Application Example

packetalarm IDS/IPS NG – Application Example


Location A, the company's headquarters and home of the IT department, wants to detect attacks inside the data stream and react to them automatically.

Further requirements of this virtual company are the integration of its locations B, C and D into the security infrastructure to be implemented. In addition, centralized administration and automated global reporting for all planned IDS and IPS systems are required, as well as a redundant design of the central manager and of location D. As the company has already implemented a firewall system in location A, the installation should be done without any changes to existing IP addresses or to the IT infrastructure.

Location A

packetalarm IPS NG operating in bridging mode allows transparent integration behind the existing firewall. Through the integrated Layer 2/Layer 3 firewall in packetalarm IPS NG, a two-stage firewall concept is easy to realize. Integrating packetalarm IPS NG in inline mode can specifically prevent attacks that are currently not identified by the existing firewall.

By using the Sensor/Manager functionality, all packetalarm NG systems integrated into the company network can be configured, administered and monitored via a central manager unit. The required redundant system for the central manager should be installed in location B, so that the spatial separation provides a back-up data processing centre.

The Auto-Prevention of packetalarm NG actively supports the administrator in deciding how an analysed attack should be handled. More than 6,000 signatures are integrated in packetalarm NG and are pre-classified within an expert system. When Auto-Prevention is activated, every detected attack triggers an automatic reaction. All new signatures delivered by the packetalarm NG software and pattern update are classified within the expert system by default. Only the packetalarm products have an Auto-Prevention function, and the automatic rule update means that they are protected against attacks more quickly than other systems.


Location B

Location B is a subsidiary of location A. In the course of a network reorganisation, location B shall be given the possibility to react actively against attacks. The operation of the redundant manager system is planned at location B. Through the spatial separation of the HA manager from the manager in location A, the back-up requirement is fulfilled.

All communication between the packetalarm NG systems is encrypted. All systems in the network report to the central manager in location A.

The data traffic is now analysed by packetalarm IPS NG: it is checked by the Layer 2/Layer 3 firewall as well as by the active prevention engine.

packetalarm IPS NG uses a special function known as Event Correlation to check whether each identified attack could actually be carried out on the target system. Self-defined system attributes can be added at any time. In addition, packetalarm NG offers the possibility to import data from external systems such as “ArcSight™” or “prelude”.
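The following is an added example, not packetalarm code, of the two ideas described in the Location A and Location B sections: signatures pre-classified by an "expert system" with an auto-prevention flag, and event correlation that checks an alert against the attributes (OS, service on the targeted port, self-defined attributes) of the target system before an automatic reaction is taken. The asset inventory, signature catalogue, classification values and event records are all constructed for illustration; packetalarm's real signature format, classification and correlation logic are not known from this page.

```python
"""Event correlation of IDS alerts against an asset inventory (added example).

Everything below is constructed for illustration: the signature catalogue and
its auto-prevention classification, the asset attributes and the events. It is
not packetalarm code and does not reproduce packetalarm's data formats.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asset:
    ip: str
    os: str                                  # e.g. "linux", "windows"
    services: Dict[int, str]                 # listening port -> service name
    attributes: Dict[str, str] = field(default_factory=dict)  # self-defined, extendable


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str                   # "low" | "medium" | "high" (constructed scale)
    affects_os: Optional[str]       # None = any OS
    affects_service: Optional[str]  # None = any service
    auto_prevent: bool              # constructed "expert system" pre-classification


@dataclass
class Event:
    src: str
    dst: str
    dport: int
    sig_id: int


# Constructed asset inventory: the system attributes correlation relies on.
ASSETS: Dict[str, Asset] = {
    "10.0.1.10": Asset("10.0.1.10", "linux", {22: "ssh", 80: "http"}),
    "10.0.1.20": Asset("10.0.1.20", "windows", {445: "smb", 3389: "rdp"}),
}

# Constructed signature catalogue; the auto_prevent flag stands in for the
# expert-system classification the text describes.
SIGNATURES: Dict[int, Signature] = {
    1001: Signature(1001, "SMB remote code execution attempt", "high", "windows", "smb", True),
    1002: Signature(1002, "HTTP directory traversal", "medium", None, "http", True),
    1003: Signature(1003, "SSH brute force", "medium", None, "ssh", False),
    1004: Signature(1004, "ICMP sweep", "low", None, None, False),
}


def tag_asset(ip: str, assets: Dict[str, Asset] = ASSETS, **attrs: str) -> None:
    """Add self-defined attributes to an asset at any time (e.g. role='webserver')."""
    assets[ip].attributes.update(attrs)


def correlate(event: Event, assets=ASSETS, signatures=SIGNATURES) -> str:
    """Can the attack behind this alert actually hit the target system?

    Returns 'relevant', 'not_applicable' or 'unknown_target'.
    """
    sig = signatures[event.sig_id]
    asset = assets.get(event.dst)
    if asset is None:
        return "unknown_target"           # no attributes known: cannot rule it out
    if sig.affects_os and sig.affects_os != asset.os:
        return "not_applicable"           # wrong platform for this signature
    if sig.affects_service and asset.services.get(event.dport) != sig.affects_service:
        return "not_applicable"           # targeted port does not run the affected service
    return "relevant"


def decide(event: Event, auto_prevention: bool, assets=ASSETS, signatures=SIGNATURES) -> dict:
    """Combine correlation verdict and pre-classification into an action."""
    verdict = correlate(event, assets, signatures)
    sig = signatures[event.sig_id]
    if auto_prevention and verdict == "relevant" and sig.auto_prevent:
        action = "block"                  # automatic reaction only when it truly applies
    elif verdict == "not_applicable":
        action = "log"                    # keep for reporting, no operator alert
    else:
        action = "alert"                  # relevant or unknown: administrator decides
    return {"sig": sig.name, "verdict": verdict, "action": action}


def run(events: List[Event], auto_prevention: bool) -> List[dict]:
    return [decide(e, auto_prevention) for e in events]


if __name__ == "__main__":
    tag_asset("10.0.1.10", role="webserver")   # self-defined attribute, constructed
    sample = [                                  # constructed events
        Event("203.0.113.5", "10.0.1.20", 445, 1001),
        Event("203.0.113.5", "10.0.1.10", 445, 1001),
        Event("203.0.113.5", "10.0.1.10", 80, 1002),
        Event("203.0.113.5", "10.0.9.9", 80, 1002),
    ]
    for result in run(sample, auto_prevention=True):
        print(result)
```

The point of the separation between `correlate` and `decide` is that the automatic reaction depends on two independent facts: the signature's pre-classification says it is safe to block, and the correlation says the target is actually exposed. An alert whose target is not in the inventory is still raised, because the absence of attributes is not evidence that the attack cannot succeed.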


Location C

Location C, as the development centre, needs to monitor its internal data traffic. The performance of the existing network must not be affected under any circumstances.

By operating packetalarm IDS NG in sniffing mode, this requirement is fulfilled at all times. The internal data traffic from client to server, from client to client and from network client to the Internet can be analysed and controlled. All events and attacks detected by packetalarm IDS NG are transmitted to the centralized manager in location A, where global reports can be created.

Even when implemented in sniffing mode, packetalarm IDS NG can actively respond to attacks and prevent them by means of a TCP reset or firewall hardening. Like all packetalarm products, packetalarm IDS NG contains the Traffic-Trace functionality, with which all communication data during an event or attack can be stored and analysed.


Location D

Location D runs the company's webshop as internal hosting and must ensure fail-safe access to the server under all circumstances.

packetalarm IPS NG built up as a high-availability solution guarantees availability for the shop users and the operator. In the event of a failure, a second packetalarm system takes over all functions.


Overall view

With its range of functionality, the packetalarm IDS/IPS NG product family offers a technically sophisticated and, with regard to price, attractive solution for networks of all sizes. Through its flexibility as well as its easy installation and administration, high requirements for a scalable IP security solution are fulfilled. The use of multiple systems allows the uncomplicated and economical development of a comprehensive security concept. The unique packetalarm management technology allows easy and centralized administration, regardless of whether a single system or multiple systems are used. The packetalarm IDS/IPS NG systems guarantee investment security and a technological advantage in terms of attack detection and attack prevention.