Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Intrusion Detection and Prevention?

Posted by Cliff on from the security-assistance-from-code dept.

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"

6 of 264 comments (clear)

  1. How do I do my job? by smileyy · · Score: 5, Funny

    Ask Slashdot: I've been wondering how to do my job. I figure other people out there have jobs too, and know how to do them. Maybe they can share their experiences, or even do my job for me!

    --
    pooptruck
    1. Re:How do I do my job? by Rosco+P.+Coltrane · · Score: 5, Insightful

      I know you're trying to be funny (or troll, I don't know), but your comment is actually unfair: the entire software engineering world (not just OSS) is built on people sharing competences. Formal education and self-teaching only account for a small part of a computer engineer's know-how.

      Asking Slashdot is as good a way as any to reach a wide audience and get a handful of good advices amongst the hundreds of trolls. All it takes is asking, and you never know what precious tidbit of information you might get.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  2. Ethereal by fsterman · · Score: 5, Funny

    As soon as any Ethereal activity occurs I have shell script flash the screen red where a trained monkey pulls out the cat-5 cable.

    --
    Is there anything better than clicking through Microsoft ads on Slashdot?
  3. My complaint about intrusion detection devices. by Anonymous Coward · · Score: 5, Informative
    An intrusion detection device without anyone responding to it is as silly as a silent burglar alarm that noone responds to. All too often I look back at month old logs and see "hey, that's cool, somone was trying to hack us" (typically some windows hack against our bsd box). Had they succeeded it wouldn't have mattered at all that we had the intrusion detection device.

    The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).

    For real enterprise needs, companies like counterpane not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.

  4. Size by chrome · · Score: 5, Insightful

    The biggest problem facing anyone looking at implementing an IDS into an existing system is the size of the network.

    If you're doing 500mbit/sec+ of traffic, it requires a somewhat beefy snort box just to process that data let alone do something about anything that looks like an attack.

    Snort CAN do it, it just takes a lot of effort to pair down the ruleset to the point where it can handle your traffic. But, pairing down the ruleset has some drawback ... :)

    Or, if you can segregate your network, that can help a lot too. But unfortunately, a lot of networks suffer from a lack of design and you end up with huge VLANs that span thousands of hosts, and other nightmares.

    IMHO If you're worried about intrusion, start with host security. If you have a huge farm of linux boxes, then great. Use iptables and keep everything up to date. If you MUST have sun boxes, try not to put them on the edge of your network - NAT specific ports via linux NAT firewalls. Same goes for windows machines. Don't bare them to the internet for any reason.

    Have some aggressive ACLs on your border routers. Don't allow SSH into all your machines directly. Use jumphosts. Consider using token based authentication, like SecurID. Consider Kerberos to replace the use of public key auth in your ssh infrastructure.

    once you have that down, putting in an IDS can wait :)

  5. Re:Don't underestimate just paying attention. by Anonymous Coward · · Score: 5, Insightful

    A bandwidth graph may help you catch a noisy worm or a script kiddy. It's almost useless against a determined intruder.

    Any good intruder knows to be quiet and spread their attack out over hours or days. Hence they are practically invisible to any sort of bandwidth analysis, until they start downloading larger amounts of your data (at which point it is often too late).