An Overview of Open Source Security - Intrusion detection and prevention
(Page 3 of 5 )
It should go without saying that the effectiveness of a security system cannot be assessed without knowing when and how it has been breached. This has led to the development of a range of utilities designed to detect intrusions (intrusion detection systems, or IDS) and, where possible, to block them as they happen (intrusion prevention systems, or IPS).
The two primary approaches to intrusion detection are network-based (NIDS), which inspects traffic on the wire, and host-based (HIDS), which inspects activity on an individual machine such as log entries, running processes and file integrity. Each approach has its own strengths and blind spots: a NIDS sees attacks against hosts it cannot instrument but is blind to encrypted traffic and to activity that never crosses the monitored segment, while a HIDS sees what actually happened on the box but only once the attacker has reached it. The more effective deployments therefore use both approaches together.
Snort
Snort has become the de facto standard open source intrusion detection software. It functions as a NIDS and, when deployed inline, as a NIPS, using rule-based protocol analysis together with content searching and matching. In other words, it inspects network traffic in real time, matches it against a set of rules chosen by the system administrator, and generates alerts and/or drops suspected attack traffic when a rule fires. It can detect a wide range of common and more obscure varieties of attack and probe traffic. Rules can be written to detect, for example, web application attacks, buffer overflows and SMB probes.
Untangle Intrusion Prevention System
Like Snort, the Untangle Intrusion Prevention System uses pre-configured rules to detect and block attacks in real time. Its developers claim that it works well out of the box, shipping with a default set of thousands of industry-standard rules and signatures, while still allowing custom rules to be added for individual requirements. Automatic updates keep the rule set current as new attack signatures are identified.
Many different types of scanning software are available, providing functions such as port scanning, web vulnerability scanning and application-specific scanning. Like an IDS, a scanner works from a database of known attack and weakness signatures, but where an IDS waits for hostile traffic to arrive, a scanner actively launches a comprehensive sequence of tests against its target and produces reports, logs and alerts based on what those tests reveal. An administrator or security implementer selects scanners according to the software running on their systems, although certain types, such as a port scanner, belong in every admin's toolkit.
Unicornscan
Released under the GPL, Unicornscan is a complex and sophisticated port scanner designed for the security and networking specialist. Its feature set includes TCP and UDP scanning, active and passive remote OS, application and component identification, relational database output, and support for custom modules.
Amap
Amap is an application fingerprinting scanner that attempts to identify, quickly and reliably, which application is listening on a given port. It does not rely on the port number, and therefore on which application is conventionally bound to that port; instead it sends trigger packets and identifies the application from its behaviour by looking up the response string in a rule database. This makes it an important tool for the security specialist: a network can be examined for unauthorised applications running in non-standard configurations, which a plain port scanner, reporting only that a port is open and the service name conventionally associated with it, would miss or mislabel.
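The following is an added illustration, not Amap's or Unicornscan's code, of why response-based fingerprinting finds what a port-number-based label misses. It keeps a small rule database of (application, trigger, response pattern), fingerprints a set of constructed captured responses from services on unconventional ports, and contrasts the result with the name the local services table assigns to the port. The rule database and the captures are assumed sample data; Amap's real database contains far more triggers and responses.

```python
"""Amap-style application fingerprinting by response rather than by port number.
Added example; the rule database and captures below are constructed."""
import re
import socket

# (application, trigger to send, pattern the response must match).
# An empty trigger means the server speaks first, so we only read.
RULES = [
    ("ssh",   b"",                        rb"^SSH-\d\.\d-"),
    ("http",  b"GET / HTTP/1.0\r\n\r\n",  rb"^HTTP/1\.[01] \d{3}"),
    ("smtp",  b"",                        rb"^220[ -].*(SMTP|ESMTP)"),
    ("ftp",   b"",                        rb"^220[ -].*FTP"),
    # MySQL greeting: 4-byte packet header, protocol byte 0x0a, then "x.y.z" version.
    ("mysql", b"",                        rb"^.{4}\x0a\d+\.\d+\.\d+"),
]


def fingerprint(response):
    """Name the first application whose response pattern matches, else None."""
    for app, _trigger, pattern in RULES:
        if re.search(pattern, response, re.DOTALL):
            return app
    return None


def probe(host, port, timeout=3.0):
    """Live version: try each distinct trigger against host:port until one yields
    an identifiable response. Only use against hosts you are authorised to test."""
    tried = set()
    for _app, trigger, _pattern in RULES:
        if trigger in tried:
            continue
        tried.add(trigger)
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if trigger:
                    s.sendall(trigger)
                data = s.recv(1024)
        except OSError:
            continue
        ident = fingerprint(data)
        if ident:
            return ident
    return None


def port_label(port):
    """What a port scanner would report from the services table alone."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


# Constructed captures: the first bytes each listener returned to the relevant trigger.
CAPTURES = {
    2222:  b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",                      # SSH moved off 22
    22:    b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n",          # web server hiding on 22
    8000:  b"HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.10\r\n\r\n",
    25:    b"220 mail.example.test ESMTP Postfix\r\n",
    3307:  b"\x4a\x00\x00\x00\x0a8.0.32\x00\x05\x00\x00\x00",            # MySQL on 3307
    31337: b"\x00\x01\x02hello\n",                                      # nothing in our rules
}


def identify_captures(captures):
    """Map each port to the application identified from its response."""
    return {port: fingerprint(resp) for port, resp in captures.items()}


if __name__ == "__main__":
    for port, app in identify_captures(CAPTURES).items():
        print(f"port {port:5d}: by-port={port_label(port):8s} by-response={app}")
```

The two interesting rows are 2222 and 22: the services table says "unknown" and "ssh" respectively, while the responses say the opposite. Port-based inventory would have missed the relocated SSH daemon and misfiled the web server, which is exactly the gap Amap exists to close.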
Nikto
Nikto is a comprehensive web scanner that tests web servers for potentially dangerous files and CGI scripts, plus version-specific security issues on more than 250 server versions. It makes little attempt to disguise itself, being designed for speed rather than stealth, so expect a Nikto run to stand out clearly in server logs and to trip the intrusion detection systems described above. Nikto is built on LibWhisker, a Perl module designed for testing the HTTP protocol.
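As an added example of the kind of check Nikto performs (this is illustrative code written for this page, not Nikto's code or its check database), the scanner below requests a list of known-dangerous paths and flags a version-specific issue from the Server header. It also includes the baseline test any such scanner needs: it first asks for a path that cannot exist, because a server that answers 200 for everything would turn every file check into a false positive. The check lists are assumed sample data, and the fake servers are constructed so that the example runs offline; the live fetcher is for real use against a host you are authorised to scan.

```python
"""Nikto-style dangerous-file and server-version check, with catch-all detection.
Added example; the check database and the fake servers are constructed."""
import http.client
import re
import secrets
from urllib.parse import urlsplit

# Illustrative path checks; Nikto's real database is far larger.
FILE_CHECKS = [
    ("/.git/HEAD", "exposed Git repository"),
    ("/.env", "exposed environment file"),
    ("/phpinfo.php", "phpinfo() disclosure"),
    ("/cgi-bin/test-cgi", "legacy test CGI script"),
    ("/server-status", "Apache status page exposed"),
]
# Illustrative version-specific check keyed on the Server header.
VERSION_CHECKS = [
    (re.compile(r"Apache/2\.2\."), "Apache 2.2 branch is end-of-life; no security fixes"),
]


def live_fetcher(base_url, timeout=5.0):
    """Return fetch(path) -> (status, headers, body) against a real server."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection

    def fetch(path):
        conn = cls(u.netloc, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": "example-scanner"})
            r = conn.getresponse()
            return r.status, dict(r.getheaders()), r.read()
        finally:
            conn.close()
    return fetch


def fake_server(files, catch_all=False, server="Apache/2.4.57"):
    """Constructed offline stand-in for a web server, with the same fetch() shape."""
    def fetch(path):
        headers = {"Server": server}
        if path in files:
            return 200, headers, files[path]
        if catch_all:
            return 200, headers, b"<html>friendly catch-all page</html>"
        return 404, headers, b"Not Found"
    return fetch


def scan(fetch):
    """Return (findings, warning); findings is a list of (what, why)."""
    # Baseline first: a random path that cannot exist. Servers with custom error
    # pages or single-page-app front controllers answer 200 regardless, and then
    # a 200 on /.env proves nothing, so we report that instead of bogus findings.
    status, headers, _ = fetch("/" + secrets.token_hex(8) + ".html")
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    for pattern, why in VERSION_CHECKS:
        if pattern.search(server):
            findings.append(("Server: " + server, why))
    if status == 200:
        return findings, "server returns 200 for nonexistent paths; file checks skipped"
    for path, why in FILE_CHECKS:
        st, _, body = fetch(path)
        if st == 200 and body:
            findings.append((path, why))
    return findings, ""


# Constructed targets: one leaky, end-of-life server and one catch-all server.
LEAKY = fake_server(
    {"/.git/HEAD": b"ref: refs/heads/main\n", "/.env": b"DB_PASSWORD=hunter2\n"},
    server="Apache/2.2.34")
CATCHALL = fake_server({}, catch_all=True)


if __name__ == "__main__":
    for name, target in (("leaky", LEAKY), ("catch-all", CATCHALL)):
        findings, warning = scan(target)
        print(name, findings, warning or "")
```

Against a real host, pass `scan(live_fetcher("http://host:port"))`; the random baseline request is also a good reminder that, like Nikto, this leaves an obvious trail in the target's access log.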