Intrusion Detection System - IDS


Intrusion Detection Systems - IDS

Next Generation - Network Intrusion Detection and Prevention  


Monitor & Protect Wired, Wireless, Application Layer and Virtual Networks



> Make sure your network is protected from attacks.

> Combine: Global threat intelligence, real-time visibility of your network and endpoints to detect and prevent intrusions.

> Monitor network, server hosts and mobile device activity across the enterprise.

> Packet inspection looks inside traffic packets, not just at their headers.

> Identify and model human and machine behaviours that represent threats with a high degree of accuracy - and without lots of false positives.

> Designed for both C-level executives and threat analysts





Organisations implement IDS / IPS to prevent outside attackers from breaching networks to steal information or to bring down or disrupt systems and services, and to prevent data loss from internal leaks. Compliance and audit requirements often demand that specific data and entry-point activity be logged and reported.

Next generation IDS / IPS solutions are available as dedicated products, integrated into holistic security solutions, or as managed services.

Below we review the features and platforms of the various network intrusion detection and prevention solutions.

In order to provide not only detection but also proactive prevention of ‘intrusions’, network security devices often combine one or more security functions, including firewall, intrusion prevention/detection (IPS/IDS), data leakage prevention (DLP), and content security filtering (e.g. anti-spam, antivirus, URL filtering). Those functions have increasingly been integrated into single-platform solutions, also called Unified Threat Management (UTM) systems or Next Generation Firewalls.



> Hacking has mutated from a hobby to a successful business

> Protect your organisation’s assets without draining its resources.

> Security threats don’t have to compromise your organisation or your budget.




Intrusion detection systems protect you from a wide range of threats




  • Malware, including worms, spyware and ransomware.
  • Attacks launched by botnets.
  • Unwanted application traffic, including instant messaging (IM) and peer-to-peer (P2P), with the related risks of network abuse and data loss.
  • Denial of service (DoS) and distributed denial of service (DDoS) attacks.
  • Application-layer (layer 7) DoS attacks carried over HTTP, DNS, or SIP.
  • Targeted attacks against web applications, such as cross-site scripting and SQL injection.
  • Data loss related to proprietary or sensitive data.
  • Buffer overflow attacks.
  • Client-side attacks, such as those targeting web browsers.
  • Microsoft vulnerability coverage - including pre-emptive protection against emerging vulnerabilities and exploits.
  • Server vulnerabilities.
  • Insider threats.

IDS Solution Platforms

  • Hardware Appliances
  • Software
  • Virtual
  • Managed / Cloud Service

Network-based IDS

    • Inline scanning ensures that all Internet traffic (inbound and outbound) can be inspected. This thorough approach ensures that all traffic, including active content attacks such as cross-site scripting, can be detected and stopped. Inline scanning is also the only way to immediately stop detected threats. Compare this with appliances deployed in TAP mode, which can identify but not block threats.
    • Network anomaly detection - gathers network flow data and sends it to security information and event management (SIEM) solutions.



Host-based IDS

Host Sensors are security applications that detect attacks on a network server in real time. Each Host Sensor monitors an individual system.



IDS Sensors

  • Provides complete visibility without interfering with the data stream or introducing a point of failure.
  • Provides deep forensics capabilities, including flexible packet capture and complete session reconstruction. Network Sensors are centrally managed.
  • A monitoring device connected to the tap still sees all full-duplex traffic as if it were inline, including Layer 1 and Layer 2 errors.







Intrusion Detection Technology Solution Features



> Protect virtual servers



> Protect endpoints

Protects servers, mobile devices and fixed-point devices - desktops and POS.



> Client protection

Protects end users against attacks targeting everyday applications and file types, such as Microsoft Office files, Adobe PDF files, multimedia files (Flash and AVI), web browsers and browser plug-ins (Java and ActiveX). Also covers Web 2.0 threats, operating system vulnerabilities, detection of infected systems, and detection of spyware and adware.


> Server protection  

All-round server protection, addressing problems including system and service vulnerability exploits, brute force, SQL injection, and cross-site scripting.


> Infrastructure protection

 
  • Malformed packet attack prevention
  • Special packet control
  • Scanning attack prevention
  • TCP/UDP flooding attack prevention
  • Application-layer DDoS attack prevention
  • Domain Name System (DNS) protection
  • Traffic model self-learning
 


> Data security


Monitors and identifies unencrypted personally identifiable information and other confidential data. 




> Application & protocol protection 

Identifies and blocks application- and protocol-related probes and attacks.
  • Database of patterns and rules, including:
    • Probing, port scans, interrogations, host sweeps
    • Attacks on application vulnerabilities
    • Protocol exploitation


> Highly effective protocol scanning

    • Protocol compliance and anomaly detection. 
    • Scans all protocols, including HTTP, HTTPS, FTP, TCP, UDP, DNS, SMTP, and POP3 to block network, application, and protocol-based attacks. 
    • Web application security - Protects web applications, Web 2.0 and databases with the same level of protection as web application firewalls. 
    • Application Control - Reclaims bandwidth and blocks Skype, peer-to-peer networks and tunneling. 
    • Bi-directional, full stack inspection - provides inbound and outbound inspection of critical application traffic. Includes protection for a wide variety of attacks, such as SQL injection, cross-site scripting, remote code execution, shell code payloads and remote procedure calls.



> Context aware monitoring engine

Features full traffic visibility on end users, applications, sources, destinations, threat types, content and devices.



> VPN cleaning

Inspects all incoming and outgoing VPN traffic for attacks and blocks malicious traffic.



> Zone-based protection

Flexible, object-based policy engine enables quick and easy rule creation for specific systems, users, groups, hosts or networks.



> Application traffic analytics

Offers comprehensive logging with filtering options, on-box reporting and administrator notification capabilities. Includes customised intrusion prevention templates for off-box IPFIX export for long-term analytics reporting.




> Application control

Provides the ability to monitor and manage over 4,500 applications, including instant messaging and peer-to-peer file sharing programs, closing a potential back door that can be used to compromise the network, while improving employee productivity and conserving bandwidth.

Covers mainstream application protocols including P2P, IM, online games, stock trading software, voice applications, online video, streaming media, Web mail, mobile terminals, and remote login.




> Bandwidth control

Restricts the bandwidth used by harmful or unwanted applications. By removing undesired network traffic the IDS ensures that bandwidth and network capacity are reserved for common office applications like OA and ERP.



> Administrator-defined regular expression monitoring

Prevents data leakage by enabling transmission control and blocking of sensitive data such as credit card and social security numbers, or specific file attachments to personal web mail services and corporate SMTP or POP3 email.
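As an added illustration of the regular-expression monitoring described above (example code, not a vendor's rule set), the following Python snippet pairs a card-number pattern with a Luhn checksum so that random digit runs are not reported as card numbers, and masks what it reports so the alert itself does not leak the data. The patterns and the sample text are constructed for the example.

```python
import re

# Illustrative patterns (constructed for this example, not a vendor rule set):
# 13-19 digit card numbers with optional single space/hyphen separators, and
# US-style SSNs with never-issued prefixes (000, 666, 9xx, group 00, serial 0000) excluded.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most look-alike digit runs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) for each hit; only the last four characters are
    kept so the alert record does not itself leak the data it is reporting."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits


if __name__ == "__main__":
    # Constructed sample: a valid test card number, an invalid look-alike, and an SSN.
    sample = "card 4111 1111 1111 1111, bogus 4111 1111 1111 1112, ssn 123-45-6789"
    for kind, masked in find_sensitive(sample):
        print(kind, masked)
```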



> IPv4 and IPv6 support

The IPS platform supports a wide variety of traffic types and protocols. It provides uncompromising IPv6/v4 simultaneous payload inspection and support for related tunneling variants.

Also supports inspection of IPv6/v4 traffic with VLAN and MPLS tags, mobile IPv4 traffic, GRE and GTP (GPRS tunneling), and jumbo frames.




> Active response

Even where zero-day exploits and attacks are detected and blocked, a device or endpoint may already be infected (for example a BYOD device that has been on a public network). In that case the IDS / IPS system can integrate with other security management systems to quarantine the endpoint or initiate a vulnerability scan of it.


> Attack signatures
  • Quickly identifies common signatures in malicious packets
  • Performs a second-level analysis to confirm that the attack is real
  • Discovers attacks based on clues identified across multiple protocol parts



> Combine technologies for more accurate protection and performance

Enterprises can make their IPS infrastructure more efficient by offloading SSL termination to high-performance Application Delivery Controllers / Load-Balancers (ADCs). Some of the more recent ADC models are equipped with SSL decryption and Layer 7 application IPS features, and the ADC can intelligently steer incoming waves of traffic.




> Network flow correlation & detection

Network flow collection technologies provide even higher levels of network security and visibility, which helps in combating new, multi-faceted threats such as advanced persistent threats (APTs). The collected data can be analysed to identify deviations from normal behaviour.

Collects network flow data and sends it to SIEM solutions.
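The baseline-and-deviation idea behind flow anomaly detection, shown on constructed flow summaries as an added example (not the product's detection engine): each host's bytes per interval over a training window gives a mean and spread, and a later interval is flagged when it falls far outside that band, or when the host has no baseline at all. Host addresses, byte counts and the z-score limit are all assumed values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (interval, source host, bytes sent); not real telemetry.
# Intervals 0-4 are the training window, interval 5 is the one being checked.
FLOWS = [
    (0, "10.0.0.5", 1000), (1, "10.0.0.5", 1200), (2, "10.0.0.5", 900),
    (3, "10.0.0.5", 1100), (4, "10.0.0.5", 1000), (5, "10.0.0.5", 50000),
    (0, "10.0.0.9", 500), (1, "10.0.0.9", 520), (2, "10.0.0.9", 480),
    (3, "10.0.0.9", 510), (4, "10.0.0.9", 490), (5, "10.0.0.9", 530),
    (5, "10.0.0.77", 800),  # host never seen during training
]

def per_interval_bytes(flows):
    """Sum bytes per (host, interval); a host usually has many flows per interval."""
    totals = defaultdict(int)
    for interval, host, nbytes in flows:
        totals[(host, interval)] += nbytes
    return totals

def build_baseline(flows, train_until):
    """Per-host mean and population stdev of bytes/interval over the training window."""
    series = defaultdict(list)
    for (host, interval), nbytes in per_interval_bytes(flows).items():
        if interval <= train_until:
            series[host].append(nbytes)
    # A baseline built from fewer than three samples says nothing useful.
    return {h: (mean(v), pstdev(v)) for h, v in series.items() if len(v) >= 3}

def detect(flows, interval, model, z_limit=3.0):
    """Flag hosts whose volume in `interval` deviates from baseline, or that have none."""
    alerts = []
    for (host, iv), nbytes in sorted(per_interval_bytes(flows).items()):
        if iv != interval:
            continue
        if host not in model:
            alerts.append((host, nbytes, "no baseline: host not seen in training"))
            continue
        mu, sigma = model[host]
        sigma = max(sigma, 0.05 * mu, 1.0)  # floor: a flat baseline must not divide by zero
        z = (nbytes - mu) / sigma
        if abs(z) > z_limit:
            alerts.append((host, nbytes, f"z={z:.1f} vs baseline mean {mu:.0f}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS, 5, build_baseline(FLOWS, 4)):
        print(alert)
```

The "no baseline" branch matters in practice: a host that starts sending without any history is exactly the case a pure deviation rule would silently pass.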


> System patching

Shields vulnerabilities from exploitation independently of a software patch.




> Performance

Intrusion Prevention System solutions provide the performance you need while delivering high levels of security.

Offering industry-leading performance beyond 60 Gbps of inspected throughput.


Allows administrators to configure performance thresholds based on a gateway's CPU and memory usage. If the high threshold is exceeded, IPS analysis is automatically suspended; it resumes when resource usage falls below the low threshold, thus guaranteeing firewall / gateway / network throughput and operations.
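The suspend/resume behaviour described above, modelled as an added example (not the gateway's own code) to make its side effect visible: while load sits between the high and low thresholds, inspection stays off, so the guard records which ticks passed uninspected and a defender can alert on that fail-open window rather than discover it after the fact. Thresholds and load samples are constructed.

```python
class IpsLoadGuard:
    """Hysteresis guard: suspend inspection above `high`, resume only below `low`.
    Every transition and every uninspected tick is recorded so the fail-open
    window can be reported rather than silently accepted."""

    def __init__(self, high=85.0, low=60.0):
        if not 0 <= low < high <= 100:
            raise ValueError("require 0 <= low < high <= 100 (percent)")
        self.high, self.low = high, low
        self.inspecting = True
        self.events = []        # (tick, "suspended" / "resumed", load)
        self.uninspected = []   # ticks whose traffic bypassed IPS analysis

    def update(self, tick, cpu_pct, mem_pct):
        """Apply one resource sample; return True if this tick's traffic is inspected."""
        load = max(cpu_pct, mem_pct)  # either resource alone can trip the guard
        if self.inspecting and load > self.high:
            self.inspecting = False
            self.events.append((tick, "suspended", load))
        elif not self.inspecting and load < self.low:
            self.inspecting = True
            self.events.append((tick, "resumed", load))
        if not self.inspecting:
            self.uninspected.append(tick)
        return self.inspecting


def replay(samples, high=85.0, low=60.0):
    """Run the guard over (tick, cpu, mem) samples; return (events, uninspected ticks)."""
    guard = IpsLoadGuard(high, low)
    for tick, cpu, mem in samples:
        guard.update(tick, cpu, mem)
    return guard.events, guard.uninspected


# Constructed load samples: a CPU spike that decays slowly through the hysteresis
# band, then a memory spike that trips the guard even though CPU is moderate.
SAMPLES = [(1, 40, 30), (2, 70, 35), (3, 90, 40), (4, 75, 40),
           (5, 65, 40), (6, 55, 40), (7, 70, 88), (8, 50, 45)]

if __name__ == "__main__":
    events, skipped = replay(SAMPLES)
    print(events)
    print("ticks passed without inspection:", skipped)
```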



IDS Business Benefits



> Compliance

Helps merchant companies comply with the core requirements of PCI DSS, including developing and maintaining secure systems and applications, tracking and monitoring all access to network resources and cardholder data, and regularly testing security systems and processes, by combining network and wireless intrusion detection, log management, vulnerability scanning and reporting tools into a single plug-and-play appliance.


Addresses PCI DSS requirements 10.2, 10.3, 10.5, 10.6 and 10.7.

Specifically, these solutions:

  • Analyse event log data for potential security incidents, such as account lockouts, failed logins, new user accounts and improper access attempts
  • Identify incidents that warrant investigation and send notifications to you for review
  • Create an incident audit trail for auditors and regulators
  • Provide daily reports mapped to the PCI DSS standard


> MDM integration

MDM (Mobile Device Management) systems typically do not control access to the network; they control access to applications (for example, Microsoft Exchange). Thus, MDM does not prevent unauthorised access to data on the network, nor does MDM prevent infected or compromised devices from attacking the network.


> SIEM integration


If a SIEM (Security Information and Event Management) system is not aware of all the network endpoints on a continuous basis, it cannot produce an accurate security snapshot of your network. By itself, a SIEM system has no enforcement capabilities. Some SIEM systems can send commands to IPS security systems to respond automatically to endpoint security issues, for example to update the operating system, disable USB devices, or quarantine the endpoints.


> Global Security Operation Centre Support

A research and development team tracks Internet threat levels around the world from its Global Threat Operations Center to enhance and update the protection in Security Network Intrusion Prevention System solutions.


> IDS Managed Service


Around-the-clock management and monitoring

Proactive intrusion detection, prevention, and incident response with escalation of unauthorised activities.


Enlist a team of expert threat analysts who monitor your networks and endpoints 24x7, applying the latest intelligence and methodologies to look for signs of compromise.


Network sensors (small appliances, or software installed on standard servers or VMs, that continuously monitor network traffic through switch SPAN ports) are placed on the customer network / data centres for intrusion detection and traffic analysis. When a potential compromise is detected, the team performs an in-depth analysis of the affected systems to confirm the attack.

Our experienced security professionals serve as an extension of your security team, providing recommendations and expert guidance as needed at no additional cost to your organisation.



  • Configuration changes
  • Policy requests
  • Help desk tickets
  • Support from our expert SOC staff
  • Device provisioning and deployment
  • Performance and availability management
  • Device upgrades and patch management
  • Policy and signature management
  • Real-time threat monitoring and response
  • Integrated Counter Threat Unit intelligence
  • On-demand security and compliance reporting
  • Flexible co-management options
  • Unlimited and unmetered expert support
  • Auditable and accurate change management
  • Enterprise class backup and recovery


Customisable reporting
Compliance requirement management with reports by device, group, or site.

Device flexibility

Virtually eliminates per-device restrictions when modifying configurations so change requests can be pooled across multiple devices.

Vendor-neutral approach

Works with a wide range of devices and virtual private networks to optimise your existing security investments.





Contact SecureNet Consulting today for solutions advice, professional services, engineering and proof-of-concept resources for Intrusion Detection / Prevention.


SecureNet Consulting Professional Services
SecureNet Consulting Technical Engineering
http://www.securenetconsulting.co.uk/p/contact-us.html
SecureNet Consulting Managed Services
SecureNet Consulting IT Support Services
http://www.securenetconsulting.co.uk/p/training_7.html

+44(0)7714 209927
+44(0)1273 329753
info@securenetconsulting.co.uk

http://eepurl.com/GKx25
https://www.linkedin.com/in/paul-rummery-0b89535
https://www.facebook.com/pages/SecureNet-Consulting/188102854572105
https://plus.google.com/116898209106255177774