Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.

    Sourcefire (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.