PacketAlarm Intrusion Detection
Network-based intrusion detection is an indispensable instrument in any enterprise-wide security solution. No other technology supports real-time monitoring and attack detection of communications in complete network segments. Intrusion detection systems can thus be implemented, for example, at core switches or, using TAP devices, at central locations in order to check all aspects of internal communication. According to recent studies, around 60-80% of all attacks come from the internal network, and these cannot be detected by gateway security products. Since intrusion detection technology is also used passively in sniffing mode, the data stream is not influenced, thereby guaranteeing maximum availability.
PacketAlarm IDS has been developed specifically for monitoring complete network segments. PacketAlarm IDS’s proven scan and detection technology and the sensor/manager architecture deliver maximum performance and scalability. The integrated vulnerability scanner continuously monitors the protected systems in order to identify any vulnerability that is present. The intelligent correlation between attacks that have been identified and any existing vulnerabilities is used to calculate in real time which attacks are actually relevant and dangerous for the network. All attack data and system vulnerabilities are output in clearly structured reports. PacketAlarm IDS thus helps the administrator separate important from unimportant information and thereby creates greater security while reducing administration costs.
Optimum monitoring, forensic analysis and auto-reporting
PacketAlarm IDS supports a detailed forensic analysis of attacks on the network. A user-friendly query and display option sorts the incidents occurring in a freely definable period into various categories. The risk of each event is shown (High, Medium, Low, Info). All attacks are displayed, by default including the entire attack packet. PacketAlarm IDS displays attacks sorted by attack target and attacker and thus creates an optimum overview of the attacked systems. All data required for the analysis can be exported easily. A special AutoReport function automatically reports the most important attacks and rule violations in a clearly structured e-mail report. Whether reports are sent daily, weekly or monthly can be freely configured. Output of diagrams and tables can also be combined to suit individual needs. This ensures that management, IT managers and administrators have the means to display precisely the data that is most important to them.
Secure monitoring, secure management
PacketAlarm IDS can perform sniffing with multiple interfaces simultaneously as standard and can thereby monitor several network segments in a system. Sniffing interfaces do not have a dedicated IP address (stealth mode). This means that PacketAlarm IDS itself cannot be attacked. The management interface can simply be positioned in, for example, a segment protected by a firewall. In addition, management access can be limited to specific IP addresses via the PacketAlarm management console. Communication between the browser and manager is encrypted.
PacketAlarm IDS integrates an SNMP interface that can be used to retrieve statistical data from PacketAlarm IDS in order to obtain information about, for example, CPU utilisation and hard disk capacity.
Vulnerability Scanner
The powerful PacketAlarm IDS Vulnerability Scanner checks the systems that need to be protected for vulnerabilities. PacketAlarm continuously runs tests and lists the vulnerabilities it finds. In addition to being well structured, these lists present detailed information on each vulnerability found and recommend how it can be removed.
Event Correlation
PacketAlarm IDS uses a special function known as Event Correlation to check whether each specific attack that is identified could actually be carried out on the target system. This decision is based on defined system attributes or on the vulnerabilities detected by the vulnerability scanner. Each matching correlation increases the probability that an attack will be successful. Attacks with a low probability rating can be filtered from the output, thereby preventing false alarms. The administrator can naturally also create his own system attributes, establish correlations between rules and attributes or vulnerabilities, and determine the extent to which these increase or decrease the probability of a successful attack.
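The correlation logic described above, as an added illustration rather than PacketAlarm code: each alert's base probability is raised or lowered by correlations that match the target host's attributes or scanner findings, and alerts under a threshold are filtered out. All hosts, signature ids, vulnerability ids and weights are constructed examples.

```python
"""Event Correlation as described above: adjust an alert's probability of
success from the target's attributes and scanner findings, then filter.
Added illustration; hosts, signature ids, vulnerability ids and weights
are constructed, not PacketAlarm data."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory: admin-defined attributes plus scanner findings.
HOSTS = {
    "10.0.1.10": {"attrs": {"os": "windows"}, "vulns": {"VULN-SMB-EXAMPLE"}},
    "10.0.1.20": {"attrs": {"os": "linux"}, "vulns": set()},
}

@dataclass
class Correlation:
    """Weight applied when the attribute(s) and/or vulnerability match."""
    attr: dict = field(default_factory=dict)   # e.g. {"os": "windows"}
    vuln: Optional[str] = None                 # scanner vulnerability id
    weight: float = 0.0                        # may be negative

# Constructed correlation table: signature id -> correlations.
CORRELATIONS = {
    "SIG-SMB-EXPLOIT": [
        Correlation(attr={"os": "windows"}, weight=0.3),
        Correlation(vuln="VULN-SMB-EXAMPLE", weight=0.5),
        Correlation(attr={"os": "linux"}, weight=-0.4),
    ],
}

def score(sig: str, target: str, base: float = 0.2) -> float:
    """Probability that alert 'sig' against 'target' succeeds, clamped to [0, 1]."""
    host = HOSTS.get(target, {"attrs": {}, "vulns": set()})
    p = base
    for c in CORRELATIONS.get(sig, []):
        attr_ok = all(host["attrs"].get(k) == v for k, v in c.attr.items())
        vuln_ok = c.vuln is None or c.vuln in host["vulns"]
        if attr_ok and vuln_ok:
            p += c.weight
    return max(0.0, min(1.0, p))

def filter_alerts(alerts, threshold: float = 0.5):
    """Drop alerts below the threshold, as the false-alarm filter does."""
    return [(sig, target, round(score(sig, target), 2))
            for sig, target in alerts if score(sig, target) >= threshold]

if __name__ == "__main__":
    for row in filter_alerts([("SIG-SMB-EXPLOIT", "10.0.1.10"),
                              ("SIG-SMB-EXPLOIT", "10.0.1.20")]):
        print(row)
```

The Linux host gets a negative weight, so the same signature against it drops below the threshold and is not reported.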
Anomaly Detection
Attacks and the effects of attacks often cause irregularities in data traffic. A sudden increase in data volume or the shutdown of an Internet service can be signs of an attack. PacketAlarm IDS’s Anomaly Detection displays and reports deviations from “normal” data volumes. PacketAlarm IDS can learn what data volume is considered “normal”, and this can also be configured by administrators. Anomalies can be defined for networks, individual machines and even individual ports on machines. If a value deviates from the normal value by a specified percentage for a defined time range, this is reported.
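A minimal version of that threshold logic, added here as an illustration and not PacketAlarm's implementation: the normal volume per (host, port) is learned from history or set by the administrator, and a report is raised only when the deviation exceeds the configured percentage for a sustained number of intervals. The counters below are constructed.

```python
"""Anomaly Detection as described above: learn a 'normal' volume per key
(network, host or host+port), then report when the observed value deviates
by more than a percentage for a defined number of consecutive intervals.
Added illustration with constructed counters; not PacketAlarm code."""
from collections import defaultdict, deque
from statistics import mean
from typing import Optional

class VolumeAnomalyDetector:
    def __init__(self, pct: float, window: int):
        self.pct = pct          # allowed deviation, e.g. 50.0 for +/- 50 %
        self.window = window    # consecutive intervals that must deviate
        self.baseline = {}      # key -> normal bytes per interval
        self.recent = defaultdict(lambda: deque(maxlen=window))

    def learn(self, key, history) -> None:
        """Learn 'normal' from past interval volumes (mean of the history)."""
        self.baseline[key] = mean(history)

    def set_normal(self, key, value) -> None:
        """Administrator override of the learned value."""
        self.baseline[key] = float(value)

    def observe(self, key, value) -> Optional[str]:
        """Return a report string when the deviation is sustained, else None."""
        normal = self.baseline.get(key)
        if normal is None:
            return None                      # nothing learned yet for this key
        dev = abs(value - normal) / normal * 100 if normal else 100.0
        buf = self.recent[key]
        buf.append(dev > self.pct)
        if len(buf) == self.window and all(buf):
            direction = "above" if value > normal else "below"
            return (f"{key}: {value} bytes is {dev:.0f}% {direction} normal "
                    f"{normal:.0f} for {self.window} intervals")
        return None
```

A value of 0 against a non-zero baseline counts as a 100 % deviation, which is how a shut-down service surfaces as an anomaly.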
Simple creation of individual signatures
PacketAlarm IDS provides users with a fast and straightforward means to create their own signatures using the management interface. Combinations of rules can also be determined using the rule editor, e.g. by source or destination address, port, packet type, packet size or content (e.g. keywords, text or hexadecimal) and by frequency of occurrence within a defined time span. This can be used to customise alarm signalling or termination of specific connections, or to respond to these in another way.
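The kind of rule the editor describes, written out as an added example (not PacketAlarm's rule format): a rule matches on address, port, protocol and payload content given as text or hex, and alarms only once it has fired a set number of times within a time span. The packets and rule names are constructed.

```python
"""Individual signatures as described above: match by address, port,
protocol and payload content (text or hex) and alarm when the rule fires
'count' times within 'seconds'. Added illustration over constructed
packets; field names are not PacketAlarm's rule format."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    ts: float; src: str; dst: str          # seconds since capture start
    dport: int; proto: str; payload: bytes

@dataclass
class Rule:
    name: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    content: Optional[bytes] = None   # text or bytes.fromhex(...) pattern
    count: int = 1                    # alarm once 'count' hits fall in 'seconds'
    seconds: float = 0.0
    hits: deque = field(default_factory=deque, repr=False)

    def matches(self, p: Packet) -> bool:
        fields = ((self.src, p.src), (self.dst, p.dst),
                  (self.dport, p.dport), (self.proto, p.proto))
        return (all(want is None or have == want for want, have in fields)
                and (self.content is None or self.content in p.payload))

    def check(self, p: Packet) -> bool:
        """True when this packet makes the rule alarm (frequency included)."""
        if not self.matches(p):
            return False
        self.hits.append(p.ts)
        while p.ts - self.hits[0] > self.seconds:   # expire hits outside span
            self.hits.popleft()
        return len(self.hits) >= self.count

def run(rules, packets):
    """Return (rule name, timestamp) for every alarm raised, in packet order."""
    return [(r.name, p.ts) for p in packets for r in rules if r.check(p)]

# Constructed traffic: five connects to port 22 within 4 s, then an HTTP
# request whose payload contains the hex pattern 2e2e2f ("../").
PACKETS = [Packet(t, "10.0.2.5", "10.0.1.10", 22, "tcp", b"") for t in range(5)]
PACKETS.append(Packet(5, "10.0.2.5", "10.0.1.10", 80, "tcp", b"GET /" + bytes.fromhex("2e2e2f")))
RULES = [Rule("ssh-connect-burst", dst="10.0.1.10", dport=22, proto="tcp", count=5, seconds=10),
         Rule("traversal-pattern", dport=80, content=bytes.fromhex("2e2e2f"))]
```

Running `run(RULES, PACKETS)` raises the burst rule on the fifth connect and the content rule on the HTTP request; a rule instance keeps its hit history, so reuse a fresh `Rule` per capture.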
Sensor/manager operation
All PacketAlarm products can be operated as a distributed system. Individual sensors are distributed over the entire infrastructure and are configured, managed and monitored centrally using a manager. The sensors can communicate with the manager locally, but also in branch offices via the Internet or VPNs.
Intrusion Prevention in sniffing mode
If the Intrusion Prevention Engine is activated, PacketAlarm IDS can respond to attacks and prevent them by means of a TCP reset or firewall hardening. In order to enable firewall hardening with systems from third-party manufacturers or systems developed in-house, a special interface definition, Open PacketAlarm Architecture (OPA), is used for communication.

The automatic software and pattern update ensures users always have the very latest version of PacketAlarm IDS.