packetalarm NG Intrusion Prevention
Pure firewall systems without an integrated intrusion prevention system are inconceivable today – the attacks of Worms, Trojans, hackers and so on have become just too numerous and too clever. A security system based exclusively on IP and port addresses represents just a marginal barrier. But is a simple intrusion prevention add-on to a firewall sufficient to avert the many threats systems now face?
packetalarm IPS NG employs quite a different strategy in dealing with this problem – it focuses not on simply reducing the communication options, but on a detailed examination of each individual packet and the possibilities that this offers for specifically identifying attacks.
At the heart of the packetalarm IPS NG-System is the intrusion prevention engine, supplemented by a Layer 2/Layer 3 firewall. After all, whether it’s a matter of event correlation, anomaly detection or Auto-Prevention, cutting edge security technology is crucial and is constantly being enhanced.
The packetalarm IPS NG Intrusion Prevention System operates inline in bridging mode in layer 2. Although packetalarm IPS is “invisible” during communication, the firewall and prevention engine remain active.
packetalarm IPS NG can also be deployed in front of WLAN hotspots, server farms or individual servers – the network configuration does not need to be changed in any way. DHCP, BootP, NT domain logins and other broadcast communications continue to function properly without intervention by an administrator.
Layer 2/Layer 3 Firewall
The packetalarm IPS NG Layer 2/Layer 3 Firewall is the first checkpoint for all data traffic. It monitors all data packets between the protected network and external networks in real time. Only the desired data traffic may pass unhindered. The rules of the firewall can be configured easily and without effort.
The packetalarm Intrusion Prevention engine uses several thousand rules and signatures to identify attacks. The system actively intervenes in the data stream and blocks attacks before they can infiltrate the network.
A special Auto-Prevention function simplifies configuration and enables rules and rule groupsso they can quickly adapt to changing security needs in the protected systems. The Auto-Prevention function is an exclusive feature offered only by the packetalarm NG, and the automatic rule update means they are protected against attacks more quickly than any other systems.
All packetalarm NG products can be combined at your own taste in a distributed system. Administration, configuration and analysis are performed via a central manager
packetalarm NG uses a special function known as Event Correlation to check whether each specific attack that is identified could possibly be carried out on the target system. This decision is taken based on the rule definition and the targeted system’s attributes. Each correlation increases or decreases the probability that an attack will be successful.
Attacks with a low probability rating can be filtered from the output in order to prevent false alarms. The administrator can of course also create his own system attributes, establish correlations between rules and attributes and determine the extent to which this will increase or decrease the probability of a successful attack.
The systems can correlate in real time events with other information and support the import of external correlation data, such as Nessus™ or prelude. Thereby prelude is directly supported via the internal transmission protocol. The events detected by packetalarm NG-Systems can be transferred to external evaluation systems.
packetalarm IPS NG provides users with a fast and straightforward means to create their own intrusion prevention signatures using a user-friendly rule editor.
Simple Creation of Individual Signatures
packetalarm IPS NG provides the user with a fast and straightforward tool to create their own signatures using the management interface. Combinations of rules can also be defined using the rule editor, for example by source or destination address, port, packet type, packet size or content (e.g. keywords, text or hexadecimal) and by frequency of occurrence within a predefined time span. This way, the data traffic can be alarmed upon or blocked individually.
Attacks and the effects of attacks often cause irregularities in the normal data traffic. A sudden increase in data volume or the shutdown of a service can be signs of an attack. The packetalarm IPS NG-Systems Anomaly Detection displays and notifies deviations from “normal” data volumes and notifies the administrator. The packetalarm IPS NG-System can learn what data volume is considered “normal”, and this can also be configured by administrators.
Anomalies can be defined for networks, individual machines and even individual ports on machines. If value deviates from a normal value by a specific percentage for a predefined time range, this incident is reported.
Optimum Monitoring, Forensic Analysis and Auto-Reporting
packetalarm NG supports a detailed forensic analysis of attacks on the network. A user-friendly query and display option lists the incidents occurred in a freely definable period into various categories. The risk of the events is shown (High, Medium, Low, Info). All attacks are displayed by default together with the entire IP packet. The packetalarm IPS NG-System displays attacks even sorted by attack target and attacker.
All data required for the analysis can be exported easily. A special Auto-Reporting function automatically reports the most important attacks and rule violations in a clearly structured email report. The question of whether reports are to be sent daily, weekly or monthly can be freely configured. Output of diagrams and tables can also be combined to suit individual needs. This ensures that management, IT managers and administrators have the means to display precisely what data is most important to them.