Tuesday, May 25, 2010

Guest Post - Ricky Peterson - Intrusion Prevention Systems and You


TEASER/TITLE: Intrusion prevention systems and you!
 
SUMMARY PARAGRAPH: Intrusion detection and prevention is the act of seeking out and stopping activity that is trying to compromise or bypass in-place security measures. There are many programs for intrusion detection and prevention, including both open source and paid versions. Regardless of which type you get, there needs to be someone trained who understands what the data the program presents means and what to do with it. There are few, if any, intrusion programs that can be used by people with no computer background or training.
 
KEY FINDINGS
  • Of all intrusion programs on the market, the most popular by far is an open source program called Snort.
  • Intrusion programs are, for the most part, quite effective if used properly.
  • There are ways to bypass intrusion protection that are constantly changing; however, intrusion software is constantly changing as well.
  • Intrusion software is most effective when coupled with a honeypot but only if the organization has the funds to monitor the honeypot server.


 
BACKGROUND:
Intrusion protection and detection software monitors a network or computer and inspects all incoming requests. Based on the rules and data the company has given it, the software sorts the traffic and flags anything that should not be there, such as programs that are trying to bypass antivirus or requests for network mapping. Depending on the software, it may alert someone in charge of security, who then must decide what to do, or it may offer the option to stop the unauthorized access through the software itself. Regardless of which way it works, a security person must approve the action. This is to prevent locking out the wrong people by accident.
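As an added illustration of the alert-versus-block distinction described above (example code written for this post, not taken from Snort or any other tool named here), the following toy detector flags "network mapping" style behaviour over constructed connection records. The port threshold, time window, IP addresses and the known-good list are all assumptions made for the example.

```python
from collections import defaultdict

# Assumed tuning for this example: a source touching this many distinct ports
# on one host within WINDOW seconds is treated as network mapping (a port scan).
PORT_THRESHOLD = 5
WINDOW = 10.0

# Constructed sample connection records: (time, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps six ports, 10.0.0.9 is a normal client, and 10.0.0.2 is an
# internal monitoring host that legitimately touches many ports (a false positive).
SAMPLE_CONNECTIONS = (
    [(1.0 + i * 0.2, "10.0.0.5", "10.0.0.20", p)
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [(3.0, "10.0.0.9", "10.0.0.20", 443), (4.0, "10.0.0.9", "10.0.0.20", 443)]
    + [(5.0 + i, "10.0.0.2", "10.0.0.20", p)
       for i, p in enumerate((22, 80, 443, 3306, 8080))]
)


def detect_port_scans(connections, threshold=PORT_THRESHOLD, window=WINDOW):
    """Detection step: return {src_ip: sorted ports} for every source that hit
    at least `threshold` distinct ports on one host inside the sliding window."""
    alerts = {}
    history = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for t, src, dst, port in sorted(connections):
        hist = history[(src, dst)]
        hist.append((t, port))
        hist[:] = [(ht, hp) for ht, hp in hist if t - ht <= window]  # expire old entries
        ports = {hp for _, hp in hist}
        if len(ports) >= threshold:
            alerts[src] = sorted(ports)
    return alerts


def apply_policy(alerts, mode, approved_by_analyst=frozenset(), known_good=frozenset()):
    """Response step. In "detect" mode (IDS) every hit is only reported. In
    "prevent" mode (IPS) a source is blocked only after an analyst approved it,
    and hosts on the known-good list are never blocked automatically, which is
    how the accidental lock-out the text warns about is avoided."""
    actions = {}
    for src in alerts:
        if src in known_good:
            actions[src] = "alert-only (known-good host, likely false positive)"
        elif mode == "prevent" and src in approved_by_analyst:
            actions[src] = "blocked"
        else:
            actions[src] = "alert"
    return actions
```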
 
ANALYSIS:
Intrusion protection is just another way to protect your network from would-be cyber criminals. An intrusion prevention system is basically a really big firewall that protects an entire network. Like antivirus software, it has strengths and weaknesses. The biggest weakness of an intrusion prevention system is that the programs hackers use to gain access to a network are constantly changing. This means the intrusion program cannot be built to simply look for one specific thing and stop it. The good news is that open source programs are also constantly evolving, thanks to a strong community and multiple resources. Intrusion prevention systems also need trained personnel to monitor them and take decisive action. Intrusion prevention systems are not perfect, in that they will return false positives: that is, they will flag something as not belonging when it really should be there. This is why trained techs are a must. This may seem like a lot, but coupled with a honeypot, intrusion prevention is quite effective. According to Symantec, honeypots are very effective tools. Combined with antivirus, they will stop most, but not all, viruses and attacks. Nothing is perfect yet, but with open source communities working together, one day it may be. There are five top intrusion prevention programs on the market right now: Snort, OSSEC HIDS, Fragrouter, BASE, and Sguil.
 
IMPLICATIONS:
  • The cost of techs to monitor an intrusion prevention system may be too high for small companies to afford
  • Open source programs are a better choice in this area than pay programs
  • This system is not perfect
  • This system does, however, make a difference in terms of network security
  • The support for the open source programs is substantial
  • Both intrusion prevention systems and software used by hackers are changing constantly
 
RECOMMENDATIONS:
  • Small companies that do not have the staff may want to look at an IPS that is owned and run by another corporation
  • Larger companies that can afford the cost of the staff would benefit from the open source programs like Snort
  • Both types of companies should consider combining their intrusion protection with a honeypot server to keep hackers outside the network.
  • IPSs are an excellent addition to current security for companies that can afford them
  • Don’t just rely on intrusion prevention to take care of viruses; that is not what these programs do.
  • From my research I would recommend Snort because of the vast community of programmers looking for holes in the code.
 
SOURCES:
Sectools.org - Survey about intrusion protection.
Symantec - About honeypots.
Snort.org - About Snort.
