Next Generation - Network Intrusion Detection and Prevention
Monitor & Protect Wired, Wireless, Application Layer and Virtual Networks
> Make sure your network is protected from attacks.
> Combine: Global threat intelligence, real-time visibility of your network and endpoints to detect and prevent intrusions.
> Monitor network, server hosts and mobile device activity across the enterprise.
> Deep packet inspection examines the contents of traffic packets
> Identify and model human and machine behaviours that represent threats with a high degree of accuracy - and without lots of false positives.
> Designed for both C-level executives and threat analysts
Organisations require or implement IDS / IPS to prevent outside attackers from breaching networks to steal information or to bring down or disrupt systems / services, and to prevent data loss from internal leaks. Often compliance and audit requirements demand that specific data and entry-point activity be logged and reported.
Next generation IDS / IPS solutions are available either as dedicated products, integrated into holistic security solutions, or as managed services.
Below we review the features and platforms of the various network intrusion detection and prevention solutions.
In order to provide not only detection but also pro-active prevention of ‘intrusions’, you may find that network security devices consist of, and tick the boxes for, one or more security functions, including firewall, intrusion prevention/detection (IPS/IDS), data leakage prevention (DLP), and content security filtering functions (e.g. anti-spam, antivirus, URL filtering). Those functions have increasingly been integrated into single-platform solutions, also called Unified Threat Management (UTM) systems or Next Generation Firewalls.
> Hacking has mutated from a hobby to a successful business
> Protect your organisation’s assets without draining its resources.
> Security threats don’t have to compromise your organisation or your budget.
Intrusion detection systems protect you from a wide range of threats
IDS Solution Platforms
- Hardware Appliances
- Software
- Virtual
- Managed / Cloud Service
Network-based IDS
- Inline scanning ensures that all Internet traffic (inbound and outbound) can be inspected, so that all traffic, including active content attacks such as cross-site scripting, can be detected and stopped. Inline scanning is also the only way to immediately stop detected threats; compare this to hardware appliances deployed in TAP mode, which can identify but not block threats.
- Network anomaly detection - gathers network flow data and sends it to security information and event management (SIEM) solutions.
Host-based IDS
Host Sensors are security applications used to detect attacks on a network server in real time. Host Sensors monitor individual systems.
IDS Sensors
- Provides complete visibility without data stream interference or introducing a point of failure.
- Provides deep forensics capabilities, including flexible packet capture and complete session reconstruction. Network Sensors are centrally managed.
- A monitoring device connected to the tap still sees all full-duplex traffic as if it were inline, including Layer 1 and Layer 2 errors.
Intrusion Detection Technology Solution Features
> Protect virtual servers
> Protect endpoints
Protects servers, mobile devices, fixed point devices – Desktops & POS.
> Client protection
Protects end users against attacks targeting applications used every day, such as Microsoft Office files, Adobe PDF files, multimedia files (Flash and AVI files), web browsers and plug-ins (Java and ActiveX). Also provides protection against Web 2.0 threats, defence against operating system vulnerabilities, detection of infected systems, and detection of spyware and adware.
> Server protection
All-round server protection, addressing problems including system and service vulnerability exploits, brute force, SQL injection, and cross-site scripting.
> Infrastructure protection
> Data security
Monitors and identifies unencrypted personally identifiable information and other confidential data.
> Application & protocol protection
Identifies and blocks application- and protocol-related probes and attacks using a database of patterns and rules, including:
- Probing, port scans, interrogations, host sweeps
- Attacks on application vulnerabilities
- Protocol exploitation
> Highly effective protocol scanning
- Protocol compliance and anomaly detection.
- Scans all protocols, including HTTP, HTTPS, FTP, TCP, UDP, DNS, SMTP, and POP3 to block network, application, and protocol-based attacks.
- Web application security - Protects web applications, Web 2.0 and databases with the same level of protection as web application firewalls.
- Application Control - Reclaims bandwidth and blocks Skype, peer-to-peer networks and tunneling.
- Bi-directional, full stack inspection - provides inbound and outbound inspection of critical application traffic. Includes protection for a wide variety of attacks, such as SQL injection, cross-site scripting, remote code execution, shell code payloads and remote procedure calls.
> Context aware monitoring engine
Features full traffic visibility on end users, applications, sources, destinations, threat types, content and devices.
> VPN cleaning
Inspects all incoming and outgoing VPN traffic for attacks and blocks malicious traffic.
> Zone-based protection
Flexible, object-based policy engine enables quick and easy rule creation for specific systems, users, groups, hosts or networks.
> Application traffic analytics
Offers comprehensive logging with filtering options, on-box reporting and administrator notification capabilities. Includes customised intrusion prevention templates for off-box IPFIX exporting for long-term analytics reporting.
> Application control
Provides the ability to monitor and manage over 4,500 applications, including instant messaging and peer-to-peer file sharing programs, closing a potential back door that can be used to compromise the network while improving employee productivity and conserving bandwidth. Covers mainstream application protocols including P2P, IM, online games, stock software, voice applications, online video, streaming media, web mail, mobile terminals, and remote login.
> Bandwidth control
Restricts the bandwidth used by harmful or unwanted applications. By removing undesired network traffic, the IDS ensures that bandwidth and network usage is reserved for common office applications like OA and ERP.
> Administrator-defined regular expression monitoring
Prevents data leakage by enabling transmission control and blocking of sensitive data, such as credit card and social security numbers or specific file attachments, to personal web mail services and corporate SMTP or POP3 email.
> IPv4 and IPv6 support
The IPS platform supports a wide variety of traffic types and protocols. It provides uncompromising simultaneous IPv6/v4 payload inspection and support for related tunnelling variants. It also supports inspection of IPv6/v4 traffic with VLAN and MPLS tags, mobile IPv4 traffic, GRE and GTP (GPRS tunnelling), and jumbo frames.
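As an added illustration of the administrator-defined regular expression monitoring described above (example code written for this page, not part of the original text or any vendor's product), the following Python detector pairs a card-number pattern with a Luhn check and a structurally validated SSN pattern, so that random digit runs that merely look like card numbers are not flagged. The patterns, function names and sample strings are all constructed assumptions.

```python
import re

# Candidate payment card numbers: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern from matching inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN AAA-GG-SSSS with structurally invalid values excluded
# (area 000, 666 or 9xx; group 00; serial 0000).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the second stage that weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (type, value) findings: PANs must pass Luhn, SSNs must be structurally valid."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", digits))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    return findings


def policy_decision(text: str) -> str:
    """Transmission control: block the message when any sensitive finding exists, otherwise allow."""
    return "block" if find_sensitive(text) else "allow"
```

The constructed string "1234 5678 9012 3456" matches the card pattern but fails Luhn, so a regex-only rule would have produced a false positive that the second stage avoids.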
> Active response
Even where zero-day vulnerabilities and attacks can be detected and blocked, a device or endpoint may already be infected (for example a BYOD device that has been on a public network). In that case the IDS / IPS system can integrate with other security management systems to quarantine the endpoint or initiate a vulnerability scan of it.
> Attack signatures
- Quickly identifies common signatures in malicious packets
- Performs a second-level analysis to confirm that the attack is real
- Discovers attacks based on clues identified across multiple protocol parts
> Combine technologies for more accurate protection and performance
Enterprises can realise increased efficiency in their IPS infrastructures by offloading SSL termination to high-performance Application Delivery Controllers / Load-Balancers (ADCs). Some of the more recent technologies / models are equipped with SSL decryption and Layer 7 application IPS features, and the ADC can intelligently steer incoming waves of traffic.
> Network flow correlation & detection
Network flow collection technologies provide even higher levels of network security and visibility, which is helpful in combating new, multi-faceted threats such as advanced persistent threats (APTs). The collected data can then be analysed to identify deviations from normal behaviour. Network flow data can also be collected and sent to SIEM solutions.
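To show how the flow-based deviation detection described above can work in practice, here is an added Python example (written for this page, not the original text's or any vendor's code) that learns a per-source byte baseline from constructed flow records and then flags volume deviations and host sweeps in a new interval. The record format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (interval, src, dst, dst_port, bytes).
# Intervals 1-5 form the learning window; interval 6 is the window under observation.
BASELINE_FLOWS = (
    [(i, "10.0.0.5", "10.0.1.20", 443, b) for i, b in enumerate([48000, 52000, 50000, 49000, 51000], 1)]
    + [(i, "10.0.0.7", "10.0.1.21", 443, 20000) for i in range(1, 6)]
    + [(i, "10.0.0.9", "10.0.1.22", 445, 3000) for i in range(1, 6)]
)
OBSERVED_FLOWS = (
    [(6, "10.0.0.5", "203.0.113.10", 443, 900_000)]  # sudden large transfer to an outside host
    + [(6, "10.0.0.7", "10.0.1.21", 443, 21_000)]  # within normal variation
    + [(6, "10.0.0.9", f"10.0.1.{n}", 445, 100) for n in range(30, 55)]  # 25 hosts on one port
)


def bytes_per_source(flows):
    """Aggregate bytes sent per (interval, src), the granularity a flow exporter reports at."""
    totals = defaultdict(int)
    for interval, src, _dst, _port, nbytes in flows:
        totals[(interval, src)] += nbytes
    return totals


def build_baseline(flows):
    """Per-source mean and population stdev of bytes per interval over the learning window."""
    samples = defaultdict(list)
    for (_interval, src), total in bytes_per_source(flows).items():
        samples[src].append(total)
    return {src: (mean(v), pstdev(v)) for src, v in samples.items()}


def detect(flows, baseline, k=3.0, sweep_threshold=10):
    """Return (interval, src, kind, detail) alerts for volume deviations and host sweeps."""
    alerts = []
    for (interval, src), total in bytes_per_source(flows).items():
        if src not in baseline:
            alerts.append((interval, src, "new-source", total))
            continue
        mu, sigma = baseline[src]
        # Floor sigma at 5% of the mean so a perfectly flat baseline does not alert on noise.
        if total > mu + k * max(sigma, 0.05 * mu):
            alerts.append((interval, src, "volume-deviation", total))
    destinations = defaultdict(set)
    for interval, src, dst, _port, _nbytes in flows:
        destinations[(interval, src)].add(dst)
    for (interval, src), dsts in destinations.items():
        if len(dsts) >= sweep_threshold:
            alerts.append((interval, src, "host-sweep", len(dsts)))
    return sorted(alerts)
```

The sweep from 10.0.0.9 moves only 2,500 bytes, below its volume threshold, which is why the destination count is checked separately from the byte baseline.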
> System patching
Shields vulnerabilities from exploitation, independent of a software patch.
> Bi-directional, full stack inspection
Provides inbound and outbound inspection of critical application traffic. Includes protection for a wide variety of attacks, such as SQL injection, cross-site scripting, remote code execution, shell code payloads and remote procedure calls.
> Performance
Intrusion Prevention System solutions provide the performance you need while delivering high levels of security, offering industry-leading performance beyond 60 Gbps of inspected throughput.
Allows administrators to configure performance settings.
IDS Business Benefits
> Compliance
Helps merchant companies to comply with the core requirements of PCI DSS, including developing and maintaining secure systems and applications, tracking and monitoring all access to network resources and cardholder data, and regularly testing security systems and processes, by combining network and wireless intrusion detection, log management, vulnerability scanning and reporting tools into a single plug-and-play appliance. Addresses PCI DSS requirements 10.2, 10.3, 10.5, 10.6 and 10.7.
Specifically, these solutions:
- Analyse event log data for potential security incidents, such as account lockouts, failed logins, new user accounts and improper access attempts
- Identify incidents that warrant investigation and send notifications to you for review
- Create an incident audit trail for auditors and regulators
- Provide daily reports mapped to the PCI DSS standard
> MDM integration
MDM (Mobile Device Management) systems typically do not control access to the network; they control access to applications (for example, Microsoft Exchange). Thus, MDM does not prevent unauthorised access to data on the network, nor does MDM prevent infected or compromised devices from attacking the network.
> SIEM integration
If a SIEM (Security Information and Event Management) system is not aware of all the network endpoints on a continuous basis, it is not able to produce an accurate security snapshot of your network. By itself, a SIEM system doesn’t have any enforcement capabilities. Some SIEM systems are able to send commands to IPS security systems to automatically respond to endpoint security issues, for example to update the operating system, disable USB devices, or quarantine the endpoints.
> Global Security Operation Centre Support
The research and development team tracks Internet threat levels around the world from its Global Threat Operations Center to enhance and update the protection in Security Network Intrusion Prevention System solutions.
> IDS Managed Service
Around-the-clock management and monitoring
Proactive intrusion detection, prevention, and incident response with escalation of unauthorised activities.
Enlist a team of expert threat analysts who monitor your networks and endpoints 24x7, applying the latest intelligence and methodologies to look for signs of compromise.
Network sensors (small appliances, or software installed on standard servers or VMs, that continuously monitor network traffic through switch SPAN ports) are placed on the customer network / data centers for intrusion detection / traffic analysis. When a potential compromise is detected, the team performs an in-depth analysis on affected systems to confirm the attack.
Our experienced security professionals serve as an extension of your security team, providing recommendations and expert guidance as needed at no additional cost to your organisation.
Customisable reporting
Compliance requirement management with reports by device, group, or site.
Device flexibility
Virtually eliminates per-device restrictions when modifying configurations so change requests can be pooled across multiple devices.
Vendor-neutral approach
Works with a wide range of devices and virtual private networks to optimise your existing security investments.
Contact SecureNet Consulting today for solutions advice, professional services, engineering and proof-of-concept resources for Intrusion Detection / Prevention.
