funkwerk packetalarm IDS Systems: High Performance Intrusion Detection
Network-based intrusion detection is an indispensable instrument in any enterprise-wide security solution. No other technology supports real-time monitoring and attack detection of communications in complete network segments. Intrusion detection systems can thus be implemented e.g. at core switches or, using TAP devices, at central locations in order to check all aspects of internal communication.
According to recent studies, around 60-80% of all attacks originate from the internal network, and gateway security products cannot detect these. Because intrusion detection technology is used passively in sniffing mode, the data stream itself is not influenced, which guarantees maximum availability.
The funkwerk packetalarm IDS has been developed specifically for monitoring complete network segments. The funkwerk packetalarm IDS’s proven scan and detection technology and the sensor/manager architecture deliver maximum performance and scalability.
The intelligent correlation between attacks that have been identified and the system attributes is used to calculate in real time which attacks are actually relevant and dangerous for the network. All attack data are output in clearly structured reports. The funkwerk packetalarm IDS thus helps the administrator separate important from unimportant information and thereby creates greater security while reducing administration costs.


Secure monitoring, secure management
The funkwerk packetalarm IDS can perform sniffing with multiple interfaces simultaneously as standard and can thereby monitor several network segments in a system. Sniffing interfaces do not have a dedicated IP address (stealth mode). This means that the funkwerk packetalarm IDS itself cannot be attacked. The management interface can simply be positioned in, for example, a segment protected by a firewall. In addition, management access can be limited to specific IP addresses via the funkwerk packetalarm management console. Communication between the browser and manager is encrypted.
Intrusion Prevention in sniffing mode
If the Intrusion Prevention Engine is activated, the funkwerk packetalarm IDS can respond to attacks and prevent them by means of a TCP reset or firewall hardening. In order to enable firewall hardening with systems from third-party manufacturers or systems developed in-house, a special interface definition, Open funkwerk packetalarm Architecture (OPA), is used for communication.
Event Correlation
The funkwerk packetalarm IDS uses a special function known as Event Correlation to check whether each specific attack that is identified could be carried out on the target system. This decision is based on the integrated rule set and on defined system attributes. Each correlation increases the probability that an attack will be successful.
Attacks with a low probability rating can be filtered from the output, thereby preventing false alarms. The administrator can naturally also create his own system attributes, establish correlations between rules and attributes and determine the extent to which these increase or decrease the probability of a successful attack.
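The correlation logic described above, as an added illustration that is not packetalarm code: each alert is scored against the target's system attributes, a match raises the probability of success, a mismatch lowers it, and alerts under a threshold are dropped as probable false alarms. Host attributes, rule names, weights and alerts are all constructed for the example.

```python
# Constructed system attributes of two monitored hosts (hypothetical inventory).
SYSTEM_ATTRIBUTES = {
    "10.0.0.5": {"os": "windows", "service:80": "iis", "service:445": "smb"},
    "10.0.0.9": {"os": "linux", "service:80": "apache", "service:22": "openssh"},
}

# Each correlation ties a detection rule to an attribute value and a weight (in
# percentage points) by which a match raises the probability of success. A
# mismatch lowers it by half the weight. Rule names and weights are constructed.
CORRELATIONS = {
    "WEB-IIS-TRAVERSAL": [("service:80", "iis", 60), ("os", "windows", 20)],
    "SMB-NULL-SESSION": [("service:445", "smb", 70)],
    "SSH-BRUTE-FORCE": [("service:22", "openssh", 30), ("os", "linux", 10)],
}

BASE_PROBABILITY = 10   # every identified attack starts here until correlated

def score_alert(rule, target):
    """Probability (0-100) that `rule` could succeed against `target`."""
    attrs = SYSTEM_ATTRIBUTES.get(target, {})
    p = BASE_PROBABILITY
    for attribute, expected, weight in CORRELATIONS.get(rule, []):
        p += weight if attrs.get(attribute) == expected else -(weight // 2)
    return max(0, min(100, p))

def risk(p):
    return "High" if p >= 70 else "Medium" if p >= 40 else "Low"

def filter_alerts(alerts, threshold=40):
    """Drop alerts below `threshold` (likely false alarms); rate the rest."""
    kept = []
    for rule, attacker, target in alerts:
        p = score_alert(rule, target)
        if p >= threshold:
            kept.append((rule, attacker, target, p, risk(p)))
    return kept

# Constructed alerts as the detection engine would emit them: (rule, attacker, target).
SAMPLE_ALERTS = [
    ("WEB-IIS-TRAVERSAL", "192.0.2.10", "10.0.0.5"),  # IIS on Windows: relevant
    ("WEB-IIS-TRAVERSAL", "192.0.2.10", "10.0.0.9"),  # Apache on Linux: cannot succeed
    ("SSH-BRUTE-FORCE", "192.0.2.44", "10.0.0.9"),
    ("SMB-NULL-SESSION", "192.0.2.44", "10.0.0.9"),   # no SMB service: filtered
]

if __name__ == "__main__":
    for row in filter_alerts(SAMPLE_ALERTS):
        print(row)
```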
Anomaly Detection
Attacks and the effects of attacks often cause irregularities in data traffic. A sudden increase in data volume or the shutdown of an Internet service can be signs of an attack. The funkwerk packetalarm IDS’s Anomaly Detection displays and notifies deviations from “normal” data volumes. Funkwerk packetalarm IDS can learn what data volume is considered “normal”, and this can also be configured by administrators. Anomalies can be defined for networks, individual machines and even individual ports on machines. If a value deviates from a normal value by a specified percentage for a defined time range, this is reported.
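The volume-based anomaly detection described above, as an added example that is not packetalarm code: the normal volume per monitored object (network, host or host:port) is either learned as the mean of the first intervals or fixed by the administrator, and a report is produced once the value deviates by the configured percentage for the configured number of consecutive intervals. The class, keys, thresholds and byte counts are constructed for the example.

```python
from statistics import mean

class VolumeAnomalyDetector:
    def __init__(self, deviation_pct, sustain_intervals, learn_intervals):
        self.deviation_pct = deviation_pct      # e.g. 100 = double (or zero) traffic
        self.sustain = sustain_intervals        # deviating intervals in a row before reporting
        self.learn_intervals = learn_intervals  # samples needed before a key is judged
        self.history = {}    # key (network, host or host:port) -> learned samples
        self.baseline = {}   # key -> normal value configured by the administrator
        self.streak = {}     # key -> consecutive deviating intervals so far

    def normal_for(self, key):
        """Normal volume for `key`: the configured value, else the learned mean."""
        if key in self.baseline:
            return self.baseline[key]
        samples = self.history.get(key, [])
        return mean(samples) if len(samples) >= self.learn_intervals else None

    def observe(self, key, volume):
        """Feed one interval's byte count for `key`; return a report string or None."""
        normal = self.normal_for(key)
        if normal is None:                      # still learning what is normal
            self.history.setdefault(key, []).append(volume)
            return None
        deviation = abs(volume - normal) / normal * 100 if normal else (0.0 if volume == 0 else float("inf"))
        if deviation >= self.deviation_pct:
            self.streak[key] = self.streak.get(key, 0) + 1
        else:
            self.streak[key] = 0
            if key not in self.baseline:        # unremarkable interval: keep refining the mean
                self.history[key].append(volume)
        if self.streak[key] == self.sustain:    # report once, when the time range is reached
            direction = "above" if volume > normal else "below"
            return f"{key}: {deviation:.0f}% {direction} normal ({normal:.0f} B) for {self.sustain} intervals"
        return None

# Constructed per-minute byte counts: five learning intervals, a surge, then recovery,
# plus a second object whose normal value is fixed by hand and which goes silent.
SAMPLES = [("10.0.0.9:80", v) for v in (1000, 1100, 900, 1000, 1000, 5000, 5200, 4900, 1000)]
SAMPLES += [("10.0.0.5:445", v) for v in (0, 0, 0)]

def demo():
    det = VolumeAnomalyDetector(deviation_pct=100, sustain_intervals=3, learn_intervals=5)
    det.baseline["10.0.0.5:445"] = 2000        # administrator-defined normal value
    return [r for r in (det.observe(k, v) for k, v in SAMPLES) if r]
```

A brief spike that does not last the configured number of intervals resets the streak and is not reported, which is what keeps a single busy minute from raising an alarm.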

Simple creation of individual signatures
The funkwerk packetalarm IDS provides users with a fast and straightforward means to create their own signatures using the management interface. Combinations of rules can also be determined using the rule editor, e.g. by source or destination address, port, packet type, packet size or content (e.g. keywords, text or hexadecimal) and by frequency of occurrence within a defined time span. This can be used to customise alarm signalling or termination of specific connections, or to respond to these in another way.
Optimum monitoring, forensic analysis and auto-reporting
The funkwerk packetalarm IDS supports a detailed forensic analysis of attacks on the network. A user-friendly query and display option sorts the incidents occurring in a freely definable period into various categories. The risk of each event is shown (High, Medium, Low, Info). All attacks are displayed, by default including the entire attack packet. Funkwerk packetalarm IDS displays attacks sorted by attack target and attacker and thus creates an optimum overview of the attacked systems.
All data required for the analysis can be exported easily. A special AutoReport function automatically reports the most important attacks and rule violations in a clearly structured e-mail report. Whether reports are sent daily, weekly or monthly can be freely configured. Output of diagrams and tables can also be combined to suit individual needs. This ensures that management, IT managers and administrators have the means to display precisely the data that is most important to them.
Open PacketAlarm Architecture (OPA)
If the Intrusion Prevention Engine is activated, the funkwerk packetalarm IDS can respond to attacks and prevent them by means of a TCP reset or firewall hardening. In order to enable firewall hardening with systems from third-party manufacturers or systems developed in-house, a special interface definition, Open funkwerk packetalarm Architecture (OPA), is used for communication.


Central management of funkwerk packetalarm IDS/IPS systems with sensor/manager operation
All funkwerk packetalarm products can be operated as a distributed system. Individual sensors are distributed over the entire infrastructure and are configured, managed and monitored centrally using a manager. The sensors can communicate with the manager locally, but also in branch offices via the Internet or VPNs.