
Network Intrusion Detection and Prevention?

Cliff posted more than 9 years ago | from the security-assistance-from-code dept.

Security 264

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary -- Snort appears an obvious open source solution for intrusion detection but many users may find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"


FIRST POST :D (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13116943)

Snape is the half-blood prince and kills Dumbledore. :D


Anonymous Coward | more than 9 years ago | (#13117010)

I have to say, that is the best troll I have ever seen. Congratulations on that! I'll still finish the book, though.

intrusion detection (-1)

drewfuss (872683) | more than 9 years ago | (#13116959)

All you need is the who command. Choosing an operating system, distribution, and version that releases security patches quickly is a key part of preventing an intrusion.

Re:intrusion detection (0)

Anonymous Coward | more than 9 years ago | (#13116979)

Not all OS's have distributions you know... Or free UNIX-like OS's for that matter.

Re:intrusion detection (4, Funny)

TobyWong (168498) | more than 9 years ago | (#13117009)

Which who command would that be? The one that was on your system originally or the "new and improved" version I just put on there?

BTW nice pr0n collection, your space lego photo series in particular is very kinky.

Re:intrusion detection (0)

Anonymous Coward | more than 9 years ago | (#13117072)

All you need is the who command.

Ex-fucking-cuse me?

Choosing an operating system, distribution, and version that releases security patches quickly is a key part of preventing an intrusion.

Hoping to be ahead of any security hole at any given time is plain stupid. Why did you reply at all if you have nothing to say?

Re:intrusion detection (3, Interesting)

pHZero (790342) | more than 9 years ago | (#13117106)

Why isn't there a 'bad advice' mod category?

ASL (2, Informative)

skarphace (812333) | more than 9 years ago | (#13116960)

I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary -- Snort appears an obvious open source solution for intrusion detection but many users may find it lacking in intrusion prevention capabilities.

You can balance FLOSS and proprietary techs with something like Astaro Security Linux [] . They do appliances or standalone software.

Re:ASL (0, Offtopic)

consolidatedbord (689996) | more than 9 years ago | (#13117103)


Re:ASL (2, Funny)

alfrin (858861) | more than 9 years ago | (#13117176)

You mean: 43/m/moms basement

second post (-1, Offtopic)

00RUSS (549125) | more than 9 years ago | (#13116962)

second post

Re:second post (0, Offtopic)

Nom du Keyboard (633989) | more than 9 years ago | (#13116977)

second post

This was funny the first time.

Don't underestimate just paying attention. (4, Informative)

jafo (11982) | more than 9 years ago | (#13116964)

You're already doing bandwidth monitoring right? Graphing with rrdtool or the like? If you aren't you probably should be. It's a great tool for not only current troubleshooting, but also capacity analysis and more. However, I've also found that it's a fantastic tool for detecting successful intrusions. Detecting attempted intrusions tends to produce many false positives, but if you are watching the bandwidth utilization of your systems and networks, it's pretty easy to tell within a few hours that you have some unusual use going on, usually tracked down to a particular machine or network at least.

So, don't underestimate the usefulness of watching your network traffic graphs. With rrdtool it's pretty easy to pull out information and average it. For example, we watch not only our overall 95th %ile utilization, but also rank each user based on their utilization. If use suddenly goes up, increasing their rank, it's probably something we should look at. It's been extremely effective for detecting open HTTP proxies, SMTP relays, and people compromised with various vulnerabilities.
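The ranking approach in the post above, as an added example that is not code from the post or from rrdtool: per-host samples (the kind rrdtool would export) are reduced to a billing-style 95th percentile, hosts are ranked, and a host is flagged only when it both climbs several positions and its utilization actually grew, so a host does not get flagged merely because busier hosts went quiet. All host names and traffic figures are constructed.

```python
"""Rank-shift detection over per-host bandwidth samples.

Added example, not code from the Slashdot thread: it mirrors the approach
described above (95th-percentile utilization per host, rank the hosts,
alert when a host's rank jumps). All sample traffic below is constructed.
"""
import math


def percentile_95(samples):
    """Billing-style 95th percentile: sort ascending, discard the top 5% of
    samples, and report the largest value that remains."""
    if not samples:
        return 0.0
    ordered = sorted(samples)
    idx = math.ceil(len(ordered) * 0.95) - 1
    return float(ordered[idx])


def rank_hosts(window):
    """window maps host -> list of utilization samples (e.g. kbit/s per
    5-minute bucket, as rrdtool would export). Returns [(host, p95), ...]
    busiest first; a host's rank is its position + 1."""
    scored = [(host, percentile_95(s)) for host, s in window.items()]
    return sorted(scored, key=lambda hp: (-hp[1], hp[0]))


def detect_rank_shifts(prev_window, cur_window, min_jump=3, min_growth=2.0):
    """Flag hosts that climbed at least min_jump positions AND whose p95 grew
    by at least min_growth x. Requiring both avoids alerting on a host that
    only 'climbed' because busier hosts went quiet. Hosts absent from the
    previous window are treated as having been ranked last with zero use."""
    prev = {h: (i + 1, p) for i, (h, p) in enumerate(rank_hosts(prev_window))}
    unseen = (len(prev) + 1, 0.0)
    alerts = []
    for i, (host, p95) in enumerate(rank_hosts(cur_window)):
        new_rank = i + 1
        old_rank, old_p95 = prev.get(host, unseen)
        climbed = old_rank - new_rank >= min_jump
        grew = p95 > 0 and p95 >= min_growth * old_p95
        if climbed and grew:
            alerts.append({"host": host, "old_rank": old_rank, "new_rank": new_rank,
                           "old_p95": old_p95, "new_p95": p95})
    return alerts


def _samples(base, n=24):
    """Constructed sample series: n buckets hovering between base and base+4."""
    return [base + (i % 5) for i in range(n)]


# Constructed data: kbit/s per bucket for two consecutive days. ws-carol is
# quiet on day 1 and suddenly busy on day 2 (think: an open HTTP proxy).
PREV_WINDOW = {"srv-web": _samples(900), "srv-mail": _samples(600),
               "ws-bob": _samples(80), "ws-dave": _samples(60),
               "ws-alice": _samples(50), "ws-carol": _samples(40)}
CUR_WINDOW = dict(PREV_WINDOW, **{"ws-carol": _samples(700)})


if __name__ == "__main__":
    for a in detect_rank_shifts(PREV_WINDOW, CUR_WINDOW):
        print(f"{a['host']}: rank {a['old_rank']} -> {a['new_rank']}, "
              f"p95 {a['old_p95']:.0f} -> {a['new_p95']:.0f} kbit/s")
```

The thresholds (`min_jump`, `min_growth`) are the tuning knobs; on a real network they would be set from a few weeks of baseline so that normal day-to-day churn in the ranking stays below them.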


Re:Don't underestimate just paying attention. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#13117069)

A bandwidth graph may help you catch a noisy worm or a script kiddy. It's almost useless against a determined intruder.

Any good intruder knows to be quiet and spread their attack out over hours or days. Hence they are practically invisible to any sort of bandwidth analysis, until they start downloading larger amounts of your data (at which point it is often too late).

I use... (-1)

Anonymous Coward | more than 9 years ago | (#13116968)

wild monkeys to prevent intrusions. The system works surprisingly well.

Re:I use... (0, Troll)

Rei (128717) | more than 9 years ago | (#13117017)

Are you in the coalition as well? :)

What do you use? (-1)

Anonymous Coward | more than 9 years ago | (#13116973)

What do you, the experienced network admin, use for detecting intrusions on the network

Trained spider monkeys. Costa Rica donated them for our cause.

Re:What do you use? (0)

Anonymous Coward | more than 9 years ago | (#13117064)

Trained monkeys are overrated. They will have an uprising and retaliate. You must use wild monkeys.

Re:What do you use? (1)

fsterman (519061) | more than 9 years ago | (#13117074)

lol, without reading either of those, my post included monkeys too. Maybe this is a computing trend. Fuck, I am too lazy to find some free polling thingy as my DNS is down.

Snort-Inline+IPTables+Scripts = Decent IPS (1)

kensai (139597) | more than 9 years ago | (#13116974)

If you use Snort-Inline along with IPTables and some scripts in Linux, you can come up with a pretty decent IPS.

Re:Snort-Inline+IPTables+Scripts = Decent IPS (1)

TCM (130219) | more than 9 years ago | (#13117094)

Quick question: could Snort handle IP traffic in PPPoE? I have a DSL modem and a router in a separate VLAN with the modem's port mirrored to another port. The modem only sees PPPoE, hence the question.

Re:Snort-Inline+IPTables+Scripts = Decent IPS (0)

Anonymous Coward | more than 9 years ago | (#13117126)

Snort + Perl + PF = Decent IPS. Snort is highly flexible, don't sell it short guys :)

How do I do my job? (5, Funny)

smileyy (11535) | more than 9 years ago | (#13116976)

Ask Slashdot: I've been wondering how to do my job. I figure other people out there have jobs too, and know how to do them. Maybe they can share their experiences, or even do my job for me!

Re:How do I do my job? (5, Insightful)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13117117)

I know you're trying to be funny (or troll, I don't know), but your comment is actually unfair: the entire software engineering world (not just OSS) is built on people sharing competences. Formal education and self-teaching only account for a small part of a computer engineer's know-how.

Asking Slashdot is as good a way as any to reach a wide audience and get a handful of good advice amongst the hundreds of trolls. All it takes is asking, and you never know what precious tidbit of information you might get.

Re:How do I do my job? (2, Funny)

op12 (830015) | more than 9 years ago | (#13117146)

you never know what precious tidbit of information you might get

Or how long you'll have to sort through the trolls/awful jokes to find it :)

1992 Called... (1)

1992 Called (893858) | more than 9 years ago | (#13116978)

they want to keep Zero Cool out. Any ideas?

NV ActiveArmor (3, Interesting)

AKAImBatman (238306) | more than 9 years ago | (#13116981)

I have no idea if this helps or not, but NVidia has a technology called ActiveArmor [] that may be of interest. In a nutshell, it's a Gigabit hardware firewall solution that is built into many inexpensive boards. [] Supposedly it can be used in both incoming and outgoing directions, allowing you to know immediately if a penetrator attempts to access improper network resources. Here's the spiel:

ActiveArmor Firewall supports stateless and stateful inspection, Web-based management, pre-defined security profiles, port block filtering, remote administration, and provides an easy-to-use set-up wizard. In addition, ActiveArmor Firewall has anti-hacking features such as anti-IP-spoofing, anti-sniffing, anti-ARP-cache-poisoning, and anti-DHCP server - important security controls for corporate network environments. In a corporate setting, an end-point firewall (such as a desktop firewall) with anti-hacking capabilities can reduce the internally originated security breaches, and can inhibit desktops from generating unauthorized traffic. The result is improved overall security, with reduced requirements from the IT staff.

Again, I'm not sure if it's what you're looking for, but it's at least a very interesting product.

bad for a server! (1)

EvilStein (414640) | more than 9 years ago | (#13117343)

"anti-DHCP server"

"Hey, Bob.. maybe it's this new motherboard we put in to the DHCP server that's causing the problems."

Just wait, it'll take out the DNS server next and maybe a mail server, just to show you who's boss.

What about good old-fashioned? (0)

Anonymous Coward | more than 9 years ago | (#13116992)

What about good old-fashioned time-outs, .htaccess, and traditional methods? Nothing seems to work better for keeping a secure system secure than no connection to the outside world.

turn it off (0)

Anonymous Coward | more than 9 years ago | (#13116994)

turn your system off, then it will be secure.

Ethereal (5, Funny)

fsterman (519061) | more than 9 years ago | (#13116995)

As soon as any Ethereal activity occurs I have a shell script flash the screen red, where a trained monkey pulls out the cat-5 cable.

Re:Ethereal (1)

darkith (183433) | more than 9 years ago | (#13117227)

Would that be Ether-Ape? oh....wait....

My complaint about intrusion detection devices. (5, Informative)

Anonymous Coward | more than 9 years ago | (#13116997)

An intrusion detection device without anyone responding to it is as silly as a silent burglar alarm that no one responds to. All too often I look back at month old logs and see "hey, that's cool, someone was trying to hack us" (typically some windows hack against our bsd box). Had they succeeded it wouldn't have mattered at all that we had the intrusion detection device.

The one feature I'd look for in an intrusion detection device is that it can quickly escalate a detected intrusion attempt to real people (through email, phone, calls, etc).

For real enterprise needs, companies like counterpane [] not only install the intrusion detection devices; but offer services that monitor them just like the physical alarm companies do.

Re:My complaint about intrusion detection devices. (2, Insightful)

paenguin (311404) | more than 9 years ago | (#13117095)

I get about 1000 probes and somewhere near 50 IDS events a day. Something tells me I won't like what I have to deal with if my firewall/IDS starts telling me about it in emails.

All of these logs are history. Fortunately I'm running Linux and 99% of these probes and attacks are of little interest and are no threat.

Now, when you get a tool that will tell me when an attack is about to happen, that's when I want to know about that tool. Especially if it can not only give me advance warning, but warnings appropriate for what it is guarding.

Re:My complaint about intrusion detection devices. (0)

Anonymous Coward | more than 9 years ago | (#13117217)

Then properly configure your IDS so that it only triggers an alert when that alert pertains to your system. Running a linux/bsd box and triggering alarms at every nimda scan is kinda counterproductive...

Having alerts sent through email, page, etc. is trivial... well it is if you're using snort.

What's your point? (-1)

Anonymous Coward | more than 9 years ago | (#13117123)

Trying to tone down my buzzword-driven paranoia and luring me away from a security detection system that would count/graph/classify every butterfly that lands on my property? Get away from me!

Snort can act as an IPS (1)

dangermen (248354) | more than 9 years ago | (#13116999)

Snort can act as an IPS. It has been able to do this for a while. It integrates with IPTables and can inline drop/reset connections based on rules.

My solution (4, Funny)

DanThe1Man (46872) | more than 9 years ago | (#13117007)

When I find an attacker getting into my company's network I start pulling my hair out and run around screaming "Aww! Aww! The crackers are taking over my network! Aww! Aww!"

By the way, I just got laid off, does anyone need a Sys Admin?

Re:My solution (1)

Karma_fucker_sucker (898393) | more than 9 years ago | (#13117151)

By the way, I just got laid off, does anyone need a Sys Admin?

Sorry man!

I thought you guys were immune from that type shit.

I've been looking for a while (I'm not an Admin, BTW) but when it comes to job postings, going directly to a company's website is much better than going to the job sites - ComputerJobs, Monster, Dice, etc... I don't know why, but companies post less or none at all on those sites these days. Of course, personal contacts are the best, but sometimes they can't come through for you so you have to hit the net.

Re:My solution (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13117298)


Bro (4, Informative)

pythonguyy (880807) | more than 9 years ago | (#13117008)

I'd rave more, but bro is watching me and wants me to get back to real work.

Re:Bro (1)

BancBoy (578080) | more than 9 years ago | (#13117075)

Beat me to it. Mod this one up. Bro watched over the network at the Nat'l Lab that I used to work at. Impressive stuff.

Re:Bro (1)

drpimp (900837) | more than 9 years ago | (#13117305)

Yes. Bro is very good, and scriptable if you want to learn another configuration language. It's really not that complicated.

As long as you can weed out the false positives, your life will be much easier and beats sitting scanning logs getting a gut.

Realistically.... (1)

AsbestosRush (111196) | more than 9 years ago | (#13117014)

There shouldn't be *anything* incoming that you don't already know about. Dedicated firewalls are a great boon to security. There are several linux and BSD based distros that are specifically for this purpose. Corporate environments, or those well heeled, have even more options.

A true DMZ is also a good thing to have, separated by another firewall, if you have enough infrastructure to justify an (n)tiered network.

Firewalls aren't the end-all-be-all, but they do make compromises much less likely.

As to other combative techniques, I'm sure there's a way to have a daemon monitor the Snort (or other IDS) log and if you get x connections on y port in x time frame, you can add the IP to your firewall. A daemon to clean up said firewall would be good as well...
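The "watch the Snort log, block after x alerts on port y within a time window, and clean the block up later" daemon sketched above (and the Snort + iptables + scripts setups kensai and dangermen describe earlier in the thread), as an added example that is neither the posters' code nor anything from the Snort project. It parses Snort's fast-alert line format, keeps a sliding-window count per (source, destination port), and returns the iptables commands it would run instead of executing them, so the decision logic can be exercised offline. The alert lines, addresses and signature IDs are constructed; a `never_block` list protects management hosts from being locked out by spoofed or accidental alerts, which is the first thing that goes wrong with auto-blockers in practice.

```python
"""Threshold-based blocking driven by Snort 'fast' alert lines.

Added example, not code from the thread or from the Snort project. The
alert lines and addresses are constructed; iptables commands are returned
as strings rather than executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort fast-alert format (no year in the timestamp). ICMP alerts carry no
# ports and do not match this pattern; parse_alert returns None for them.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
_EPOCH = datetime(1900, 1, 1)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # The format omits the year; strptime fills in 1900, which is fine for
    # computing intervals between alerts of the same run.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return {"ts": (ts - _EPOCH).total_seconds(), "sid": int(m["sid"]),
            "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


class AlertBlocker:
    """Sliding-window alert counter per (source, destination port) plus a
    block table with expiry. never_block protects management hosts."""

    def __init__(self, threshold=5, window_s=60.0, block_s=600.0, never_block=()):
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self.never_block = set(never_block)
        self.recent = defaultdict(deque)   # (src, dport) -> alert timestamps
        self.blocked = {}                  # src -> expiry timestamp

    def observe(self, ev):
        """Feed one parsed alert; return a firewall command if a block is issued."""
        src, now = ev["src"], ev["ts"]
        if src in self.never_block or src in self.blocked:
            return None
        q = self.recent[(src, ev["dport"])]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                     # drop alerts older than the window
        if len(q) >= self.threshold:
            self.blocked[src] = now + self.block_s
            q.clear()
            return f"iptables -I INPUT -s {src} -j DROP"
        return None

    def expire(self, now):
        """Cleanup pass: return the commands that undo blocks past their expiry."""
        cmds = []
        for src, until in sorted(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                cmds.append(f"iptables -D INPUT -s {src} -j DROP")
        return cmds


def process(lines, blocker):
    """Run alert lines through the blocker; return (block commands, newest timestamp)."""
    cmds, last_ts = [], 0.0
    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            continue
        last_ts = max(last_ts, ev["ts"])
        cmd = blocker.observe(ev)
        if cmd:
            cmds.append(cmd)
    return cmds, last_ts


def _fast_line(sec, src, dport, msg):
    """Build a constructed fast-format line at 07/18 14:02:<sec>."""
    return (f"07/18-14:02:{sec:02d}.000000  [**] [1:1000001:1] {msg} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{TCP}} {src}:4455 -> 192.0.2.10:{dport}")


# Constructed alert stream: 10.0.0.5 hammers port 22, 10.0.0.9 trips two
# alerts on port 80, the management host 192.168.1.1 trips six, plus one
# ICMP alert without ports.
SAMPLE_ALERTS = (
    [_fast_line(s, "10.0.0.5", 22, "CONSTRUCTED ssh probe") for s in (0, 5, 10, 15, 20, 25)]
    + [_fast_line(s, "10.0.0.9", 80, "CONSTRUCTED web probe") for s in (2, 7)]
    + [_fast_line(s, "192.168.1.1", 22, "CONSTRUCTED ssh probe") for s in (1, 3, 5, 7, 9, 11)]
    + ["07/18-14:02:30.000000  [**] [1:1000002:1] CONSTRUCTED ping sweep [**] "
       "[Priority: 3] {ICMP} 10.0.0.7 -> 192.0.2.10"]
)


if __name__ == "__main__":
    blocker = AlertBlocker(never_block={"192.168.1.1"})
    blocks, last = process(SAMPLE_ALERTS, blocker)
    print("\n".join(blocks))
    print("\n".join(blocker.expire(last + 601)))
```

In a real deployment the daemon would tail the alert file, call `observe` per line, run the returned commands, and call `expire` on a timer; the expiry step is what keeps the firewall ruleset from growing without bound after a scan-heavy week.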

Re:Realistically.... (1)

dat (11543) | more than 9 years ago | (#13117310)

This is just stupid (sorry). There are so many attacks that come over well-defined ports and services. IPS isn't just about stopping the random hacker port-scanning, it's also about deep packet inspection, e.g. when one of your users is file-sharing with a P2P app that tunnels over HTTP and they bring in something they didn't expect, or look at all the 0-day IIS attacks. What about SMTP attacks or SSH attacks? You might legitimately let SMTP between your DMZ and your internal network thinking "I've got a firewall and a virus scanner", but sometimes it's not enough.

If you really want assurance, go for Defence In Depth - adaptive firewalls, intrusion detection at the network level with prevention, host-based intrusion detection agents and most importantly the right management tools to ensure you see the hacks from the scans.

Re:Realistically.... (1)

monkeydo (173558) | more than 9 years ago | (#13117319)

That's great for the 15% of the attacks that come from the outside. But what about the rest of them?

Trained Monkeys (0, Funny)

Anonymous Coward | more than 9 years ago | (#13117019)

I find the most effective solution to be an army of trained monkeys (similar to the trunk monkey ( who monitor my snort alerts and subsequently fling fecal matter at the would be attackers. This may not stop the initial attack, but it generally prevents an attacker from coming back.

snort patch (1)

bitkid (21572) | more than 9 years ago | (#13117024)

I recall that there was a patch for snort that was specifically designed to prevent people from breaking into other systems from a compromised honeypot machine. It did some good stuff like replacing NOP-slides with breakpoints etc. I don't have the URL handy, but this might help you with your intrusion prevention...

Cisco IOS IPS (1)

Cramer (69040) | more than 9 years ago | (#13117028)

I've found IPS (formerly ip audit) in Cisco's IOS, while programmed by monkeys who don't pay much attention to what they're typing, does a pretty good job of cutting off a host of attacks at the router. Of course, it'll only look at what it's configured to watch and only knows about a select number of things -- the more it's told to watch for, the more memory and time it takes.

I have it watching web traffic and it's knocking down just about every script kiddie's IIS probe. (I don't run IIS, btw.)

Personalized Login System (3, Interesting)

Compholio (770966) | more than 9 years ago | (#13117029)

I think the best way to prevent intrusions is to design a personalized login system (and have the system install updates regularly). Just about everyone uses the same system (username then password), so changing the login program to do something funky is enough to screw up any script. Ex:

Please enter today's date (MM/DD/YY):
Please enter your username:
Please enter a valid email address:
Please enter your password:

Just randomize the questions (or have a bunch of questions and randomly ask a few of them) and unless someone is really dedicated to get into your system they're just going to choose another target rather than go after your weird setup.

Re:Personalized Login System (4, Funny)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13117183)

changing the login program to do something funky is enough to screw up any script.

Even simpler: drop the user straight to a working shell. That way, scripts will wait for the "ogin:" and "assword:" strings indefinitely until the connection times out, and legit users won't even have to enter their logins. As for hackers, they'll see the "~$" prompt, won't believe their eyes, will think it's a clever trap or something, and they'll promptly disconnect out of paranoid fear :-)

Re:Personalized Login System (1)

temojen (678985) | more than 9 years ago | (#13117210)

You have only telnet services running on your network? Or do you crack all your CIFS, HTTP, SMTP, POP, IMAP, LDAP etc clients and servers to do this?

Most networks have a variety of protocols running on them, any of which could be an attack vector or used by an attacker once they've compromised your site.

Re:Personalized Login System (1)

Compholio (770966) | more than 9 years ago | (#13117276)

HTTP, SMTP, POP, IMAP, LDAP: Regular updates
SSH: Weird login protocol
All Other: Only available internally

Re:Personalized Login System (1)

poopdeville (841677) | more than 9 years ago | (#13117259)

That's not even security through obscurity, since your modification will be immediately apparent to anyone trying to log in. Awful advice.

Re:Personalized Login System (0)

Anonymous Coward | more than 9 years ago | (#13117336)

Please see subject.... Re:Personalized Login System (Score:3, Funny)

The program of choice for all Network Admins is (4, Funny)

jim_v2000 (818799) | more than 9 years ago | (#13117031)

Obviously Norton Internet Security!

Norton Internet Security provides a COMPLETE security solution for your machine by promptly blocking all programs on your machine from having any internet access, AT ALL! Buy it today!

Re:The program of choice for all Network Admins is (0)

Anonymous Coward | more than 9 years ago | (#13117083)


ahh, the 90's were good.

IBM Has You Covered (3, Informative)

The Last Gunslinger (827632) | more than 9 years ago | (#13117032)

IBM Tivoli Risk Manager provides intrusion detection and automated remediation based on correlated input gathered from numerous sensors in your network. These include network intrusion detection systems (NIDS), host IDS, webserver logs, Windows Event Logs, *nix syslogs, firewall events, SNMP traps, and just about any other device, appliance, or application that writes a log event or generates an SNMP message. The correlation engine at the center is smart enough to take hundreds of thousands of individual input events and display or respond to a handful of meaningful alarms. Read on... sk-mgr/ []

Ask a good question get a stupid answer (0)

Anonymous Coward | more than 9 years ago | (#13117035)

What do you, the experienced network admin...
Huh? I thought this was ask Slashdot.

Astaro (1)

ehaggis (879721) | more than 9 years ago | (#13117038)

Astaro [] offers a good all-in-one appliance.

VMS (1)

msbsod (574856) | more than 9 years ago | (#13117045)

Why not start with a real operating system that already comes with both features? VMS (also known as OpenVMS) version 8.2 was released a few months ago and runs on VAX, Alpha and Itanium. You should be able to find a fairly cheap VMS machine at sites like eBay. For hobbyists and educational purposes the VMS license is available at no charge. Have a look at [] [] [] news:comp.os.vms [os.vms]

Re:VMS (1)

LurkerXXX (667952) | more than 9 years ago | (#13117152)

VMS is great, but you either have to run it on huge/old/slow equipment (Vax) or older somewhat slower (older alpha), or modern $$$ equipment. Itaniums aren't cheap (neither are more modern Alpha machines I've seen on ebay).

It's a great OS, but hard to run on equipment most of us have or can afford. If Itaniums were down around the cost of P4's, it would likely draw much more interest.

Re:VMS (0)

Anonymous Coward | more than 9 years ago | (#13117284)

jesus fucking christ, why don't you arcane-os-trolls die with dignity just as the dead platforms you are proposing?

Re:VMS (0)

Anonymous Coward | more than 9 years ago | (#13117314)

Does anyone know how to build a VAX/VMS disk image on an IA-32 Linux machine with a scsi card? I don't have a tape drive for my VAX.

How About. (1)

capitalj (461890) | more than 9 years ago | (#13117056)

Linux, AIDE, IPTables, Snort, tough passwords, and disabling all unused services.

Re:How About. (0)

Anonymous Coward | more than 9 years ago | (#13117207)

That's good for Linux, & you "Jedi" (or, are you the Sith? Depends on your point-of-view, now, doesn't it?) can use that.

Here is what I use for my own system @ home, with some variation, it can be applied to Microsoft-Style networks as well (minding the NetBIOS/LanManager stuff in its content if you have a home LAN or larger one @ work):

Like your ideas for Linux? This one just cuts off the doorways into the system basically, & a BIT more:

All you need to do, is these steps, with a 1/2 hour time using regedit &/or notepad @ most, check it, & never get infected AGAIN (on Windows no less), ever, & most certainly NOT in 4 minutes time as was said here recently!

I posted this for those that have been victims because it works... @ least until nothing NEW that's malicious comes along that beats this list that is, & it's worked for myself & others online for 8 years running now almost in its techniques, which ALL work harmoniously in conjunction simultaneously with one another/concurrently... what "spooks" me some? Rootkit technology - that's GOING to appear in the virii of tomorrow, guaranteed: More on that towards the end & my opinions on it!

APK Online Security 20-points basic checklist. A combination of things really, layered security is the idea!

DETAILS: [] [] []


1.) IP Security Policy in place for adbanner servers blocking OR other "undesirable" IP addresses.

2.) A custom adbanner blocking HOSTS file with 35,000++ entries in it with known banner ad servers in it (which have been shown in some cases even as bearing malicious javascript etc. in them as well as just plain slowing you down as you surf the web by calling out to DNS' servers for URL to IP resolution & loading their remote data).

3.) Tcp/IP filtering @ the IP Stack levels (UDP & TCP) allowing ONLY port 80. Need others? Open then up, this is all I need personally here.

4.) Using up to date AntiVirus & AntiSpyware.

5.) Using .PAC file proxy filters in all web-browsers vs. adbanners & such.

6.) IE Restricted Zones (added to via .reg files which the first body of code in the HOSTS file I use is prepped for the .reg filedata for via a program I built in ObjectPascal delphi console mode ripping away the URL from the loopbacks I equate adbanner servers to, etc. & then insert these here and into IPSecPols also).

7.) Custom adbanner filtering Cascading Style Sheets in webbrowsers when possible (via Opera).

8.) ZoneAlarm Pro or Native Windows Firewall. ZA is the better overall, the Windows one works though.

9.) Disable Java-javascript &/or ActiveX-activescripting in your webbrowsers.

Sorry webmasters, but too many holes popup here and ONLY IE gets that enabled here for Windows Update really only or sites that "demand" I use either. You will also find, as a bonus, that your webbrowser speeds go up IMMENSELY, with java &/or javascript (active X too) turned off. By FAR, it's way faster.

10.) Making sure the Operating System is up-to-date/fully hotfix or service pack patched.

11.) Disabling unneeded services (especially remote oriented ones, e.g.-> Remote Registry, Messenger service (this WILL hit you in minutes & I have seen this on initial setups getting folks online, generally JUST a message though not payload carrying), UPnP, RDP & yes, Terminal Services vulnerabilities) gaining not only memory & CPU cycles back, but also security:

The terminal services & RDP one are recent, MS is aware of them, & has "workarounds": That which I suggest in this point, see here: _1.html?source=rss&url= ticle/05/07/18/HNmsflaw_1.html []

They will patch it properly though. Ms is GOOD this way, once they acknowledge & test a potential vulnerability? Patch Tuesday (2nd one of a month) usually has the fix, IF not issued before that, depending on criticality rating.

Microsoft is even into this one now, evidenced by Windows Server 2003 Security Configuration Wizard run by the installation of SP #1 final onto it.

(I've been doing it for YEARS now, better than a decade since Windows NT 3.51 in fact: It WORKS!)

12.) Using restricted Registry &/or FileSystem ACL rights to disks/folders/files + Registry Hives.

13.) Amending secpol.msc & gpedit.msc security polices local to my system for better security.

14.) Using User-Rights & restricting them to my usual logged on user & the system entity SID itself only on most rights, denying all other groups.

15.) Applying registry hacks known to fortify the system BOTH remotely & locally per Microsoft guides for this on Windows Server 2003 for "OS Hardening" &/or "Tcp/IP Hardening".

16.) Being sure applications are up-to-date & patched current as well.

17.) Lastly here, by using a LinkSys BEFSX41 "NAT" & true CISCO technologies based stateful-packet-inspecting firewall router!

18.) Disabling NetBIOS over Tcp/IP & stopping Client for Microsoft Networks AND the File and Printer Sharing Client (all you need to get online IS Tcp/IP), if you don't run on a LAN/WAN, etc. & need them!

However, Ms Lans need these for file and printer sharing and networking properly/fully. THIS changes on LANS, but can be secured better than the default so IF you need it? Patch/harden for it IF you have to use it.


RUNNING IE in a "runas limited user class" sandbox effect! It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage. Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user. Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following. Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd". on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore".

Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie".

Remove all shortcuts to IE from you normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits

You can basically also use

runas /u Administrator /p (the admin password) /e (the path to the exe) /a (whatever the arguments are) as well. Hold down SHIFT key while in Explorer.exe & Right-Click on exe types and run RUNAS also via GUI too. :)

* Absolutely as safe as you can get online in terms of security online afaik! At least for a PERSONAL computer...

AGAIN - For networks, I'd use a variation of the above (especially on ports &/or NetBIOS/lanmanager client needs IF needed etc.), changing/amending what I had to in order to account for in-house app idiosyncrasies, or ports needed open, etc.


P.S.=> As long as you DON'T do something DUMB like haul in bogus files & open them from email or illegal filesharing circuits? This will do you well...

Of course, you won't be able to use some "features" of some sites, but that's the price of safety!

Educating users to STOP popups & use HOSTS files and popup blockers and to NOT click on those windows "close window" buttons (mislabeled planters of malware)? Is key also... takes time!

NOW, on rootkits, finally:

Because, mark my words?

The next level of virii? WILL have rootkit abilities in them...

1 of 2 ways & tricky:

1.) System call hooking (RPL0/Ring0 kernel level calls) &/or intercepting API's like (On Windows for instance in RPL3/Ring3 usermode)

Ones like FindFirstFile/FindNextFile evading searches for their files they use or even folders


2.) Hiding them in memory vs. GetProcessID etc. type API calls...

(NOW, these don't survive reboots well, but the former? Does!)

OR possibly, even replacing existing DLL's, but Windows System File Protection SHOULD help here, as it does vs. DLL Hell!

Use my list of 20 points, & actually do it, taking 1/2 hour to implement it?

You won't get owned... See, I KNOW so.

I.E.-> From 1994-1999, I was an admin/mod on the official Windows technical help channel (#Windows95) for ALL Windows based OS' out on Dalnet IRC, endorsed in fact, by MIRC's creator, K. Mardem Bey, showed me all of what's in that list via actually getting into 'hack/crack' fights out there on it with #Linux, regularly.

The damn #Linux nuts? ALMOST each day, would start up a 'hacking' war with us.

(As it is EASY to get an IP addy there as I am sure you most likely know out on IRC for nearly anyone)!

I enjoyed it in fact, & learned much... it wasn't really "mean" after awhile, but a chance for them vs. us as a 'friendly' competition.

ANYHOW, see this URL & read on afterwards:

Still, in 2005, there are vulnerabilities in OpenBSD!

An attacker could leverage systrace vulnerabilities on OpenBSD to this day:

"Second, system calls have no exclusive or. For example, an application might be permitted to open a file or a device, but not both. This weakness could ultimately be leveraged by an attacker who seeks to do more than a program was intended to do."

As much as the BSD crowd's LOATHE to admit it, no OS is 100% safe & secure AND I "had this out" with an OpenBSD zealot here in fact about it, VERY recently:

Local exploits? CAN be 'turned into' Remote exploits, even if the OS itself is declared C2 or better secure? The holes are in the apps you use, themselves, imo, & specifically webbrowsers mostly imo:

ALSO, due to the systrace vulnerability I noted that is THIS YEAR and current (with others, some out of date some not) above, that simply showed OpenBSD is not the "magically secure automatic security panacea formula" impression I got from many here they are laboring under.

AND, like I point out in my list? BE SURE YOUR OS IS PATCHED but also?


ESPECIALLY Browsers! Why, well... because the "local hole" you said I found, can be a REMOTE one, easily!

Browsers: They're notorious for holes, especially remote execution ones: See MS latest bugfixes for IE, & FireFox 1.05 is on it too and has been subject to remote code executions & buffer overflows which CAN be turned to remote execution system backdoors...!

NOW, If you think remoted & run by impersonation is not something that can happen via the SysTrace weakness I noted?

Well... Anyone here that IS a coder? Knows EXACTLY how & what I mean here!

I.E.-> It is possible to run an app as Administrator/Root by privilege escalation, & REMOTELY, not just locally, via holes in your apps...

If you thought otherwise? WELL, sorry to disillusion anyone there!

(Think I could not use a hole like that via a buggy browser & do it? Absolutely!)

Anyways - Were I really ANY of you? BSD users, Linux Users, or Windows users, etc./et al.?

I would apply @ least a NAT true stateful inspection firewalling router, packet filtering, & more!

(Really, whatever you can apply from my list including javascript advice & the BLOCKING HOSTS FILES)

Your OPEN (literally) BSD (freebsd or openbsd) of any type can use HOSTS & java/javascript as well as other Tcp/IP bearing OS' universally!

AND? HOSTS can block out sites known for those bogus scriptbomb ads!

The Free & OpenBSD' type OS' run HOSTS files and Javascript too!

Both run ANYWHERE that uses TcpIP (in HOSTS, in fact that's where MS got their IP stack, the BSD world) because hate to tell you this:

Javascript/Java is another one that runs on TONS of Os' as well, & is what (or part of what) malicious adbanners use! The browser (apps to patch) are the gateway!

See, new things popup ALL the time #1, & new threats ARE coming (rootkits, more on that later)...

SO, my ideas on layered security in my list you busted on (& ANY security pro will tell you this)?


This is not just myself stating it, here is another one regarding that:

"The default OpenBSD install is much more secure but also much less functional than a Windows NT or 2000 default install and most"

Keyword = DEFAULT! AND, less functional. BIG sticking points vs. Windows Server 2003.

Which is WHY I put up my list for Windows 2000/XP/2003 server users.

To teach them how to REALLY secure these Os' from MS, far above the DEFAULT security settings they ship with and how + why... those steps above?

WORK! Plus, they keep you from getting "infected" or compromised, again... ever, afaik! Permanently too, if my system uptimes that span years @ a time, stands for anything. Of course, AGAIN, you may sacrifice SOME internet 'functionality' on certain websites due to my list above, but that is the price of security nowadays in my estimation... beats rebuilding your system every 4 weeks or so, that is FOR SURE!


Re:How About. (1)

saintp (595331) | more than 9 years ago | (#13117275)

AIDE rocks! It's easy to configure and has great payoff.

Size (5, Insightful)

chrome (3506) | more than 9 years ago | (#13117061)

The biggest problem facing anyone looking at implementing an IDS into an existing system is the size of the network.

If you're doing 500mbit/sec+ of traffic, it requires a somewhat beefy snort box just to process that data let alone do something about anything that looks like an attack.

Snort CAN do it, it just takes a lot of effort to pare down the ruleset to the point where it can handle your traffic. But, paring down the ruleset has some drawbacks ... :)

Or, if you can segregate your network, that can help a lot too. But unfortunately, a lot of networks suffer from a lack of design and you end up with huge VLANs that span thousands of hosts, and other nightmares.

IMHO If you're worried about intrusion, start with host security. If you have a huge farm of linux boxes, then great. Use iptables and keep everything up to date. If you MUST have sun boxes, try not to put them on the edge of your network - NAT specific ports via linux NAT firewalls. Same goes for windows machines. Don't bare them to the internet for any reason.

Have some aggressive ACLs on your border routers. Don't allow SSH into all your machines directly. Use jumphosts. Consider using token based authentication, like SecurID. Consider Kerberos to replace the use of public key auth in your ssh infrastructure.

once you have that down, putting in an IDS can wait :)

Re:Size (1)

chrome (3506) | more than 9 years ago | (#13117278)

Oh, and as an addendum to this, 99% of ALL the intrusions I see hitting the network right now are SSH dictionary attacks. At the very least, you should get rid of password auth, and go with RSA key auth. Carrying the key around on a USB keychain isn't such a bad idea, though not perfect. It should be considered a temporary solution until you've had time to implement a full blown security policy.
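As an added example (not code from the poster above), here is how the SSH dictionary attacks the comment describes look in OpenSSH auth log lines, and the two checks a defender wants: counting failed-password bursts per source, and confirming sshd no longer accepts passwords at all. The log lines and the config fragments are constructed; the `sshd_config` parser assumes a global section without `Match` blocks.

```python
"""Flag SSH password-guessing sources in OpenSSH auth log lines and check
whether sshd still accepts passwords (added example; sample data constructed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source guesses five usernames in eight seconds,
# one user mistypes a password then logs in with a key, one normal login.
SAMPLE_LOG = """\
Jul 19 03:14:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Jul 19 03:14:03 gw sshd[2203]: Failed password for invalid user oracle from 203.0.113.9 port 41030 ssh2
Jul 19 03:14:04 gw sshd[2205]: Failed password for root from 203.0.113.9 port 41031 ssh2
Jul 19 03:14:06 gw sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 41044 ssh2
Jul 19 03:14:09 gw sshd[2209]: Failed password for invalid user guest from 203.0.113.9 port 41051 ssh2
Jul 19 03:20:11 gw sshd[2310]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Jul 19 03:20:20 gw sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: RSA SHA256:c0nstructed
Jul 19 03:25:00 gw sshd[2402]: Accepted password for bob from 192.0.2.44 port 50200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def failed_logins(lines):
    """Yield (timestamp, src, user, was_invalid_user) per failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # Classic syslog stamps carry no year; relative order is all we need.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["src"], m["user"], m["invalid"] is not None


def dictionary_attackers(lines, threshold=5, window_s=600):
    """Return {src: (total_failures, distinct_users)} for sources with at least
    `threshold` failed password attempts inside any `window_s` span. Many
    different usernames from one source is the dictionary-attack signature."""
    per_src = defaultdict(list)
    for ts, src, user, _ in failed_logins(lines):
        per_src[src].append((ts, user))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = (len(events), len({u for _, u in events}))
                break
    return hits


def password_auth_enabled(sshd_config_text):
    """True if this sshd_config still permits password logins. OpenSSH uses the
    first value it sees for a keyword and defaults to 'yes' when it is absent;
    Match blocks are not modelled here (assumption: global section only)."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match"):
            break  # everything after the first Match is conditional
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].lower() == "yes"
    return True
```

A source that trips the threshold is a candidate for a temporary firewall block; the config check is what you run after switching to key auth to make sure the default did not quietly survive.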

How much do you wanna spend? (1)

pLnCrZy (583109) | more than 9 years ago | (#13117062)

There are a lot of factors when deciding on a solution. How big is the network? What are the throughput requirements? How much money do you have?

We just picked up a couple Juniper Netscreen ISG2000 boxes with IDP blades in them. 2Gb/sec throughput with full IDP implemented in hardware. Granted, those bad boys will set ya back almost as much as a house.

I know it's illegal, but (2, Funny)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13117065)

what I'd really like is a network intrusion product that not only detects "bad guys" but also automatically retaliates, i.e. deluges said bad guy with ping floods, winnukes (yes I know, it's old), tries to root the bad guy's box and wipe the hard disk, or install backorifice, etc...

I reckon if the majority of network admins did that, perhaps intruders would think twice about playing that game. Not to mention the feeling of satisfaction when (if) the intruder's box is trashed in real-time before his eyes :-)

Re:I know it's illegal, but (2, Insightful)

Anonymous Coward | more than 9 years ago | (#13117136)

Two words: Address spoofing.

Bad guys would not need zombies anymore for a DDOS: They would simply "attack" a couple of people like you with a forged source address, and let you do the dirty work. Bad Idea[tm] indeed.

Re:I know it's illegal, but (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13117235)

Bad guys would not need zombies anymore for a DDOS:

Sorry, I thought we were talking about network intrusion here: surely someone trying to subvert a service (like getting a working shell account, snooping on a Windows box or perusing an intranet) would need a valid IP to do that. Of course, my nasty piece of imaginary software wouldn't fight back DDOSes or spam, since those are essentially impossible to trace back to the original perpetrator.

Re:I know it's illegal, but (0)

Anonymous Coward | more than 9 years ago | (#13117312)

So you think that when someone is trying to intrude on your network that they are not using many gateway machines?

Re:I know it's illegal, but (0)

Anonymous Coward | more than 9 years ago | (#13117234)

Yes, because the people who are attacking our systems are using their own machines to launch such attacks. Any retaliation would just hurt some poor sob's machine and he would have no clue what was going on.

Re:I know it's illegal, but (1)

PaxTech (103481) | more than 9 years ago | (#13117297)

The intruder is probably hitting you from another box that he hacked somewhere, so all you'd be doing is attacking that poor slob's machine.

The reason no network admins do what you propose isn't because it's illegal, it's because it's incredibly stupid. :)

Re:I know it's illegal, but (1)

Flower (31351) | more than 9 years ago | (#13117322)

Why would the intruder care? You make it sound like they are using their own personal box to launch the attack.

Abstinence (1)

Jailbrekr (73837) | more than 9 years ago | (#13117067)

Just like the best way to prevent pregnancy is abstinence, the best way to prevent intrusion is to eliminate the avenue that they get in. While it is not feasible to simply deny your users access to the internet and email, you can prevent them from installing material which otherwise might cause a hacker to gain remote access. A combination of whitelisting sites and denying certain address blocks from sending you email goes a long way.

In short, comprehensive intrusion detection and prevention is only needed on an open network.

All you can really do is monitor... (1)

Fallen Kell (165468) | more than 9 years ago | (#13117070)

What I mean to say is this. Once you have your standard security suite in place (firewalls, ip-chains, standard configs locked down, etc.), all that is left is to simply monitor the activity logs. That is all that CAN be done, since there will always be new security holes found and exploits created. Having a well planned and documented monitoring process involving going through the log files on a daily/constant basis is the best that you can do. Yes, this is a time-consuming, arduous, redundant process. There are products out there to help minimize the task, but they can only help to a point. You simply have to look at the logs being generated from your firewall, routers, and all your local systems. With setting up services that scan the default system configurations and monitor critical file changes, as well as watching your firewall logs, you can catch and stop most attacks as they are occurring, before major damage can be done. But again, most places will not do this because it is time consuming to actually look at all the log files. This is why months pass sometimes before someone finally sees the log which shows a change to the password file which added a new user...
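The "monitor critical file changes" step above, and the AIDE recommendation earlier in the thread, boil down to a hashed baseline compared against the live files. Here is an added example (not AIDE and not the poster's own process) of that check, with a passwd-specific diff that surfaces the "new user added to the password file" case; the passwd content is constructed and the demo uses a temporary directory in place of /etc.

```python
"""Baseline-and-compare check for critical files plus a passwd-specific diff
(added example; sample content constructed). Keep the real baseline off the
monitored host and run the comparison from cron."""
import hashlib
import os
import tempfile

# Constructed passwd(5) content: the 'after' copy gained a UID 0 account.
SAMPLE_PASSWD_OLD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
)
SAMPLE_PASSWD_NEW = SAMPLE_PASSWD_OLD + (
    "toor:x:0:0::/root:/bin/sh\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n"
)


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def compare(baseline, current):
    """Return (added, removed, modified) path sets between two snapshots."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return added, removed, modified


def passwd_accounts(text):
    """Parse passwd(5) text into {user: uid}, skipping blank and comment lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line and not line.startswith("#") and len(fields) == 7:
            accounts[fields[0]] = int(fields[2])
    return accounts


def new_accounts(old_text, new_text):
    """{user: (uid, is_uid0)} for accounts present only in new_text; a second
    UID 0 entry is the change the poster describes going unnoticed for months."""
    old, new = passwd_accounts(old_text), passwd_accounts(new_text)
    return {u: (uid, uid == 0) for u, uid in new.items() if u not in old}


def demo():
    """Simulate a baseline, a password-file change, and the daily comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        passwd = os.path.join(root, "etc", "passwd")
        with open(passwd, "w") as fh:
            fh.write(SAMPLE_PASSWD_OLD)
        baseline = snapshot(root)
        with open(passwd, "w") as fh:  # the (constructed) unauthorised change
            fh.write(SAMPLE_PASSWD_NEW)
        _added, _removed, modified = compare(baseline, snapshot(root))
        return modified, new_accounts(SAMPLE_PASSWD_OLD, SAMPLE_PASSWD_NEW)


if __name__ == "__main__":
    print(demo())
```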

We use... (2, Informative)

mengel (13619) | more than 9 years ago | (#13117099)

...a little package called AutoBlocker which analyzes netflow data in real time, and blocks sites at the border router for a while when they appear to be trying to do bad things.

Of course, it's needed some tuning so that things that should be talking to multiple systems in a short time window don't get blocked...
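The core of what the comment describes, written as an added example rather than AutoBlocker's code: count distinct destinations per source over a sliding window from flow records, skip sources on an allowlist (the tuning mentioned above), and hold the resulting blocks only for a limited time. The flow records are constructed tuples; a real deployment would read exported NetFlow/IPFIX and push the block to the border router.

```python
"""Flag sources that fan out to many destinations in a short window and
block them temporarily (added example; flow records constructed)."""
from collections import defaultdict

# Constructed flows: 203.0.113.5 sweeps SSH across a /24 in 40 seconds;
# 192.0.2.10 is an SNMP poller that legitimately touches many hosts;
# 198.51.100.8 is an ordinary client hitting two web servers.
FLOWS = [(1000 + i, "203.0.113.5", f"10.0.0.{i + 1}", 22) for i in range(40)]
FLOWS += [(1000 + i, "192.0.2.10", f"10.0.1.{i + 1}", 161) for i in range(40)]
FLOWS += [(1002, "198.51.100.8", "10.0.0.80", 443),
          (1003, "198.51.100.8", "10.0.0.81", 443)]

# The tuning the poster mentions: sources expected to talk to many systems.
ALLOWLIST = frozenset({"192.0.2.10"})


def scanners(flows, max_peers=20, window_s=60, allowlist=frozenset()):
    """Return {src: window_start_ts} for each source that contacted more than
    `max_peers` distinct destinations within `window_s` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        if src not in allowlist:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        peers = defaultdict(int)  # dst -> flows to it inside the current window
        for ts, dst in events:
            peers[dst] += 1
            # Drop events that fell out of the window, forgetting a peer once
            # none of its flows remain inside it.
            while ts - events[start][0] > window_s:
                old = events[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            if len(peers) > max_peers:
                flagged[src] = events[start][0]
                break
    return flagged


class BlockList:
    """Time-limited blocks ('for a while'); a real deployment would push and
    withdraw the corresponding ACL or null route at the border router."""

    def __init__(self, ttl_s=3600):
        self.ttl_s = ttl_s
        self._until = {}

    def block(self, src, now):
        self._until[src] = now + self.ttl_s

    def is_blocked(self, src, now):
        return self._until.get(src, 0) > now

    def expire(self, now):
        """Forget lapsed entries and return the sources still blocked."""
        self._until = {s: t for s, t in self._until.items() if t > now}
        return set(self._until)
```

Without the allowlist the poller is flagged alongside the scanner, which is exactly the false positive the tuning exists to remove.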

big on Linux advocacy, small on windows solutions (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13117105)

Linux is great etc etc but it doesn't really help the majority of people who use Windows where most of the threats (to all users) lie

adding a firewall blocking facility to a win32 version of snort (with autoupdates) would help a *lot* of windows users

but I am sure it's all falling on deaf ears, linux is NOT an option for most users, and as long as developers keep ignoring the majority of users they will keep using Norton and other such "crap" solutions

Re:big on Linux advocacy, small on windows solutio (1)

mrbooze (49713) | more than 9 years ago | (#13117246)

there are perfectly good software firewalls for windows. I use BlackIce, personally, but there are other perfectly good ones, not to mention the one built-in to Windows XP sp2.

And most decent cheap home routers provide perfectly usable hardware firewall services as well.

No reason for windows users to claim they don't have solutions available.

Insufficient background info (0)

Anonymous Coward | more than 9 years ago | (#13117109)

How about giving us some details about your application, your network and budget? Are you sysadmin at the corner store or a Fortune 500 multinational? Is your budget $0 or $250k? Are you on a 100 meg ethernet with a DSL or a gigabit core network across the country with 40 egress points to the Internet? Are you likely to be the target of worms, viruses, script kiddies - or highly paid professional hackers trying to break into your network?

There are a multitude of products but your question gives us almost zero context - hence the glut of meaningless answers, like telling you to run a certain distribution or OSS product.

Re:Insufficient background info (0)

Anonymous Coward | more than 9 years ago | (#13117291)

I think you should do an ASK SLASHDOT with those exact questions.

Combating versus not allowing in the first place (1)

noidentity (188756) | more than 9 years ago | (#13117122)

it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions.

Instead of thinking of defense as adding extra code to stop malicious code, think of it as changing the system so that the attack isn't even possible to begin with. Fundamentally a computer system does nothing but allow things; nothing happens without it being made possible via software.

intrusion prevention (4, Interesting)

uqbar (102695) | more than 9 years ago | (#13117127)

Real prevention is a double edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more the time spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.

Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.

Tipping Point is what you want.... (0)

Anonymous Coward | more than 9 years ago | (#13117303)

Tipping Point is the way to go. I work for a reseller of Tipping Point products and am the lead engineer for TP support in our company. The Tipping Point boxes can go up to 2GB/s throughput, with a 5GB/s box coming soon. Updates are released every few days, with automatic updates available. Tipping Point also provided much of the info used by SANS for compiling their @RISK Vuln report every week. Check those reports out if you never have....

SNORT is a old technology that is for the most part worthless today. What do I care if I notice after the fact that an intruder r00ted one of my boxen? Too late....already 0wned. With Tipping Point inline, the malicious data is stopped before it even hits my firewall. (Yes, TP can be installed outside the firewall...)

The great intrusion prevention debate (2, Informative)

anandpur (303114) | more than 9 years ago | (#13117141)

No security topic generates more spirited debate than intrusion prevention. Deployed on the edge -- and increasingly, deep inside -- the network, IPSes (intrusion prevention systems) purport to identify and stop attacks before they start based on constantly updated threat profiles. In this Point/Counterpoint, we've pitted Marc Willebeek-LeMair, CTO and Chief Strategy Officer of 3Com's (Profile, Products, Articles) security division, TippingPoint, against Martin Roesch, CTO and founder of Sourcefire (and the inventor of Snort). TippingPoint's Willebeek-LeMair is bullish on the supreme effectiveness of his IPS approach; Sourcefire's Roesch positions IPSes, which his company also sells, as just one component of an integrated network defense system. The clash of these two partisans reveals much about the state of network protection and the rivalry between hardware and software security vendors.

Astaro! (0)

Anonymous Coward | more than 9 years ago | (#13117147)

For super easy snort integration via a GUI in about 5 minutes. I'm never going back.

plenty of appliances... (1, Informative)

Anonymous Coward | more than 9 years ago | (#13117157)

Juniper IDP (3, Informative)

Anonymous Coward | more than 9 years ago | (#13117181)

I use a Juniper IDP, and love it. Then again, I have to, since I work there. :)

Seriously, though, it's a good system - our sigs are for the most part, open-source - you can see how we detect things, and make a copy and twiddle it yourself. Those few that are closed are generally to protect Intellectual Property concerns.

They're a bit spendy for home use, though. I think the cheapest unit is in the $15-17k range.

Some things also not covered in the question, but important issues to raise, are:

1. Ease-of-Use vs. Functionality/Features
2. Performance vs. Security
3. Completeness/Timeliness of Coverage
4. Accuracy

Each IPS vendor has their own angle on these issues, and they're all betting that their angle will be the best - in the end, you as the customer have to decide which of these issues is most important to you, and then find the corresponding vendor.

Juniper has dominant market share, but there are things that other companies do better, but generally at the cost of something we do better at - it's a real mixed bag. See RFC-1925, Section 2, Paragraph 7a for details on this concept.

Juniper IDP is focused on delivering current, feature-rich, accurate detection, generally at the expense of speed and simplicity. Don't get me wrong, though, we're not slugs - our high-end products are currently pushing 2 gig (which in some environments is fast enough). If you want a cheap, 10-gig box with a single "Secure Me" panic button and a single "You Got Owned" idiot light, we're not for you.

Where to start? (3, Interesting)

mysfitt (704313) | more than 9 years ago | (#13117196)

I'm an IDS engineer by trade and I could go on for days about this topic. Yes, snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature based IDSes available. The user community behind it is very strong and produces some great sigs, usually same day as the vulnerability is announced. But the downside is no protection against 0 day attacks. Therefore you have to have some behavioral systems in place as well. Problem with those is tuning out the false positives can be very difficult and time-consuming. Add a honeypot/IPS with blocking capabilities like activescout to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.

Re:Where to start? (1)

Autonin (322765) | more than 9 years ago | (#13117307)

One of the biggest strengths of Snort is also its biggest weakness - the "User Community". Literally anyone and their mom can write a sig for Snort and submit it. Are you going to vet every sig they write? If you could, why not just do it yourself then?

Or do you wait a few days until they've been vetted by the "regulars" and the signature is stable? Well by then you've lost your 'same day sig' advantage.

People who know enough to make their own IPS' from scratch generally already have a clue about network security enough that this thread isn't going to help them.

Someone who really needs to read this thread is generally going to need a non-DIY solution - the product they buy is as much signature research and development subscription as the physical box.

Almost Perfect Network Security (1)

spaztech (899194) | more than 9 years ago | (#13117198)

1: Write your own OS
2: Design a proprietary (revolutionary) TCP/IP stack replacement
3: Install it on two identical machines that you designed and manufactured yourself
5: Watch closely for anyone to come near them.. very, very closely.

Nessus (2, Informative)

MattW (97290) | more than 9 years ago | (#13117216)

Snort isn't designed as a vulnerability scanner; Nessus is. And don't forget that nmap is pretty useful in the hands of someone who knows what they're doing.

As far as "intrusion prevention", there's not a "tool" that does that. You can firewall off unwanted and unneeded traffic; you still need to patch your public services. If you run public services, someone should be responsible for making certain everything you run is up to date and no unpatched vulnerabilities are public (and if the latter is the case, find a workaround or preventative measure until a real patch is out).

ass lickers!!! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13117270)

lick my ass all you dirty bastards!!!!

Sonicwall has the best IPS features. (0)

Anonymous Coward | more than 9 years ago | (#13117283)

I have tested Astaro Linux and Sonicwall. The Sonicwall TZ 150 or 170 is the best SOHO security gateway with IPS, gateway antivirus, gateway antispam, content filtering, email filter, and ViewPoint comprehensive logging application.

ASL is slow and IPS is unreliable (5.2xx). Sonicwall is always fast and small. It's rock solid. I got mine from with security suite (1-year subscription to Antivirus, antispyware, IPS signature, Basic content filtering update and support).

I have to say Sonicwall has the best support system. Forget ASL, support also sucks and pricey licensing, damn pricey. Can't believe they use Linux and overcharge us.