IDS For HOME USERS

Publié le par Kareldjag



Intrusion detection is a large subject, and concerns mostly organizations.
It's also important to note that IDS are supplanted by IPS/NIPS.
Therefore we'll focus here only on IDS available for home users and Windows systems.

First of all, the user must consider the need or not of an IDS on his line defense.
It's also important to note that a good knowledge of TCP/IP and network attacks is often required.

In most cases, an IDS is not necessary for a single computer: a software firewall is really enough.

Some good firewalls integrate IDS features: one of the most interesting of them is Injoy firewall (unfortunately not recommended for beginners and classical users); and we can also mention Outpost or BlackIce for instance.
Port scan detection and ICMP protocol configuration is a minimum required as IDS features.

An interesting paper about this subject is the diploma thesis of Candid Wuest: "Desktop firewalls and intrusion detection" (pdf).


A router is also an excellent solution against network attacks.

It's easy to find efficient products for a low price (80$/E>price<150$/E); but it can be suited for paranoiacs users to avoid leaders of the market such as Linksys or Netgear (their configuration and weaknesses are too well known) for alternative choices: Billion with MyGuard and USRobotics provide also excellent routers.

Free and paid (linklogger is a good one) packets loggers are available for routers, but can't be considered as IDS.



A short overview of IDS for home users:


-Securepoint/Nuzzler IDS:

This freeware is no longuer supported by Securepoint.
The installer package includes WinpCap library which needs to be updated with the latest version (3.1 or 3.2 alpha).
This is here an excellent choice for IDS experimentation.


-LogIt IDS

NGSEC is a serious spanish society which provides excellent products (against phishing, Buffer Overflow etc), and LogIt is one of them.
This IDS integrate most neccesary rules, is easy to use, and most of all: is supported and updated if necessary.

Excellent good value for money (25 $/E).


-XRay IDS

This product is new on the market (first release in december), and focus more on the last phase of an attack (shell code for instance, an example here just for fun).
But packets integrity are also under control.

It does not require time and coffee for the configuration and has a nice interface.
Just a little bit expensive.


-Easy Guard Intrusion Alert:

The main drawback of this product is its cost (about 180 $/E): for the same price, a router is more recommended.
On the other hand it's an excellent product (configuration, ease of use, efficiency, interface and splash screen!).



For a private network (LAN for instance) and advanced users/network managers:


-Snort:

This is the most famous IDS, continously improved by a generation of intrusion detection enthusiasts.
One of the most advantage of Snort is the number of tools available and compatible with Snort.
We can for instance mention TIAA which can be helpful for analyzing logs.


-Strata Guard Free:

This is currently one of the most interesting alternative to Snort.
This product is quite recent, and is not as popular as Snort (butcould an IDS be  more popular than Snort?).
Rules often updated from various sources (like Snort Rules Consortium) by a serious team.
A registration is required for using it.  


-SamHain:

This is here an IDS based on integrity checking, excellent on a Linux environment, but less interesting on Windows.



We can also mention honeypots which can be used as IDS, such as Labrea (free) or Kfsensor (paid) for instance.


(............)



IDS features can be easily tested with NMAP, Nessus, A.T.K, Hping, Netwox or any Packet Spoofer.

Since it's your private network, attacks and intrusions are not forbidden.

It can be suited to take a look at the IDS faq here.



IDS for Wireless Network


Wireless network is very confortable to deploy and to use.
On the other hand, it is less secure and intrusions are less difficult and consequently more frequent.

WPA2 provides a sufficient level of security, but attacks are always still possible.
A lot of tools are available for intrusions such as Kismet, Scapy, NetStumbler, AirSnort, AirCrack, AiroPeek, CowPatty or Wifitap.
And the risk must be considered in hotspots and in big towns where war-driving and war-chalking are practised.

At home, the first step for prevention is to isolate physically the network with "corpulent walls" for instance (it's not a reason to surf in the cellar!).

Best practises are necessary with a laptop connected on public access points (free or paid): it's for instance suited to use HTTPS authentication for the mail , or an HTTPS proxy.
An IDS can also be an interesting solution for mitigating risks on hotspots.


We can mention:


-AirSnare (free)


-AirDefense personal (free and paid versions)



 A few articles and papers about Wireless Intrusion Detection:

Securityfocus

Sans (pdf)

Overview of IDS tools here

A few screeshots are available here (just click on the image to enlarge)






Publié dans LINE DEFENSE

Commenter cet article

Chris 21/04/2006 16:15

Based on Snort: EagleX IDS: http://engagesecurity.com/products/eaglex/