August 20, 2004

Network detectives sniff for snoops

The InfoWorld Test Center evaluates network intrusion detection systems from ISS, Lancope, Snort, and StillSecure

Just a few short years ago, an IDS was a luxury. Before the rise of the Web application and the worm, most networks were adequately defended by a firewall at the perimeter and a virus scanner at the mail server. Today, the firewall remains effective against clumsy DoS attacks and run-of-the-mill exploits, but it’s hard-pressed to thwart application-layer attacks that piggyback on welcome protocols and worms that wind their way inside the network through any overlooked port or a mobile user’s laptop.

Not only are perimeter defenses less adequate than they used to be, but internal network resources -- including business-critical applications exposed to the Web -- are more valuable to their companies than ever. Naturally, the double whammy of a hole-ridden perimeter and an invaluable core has network managers looking for an edge. The IDS is becoming part of the standard toolkit.

We tested four network IDS products in May, June, and July at the Naval Postgraduate School in Monterey, Calif., pitting Internet Security Systems (ISS) Proventia G200, Lancope StealthWatch 4.0, Snort 2.10, and StillSecure Border Guard 4.3 against both live Internet traffic and a variety of attacks we launched from penetration testing tool Core Impact 4.0.

Our manual attacks included OS fingerprinting, privilege escalation, DoS, banner grabbing, traversal attacks, and Microsoft IIS and Apache Web server exploits, among others. More significantly, on the live network, the products were exposed to nearly a thousand unique “attackers” targeting more than 50 ports, detecting thousands of “events” coming in from the Internet or from several thousand hosts inside the network. Among the live threats our IDS products confronted were the Sasser worm and Gator spyware.

As we expected, all four products did a good job detecting threats. With only one exception, in which one IDS initially failed to identify the Sasser worm, the products successfully alerted us to the presence of all the manual attacks and live threats they confronted. Although the four proved roughly equal in terms of recognizing attacks, important differences -- ranging from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken in detecting threats -- may help dictate which solution best suits your network.

Snort with ACID

Snort is the famous free and open source IDS. It’s supported by an active community of users and developers who regularly and promptly update Snort’s signatures in response to newly discovered threats. Snort is a great choice if you have more time than money. When regularly maintained, Snort can be very effective. The downside is that maintenance doesn’t come easy. Snort requires care from a dedicated expert, and you’ll need to roll up your sleeves and wrestle with a difficult installation and setup.

You can pull all the files you need off the Snort project, where you’ll also find many tutorials, FAQs, and Snort manuals to help you out. The standard installation of Snort -- ACID (Analysis Console for Intrusion Databases); PHP, which is required by ACID; and MySQL on Red Hat Linux -- is the best-documented. A Windows XP installation is also well-documented. Deviations such as Windows 2000 and Microsoft SQL Server 2000 aren’t supported as thoroughly.

Test Center Scorecard

Criterion weights:      30%  20%  10%  10%  10%  10%  10%   Overall   Rating
Border Guard 4.3         8    8    9    9   10    9    9    8.6       Very Good
Proventia G200           8    7    8    9   10    6    7    7.8       Good
Snort 2.10 with ACID     7    6    7    8    9    6   10    7.3       Good
StealthWatch 4.0         9    9    9    9   10    8    8    8.9       Very Good

©1994-2009 Infoworld, Inc.