Self-built high-performance intrusion detection and defense system

Zero-day attacks and distributed denial of service (DdoS) attacks brought by increasingly large botnets, many small and medium-sized enterprises that use traditional security equipment are exhausted, and the active defense technology can effectively solve the security problems brought about by these aspects. Intrusion detection and defense system (IDS/IPS) is an active defense technology that installs them in key locations of the network and detects all network traffic passing through it, the system detects malicious traffic or attack behavior, then generates an alarm and automatically blocks the passing of such malicious traffic. However, the price of existing intrusion detection and defense systems on the market is RMB 100,000, or even higher. This price makes many small and medium enterprises reluctant to apply IDS/IPS. Is there a way for small and medium-sized enterprises to use IDS/IPS to protect their network resources without expensive costs? After reading this article, you will find the desired answer.

Preparation of software and hardware

Intrusion detection and defense systems (IDS/IPS) are composed of hardware and software. If you want to build a high-performance intrusion detection and defense system, the hardware and software required to form IDS/IPS must be prepared by ourselves! Without any of the two, it is impossible to complete the task of creating an intrusion detection and defense system.

I. Software preparation

Snort is an open-source and free intrusion detection system based on command lines. Although it is a software used to detect network attacks for small and medium-sized enterprises, because it is mainly used in the form of command lines, you must not only learn how to install, deploy, and set it, but also remember a large number of detection commands, this is a big problem for users who are not used to command line operations. Therefore, a lot of software has emerged on the market that uses Snort to provide intrusion detection functions. However, these software only misappropriates simple functions and even does not have basic intrusion detection settings, let alone the intrusion defense function. In this article, I will introduce you to an intrusion detection and defense software named "Strata guard" produced by StillSecure, it is a real IDS/IPS software with intrusion detection and active defense functions.

Strata guard is a commercial software based on Linux, but its free version has no limits on all other functions except for its maximum network bandwidth limit of 5 Mbps. 5 mbps bandwidth is sufficient for small and medium-sized enterprises that are still using 2 Mbps or 4 Mbps. In addition, Strata guard only pays $2500 for Small and Medium-sized Enterprise Business versions, which is much more cost-effective than purchasing a traditional hardware-based IDS/IPS device separately.

The Strata guard software has also evolved from Snort. It not only has all the features of Snort, but also has the following unique features:

1. the graphical installation interface and wizard-based initialization settings make it easy for users to get started.

2. priority-based Alarms can be generated based on the attack severity program.

3. The real intrusion defense capability can be intercepted Based on attack packets.

4. WEB-based remote configuration and management.

Strata guard's unique features above make it easy to install and use without having to know more about the Linux system. As Strata guard evolved from Snort, it still uses the Detection Technology Based on the attack feature library to identify malicious attacks in network traffic. However, Strata guard can also detect malicious attacks in network traffic by using Feature Analysis, protocol exception analysis, status packet analysis, and TCP packet restructuring. It is precisely because Strata guard also has these unique detection methods that it can launch new malicious attacks.
Make correct judgments and take corresponding active interception responses to play a real active defense role.

When Strata guard is installed as a gateway to a critical position of the enterprise network, in addition to proactively intercepting detected malicious network traffic, it can also securely replay TCP traffic, it can also intercept network attacks by source IP addresses or ports, prevent DoS attacks, and execute custom response scripts. Strata guard also allows us to configure it to respond to all detected attacks in the global default mode, or create an independent response mode for each independent attack mode, this allows us to flexibly and freely create various methods to respond to network attacks based on different network application environments.

The latest version of Strata guard is v5.0beta. To download Strata guard, you must first goHttp://sgfree.stillsecure.comYou can only register a free account fromHttp://www2.stillsecure.com/go/stillsecure/SGFreeDownload and get an authorization code that allows the free version of Strata guard. This authorization code will be used during configuration initialization and must be copied and saved to a text file. The free version of Strata guard has two release methods: one is a CD image created for the gateway mode and the other is a virtual machine file created for the standard mode. We can decide which file to download based on the purpose of using Strata guard. In this article, I need to use the free version of Strata guard as the gateway, so I will download its CD image file, it is about MB in size.

Ii. Hardware requirements

Strata guard has high performance requirements on the dependent hardware, mainly to ensure sufficient network forwarding performance while detecting all network traffic. For the free version of strata guard, we can use the following hardware to customize a hardware platform for the intrusion detection and defense system:

Processor: AMD 4400 +

Memory: DDR2 667 2 GB

Hard Disk: SATA 80 GB

NIC: strata guard requires two NICs when working in standard mode and three NICs when working in Gateway mode. We recommend that you use Intel
Pro/1000MT desktop Gigabit Nic.

Motherboard: choose to have multiple PCI-E interface, integrated sound card, graphics card, or even Gigabit Ethernet NIC motherboard, this can save us a lot of money and some unnecessary trouble.

Optical Drive: general IDE interface CD Optical Drive.

Other hardware: to provide continuous power for the operation of these hardware, it is best to choose a reliable PC power supply of or above.

The above hardware can fully meet the requirements of most small and medium-sized enterprises for intrusion detection and defense systems. Of course, we can fully meet the actual needs of our networks, enterprises are allowed to invest money in this area to choose a variety of PC hardware with faster speed, larger capacity, and better performance. Moreover, the current PC hardware price is close to the cabbage price. Even if you choose a hardware with higher performance, you will invest in the hardware of the customized intrusion detection and defense system, it is still much lower than the market's hardware-based intrusion detection and defense system, which is 100,000 higher.

Deploy the Strata guard intrusion detection and defense system

After all preparations are completed, you should consider the method in which the strata guard intrusion detection and defense system is connected to the target network.

In the hardware phase of preparing the intrusion detection and defense system, I have mentioned that Strata guard has two working modes: one is the gateway mode, that is, to use Strata guard as a separate LAN gateway, you must install it at the egress of the enterprise network and install it before the Enterprise Firewall, as shown in figure 2.1. In this case, Strata guard also provides the routing function while providing the IDS/IPS function. Another mode is the standard mode, which only uses Strata guard as IDS, alternatively, you can achieve the Intrusion Prevention (IPS) function by interacting with the firewall installed in the enterprise network. In this case, you must connect it to the target network through a bypass, as shown in figure 2.2.

498) this. style. width = 498; "border = 0>

Figure 1 Network Access Principle of Strata guard in Gateway Mode

498) this. style. width = 498; "border = 0>

Figure 2 network access principle of Strata guard in standard mode

When Strata guard works in Bypass mode, it cannot detect all network traffic. When it works in Gateway mode, all network traffic passing through it will be detected. Therefore, we recommend that you install Strata guard on a single host and use it as the intrusion detection and defensive gateway for the entire enterprise. In this article, I only want to explain how to use Strata guard as the method for installing and setting Strata guard in the gateway mode, because all functions of Strata guard can be obtained, in order to reflect the significance of self-built intrusion detection and defense systems.

Install strata guard intrusion detection and defense Software

After deploying the strata guard intrusion detection and defense system to the network, the next task is to install the strata guard software into the ready system. The installation of strata guard is very simple and intuitive. During the installation process, you can use the Tab key to switch the selection, use the up and down arrow keys to move up and down the selection, and use the space bar key to confirm the selection.

In this article