IDS and IPS Systems

Study and Application of Open Source tools in Linux Environments

IDS/IPS have long been considered a distinct market, and many are available as standalone products. However, security vendors are increasingly eager to wrap a suite of security tools into "platforms" or similar unified offerings, sometimes selling products or services with an IPS at the center and other elements added around it.

What is an IDS/IPS?

IDS stands for Intrusion Detection System and IPS for Intrusion Prevention System. They are complementary systems that provide greater security to networks of any size, especially networks that require a high level of responsiveness and service. They can be implemented in software or in hardware using specialized appliances, and they are commonly referred to together as IDS/IPS because they work in tandem. Years ago, availability was limited to organizations that could afford the cost of deployment. However, cyber attacks have multiplied in recent years and the outlook indicates that organizations of any size are vulnerable. For this reason, many specialized vendors offer IDS/IPS as part of a package of products and services, although it is also common to sell them as separate products.

Free and Affordable IDS/IPS Recommendations

Bear in mind that a good part of the offering in this category comes at costs that are not very accessible. Some solutions from leading brands, such as Cisco, easily exceed thousands of Euros. This is mainly because of the type of clients they serve and the complete package of additional services tied to the IDS/IPS system in question. Technical support, resources and a substantial reputation lead many large organizations to opt for brands like this.
On the other hand, are there free solutions? Or at least more affordable ones, or open source ones that allow greater customization? This guide has some recommendations.

OSSEC

OSSEC is a host-based IDS developed by an open source project that has been active for many years and has a significant level of acceptance. It has a large team of developers and an active community that helps users, creates translations, maintains documentation and much more. OSSEC already exceeds 500,000 downloads per year and, best of all, it is multi-platform: it is available on Windows and macOS, and if you use a Unix- or Linux-based system, there is a compatible host agent as well.
This is how it operates:
OSSEC monitors the logs of the various components of your system in real time. It is capable of detecting all kinds of changes to individual files, including the most important Windows registry keys. It is an IDS system, but it also has some IPS features: it can respond to attacks through its own active-response capabilities and through integrations with third-party tools.
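The file-change detection described above, as an added example that is not OSSEC's own code: a minimal file-integrity check in the spirit of OSSEC's syscheck, which baselines SHA-256 digests once and compares a later snapshot against them. The monitored file names and the tampering scenario are constructed for the example.

```python
"""Added example, not OSSEC's own code: a minimal file-integrity check in the
spirit of OSSEC's syscheck. A baseline of SHA-256 digests is taken once and a
later snapshot is compared against it. Monitored file names are hypothetical."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map each existing regular file to its digest; absent paths are skipped."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def compare(baseline, current):
    """Classify differences between two snapshots, as an integrity alert would."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a config file, tamper with it, then drop a
    new key file beside it. Returns the alert with base names only."""
    with tempfile.TemporaryDirectory() as d:
        config = os.path.join(d, "sshd_config")    # hypothetical monitored file
        keys = os.path.join(d, "authorized_keys")  # hypothetical monitored file
        with open(config, "w") as f:
            f.write("PermitRootLogin no\n")
        baseline = snapshot([config, keys])        # keys does not exist yet
        with open(config, "a") as f:               # simulated tampering
            f.write("PermitRootLogin yes\n")
        with open(keys, "w") as f:                 # simulated unexpected new file
            f.write("ssh-ed25519 AAAA...example\n")
        diff = compare(baseline, snapshot([config, keys]))
        return {k: [os.path.basename(p) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(demo())  # {'added': ['authorized_keys'], 'removed': [], 'modified': ['sshd_config']}
```

A real deployment would store the baseline outside the monitored host and rescan on a schedule; this block only shows the comparison logic.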
Would you like to start testing this tool? The official site gives you access to the details of this solution. You can also sign up to an email distribution list to keep up with news, and join their Slack channel to communicate directly with other members of the community. If you need a corporate-level solution with more advanced features, such as integrations with SIEM systems, data storage, cloud services such as AWS and much more, there is the option of OSSEC Atomic Enterprise.
Note: host-based systems focus on protecting the hosts themselves, not the network to which they are connected. This is very useful if the protection is focused on a single user or a small group. Network-based IDS/IPS systems are different in nature and are critical at that level: as a network administrator, they give you more visibility into potential problems that could affect one or more hosts.

Snort

Snort is an open source project that started out as a packet analyzer. Over time it has become a complete IDS system from which any network can greatly benefit. Its rules are configurable through various parameters, so that the packets travelling through your network can be analyzed accurately and efficiently. It can detect various types of attacks using signature-based detection and also anomaly detection (unusual activity).
One of the great advantages of Snort is its large and active community: anyone who needs it can receive assistance or give it, so that everyone gets more out of the solution. In addition, it is completely free and open to modifications through contributions. Updates are released frequently based on community rules, under the GPL (General Public License).
There are also paid offerings, which are somewhat more affordable than comparable commercial products. One distinction is that subscribers receive rule updates 30 days ahead of the rules published by the Snort community. The available plans range from approximately 27.41 Euros per month to almost 366 Euros per year. As a curiosity, Snort is managed by Cisco, and several of its features follow the rules of Cisco's proprietary NGIPS system, an acronym for Next Generation Intrusion Prevention System.
To start using this system, you can use this link as a guide, which will walk you through these steps:
• Installation on Windows, FreeBSD, Fedora and CentOS. You also have the option of downloading the source code directly to adapt the system completely to your needs.
• Downloading the set of rules to configure and launch Snort as soon as possible.
• Steps to keep your system up to date with the latest updates.

Security Onion

Security Onion is a Linux distribution that works as a robust security solution. It includes its own IDS/IPS system built on base solutions such as OSSEC and Snort, and it also relies on Suricata for network-based IDS/IPS functionality. A fascinating point that can make a difference when choosing a solution is that it comes integrated with various tools.
Some of them are the following:
  • Elasticsearch (distributed search engine)
  • Logstash (log management tool)
  • Kibana (open source data visualization panel)
  • Bro (network security monitor)
  • Sguil (network security monitor)
  • Squert (display of stored event data)
  • NetworkMiner (network analysis tool) and other more security-oriented tools
You can access its official repository on GitHub, where you will find the image file (in ISO format) as well as all the instructions you need to get it running as soon as possible.

WinPatrol

This is probably the lightest IDS/IPS solution you can find. The download does not even reach 2 MB, and the installation requires no more than 4.5 MB. Once installed, it starts very quickly.
[Screenshot of the WinPatrol main view]

Is it possible to replace the use of the firewall with IDS/IPS?

We are sure you have asked yourself this question. What does an IDS/IPS have that a firewall does not, or vice versa? The first thing to keep in mind is that the benefits may be similar in terms of core purpose, but they do not operate in the same way. A firewall uses rules that block the entry or exit of certain network traffic based on aspects such as the protocol, source and destination addresses, port numbers and so on. It is a shield against insecure protocols and any other suspicious activity that could impact the network.
Unfortunately, however, there are attacks that affect networks while fully complying with the rules established by the firewall. One example is a brute force attack against SSH. SSH is one of the most widely used secure protocols for remote administration via the CLI today, yet it is still possible to carry out attacks over it. In situations like this, IDS/IPS systems are very useful for detecting that a brute force attack is in progress. Keep in mind that they are capable of detecting any type of malicious activity, even if it "complies" with the rules configured in the firewall. In practice, the firewall and the IDS/IPS work together: the IDS detects the anomaly and "tells" the firewall to block the connections.
Firewalls and IDS/IPS systems are becoming increasingly essential as part of any network's security suite. Take advantage of the opportunity to have accessible tools with a high level of post-implementation support.
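The SSH brute-force scenario described above, as an added example that is not code from Snort, OSSEC or the article: a sliding-window detector over sshd log lines that returns the firewall rule an IPS-style active response would hand to the firewall. The log lines are constructed, and the threshold, window size and fixed year are assumed values.

```python
"""Added example, not code from Snort, OSSEC or the article: a sliding-window
detector for SSH password brute force over sshd log lines that returns the
firewall action an IPS-style active response would hand to the firewall.
Log lines are constructed; threshold, window and the fixed year are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 12:00:03 host sshd[2203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 12:00:04 host sshd[2205]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Mar 10 12:00:06 host sshd[2207]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar 10 12:00:07 host sshd[2209]: Failed password for root from 203.0.113.5 port 51031 ssh2
Mar 10 12:00:09 host sshd[2211]: Failed password for root from 203.0.113.5 port 51033 ssh2
Mar 10 12:30:00 host sshd[2300]: Failed password for bob from 198.51.100.7 port 40020 ssh2
"""

# Only failed password attempts count; accepted logins never match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def detect_bruteforce(log, threshold=5, window_s=60):
    """Return {source_ip: firewall_rule} for every source that produced at
    least `threshold` failures inside any `window_s`-second window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    actions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so one is assumed to build a datetime.
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and ip not in actions:
            # The "tell the firewall" step: emit the rule; nothing is executed here.
            actions[ip] = f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
    return actions


if __name__ == "__main__":
    for ip, rule in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, "->", rule)
```

The same threshold-within-window logic is what Snort expresses declaratively in its rules and what OSSEC's active response wires to the firewall; here the rule is only returned so the decision can be inspected before anything is applied.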

Manish Gehlot

I am a privacy, security, encryption and software freedom enthusiast. I am into VPNs and TLS security. Recently I also got into technical writing, including guides.
