Intrusion Prevention/Detection Systems Introduction

Status
Not open for further replies.

Sheepykins (Daemon Poster, 556 messages, Worcestershire, England)
Hello fellow techies,

As none of you really know me, I shall fill you in: currently I work as an Information Security Analyst, which sounds like a pretty boring job and, to some extent, you are right.
It is my job to dig through packet decodes, stop infiltration and protect business networks for a modest fee ;). This is done in many ways, including:
1. knowing your setup and any vulnerabilities
2. keeping abreast of information that might make you a possible target
3. keeping a tight rein on your employees, but not so tight as to make them want to break your rules.

I saw a little topic called Enterprise Security, so I thought I would give everyone a little intro into one specific way of controlling data: Intrusion Prevention Systems and Intrusion Detection Systems.

Do you have a small business, website or hosted platform you wish to keep secure? This could be for you!

IPS/IDS

Essentially IPS and IDS devices work by sniffing packets. They work on a detection system governed by rules and then alert the user in the form of signatures or software guardian watching.

For example, I have a rule set up on my IDS system that states if Computer A sends over 20 TCP based packets to Computer B which are observed on 20 or more unique ports, then this will flag the signature "TCP-PORT SCAN ATTEMPT" in some sort of GUI, which will tell me that someone may be attempting to see if one or more of my ports is responding to incoming connections. By trying to determine what ports I have open on my system, a malicious user can tailor an attack to any open ports I have.

IPS and IDS sensors differ in only one aspect: one is active and the other is passive. This may seem obvious, as one is Intrusion PREVENTION and the other Intrusion DETECTION; however, I thought it'd buff my thread out to clarify the two :D

IPS sensors act in the same way as a hardware firewall, just a little smarter. Sniffing packets, if an IPS detects something untoward (for example an attempt to gain access to my /etc/passwd file on a Linux box), the IPS sensor will take it upon itself to block those incoming packets.

An IDS sensor, on the other hand, would merely tell me that this is happening, and as an administrator I would have to take it upon myself to actively block the IP address or deny the connection.

I know what you're thinking! Why hire someone like me if devices can block intuitively? The answer is simple! ... I'm smarter ;). Using a set of rules doesn't account for user error, ad-libbing to new traffic that is now being seen on the network but expected, and of course there's no accounting for good old fashioned human gut feeling.

Software and Hardware

There are two types of IPS/IDS devices, in the trade we call them HIDS and NIDS or Host IDS and Network IDS.
The difference between the two is that one can be installed on a host machine and monitor connections to and from those hosts and the other is a device you can purchase which will sit on a link (or most commonly connected to a switch with port mirroring enabled) and watch for traffic coming through it.

Cisco have a ton of NIDS sensors which are available to buy and supply network definitions or rule sets for commonly known events (a bit like firewalls and anti-viruses); however, using host sensors you could easily set up your own device to do the same thing for cheaper.

I would say the 3 main players in the business of IPS/IDS sensors today are Enterasys Dragon, Cisco and the open source sniffing software SNORT, which has been around a long time.
All of them offer a premium service; however, SNORT is completely free if you need it (and available for anyone to try), and on their websites you can find signature rule sets, triggers for events and information which is updated regularly. As you would imagine, there is SERIOUS money in the security industry these days.

As an analyst, my job is to check these signatures and determine their threat severity regarding current systems. I mean, if I see Windows based exploits being used against a Linux webserver then I'm not going to fret :p

Whilst there are packet sniffers such as Wireshark which can give you detailed packet decodes, the scale at which an IPS/IDS device can manage these events is much better, depending on the GUI, and if you've ever seen a packet decode, it can cut out the BS data that's not important.

Using IPS/IDS devices isn't all about connections; with the right setup you can read people's emails (hilarious) or find out what kinds of Google searches they do, which is great for market research ;)

Hopefully I haven't forgotten anything, and I hope somebody at least found this introduction informative. I am relatively new to the industry myself, but am wholeheartedly getting on the security bandwagon, as catching hackers is fun ;D
Below I have supplied some links to Snort, Dragon and some other reading material.

Regards!
Sheepykins.

Snort's Wikipedia page

Some Cisco IPS sensors you can browse to see what they look like and features

Enterasys Dragon IPS systems

The Snort Homepage, if you wish to browse and try! It's free, don't hold back
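The port-scan rule described above (over 20 TCP packets from one host to another, seen on 20 or more unique ports) and the active/passive split between IPS and IDS are easy to show in code. The block below is an added example written for this thread; it is not Snort, Dragon or Cisco code, and the traffic it runs on is constructed inline (hosts 10.0.0.5, 10.0.0.7 and 10.0.0.9 are made-up addresses). `detect_port_scans` plays the passive IDS, reporting the signature after reading the capture, while `InlineIps` applies the same rule packet by packet and starts dropping traffic from the source the moment the rule fires.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record: source, destination, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str


# Thresholds taken from the rule described in the post.
PACKET_THRESHOLD = 20   # more than 20 TCP packets from A to B ...
PORT_THRESHOLD = 20     # ... observed on 20 or more unique destination ports
SIGNATURE = "TCP-PORT SCAN ATTEMPT"

# Constructed sample capture (not real traffic): 10.0.0.5 probes 25 ports on
# 10.0.0.9, 10.0.0.7 makes 30 ordinary HTTPS connections to the same host,
# and 10.0.0.5 finally sends one UDP packet, which the TCP rule must ignore.
SAMPLE_PACKETS = (
    [Packet("10.0.0.5", "10.0.0.9", port, "TCP") for port in range(1, 26)]
    + [Packet("10.0.0.7", "10.0.0.9", 443, "TCP")] * 30
    + [Packet("10.0.0.5", "10.0.0.9", 53, "UDP")]
)


def _make_alert(src, dst, packets, unique_ports):
    return {"signature": SIGNATURE, "src": src, "dst": dst,
            "packets": packets, "unique_ports": unique_ports}


def detect_port_scans(packets, packet_threshold=PACKET_THRESHOLD,
                      port_threshold=PORT_THRESHOLD):
    """Passive IDS: read the whole capture, then report which (src, dst)
    pairs tripped the rule. Nothing is blocked; an analyst acts on the alert."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for pkt in packets:
        if pkt.proto != "TCP":      # the signature is TCP-only
            continue
        key = (pkt.src, pkt.dst)
        counts[key] += 1
        ports[key].add(pkt.dport)
    alerts = []
    for (src, dst), n in counts.items():
        if n > packet_threshold and len(ports[(src, dst)]) >= port_threshold:
            alerts.append(_make_alert(src, dst, n, len(ports[(src, dst)])))
    return alerts


class InlineIps:
    """Active IPS: same rule, evaluated per packet as traffic flows through.
    Once a source trips the rule, its packets are dropped from then on."""

    def __init__(self, packet_threshold=PACKET_THRESHOLD,
                 port_threshold=PORT_THRESHOLD):
        self.packet_threshold = packet_threshold
        self.port_threshold = port_threshold
        self.counts = defaultdict(int)
        self.ports = defaultdict(set)
        self.blocked_sources = set()
        self.alerts = []

    def process(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.src in self.blocked_sources:
            return False                # block the IP address outright
        if pkt.proto == "TCP":
            key = (pkt.src, pkt.dst)
            self.counts[key] += 1
            self.ports[key].add(pkt.dport)
            if (self.counts[key] > self.packet_threshold
                    and len(self.ports[key]) >= self.port_threshold):
                self.blocked_sources.add(pkt.src)
                self.alerts.append(_make_alert(pkt.src, pkt.dst, self.counts[key],
                                               len(self.ports[key])))
                return False            # the packet that tripped the rule is dropped too
        return True


def run_ips(packets):
    """Push a capture through the inline IPS; return (forwarded packets, alerts)."""
    ips = InlineIps()
    forwarded = [pkt for pkt in packets if ips.process(pkt)]
    return forwarded, ips.alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_PACKETS):
        print("IDS alert:", alert)
    forwarded, alerts = run_ips(SAMPLE_PACKETS)
    print(f"IPS forwarded {len(forwarded)} of {len(SAMPLE_PACKETS)} packets, "
          f"{len(alerts)} alert(s)")
```

With the constructed capture, the IDS reports one alert for 10.0.0.5 (25 packets, 25 unique ports) and nothing for 10.0.0.7, whose 30 packets all go to a single port. The IPS forwards the first 20 probe packets (the rule needs more than 20), drops the 21st and everything after it from 10.0.0.5, including the trailing UDP packet, and lets all 30 HTTPS packets through, so 50 of the 56 packets are forwarded. That gap between the IDS view (everything seen, nothing stopped) and the IPS view (stopped once the threshold is crossed, but only after the first 20 probes got through) is the active/passive difference the post describes.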
 
Where I work I'm unfortunately not allowed to go into details; the Official Secrets Act in England forbids me, but I can tell you it's a bespoke system created within my company which gives us an additional edge when competing for new contracts.
 