Intrusion detection systems (IDS) and their close relatives, intrusion prevention systems (IPS), are the burglar alarms of network security. A firewall can only block traffic; an IDS inspects traffic for malicious activity and, when it finds some, raises an alarm to the system administrator or IT security staff. An IPS not only detects a malicious intrusion but also tries to stop it.
For large companies with complex networks, installing such detection and prevention systems is a natural step. IDS and IPS are usually part of a large-scale network security architecture and are deployed alongside the firewall.
However, for small and medium-sized businesses (SMBs) with small networks and few IT staff, an IDS may seem a little extravagant, especially since someone has to be on duty around the clock to monitor it. Yet a firewall alone is not enough protection for an SMB.
There are two low-budget ways for SMBs to get IDS and IPS capabilities, and both are worth trying: products designed for the small networks of small companies, or detection and alerting services provided to SMBs by an outside vendor.
Before making any decision, consider the basic criteria for evaluating an IDS or IPS: the size and scope of your network, the data to be protected and the type of infrastructure, and how the IDS will integrate into your existing incident response strategy.
Network size and scope: the size and scope of your network matter because an IDS, like any other appliance on the network, can affect network performance. An IDS is one more piece of security hardware, like your firewall and your virus, spam and content filters; on a very small network it can be a heavy burden. If so, a firewall with good processing capacity may give you better control than a full IDS. Remember that a firewall blocks unwanted traffic but does not always log it, while an IDS logs unwanted traffic but does not block it unless it has IPS capability. So firewall and IDS are two sides of the same coin, with complementary functions.
In addition, many recent products combine IDS, firewall, filtering and other functions into one convenient all-in-one appliance. SMBs looking for a cheap, cost-effective device for a small network can consider such products.
Data and infrastructure type: SMBs cannot rely on an IDS alone for protection. The IDS should be one layer of a multi-layer defense that also includes firewalls, secure access management, and hardening of desktop and server hardware.
To protect effectively, intrusion detection sensors must also be placed on both sides of the firewall and at the gateway where inbound intranet and Internet traffic passes. An IDS does not work in isolation: it needs to see traffic from all sides, internal and external. By comparing what sensors on different network segments detect, you can determine where an attack, or a malicious program trying to get in, originates. Internal attacks are quite common and can be identified this way; for example, the IDS can be used to detect suspicious activity on internal (rather than external) network segments.
To integrate an IDS into your current incident response policy, analyze the risks on your servers in detail:
1. Could a breach expose customers' identities or important customer information and lead to a lawsuit against your company? Or does the server hold only data of marginal interest, such as demographic and sales figures?
2. Does your server store private company information or plans?
3. Does your server store employee information, including payroll and Social Security numbers?
If the data risk is low, a simple firewall may be enough to prevent intrusion. But attackers are said to often break into a poorly protected system first and use it as a back door into a critical one. Are low-risk systems isolated from the servers holding high-risk data? When installing an IDS, consider not only the data's risk level but also the system structure and how reachable the high-risk systems are from the low-risk ones.
When reviewing a system, check how it sends alerts and to whom. If your IT shop has only one person, can that person handle an endless stream of incidents, many of which may be false alarms? Should alerts go out by email? An IDS also generates a large volume of log data, most of which plays no role. Evaluating that data quickly enough to spot real intrusions is not easy. Here you can consider products that help review alert data, weed out the common useless entries, and routinely test the network the way an attacker would, so that actual intrusions stand out.
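The two ideas above, comparing what a sensor outside the firewall sees with what a sensor inside it sees, and collapsing a flood of alerts into a short ranked list an analyst can act on, are illustrated by the following Python script. It is an added example, not code from the original article or from any product the article mentions. It assumes sensors that write Snort-style one-line "fast" alerts; every alert line, signature ID (local-rule range), message and address range in it is constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# One-line "fast" alert format as written by Snort-style sensors (assumed format).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts: one sensor outside the firewall, one inside it.
# SIDs 1000001+ are the local-rule range; the messages are made up for this example.
OUTSIDE_ALERTS = """\
01/28-22:26:04.877970  [**] [1:1000001:1] LOCAL web server directory probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
01/28-22:26:05.101000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
01/28-22:26:06.000000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.11
01/28-22:27:00.000000  [**] [1:1000001:1] LOCAL web server directory probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.10:80
01/28-22:28:00.000000  [**] [1:1000003:1] LOCAL noisy DNS lookup [**] [Priority: 3] {UDP} 198.51.100.9:53 -> 192.0.2.10:33000
"""
INSIDE_ALERTS = """\
01/28-22:26:04.900000  [**] [1:1000001:1] LOCAL web server directory probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
01/28-22:30:11.000000  [**] [1:1000004:1] LOCAL SMB share enumeration [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.25:49152 -> 10.0.0.5:445
01/28-22:31:00.000000  [**] [1:1000004:1] LOCAL SMB share enumeration [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.25:49153 -> 10.0.0.6:445
"""

# Address ranges treated as "internal" in this example (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: str
    msg: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(m["ts"], m["sid"], m["msg"], int(m["prio"]),
                                m["proto"], m["src"], m["dst"]))
    return alerts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate_sensors(outside, inside):
    """Compare the outside-firewall sensor with the inside one.

    blocked  - seen outside only: the firewall dropped it (worth logging, not urgent)
    passed   - seen on both sides: the firewall let it through
    internal - seen inside with an internal source: an internal host is the origin
    """
    def key(a):
        return (a.sid, a.src, a.dst)

    inside_keys = {key(a) for a in inside}
    result = {"blocked": [], "passed": [], "internal": []}
    for a in outside:
        result["passed" if key(a) in inside_keys else "blocked"].append(a)
    for a in inside:
        if is_internal(a.src):
            result["internal"].append(a)
    return result


def triage(alerts, suppress_sids=frozenset()):
    """Collapse repeated alerts into one row per (signature, source) and rank them.

    Rows are ordered by priority (1 = most severe), then by hit count, so the top
    of the list is what to look at first. SIDs known to be noise here are dropped.
    Each row is (sid, msg, priority, src, hit_count, distinct_target_count).
    """
    rows = defaultdict(lambda: {"count": 0, "targets": set()})
    for a in alerts:
        if a.sid in suppress_sids:
            continue
        row = rows[(a.sid, a.msg, a.priority, a.src)]
        row["count"] += 1
        row["targets"].add(a.dst)
    return sorted(
        ((sid, msg, prio, src, r["count"], len(r["targets"]))
         for (sid, msg, prio, src), r in rows.items()),
        key=lambda t: (t[2], -t[4]),
    )


if __name__ == "__main__":
    outside, inside = parse_alerts(OUTSIDE_ALERTS), parse_alerts(INSIDE_ALERTS)
    for name, hits in correlate_sensors(outside, inside).items():
        print(f"{name:8s} {len(hits)} alert(s)")
    for sid, msg, prio, src, count, targets in triage(outside + inside, {"1:1000003:1"}):
        print(f"P{prio} x{count:<3d} {src:15s} -> {targets} host(s)  {sid}  {msg}")
```

Run as a script, it first reports how many alerts the firewall blocked, how many passed through it, and how many originated from an internal host, then prints one ranked line per signature and source with the known-noise SID removed. In practice the suppress list is where the "common useless data" goes once an analyst has confirmed a signature is a false alarm in that environment, and the inside/outside comparison is what tells a one-person IT shop whether a burst of outside alerts needs action or was already stopped at the firewall.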
IDS solutions
Two interesting products for SMBs come from iPolicy Networks and TriGeo Network Security.
iPolicy 3.0, released last December, uses a feature called Real-Time Vulnerability Correlation (RVC). RVC takes data from Nessus (the popular scanning tool from Tenable Network Security) and eEye's Retina, and compares real-time threat information against the Common Vulnerabilities and Exposures list and BugTraq, two well-known IT security vulnerability databases. You can tune iPolicy according to asset value and risk level; RVC then uses the asset value to determine the threat level and raises alerts from its IDS and IPS. iPolicy also includes anti-virus protection, and it can monitor voice-over-IP, instant messaging and other peer-to-peer traffic (even when it uses non-standard or busy ports).
TriGeo's Security Information Manager is known for its real-time log analysis, and like iPolicy it analyzes real-time data and network behavior for more detailed intrusion detection. The product aggregates log information into a single, practical report: instead of combing through multiple logs from beginning to end, you let TriGeo sort the events for you, so your IT staff can see at a glance what action to take.
SMBs can also outsource protection to companies that specialize in intrusion monitoring and incident response. Three vendors offer this service to SMBs: Internet Security Systems Inc. of Atlanta, Qualys of Redwood Shores, California, and Symantec of Cupertino, California. These companies have dedicated staff who are experts in incident response and intrusion handling. Without any IDS hardware on site, they can remotely scan and manage an SMB's network from their operations centers.
ISS, which also sells IDS software, uses information from its X-Force security intelligence center and has a portal that gives customers real-time updates. Qualys first classifies assets by their value and risk, and then monitors them according to those levels. Symantec's DeepSight threat management system detects attacks by analyzing specific areas of the company's systems.
Symantec is also a managed security service partner of Sourcefire, the company behind Snort, the famous open-source IDS. Snort can also be used as a stand-alone product without outsourced support; it is a reliable and popular IDS that SMBs should consider.
As security threats now span hardware, networks and software, intrusion detection is necessary for effective protection. It has become one part of a broader security posture that includes firewalls, vulnerability management, network access control and endpoint security. For an SMB, an IDS should be considered only one part of the IT security plan, not the whole of it.