Description

Network intrusion detection and prevention systems are software- and hardware-based programs designed to detect unauthorized attacks on a computer network system.
While other applications, such as firewalls and anti-virus software, share similar objectives with network intrusion systems, network intrusion systems provide a deeper layer of protection beyond the capabilities of these other systems because they evaluate patterns of computer activity rather than specific files.
It is worth noting that attacks may come from either outside or within the system (i.e., from an insider), and that network intrusion detection systems may be more applicable for detecting patterns of suspicious activity from inside a facility (i.e., accessing sensitive data, etc.) than are other information technology solutions.

Attributes and Features

Network intrusion detection systems employ a variety of mechanisms to evaluate potential threats. The type of search and detection mechanisms are dependent upon the level of sophistication of the system. Some of the available detection methods include:
- Protocol analysis - Protocol analysis is the process of capturing, decoding, and interpreting electronic traffic. The protocol analysis method of network intrusion detection involves the analysis of data captured during transactions between two or more systems or devices, and the evaluation of these data to identify unusual activity and potential problems. Once a problem is isolated and recorded, problems or potential threats can be linked to pieces of hardware or software. Sophisticated protocol analysis will also provide statistics and trend information on the captured traffic.
- Traffic anomaly detection - Traffic anomaly detection identifies potentially threatening activity by comparing incoming traffic to "normal" traffic patterns and identifying deviations. It does this by comparing user characteristics against thresholds and triggers defined by the network administrator. This method is designed to detect attacks that span a number of connections, rather than a single session.
- Network honeypot - This method establishes non-existent services in order to identify potential hackers. A network honeypot impersonates services that don't exist by sending fake information to people scanning the network. It identifies the attacker when they attempt to connect to the service. There is no reason for legitimate traffic to access these resources because they don't exist; therefore any attempt to access them constitutes an attack.
- Anti-intrusion detection system evasion techniques - These methods are designed to identify attackers who may be trying to evade intrusion detection system scanning. They include methods called IP defragmentation, TCP stream reassembly, and deobfuscation.
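The following added example (not part of the original guide, and not any vendor's product code) illustrates two of the mechanisms listed above in working form: threshold-based traffic anomaly detection, where per-source activity in a time window is compared against administrator-defined thresholds, and TCP stream reassembly, where out-of-order and overlapping segments are rebuilt before a pattern is matched so that a pattern split across segments is still seen whole. The connection log, the segments, the marker string and the thresholds are all constructed for the illustration.

```python
"""Toy illustrations of two NIDS mechanisms: traffic anomaly detection against
administrator thresholds, and TCP stream reassembly before pattern matching.
All sample data, names and thresholds below are constructed for this example."""
from collections import defaultdict

# Constructed connection log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 behaves normally; 10.0.0.99 touches many distinct ports in a short time.
SAMPLE_CONNECTIONS = [(0, "10.0.0.5", "10.0.0.20", 443),
                      (5, "10.0.0.5", "10.0.0.20", 443),
                      (9, "10.0.0.5", "10.0.0.21", 80)]
SAMPLE_CONNECTIONS += [(1 + i, "10.0.0.99", "10.0.0.20", 20 + i) for i in range(12)]


def detect_anomalies(records, window_seconds=60, max_distinct_ports=10, max_connections=50):
    """Group connections per source and time window, then compare each window
    against the thresholds an administrator would define. Returns a list of
    (src_ip, window_start_seconds, reason) alerts for a human to interpret."""
    buckets = defaultdict(list)
    for ts, src, dst, port in records:
        buckets[(src, ts // window_seconds)].append((dst, port))
    alerts = []
    for (src, window), conns in sorted(buckets.items()):
        distinct_ports = len({port for _, port in conns})
        reasons = []
        if distinct_ports > max_distinct_ports:
            reasons.append(f"{distinct_ports} distinct ports")
        if len(conns) > max_connections:
            reasons.append(f"{len(conns)} connections")
        if reasons:
            alerts.append((src, window * window_seconds, "; ".join(reasons)))
    return alerts


def reassemble_stream(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) segments that may
    arrive out of order or overlap. Bytes already seen win over retransmissions;
    a hole stops reassembly so nothing is matched across data that never arrived."""
    data = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq > expected:            # hole: the sender's data has not been seen yet
            break
        overlap = expected - seq      # leading bytes of this segment we already hold
        if overlap < len(payload):
            data += payload[overlap:]
            expected = seq + len(payload)
    return bytes(data)


def per_segment_match(segments, signature):
    """Naive matcher that inspects each segment on its own."""
    return any(signature in payload for _, payload in segments)


def stream_match(segments, signature):
    """Matcher that inspects the reassembled stream instead."""
    return signature in reassemble_stream(segments)


# Constructed stream: the marker string is split across two segments, a retransmitted
# fragment overlaps the first, and the segments are listed out of order.
SIGNATURE = b"TEST-MARKER-STRING"
SAMPLE_SEGMENTS = [(1000, b"hello TEST-MAR"), (1014, b"KER-STRING bye"), (1009, b"T-MAR")]

if __name__ == "__main__":
    for src, start, why in detect_anomalies(SAMPLE_CONNECTIONS):
        print(f"ALERT {src} window starting {start}s: {why}")
    print("per-segment match:", per_segment_match(SAMPLE_SEGMENTS, SIGNATURE))
    print("stream match:     ", stream_match(SAMPLE_SEGMENTS, SIGNATURE))
```

Run as a script, the anomaly detector flags only the source that crossed the distinct-port threshold, and the marker string is found by the stream matcher but not by per-segment inspection. The thresholds are deliberately parameters: as the text notes, they must be tuned to each network's baseline of normal traffic, and the alerts are still only indications that an administrator has to interpret.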
While these detection systems are automated, they can only indicate patterns of activity, and a computer administrator or other experienced individual must interpret activities to determine whether or not they are potentially harmful. Monitoring the logs generated by these systems can be time consuming, and there may be a learning curve to determine a baseline of "normal" traffic patterns from which to distinguish potential suspicious activity.

Cost

The cost of network intrusion detection systems varies depending on the level of sophistication of the system and the corresponding protection provided. Basic intrusion detection systems begin at around $100 and can be installed on a single machine in a few hours by a person who is knowledgeable in computers. A typical small network system of hardware and software designed for a system of 10-50 computers would cost approximately $1,000-$5,000 and would require an initial installation time of between 20-60 man-hours by an information technology specialist. Larger systems will have additional costs for more software license fees, hardware equipment capable of handling more traffic, and increased installation and testing time for additional workstations. Routine maintenance of the software or hardware system is required to analyze the information collected and update the system with information on new threats.

Vendors
Disclaimer: The information provided in this guide does not constitute an endorsement by the Environmental Protection Agency of any non-Federal entity, its products or its services. In addition, EPA does not endorse the vendors and products listed on this site. EPA is publishing lists of vendors on this site in an effort to further public awareness of vendors identified as possible contacts for further information and possible purchase of the different types of security equipment. The Agency has selected the listed vendors on that basis. The list of vendors is not a complete list, and EPA does not endorse the products or services of these vendors.

- Zone Labs, 1060 Howard Street, San Francisco, California 94103, (415) 341-8200, www.zonelabs.com
- Cisco Systems, 170 West Tasman Dr., San Jose, California 95134, (800) 553-6387, www.cisco.com
- Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, California 95014, (408) 517-8000, www.symantec.com
- Lucent Technologies, 600 Mountain Avenue, Murray Hill, New Jersey 07974, (888) 426-2252, www.lucent.com
- Sygate Technologies, 6595 Dumbarton Circle, Fremont, California 94555, (510) 742-2600, www.sygate.com
- Net Screen Corporation, 805 11th Ave., Building 3, Sunnyvale, California 94089, (408) 543-2100, www.netscreen.com
- Check Point Software Technologies, Three Lagoon Drive, Suite 400, Redwood City, California 94065, (650) 628-2000, www.checkpoint.com
- SonicWALL, 1143 Borregas Avenue, Sunnyvale, California 94089-1209, (408) 745-9600, www.sonicwall.com
- Internet Security Systems (ISS), 6303 Barfield Road, Atlanta, Georgia 30328, (888) 901-7477, www.iss.net
- TippingPoint Technologies, Inc., 7501B North Capital of Texas Highway, Austin, Texas 78731, (888) 648-9663, www.tippingpoint.com