Intrusion Detection (IDS)

packetalarm NG Intrusion Detection

Network-based Intrusion Detection is an indispensable instrument in any enterprise-wide security solution: no other technology supports real-time monitoring and attack detection for the communication of complete network segments. Intrusion Detection Systems can therefore be deployed at, for example, core switches or, via TAP devices, at central locations in order to monitor all aspects of internal communication.

According to recent studies, around 60-80 percent of all attacks come from the internal network; these cannot be detected by gateway security products. The packetalarm Intrusion Detection Systems detect even these attacks reliably. Since the Intrusion Detection technology is used passively in sniffing mode, the data stream remains unaltered, which guarantees maximum availability.

The packetalarm IDS NG product line has been specially developed for monitoring complete network segments. The packetalarm IDS’ proven scan and detection technology and the Sensor/Manager architecture deliver maximum performance and scalability.

The intelligent correlation between identified attacks and the system attributes is used to calculate in real time which attacks are actually relevant and dangerous for the network. All attack data are output in clearly structured reports. The packetalarm IDS NG thus helps the administrator separate important from unimportant information, creating greater security while reducing administration costs.

The packetalarm IDS NG-System includes an SNMP interface that can be used to retrieve data from all systems in order to obtain information about, for example, CPU utilisation and hard disk capacity.



Secure Monitoring and Management

packetalarm IDS NG can by default perform sniffing on multiple interfaces simultaneously and thereby monitor several network segments with one system. Sniffing interfaces do not have a dedicated IP address (stealth mode). This means that the Intrusion Detection System itself cannot be attacked.

The management interface can simply be positioned in, for example, a segment protected by a firewall. In addition, access can be limited to specific IP addresses via a management console. All communication between the browser and the manager is always encrypted.

Intrusion Prevention in Sniffing Mode

If the Intrusion Prevention engine is activated, packetalarm IDS NG can respond to attacks and prevent them by means of a TCP reset or firewall hardening.

Event Correlation

packetalarm IDS NG uses a special function known as Event Correlation to check whether each specific attack that is identified could possibly be carried out on the target system. This decision is taken based on the rule definition and the targeted system’s attributes. Each correlation increases or decreases the probability that an attack will be successful.

Attacks with a low probability rating can be filtered from the output in order to prevent false alarms. The administrator can of course also create his own system attributes, establish correlations between rules and attributes and determine the extent to which this will increase or decrease the probability of a successful attack.

The systems can correlate events in real time with other information and support the import of external correlation data, for example from Nessus™ or Prelude; Prelude is supported directly via its internal transmission protocol. The events detected by packetalarm NG systems can be transferred to external evaluation systems.
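The correlation described above, as an added example that is not part of the packetalarm product or its documentation: each signature carries a base probability and a list of correlations against target-system attributes, each correlation raises or lowers the probability depending on whether the attribute matches, and alerts below a threshold are filtered out. The attribute table, rule names, deltas and IP addresses are all constructed for the example; in practice the attributes would be entered by the administrator or imported from a vulnerability scan.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed host attributes (hypothetical; would normally be maintained by the
# administrator or imported from a scanner such as Nessus).
HOST_ATTRIBUTES = {
    "10.0.1.10": {"os": "linux", "services": {"http", "ssh"}, "http_server": "apache"},
    "10.0.1.20": {"os": "windows", "services": {"smb", "rdp"}},
    "10.0.1.30": {"os": "linux", "services": {"ssh"}},
}


@dataclass
class Correlation:
    attribute: str      # attribute name in the host table
    value: str          # expected value (or set member) for the attack to apply
    on_match: float     # probability change when the attribute matches
    on_mismatch: float  # probability change when it does not


@dataclass
class Rule:
    sid: int
    name: str
    base_probability: float
    correlations: list[Correlation]


@dataclass
class Alert:
    sid: int
    src: str
    dst: str


# Constructed rule set with the correlations an administrator might define.
RULES = [
    Rule(1001, "SMB remote code execution signature", 0.5, [
        Correlation("os", "windows", +0.3, -0.4),
        Correlation("services", "smb", +0.2, -0.3),
    ]),
    Correlation and Rule(2002, "Apache HTTP request smuggling signature", 0.4, [
        Correlation("http_server", "apache", +0.4, -0.3),
        Correlation("services", "http", +0.1, -0.3),
    ]),
]


def score_alert(alert: Alert, rule: Rule, host_attributes: dict) -> float:
    """Apply every correlation of the rule to the target's attributes.

    An attribute that is unknown for the target leaves the probability
    unchanged; the result is clamped to the range 0.0 .. 1.0.
    """
    probability = rule.base_probability
    attrs = host_attributes.get(alert.dst, {})
    for corr in rule.correlations:
        if corr.attribute not in attrs:
            continue
        actual = attrs[corr.attribute]
        if isinstance(actual, (set, frozenset, list, tuple)):
            matched = corr.value in actual
        else:
            matched = actual == corr.value
        probability += corr.on_match if matched else corr.on_mismatch
    return max(0.0, min(1.0, probability))


def correlate(alerts: list[Alert], rules: list[Rule], host_attributes: dict,
              threshold: float) -> list[tuple[Alert, str, float, bool]]:
    """Return (alert, rule name, probability, relevant) for each alert.

    Alerts whose probability stays below the threshold are marked as not
    relevant so the output can hide them and suppress false alarms.
    """
    by_sid = {r.sid: r for r in rules}
    results = []
    for alert in alerts:
        rule = by_sid[alert.sid]
        p = score_alert(alert, rule, host_attributes)
        results.append((alert, rule.name, p, p >= threshold))
    return results


def demo() -> list[tuple[Alert, str, float, bool]]:
    # Constructed alerts: the same signatures hitting matching and
    # non-matching targets.
    alerts = [
        Alert(1001, "10.0.1.50", "10.0.1.20"),  # SMB signature against a Windows SMB host
        Alert(1001, "10.0.1.50", "10.0.1.10"),  # SMB signature against a Linux web server
        Alert(2002, "10.0.1.50", "10.0.1.30"),  # Apache signature against an SSH-only host
        Alert(2002, "10.0.1.50", "10.0.1.10"),  # Apache signature against an Apache host
    ]
    return correlate(alerts, RULES, HOST_ATTRIBUTES, threshold=0.5)


if __name__ == "__main__":
    for alert, name, p, relevant in demo():
        print(f"{alert.dst:<12} {name:<42} p={p:.2f} {'RELEVANT' if relevant else 'filtered'}")
```

The same mechanism lets an administrator add attributes of their own (a patch level, a product version) and attach correlations to them; the scorer only looks up attribute names, so nothing else changes.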

Simple Creation of Individual Signatures



packetalarm IDS NG provides the user with a fast and straightforward tool to create their own signatures using the management interface. Combinations of rules can also be defined using the rule editor, for example by source or destination address, port, packet type, packet size or content (e.g. keywords, text or hexadecimal) and by frequency of occurrence within a predefined time span. In this way, individual data traffic can trigger an alarm or be blocked.
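An added example, not code from the packetalarm product, of what such a rule editor produces underneath: a signature that combines address, port, protocol, packet-size and content criteria (a text keyword or a hexadecimal byte pattern) with an optional frequency condition (fire only after N matches from the same source within T seconds), evaluated over a constructed packet trace. The packet records, rule names and addresses are all invented for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    size: int
    payload: bytes


@dataclass
class Signature:
    name: str
    action: str                     # "alert" or "block"
    src: Optional[str] = None       # any unset criterion matches everything
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    max_size: Optional[int] = None
    content: Optional[bytes] = None  # keyword/text or hex pattern, as bytes
    count: int = 1                   # frequency: fire after this many matches ...
    seconds: float = 0.0             # ... from one source within this time span


def packet_matches(pkt: Packet, sig: Signature) -> bool:
    """All set criteria of the signature must hold for the packet."""
    return all((
        sig.src is None or pkt.src == sig.src,
        sig.dst is None or pkt.dst == sig.dst,
        sig.proto is None or pkt.proto == sig.proto,
        sig.sport is None or pkt.sport == sig.sport,
        sig.dport is None or pkt.dport == sig.dport,
        sig.max_size is None or pkt.size <= sig.max_size,
        sig.content is None or sig.content in pkt.payload,
    ))


class RuleEngine:
    def __init__(self, signatures):
        self.signatures = signatures
        # (signature name, source address) -> timestamps of recent matches
        self.history = defaultdict(deque)

    def process(self, pkt: Packet):
        """Return (action, signature name, source) for every signature that fires."""
        events = []
        for sig in self.signatures:
            if not packet_matches(pkt, sig):
                continue
            if sig.count <= 1:                    # no frequency condition
                events.append((sig.action, sig.name, pkt.src))
                continue
            window = self.history[(sig.name, pkt.src)]
            window.append(pkt.ts)
            while window and pkt.ts - window[0] > sig.seconds:   # drop old matches
                window.popleft()
            if len(window) >= sig.count:
                events.append((sig.action, sig.name, pkt.src))
                window.clear()                    # start counting again
        return events


# Constructed signatures, as a rule editor might emit them.
SIGNATURES = [
    Signature("HTTP path traversal keyword", "alert", proto="tcp", dport=80,
              content=b"/etc/passwd"),
    Signature("PE executable in HTTP response", "alert", proto="tcp", sport=80,
              content=bytes.fromhex("4d5a9000")),         # hexadecimal content
    Signature("SSH connection flood", "block", proto="tcp", dport=22,
              max_size=200, count=5, seconds=10.0),        # frequency condition
]


def run_engine(packets, signatures=SIGNATURES):
    engine = RuleEngine(signatures)
    events = []
    for pkt in packets:
        events.extend(engine.process(pkt))
    return events


def sample_trace():
    """Constructed packet trace for the demonstration."""
    ssh = [Packet(1.0 + 0.2 * i, "10.0.1.60", "10.0.1.30", "tcp", 40000 + i, 22, 80,
                  b"SSH-2.0-client") for i in range(5)]
    return [
        Packet(0.0, "10.0.1.50", "10.0.1.10", "tcp", 51000, 80, 120, b"GET /index.html HTTP/1.1"),
        Packet(0.5, "10.0.1.50", "10.0.1.10", "tcp", 51001, 80, 140, b"GET /../../etc/passwd HTTP/1.1"),
        *ssh,
        Packet(2.5, "10.0.1.10", "10.0.1.50", "tcp", 80, 51002, 1400,
               b"HTTP/1.1 200 OK\r\n\r\n" + bytes.fromhex("4d5a90000300")),
        Packet(30.0, "10.0.1.60", "10.0.1.30", "tcp", 40005, 22, 80, b"SSH-2.0-client"),
    ]


if __name__ == "__main__":
    for action, name, src in run_engine(sample_trace()):
        print(f"{action.upper():<6} {name:<32} from {src}")
```

The frequency window is kept per signature and per source address so that five connections from five different hosts do not add up to one "flood", and it is cleared once the rule fires so that a sustained flood produces one event per threshold crossing rather than one per packet.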

Anomaly Detection

Attacks and the effects of attacks often cause irregularities in the normal data traffic. A sudden increase in data volume or the shutdown of a service can be signs of an attack. packetalarm IDS NG Anomaly Detection displays deviations from “normal” data volumes and notifies the administrator. The packetalarm IDS NG-System can learn what data volume is considered “normal”, and this can also be configured by administrators.

Anomalies can be defined for networks, individual machines and even individual ports on machines. If a value deviates from a normal value by a specified percentage for a predefined time range, this incident is reported.
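The anomaly rule just described, as an added example rather than code from the packetalarm product: a baseline volume per (host, port) is learned as the mean of a learning period or set by the administrator, and an anomaly is reported only when the observed volume deviates from that baseline by at least the configured percentage for a minimum number of consecutive measurement intervals. The sample volumes, addresses and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class AnomalyReport:
    key: tuple          # (host, port) or (network, None) etc.
    start_ts: float     # first deviating interval
    end_ts: float       # last deviating interval
    direction: str      # "increase" or "decrease"
    peak_pct: float     # largest absolute deviation in the run, in percent


def learn_baseline(samples: dict, overrides: dict = None) -> dict:
    """Mean volume per key from the learning period; administrator-configured
    values in `overrides` replace the learned ones."""
    baseline = {key: float(mean(values)) for key, values in samples.items()}
    baseline.update(overrides or {})
    return baseline


def detect_anomalies(baseline: dict, observations: dict, percent: float,
                     hold: int) -> list:
    """Report runs of at least `hold` consecutive intervals in which the
    observed volume deviates from the baseline by >= `percent` in the same
    direction. `observations` maps key -> list of (timestamp, volume)."""
    reports = []
    for key, series in observations.items():
        base = baseline.get(key)
        if not base:                 # nothing learned (or zero): cannot compare
            continue
        run = []                     # consecutive deviating intervals
        for ts, value in list(series) + [(None, None)]:   # sentinel flushes last run
            dev = None if value is None else (value - base) / base * 100.0
            direction = None if dev is None else ("increase" if dev > 0 else "decrease")
            deviates = dev is not None and abs(dev) >= percent
            if deviates and (not run or run[-1][2] == direction):
                run.append((ts, dev, direction))
                continue
            # The run ends here: value back inside the band, direction flipped,
            # or end of the series. Report it only if it lasted long enough.
            if len(run) >= hold:
                reports.append(AnomalyReport(key, run[0][0], run[-1][0], run[0][2],
                                             max(abs(d) for _, d, _ in run)))
            run = [(ts, dev, direction)] if deviates else []
    return reports


def demo() -> list:
    # Constructed learning data: bytes per 60 s interval over a quiet period.
    learning = {
        ("10.0.1.10", 443): [1000, 1100, 900, 1000, 1050, 950],
        ("10.0.1.20", 445): [480, 520, 500, 500],
    }
    baseline = learn_baseline(learning)
    # Constructed observations: a sustained surge on the web server, then the
    # service going silent; a two-interval blip on the file server.
    observed = {
        ("10.0.1.10", 443): [(0, 1020), (60, 980), (120, 2600), (180, 2800),
                             (240, 2750), (300, 1010), (360, 0), (420, 0),
                             (480, 0), (540, 990)],
        ("10.0.1.20", 445): [(0, 510), (60, 900), (120, 950), (180, 480), (240, 500)],
    }
    # 50 % deviation that persists for 3 intervals (3 minutes) is reported.
    return detect_anomalies(baseline, observed, percent=50.0, hold=3)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.key[0]}:{r.key[1]} {r.direction} of up to {r.peak_pct:.0f}% "
              f"from t={r.start_ts}s to t={r.end_ts}s")
```

The hold count is what keeps a single busy interval from paging anyone; the two-interval blip on the file server stays below it, while both the traffic surge and the zero-volume run (a service that has stopped answering) are reported with their duration and peak deviation.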

Optimum Monitoring, Forensic Analysis and Auto-Reporting

packetalarm IDS NG supports a detailed forensic analysis of attacks in the network. A user-friendly query and display option lists the incidents that occurred in a freely definable period, grouped into various categories. The threat posed by the events is shown (High, Medium, Low, Info). All attacks are by default displayed together with the entire IP packet. packetalarm IDS NG can also display attacks sorted by attack target and attacker.

All data required for the analysis can easily be exported. A special Auto-Reporting function automatically reports the most important attacks and rule violations in a clearly structured email report. Whether reports are sent daily, weekly or monthly is freely configurable. The output of diagrams and tables can also be combined to suit individual needs. This ensures that management, IT managers and administrators can each display precisely the data that is most important to them.

The automatic software and pattern update ensures users always have the very latest version of packetalarm IDS NG.