IS315: IS Risk Management and Intrusion Detection
Course Project: Part II
Intrusion Detection and Prevention
Intrusion detection and prevention are both imperative for any organization or business network. For the sake of business continuity, protecting the network components, their applications and accounts is the key to remaining in business and keeping integrity and trust. To do so, a network must have a watchful eye embedded within the network itself. The following are just a few options for network and host intrusion detection and prevention.
Dragon Squire – looks at system logs in real time for evidence of malicious or suspicious application activity. It also monitors key system files for evidence of tampering, checking each file for changes in access time, file size and MD5 cryptographic checksum. The checksum is stored at the Dragon Server for off-line verification. Dragon Squire also has the ability to monitor log files from a diverse selection of open source and commercial firewalls; these logs may be read from a local syslog server or sent directly to Dragon Squire via SNMP. Dragon Squire’s signature library includes suspicious events from a wide variety of operating systems.
Tripwire Enterprise 7 – The latest version supports multiple platforms including Windows, Linux, Solaris, etc. It audits configuration change enterprise-wide and reduces risk by detecting unauthorized system changes. It then corrects the problem automatically or alerts IT officials for intervention. Tripwire offers thousands of pre-defined standardized reports with real-time views. It also allows creation of custom reports capable of drilling down. Tripwire also reduces outages and SLA penalties. Tripwire online support offers support request submission, product downloads, a knowledge base, support forums and documents. In order to obtain updates, you must have a valid support and service agreement.
The Mazu Profiler Network Behavior Analysis (NBA) v8 is a network-based IDS which provides continuous universal visibility into how users, applications, hosts, and devices are behaving on the network, and reports how their present activity differs from their normal behavior across an extensive span of threats. Its alerts are based on real-time changes in the behavior of users, hosts, or network traffic. This can all be done using flow data from the existing routers and switches on the network. Deployment is quick, with no need for agents or in-line devices. All subscribers to Mazu technical support services receive software updates and access to the support website.
OSSEC v1.3 – an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. A small listing of the platforms it runs on includes GNU/Linux, FreeBSD 5.2.1, AIX 5.2 ML-07, Solaris 2.8 and 2.9, and Windows 2000, XP and 2003. The installation of the OSSEC HIDS is very simple. OSSEC provides a wide variety of community support options for its users. Users can subscribe to a mailing list for updates and for general installation, configuration and usage issues.
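To make the log-analysis and alerting idea concrete, here is an added example (not OSSEC's own code) that applies an OSSEC-style rule with a `frequency` and `timeframe` threshold to a few constructed sshd log lines and raises one alert per source that fails authentication repeatedly. The sample log lines, the thresholds and the `parse`/`detect` functions are all assumed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth-log lines in syslog format, as a host IDS would read them.
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar 10 08:00:03 web1 sshd[2202]: Failed password for root from 203.0.113.9 port 51001 ssh2
Mar 10 08:00:04 web1 sshd[2203]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar 10 08:00:06 web1 sshd[2204]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 10 08:00:09 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51003 ssh2
Mar 10 08:00:10 web1 sshd[2206]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar 10 08:03:00 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 51004 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")


def parse(line, year=2024):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def detect(log_text, frequency=4, timeframe=60):
    """Emit one alert per source that produces `frequency` failures within
    `timeframe` seconds (the OSSEC rule attributes carry the same names)."""
    window = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue                # not a failed login; ignore
        ts, src = parsed
        q = window[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()             # drop failures older than the window
        if len(q) >= frequency:
            alerts.append((src, ts.strftime("%H:%M:%S"), len(q)))
            q.clear()               # one burst yields one alert, not one per line
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```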
FCheck v2.7.51 – an Open Source, freely available host IDS that runs on both UNIX and Windows systems. It can use any system executable or script for reporting. It comprises the fcheck Perl script, the fcheck.cfg configuration file (normally kept in /usr/local/etc/), the database directory, and the files it uses to determine whether changes have been made to the system. FCheck can be run as root but does not have to be.
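The integrity checking described for Dragon Squire above and for FCheck here works the same way: record a baseline of each monitored file's attributes, keep that baseline where an intruder on the host cannot rewrite it, and compare later. The following is an added example of that mechanism, not code from either product; the file names and the `fingerprint`/`build_baseline`/`verify` functions are assumed for illustration, and it records SHA-256 rather than the MD5 those tools used, since MD5 collisions are practical today.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Attributes tracked per file: size, modification time and a SHA-256 digest."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(paths):
    """Fingerprint every path; JSON so the baseline can be stored off-host."""
    return json.dumps({p: fingerprint(p) for p in paths}, sort_keys=True)


def verify(baseline_json, paths):
    """Compare the current state with the stored baseline and report changes."""
    baseline = json.loads(baseline_json)
    current = {p: fingerprint(p) for p in paths if os.path.exists(p)}
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for p in set(baseline) & set(current):
        changed = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
        if changed:
            report["modified"][p] = changed   # which attributes differ
    return report


def demo():
    # Constructed scenario: baseline two files, then alter one and delete the other.
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "passwd"), os.path.join(d, "sshd_config")
    for p in (a, b):
        with open(p, "w") as f:
            f.write("original contents of " + os.path.basename(p) + "\n")
    base = build_baseline([a, b])
    with open(a, "a") as f:  # append a line: size and digest change
        f.write("an extra line\n")
    os.remove(b)             # a monitored file disappears
    return verify(base, [a, b])


if __name__ == "__main__":
    print(demo())
```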
Snare Server v4.0 – an InterSect Alliance product, a proprietary log monitoring solution that provides a central audit event collection, analysis, reporting and archival system. It is a Linux-based appliance with minimal administrative overhead. Snare Server carries very strict hardware specifications. It comes with an installation manual in the form of a PDF file, ending with a checklist to make sure it is configured properly. InterSect Alliance offers upgrade PDF files and forums for support of its products.
Nepenthes – runs on a UNIX server and provides enough emulation of common Windows services to fool most automated attacks. It acts passively, emulating known vulnerabilities and downloading the malware that tries to exploit them. You will then receive a report of the characteristics of the malware at your given email address.
For a big company I recommend commercial Tripwire because of its pre-defined standardized reports with real-time views. Since it spans multiple platforms, a company can choose the most suitable report for its setup, making it quick and easy to test and modify for peak performance. Tripwire would be set up right behind the first router to the Intranet. The RedHat server could save the company money with Snare Server v4.0 as an open source log monitoring solution. Protecting the VPN server is as important as detecting and protecting the other servers; access should be filtered if at all possible. Monitoring with OSSEC v1.3 would further cut cost. Nepenthes would be the honeypot of the network, reporting malware and diverting it and other forms of attack away from the network.