Network Intrusion Detection Systems
Ad hoc packet analysis can help you understand what's happening in your network.
However, when it comes to security, ad hoc analysis is like spot checking: you'll
only notice attacks if you're looking in just the right place at just the right
time, and then only if you can spot patterns that suggest you're under attack.
For more rigorous full-time inspection of network traffic, you'll need a Network
Intrusion Detection System (NIDS).
In the past, most NIDS were software-based monitoring systems located near
a firewall. Recently, we've seen growth in NIDS appliances, integrated NIDS-firewalls,
and distributed NIDS that use sensors to report to a central console. In all
of these cases, the goal of the NIDS is to watch passing traffic and alert you
to potential attacks. An Intrusion Prevention System (IPS) goes further by taking
automated steps to deflect attacks in real time, such as resetting TCP connections
or applying temporary filters.
To detect attacks, a NIDS or NIPS can look for packets aimed at ports used
by viruses and trojans, packet floods aimed at well-known server ports, badly-formed
packets or packet sequences used by hacker tools, and malicious payloads (known
exploits) carried inside packets. NIDS/NIPS can also watch for policy violations
or deviations from traffic profiles that represent "normal" network usage. Reliably
differentiating between a real attack and innocuous traffic that resembles an
attack can be tough, and every vendor has its own "secret sauce" for eliminating
false positives. To learn more about these kinds of techniques, visit the SANS
IDS FAQ page.
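To make the detection methods listed above concrete, here is a small added example (not code from the page or from any product it names) that runs three Snort-style rule types over constructed packet records: a watchlist of ports associated with backdoors, a content signature for a malformed payload, and a sliding-window port-scan heuristic. The packets, watchlist, signature and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample packets, not captured traffic: (time_s, src_ip, dst_ip, dst_port, payload)
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n"),
    (0.1, "10.0.0.7", "10.0.0.9", 31337, b""),
    (0.2, "10.0.0.8", "10.0.0.9", 21, b""),
    (0.3, "10.0.0.8", "10.0.0.9", 22, b""),
    (0.4, "10.0.0.8", "10.0.0.9", 23, b""),
    (0.5, "10.0.0.8", "10.0.0.9", 25, b""),
    (0.6, "10.0.0.8", "10.0.0.9", 80, b""),
    (0.7, "10.0.0.8", "10.0.0.9", 110, b""),
    (0.8, "10.0.0.6", "10.0.0.9", 80, b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n"),
]

# Constructed watchlist and signatures: toy stand-ins for a vendor rule set
WATCHED_PORTS = {31337: "known-backdoor-port"}
CONTENT_SIGNATURES = [("oversized-http-uri", re.compile(rb"GET /A{200,}"))]
SCAN_WINDOW_S, SCAN_PORT_THRESHOLD = 5.0, 5  # distinct ports from one source within the window


def inspect(packets):
    """Return (time, src, rule) alerts for the three rule types described in the text."""
    alerts = []
    ports_seen = defaultdict(list)  # src -> [(time, dport)] for the scan detector
    scan_alerted = set()            # alert once per scanning source, not once per packet
    for t, src, dst, dport, payload in packets:
        # 1. Traffic aimed at a port on the backdoor/trojan watchlist
        if dport in WATCHED_PORTS:
            alerts.append((t, src, f"port-watch:{WATCHED_PORTS[dport]}"))
        # 2. Payload content matching a known-bad pattern (here: an absurdly long URI)
        for name, pattern in CONTENT_SIGNATURES:
            if pattern.search(payload):
                alerts.append((t, src, f"signature:{name}"))
        # 3. Port-scan heuristic: many distinct destination ports from one source in a short window
        seen = ports_seen[src]
        seen.append((t, dport))
        recent = {p for ts, p in seen if t - ts <= SCAN_WINDOW_S}
        if len(recent) >= SCAN_PORT_THRESHOLD and src not in scan_alerted:
            scan_alerted.add(src)
            alerts.append((t, src, "port-scan"))
    return alerts


if __name__ == "__main__":
    for t, src, rule in inspect(PACKETS):
        print(f"{t:5.1f}s  {src:<10} {rule}")
```

The thresholds are where the false-positive tuning the text mentions happens: a lower scan threshold catches slower scans but also flags a busy legitimate client that touches several services.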
In 2002, ISP-Planet published a comprehensive series of IDS product profiles;
a summary chart can be found here.
Examples of NIDS products include:
Several of these products have been used by providers to deliver managed IDS
services; see ISP-Planet's 2003
MSSP Survey. Combining both commercial and open source intrusion detection
systems is fairly common. Freely-available NIDS tools include:
ACID (Analysis Console for Intrusion Databases) is an open source security event
search and processing tool that runs on any system with PHP, including *NIX
and Windows. ACID can process Snort and Tcpdump output to build a database,
viewed through any Web browser.

Firestorm is an open source NIDS platform that runs on *NIX. Firestorm can be used
as a network sensor, logging events to Prelude (below).

Prelude is an open source IDS that runs on POSIX-compliant platforms. Prelude is a
distributed hybrid that gathers data from NIDS and HIDS sensors that have
been placed strategically throughout the network.

SHADOW is an open source NIDS developed by the Naval Surface Warfare Center. This
distributed system uses tcpdump-based sensors, feeding a Perl-based analysis
engine that uses Apache to present results through any Web browser.

Snort is by far the most well-known open source NIDS. Snort runs on *NIX and Win32
platforms, providing real-time network traffic capture, logging, analysis,
and alert generation. Snort uses signatures to detect buffer overflow attacks,
port scans, OS fingerprinting, and many other intrusions. To learn more about
Snort, consult the FAQ, How-To Guides, and IDS papers on the Snort
website. To view sample Snort output, click here.

WIDZ is a freely-available wireless NIDS developed on Mandrake. This proof-of-concept
is currently limited to basic capabilities like rogue AP alerting. Rogue APs
can also be detected by the Kismet and Network Chemistry open source tools
mentioned earlier, and by NetStumbler, a popular Win32 war driving tool. To view
sample NetStumbler output, click here.