Most of us have heard that good network security is like an onion. With its many layers, it protects the core at its center. Today we’ll be looking at the top five Intrusion Prevention Systems (IPS), and exactly how they provide a unique layer of security to your own network.
Here is our list of the top five intrusion prevention systems:
- SolarWinds Security Event Manager (FREE TRIAL) Provides the perfect balance between network security, ease of use, and functionality. If you’re looking for a proven out-of-the-box IDS, Security Event Manager is for you.
- OSSEC Leverages automated active response and machine learning to detect evolving threats.
- Snort Utilizes a vast array of rule sets that give you flexibility when scanning and protecting your network.
- Zeek (Bro) A high-level network analyzer that provides you with the raw data you need to make the best security-related changes.
- Siracata Similar to Zeek, this tool runs via command line only and can quickly scale and record network traffic across enterprise environments.
The Best Intrusion Prevention Systems (IPS)
Starting at the top of our list is the Security Event Manager by SolarWinds, which is one of the most comprehensive and detailed security tools on the market. In a clean and easy-to-navigate interface you’ll have access to both historic logs and real-time security events that are happening on your network.
While logging hundreds of security events and logs might seem messy, Security Event Manager (SEM) does an excellent job not only prioritizing alerts but proactively taking corrective action to stop a threat from getting further into your network. SolarWinds SEM utilizes real-time event correlation to identify potential threats by even minuscule trace evidence intruders leave behind.
Instead of pouring over hours of logs, SEM can use its machine learning to see the precursor events to an attack and stop it in its tracks incredibly quickly, and arguably faster than any human manually could.
But stopping a single attack isn’t enough, especially once it’s already inside your network. One of my favorite features of SEM is the level of customization you can apply to how a threat is dealt with. SEM uses a feature called Active Response, which will automatically deal with specific attacks in the way you configure it.
You can choose to automatically disable user accounts, block IP addresses, kill processes, stop or reboot services, and even quarantine infected machines from your network.
SEM also provides detailed and elegant reporting that can not only give you a 30,000 foot view of your network security but also produce compliance reports for standards such as HIPAA and PDC-DSS. In a few clicks, you can schedule reports to be on customized intervals, making quarterly reports something you almost don’t have to even think about.
SEM really provides the best intrusion prevention product, not just because of its proven ability to protect a network, but because of its ease of use. Like most techs, I’ve spent a fair amount of time in the command line. So it’s really refreshing to see a product that allows for such an easy to use interface, or that doesn’t sacrifice the level of control for the sake of having a GUI.
SolarWinds Event Security Manager is simple to install and is deployed as a virtual application that is compatible with both VMware Vsphere ESX, ESXi, or Microsoft Hyper V.
You can try out SolarWinds Security Event Manager in your network through a completely free and fully functional 30-day trial.
A close number two on the list is OSSEC. This open-source, community-driven IDS leverages log-based monitoring to analyze security data on a network in real-time. One of the best features of OSSEC is its File Integrity Monitoring system which not only monitors system and registry changes managed on a machine but keeps a forensic copy of the data as it changes over time. This automatically gives you a deep insight into how an attack unfolded, as well as a possible legal chain of evidence to use in court.
Like other tools in this list, OSSEC leverages an automated active response approach to detect threats and breaches. You can configure OSSEC to perform a number of different actions such as enabling firewall policies, running custom scripts, and self-healing processes. The security system also collects machine data such as installed hardware, software, network services, and utilization. This is particularly useful to help identify the source of a network infection and track it down to a single machine or user.
OSSEC is highly customizable and really relies on proactive sysadmins to script different solutions depending on what the monitoring logs discover. With that being said, there are also some incredibly powerful built-in scans that can be easily started. Rootcheck for example taps into a constantly updated database of rootkits and rootkit file modifications, to compare against what it finds on the network.
It will also scan workstations to see if their NIC is in promiscuous mode, and check to see if there are any suspicious services running in the background. This acts almost as a high-level antivirus scan would. In addition to malicious file detection, OSSEC can also find file permission issues and alert you to them. Files or folders owned by root, for example, don’t follow best security practices. It can be hard to manually audit all of your network’s file structures, but with OSSEC it’s not a problem.
OSSEC is completely free to use and falls under the GNU Public License. It’s compatible with Windows, MacOS, and Linux systems.
Don’t let its playful name or mascot fool you. Snort is a powerful Intrusion Protection System that you won’t want to turn your nose up at. Snort is a flexible IPS that can run in almost any Windows, Linux, or MacOS system.
Snort might not be for everyone, as it does not come with a Graphical User Interface to run reporting and commands from; strictly command line only. You can configure the software in a number of different ways to suit your security needs.
Its most popular function is that of a packet sniffer, where Snort, well “snorts” all of the traffic across your network. There are a number of attack methods Snort can detect such as SMB probes, OS fingerprinting, port scans, and plenty more.
At the center of the operation, Snort uses something called Snort Rules to define and detect threats. These rules are constantly updated and community-focused. If you’re looking to detect or identify a very specific type of network traffic you can even create your own Snort rule file. Rather than having one big rule file, you can get rule files in categories ranging from java exploit detection, to know vulnerabilities in image extensions such as .jpg and .png.
Snort is free and open-source, but also offers a paid yearly subscription that gives you access to Snort rules faster, the ability to report false positives, and even the ability to become an authorized reseller. Pricing for the premium version starts at $29.99 (£24.47) a year.
Zeek, formerly known as ‘Bro’ was first started in the 1990s by a man named Vern Paxson, who wanted to know what was happening on the university’s network and in his laboratory. This modest pet project soon branched off into a much larger endeavor that positioned Zeek as a security tool used among researchers and administrators across the globe.
Unlike anti-malware software or a firewall, Zeek sits silently on a network and observes everything it can see. Zeek captures this traffic and builds high-fidelity logs and customizable outputs to be reviewed by data scientists, analysts, or forensic teams. Zeek is truly a high-level analysis tool, so you don’t find any fancy graphical interface or visualizations for the data you capture.
Like most open-source projects, Zeek is entirely open source and relies heavily on its community of users to add new features, and update documentation. If you’re looking for a done-for-you security solution, Zeek is not it.
If you’re running security or administering a network, Zeek can be a great tool that works in conjunction with a network firewall and other security measures to help you dial in and manually find suspicious or malicious events.
Zeek’s comprehensive logging means everything is captured, recorded, and stored. While some extremely savvy malware can erase its movements inside a network from log files and event viewers, it cannot escape the all-seeing eye of Zeek, which captures the raw network data.
With no front end to analyze this captured data with, you’ll need something to view it and better understand what you have. A popular tool you can use in tandem with Zeek is Kibana. Kibana is an open-source front-end tool that provides search and data visualization.
While most network administrators won’t need the level of detail Zeek provides, it’s still a great free and open-source tool you can use to comb through the intricacies of your network. The preferred operating system to install Zeek is Linux, but you can install Zeek on Windows using the Quick Start Guide.
Siracata is a flexible open-source IPS that can run on Linux, Windows, and MacOS. Much like Zeek, Siracata gathers network data through deep packet inspection and pattern matching, making it an excellent tool for analysis and threat detection.
You can configure Siracata in a number of different ways, two of the most popular being network detection, and intrusion prevention mode. When Siracata is operating under prevention mode, it will drop packets that you specify as a threat, whereas in detection mode it is passively scanning raw data and recording it for analysis.
The backend of Siracta was built to run lean and fast, making it ideal for large enterprise environments. Features like multi-threaded signature detection allow you to scale your port scanning capabilities very quickly across a network without having to tweak any settings or configurations.
A final key feature is that Siracata is application-aware. Simply put, this means Siracata is smart enough to detect protocols over non-standard ports and label their services. This is an area where tools such as Snort had fallen short in the past. You can download the software for free via this link here.
While intrusion prevention systems can’t protect you on their own, they are a vital key component when it comes to securing and auditing your network. If you’re looking for an IDS that provides an excellent balance between ease of use and effectiveness then SolarWinds Security Event Manager is a clear winner.
Need to dive deeper and perform a live audit on your network with forensic level granularity? Zeek will have you covered. No matter which system you choose, having an IDS on your network will add another layer to your security to keep you one step ahead of the bad guys.
Do you currently run an intrusion prevention system? What are your biggest challenges with it? Let us know in the comments below.