Everyone wants to keep intruders out of their house. Likewise, and for similar reasons, network administrators strive to keep intruders out of the networks they manage. One of the most important assets of many of today’s organizations is their data. It is so important that many ill-intentioned individuals will go to great lengths to steal it, using a vast array of techniques to gain unauthorized access to networks and systems. The number of such attacks seems to have grown exponentially in recent years and, in reaction, systems are being put in place to prevent them. Those systems are called Intrusion Prevention Systems, or IPS. Today, we’re having a look at the very best intrusion prevention systems we could find.
We’ll start out by trying to better define what Intrusion Prevention is. This, of course, entails that we’ll also define what intrusion is. We’ll then explore the different detection methods that are typically used and what remediation actions are taken upon detection. Then, we’ll briefly talk about passive intrusion prevention. These are static measures that can be put in place which could drastically reduce the number of intrusion attempts. You might be surprised to find out that some of those have nothing to do with computers. Only then, with all of us on the same page, will we be able to finally review some of the best Intrusion Prevention Systems we could find.
Intrusion Prevention – What Is This All About?
Years ago, viruses were pretty much the only concern of system administrators. Viruses got to a point where they were so common that the industry reacted by developing virus protection tools. Today, no serious user in his right mind would think of running a computer without virus protection. While we don’t hear much of viruses anymore, intrusion—or the unauthorized access to your data by malicious users—is the new threat. With data often being an organization’s most important asset, corporate networks have become the target of ill-intentioned hackers who will go to great lengths to gain access to data. Just like virus protection software was the answer to the proliferation of viruses, Intrusion Prevention Systems are the answer to intruder attacks.
Intrusion Prevention Systems essentially do two things. First, they detect intrusion attempts and, second, when they detect any suspicious activity, they use different methods to stop or block it. There are two different ways that intrusion attempts can be detected. Signature-based detection works by analyzing network traffic and data and looking for specific patterns associated with intrusion attempts. This is similar to traditional virus protection systems which rely on virus definitions. Signature-based intrusion detection relies on intrusion signatures or patterns. The main drawback of this detection method is that it needs the proper signatures to be loaded into the software. And when a new attack method appears, there is usually a delay before attack signatures are updated. Some vendors are very fast at providing updated attack signatures while others are much slower. How often and how fast signatures are updated is an important factor to consider when choosing a vendor.
Anomaly-based detection offers better protection against zero-day attacks, those that happen before detection signatures have had a chance to be updated. The process looks for anomalies instead of trying to recognize known intrusion patterns. For example, it would be triggered if someone tried to access a system with a wrong password several times in a row, a common sign of a brute force attack. This is just an example and there are typically hundreds of different suspicious activities that can trigger these systems. Both detection methods have their advantages and disadvantages. The best tools are those that use a combination of signature and behaviour analysis for the best protection.
Detecting intrusion attempts is only the first part of preventing them. Once detected, Intrusion Prevention Systems work actively at stopping the detected activities. Several different remedial actions can be undertaken by these systems. They could, for instance, suspend or otherwise deactivate user accounts. Another typical action is blocking the source IP address of the attack or modifying firewall rules. If the malicious activity comes from a specific process, the prevention system could kill the process. Starting some protection process is another common reaction and, in the worst cases, whole systems can be shut down to limit potential damage. Another important task of Intrusion Prevention Systems is alerting administrators, recording the event, and reporting suspicious activities.
Passive Intrusion Prevention Measures
While Intrusion Prevention Systems can protect you against numerous types of attacks, nothing beats good, old-fashioned passive intrusion prevention measures. For instance, mandating strong passwords is an excellent way of protecting against many intrusions. Another easy protection measure is changing equipment default passwords. While it is less frequent in corporate networks—although it is not unheard of—I’ve seen only too often Internet gateways that still had their default admin password. While on the subject of passwords, password ageing is another concrete step that can be put in place to reduce intrusion attempts. Any password, even the best one, can eventually be cracked, given enough time. Password ageing ensures that passwords will be changed before they have been cracked.
These were just examples of what could be done to passively prevent intrusions. We could write a whole post about what passive measures can be put in place but this is not our objective today. Our goal is instead to present some of the best active Intrusion Prevention Systems.
The Best Intrusion Prevention Systems
Our list contains a mix of various tools that can be used to protect against intrusion attempts. Most of the tools included are true Intrusion Prevention Systems but we’re also including tools which, while not being marketed as such, can be used to prevent intrusions. Our first entry is one such example. Remember that, more than anything, your choice of which tool to use should be guided by what your specific needs are. So, let’s see what each of our top tools has to offer.
1. SolarWinds Log & Event Manager (FREE TRIAL)
SolarWinds is a well-known name in network administration. It enjoys a solid reputation for making some of the best network and system administration tools. Its flagship product, the Network Performance Monitor consistently scores among the top network bandwidth monitoring tools available. SolarWinds is also famous for its many free tools, each addressing a specific need of network administrators. The Kiwi Syslog Server or the SolarWinds TFTP server are two excellent examples of these free tools.
Don’t let the SolarWinds Log & Event Manager’s name fool you. There is much more to it than meets the eye. Some of the advanced features of this product qualify it as an intrusion detection and prevention system while others put it in the Security Information and Event Management (SIEM) range. The tool, for example, features real-time event correlation and real-time remediation.
- FREE TRIAL: SolarWinds Log & Event Manager
- Official Download Link: https://www.solarwinds.com/log-event-manager-software/registration
The SolarWinds Log & Event Manager boasts instantaneous detection of suspicious activity (an intrusion detection functionality) and automated responses (an intrusion prevention functionality). This tool can also be used to perform security event investigation and forensics. It can be used for mitigation and compliance purposes. The tool features audit-proven reporting which can also be used to demonstrate compliance with various regulatory frameworks such as HIPAA, PCI-DSS, and SOX. The tool also has file integrity monitoring and USB device monitoring. All the advanced features of the software make it more of an integrated security platform than just the log and event management system that its name would lead you to believe.
The Intrusion Prevention features of the SolarWinds Log & Event Manager work by implementing actions called Active Responses whenever threats are detected. Different responses can be linked to specific alerts. For example, the system can write to firewall tables to block the network access of a source IP address that has been identified as performing suspicious activities. The tool can also suspend user accounts, stop or start processes, and shut down systems. You’ll recall how these are precisely the remediation actions we identified before.
Pricing for the SolarWinds Log & Event Manager varies based on the number of monitored nodes. Prices start at $4,585 for up to 30 monitored nodes and licenses for up to 2500 nodes can be purchased making the product highly scalable. If you want to take the product for a test run and see for yourself if it’s right for you, a free full-featured 30-day trial is available.
2. Splunk Enterprise Security
Splunk is likely one of the most popular Intrusion Prevention Systems. It is available in several different editions sporting different feature sets. Splunk Enterprise Security–or Splunk ES, as it is often called–is what you need for true Intrusion Prevention. The software monitors your system’s data in real time, looking for vulnerabilities and signs of abnormal activity.
Security response is one of the product’s strong suits and what makes it an Intrusion Prevention System. It uses what the vendor calls the Adaptive Response Framework (ARF). It integrates with equipment from more than 55 security vendors and can perform automated response, speeding up manual tasks. This combination of automated remediation and manual intervention can give you the best chances of quickly gaining the upper hand. The tool has a simple and uncluttered user interface, making for a winning solution. Other interesting protection features include the “Notables” function which shows user-customizable alerts and the “Asset Investigator” for flagging malicious activities and preventing further problems.
Splunk Enterprise Security’s pricing information is not readily available. You’ll need to contact Splunk’s sales to get a detailed quote. This is a great product for which a free trial is available.
3. Sagan
Sagan is basically a free intrusion detection system. However, the tool has script execution capabilities which can place it in the Intrusion Prevention Systems category. Sagan detects intrusion attempts through the monitoring of log files. You can also combine Sagan with Snort, which can feed its output to Sagan, giving the tool some network-based intrusion detection capabilities. In fact, Sagan can receive input from many other tools such as Bro or Suricata, combining the capabilities of several tools for the best possible protection.
There’s a catch to Sagan’s script execution capabilities, though: you have to write the remediation scripts yourself. Although this tool might not be best used as your sole defence against intrusion, it could be a key component of a system that incorporates several tools, correlating events from different sources and giving you the best of many products.
While Sagan can only be installed on Linux, Unix, and Mac OS, it can connect to Windows systems to get their events. Other interesting features of Sagan include IP address location tracking and distributed processing.
4. OSSEC
Open Source Security, or OSSEC, is one of the leading open-source host-based Intrusion Detection Systems. We’re including it on our list for two reasons. First, its popularity is such that we had to include it. Second, the tool lets you specify actions that are performed automatically whenever specific alerts are triggered, giving it some Intrusion Prevention capabilities. OSSEC is owned by Trend Micro, one of the leading names in IT security and maker of one of the best virus protection suites.
When installed on Unix-like operating systems, the software’s detection engine primarily focuses on log and configuration files. It creates checksums of important files and periodically verifies them, alerting you or triggering a remedial action whenever something odd happens. It will also monitor and alert on any abnormal attempt at getting root access. On Windows, the system also keeps an eye out for unauthorized registry modifications as they could be the tell-tale sign of malicious activity. Any detection will trigger an alert which will be displayed on the centralized console while notifications will also be sent by email.
OSSEC is a host-based intrusion protection system. As such, it needs to be installed on each computer you want to protect. However, a centralized console does consolidate information from each protected computer for easier management. The OSSEC console only runs on Unix-like operating systems but an agent is available to protect Windows hosts. Alternatively, other tools such as Kibana or Graylog can be used as the tool’s front end.
5. Open WIPS-NG
We weren’t too sure if we should include Open WIPS NG on our list. More about it in a moment. It made it mainly because it’s one of the only products that specifically targets wireless networks. Open WIPS NG–where WIPS stands for Wireless Intrusion Prevention System–is an open source tool which is made of three main components. First, there is the sensor. This is a dumb process that simply captures wireless traffic and sends it to the server for analysis. As you probably have guessed, the next component is the server. It aggregates data from all sensors, analyzes the gathered data and responds to attacks. This component is the heart of the system. Last but not least is the interface component which is the GUI that you use to manage the server and display information about threats found on your wireless network.
The main reason why we hesitated before including Open WIPS NG on our list is that, as good as it is, not everyone likes the product’s developer. It is from the same developer as Aircrack-NG, a wireless packet sniffer and password cracker that is part of every WiFi hacker’s toolkit. This opens the debate on the developer’s ethics and it makes some users wary. On the other hand, the developer’s background can be seen as a testament to his deep knowledge of Wi-Fi security.
6. Fail2Ban
Fail2Ban is a relatively popular free host intrusion detection system with intrusion prevention features. The software works by monitoring system log files for suspicious events such as failed login attempts or exploit seeking. When the system detects something suspicious, it reacts by automatically updating the local firewall rules to block the source IP address of the malicious behaviour. This, of course, implies that some firewall process is running on the local machine. This is the tool’s primary drawback. However, any other arbitrary action–such as executing some remedial script or sending email notifications–can be configured.
Fail2Ban is supplied with several pre-built detection triggers called filters, covering some of the most common services such as Apache, Courier, SSH, FTP, Postfix and many more. As we said, remediation actions are accomplished by modifying the host’s firewall tables. Fail2Ban supports Netfilter, iptables, or the hosts.deny table of TCP Wrapper. Each filter can be associated with one or many actions. Together, filters and actions are referred to as a jail.
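To make the filter/action/jail model concrete, and to show the repeated-failed-login anomaly described earlier in the detection section, here is an added example that replays a few constructed sshd log lines through a minimal jail. It is not Fail2Ban’s own code: the filter regex, the sample log lines, the assumed year, and the `run_jail`/`demo` names are all ours, and the action only records which source would be blocked instead of touching a firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Simplified stand-in for a Fail2Ban sshd filter regex (assumed pattern, not Fail2Ban's own).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

# Constructed sshd log lines: one source fails 3 times in 11 seconds, another 3 times over 40 minutes.
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 5110 ssh2",
    "Mar  3 10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 5111 ssh2",
    "Mar  3 10:00:09 host sshd[1203]: Accepted publickey for alice from 198.51.100.2 port 4000 ssh2",
    "Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 5112 ssh2",
    "Mar  3 10:01:00 host sshd[1205]: Failed password for bob from 198.51.100.9 port 6000 ssh2",
    "Mar  3 10:20:00 host sshd[1206]: Failed password for bob from 198.51.100.9 port 6001 ssh2",
    "Mar  3 10:40:00 host sshd[1207]: Failed password for bob from 198.51.100.9 port 6002 ssh2",
]

def parse_ts(raw, year=2024):
    """Syslog timestamps carry no year; a fixed one is assumed so the window math works."""
    return datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")

def run_jail(lines, action, maxretry=3, findtime=timedelta(minutes=10)):
    """Replay log lines through a jail: a source that matches the filter `maxretry` times
    within `findtime` triggers `action(ip, ts)` once. Returns {ip: time of ban decision}."""
    hits = defaultdict(deque)          # per-source sliding window of match times
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                   # line does not match the filter: ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned:
            continue                   # already banned, no second action
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()           # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
            action(ip, ts)
    return banned

def demo():
    blocked = []                       # stand-in for a firewall action: just record the source
    run_jail(SAMPLE_LOG, lambda ip, ts: blocked.append(ip))
    return blocked
```

Only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its attempts are spread beyond the ten-minute `findtime` window, which is exactly the trade-off the `maxretry`/`findtime` pair lets you tune.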
7. Bro Network Security Monitor
The Bro Network Security Monitor is another free network intrusion detection system with IPS-like functionality. It works in two phases: it first logs traffic and then analyzes it. This tool operates at multiple layers up to the application layer, which accounts for better detection of split intrusion attempts. The product’s analysis module is made up of two elements. The first element is called the Event Engine and its purpose is tracking triggering events such as TCP connections or HTTP requests. The events are then analyzed by Policy Scripts, the second element. The Policy Scripts’ job is to decide whether to trigger an alarm, launch an action, or ignore the event. It is the possibility of launching an action which gives the Bro Network Security Monitor its IPS functionality.
The Bro Network Security Monitor has some limitations. It will only track HTTP, DNS, and FTP activity and it will also monitor SNMP traffic. This is a good thing, though, because SNMP is often used for network monitoring despite its serious security flaws. SNMP has barely any built-in security and uses unencrypted traffic. And since the protocol can be used to modify configurations, it could easily be exploited by malicious users. The product will also keep an eye on device configuration changes and SNMP Traps. It can be installed on Unix, Linux, and OS X but it is not available for Windows, which is perhaps its main drawback. Otherwise, this is a very interesting tool which is well worth trying.