
The 7 Best Intrusion Prevention Systems (IPS) for 2020

Everyone wants to keep intruders out of their homes. For similar reasons, network administrators go to great lengths to keep intruders out of the networks they manage. One of the most important assets of many organizations today is their data. It is so important that many malicious people go to great lengths to steal it. To do this, they use a wide range of techniques to gain unauthorized access to networks and systems. The number of such attacks seems to have increased exponentially recently and, in response, systems are being put in place to prevent them. These systems are called intrusion prevention systems, or IPS. Today we're taking a look at the best intrusion prevention systems we could find.

We will start by explaining what intrusion prevention is. This, of course, implies that we will also define what an intrusion is. Next, we will explore the different detection methods commonly used and the corrective actions taken after detection. We'll then talk briefly about passive intrusion prevention. These are static measures that can be implemented and that could significantly reduce the number of intrusion attempts. You might be surprised to find that some of them have nothing to do with computers. Only then, with everyone on the same page, can we finally go over some of the best intrusion prevention systems we've been able to find.

Intrusion Prevention - What is it?

Years ago, viruses were pretty much the only concern of system administrators. Viruses reached a point where they were so common that the industry responded by developing anti-virus protection tools. No serious and sane user today would think of running a computer without virus protection. While we don't hear as much about viruses these days, intrusions, or unauthorized access to your data by malicious users, are the new threat. With data often being an organization's most important asset, corporate networks have become the target of malicious hackers who go out of their way to gain access to that data. Just as virus protection software was the answer to the proliferation of viruses, intrusion prevention systems are the answer to intruder attacks.

Essentially, intrusion prevention systems do two things. First, they detect intrusion attempts, and when they detect suspicious activity they use different methods to stop or block it. There are two different ways to detect intrusion attempts. Signature-based detection works by analyzing data and network traffic and looking for specific patterns associated with intrusion attempts. This is similar to traditional virus protection systems based on virus definitions. Signature-based intrusion detection relies on signatures, or intrusion patterns. The main disadvantage of this detection method is that it requires loading the appropriate signatures into the software. And when a new attack method is used, there is usually a delay before the attack signatures are updated. Some vendors are very quick at delivering up-to-date attack signatures, while others are much slower. The frequency and speed of signature updates is an important factor to consider when choosing a vendor.

Anomaly-based detection provides better protection against zero-day attacks, those that occur before detection signatures have had a chance to update. The process looks for anomalies rather than trying to recognize known intrusion patterns. For example, it would trigger if someone tried to access a system with the wrong password multiple times in a row, a common sign of a brute force attack. This is just one example, and there are usually hundreds of different suspicious activities that can trigger these systems. Both detection methods have their advantages and disadvantages. The best tools are those that use a combination of signature and behavior analysis for the best protection.

Detecting intrusion attempts is only the first step in preventing them. Once an attempt is detected, intrusion prevention systems actively work to stop the detected activity. These systems can take several different corrective actions. They could, for example, suspend or deactivate user accounts. Another typical action is to block the source IP address of the attack or change the firewall rules. If the malicious activity originates from a specific process, the prevention system could stop the process. Starting a protection process is another common reaction, and in the worst case, entire systems can be shut down to limit potential damage. Another important task of intrusion prevention systems is to alert administrators, log the event, and report any suspicious activity.

Passive intrusion prevention measures

While intrusion prevention systems can protect you against many types of attacks, nothing beats the good old passive intrusion prevention measures. For example, requiring strong passwords is a great way to protect against many intrusions. Another simple safeguard is to change the default passwords on your equipment. Although it is less prevalent on corporate networks, it is not unheard of; too often I have seen Internet gateways that still had their default administrator password. When it comes to passwords, password aging is another specific step that can be taken to reduce intrusion attempts. Any password, even the best, can potentially be cracked given sufficient time. Password aging ensures that passwords are changed before they can be cracked.

These are only examples of what can be done to passively prevent intrusions. We could write a full article on the passive measures that can be implemented, but that is not our goal today. Instead, our goal is to introduce some of the best active intrusion prevention systems.

The best intrusion prevention systems

Our list contains a combination of several tools that can be used to protect against intrusion attempts. Most of the tools included are true intrusion prevention systems, but we also include tools which, although not marketed as such, can be used to prevent intrusions. Our first entry is an example. Remember that, more than anything, your choice of which tool to use should be guided by your specific needs. So let's take a look at what each of our best tools has to offer.

1. SolarWinds Log and Event Manager (FREE TRIAL)

SolarWinds is a household name in networking. It has a solid reputation for creating some of the best system and network management tools. Its flagship product, Network Performance Monitor, consistently ranks among the best network bandwidth monitoring tools available. SolarWinds is also famous for its many free tools, each addressing a specific need of network administrators. Two great examples of these free tools are the Kiwi Syslog server or the SolarWinds TFTP server.

Do not let the name SolarWinds Log & Event Manager mislead you. There is much more to it than meets the eye. Some of the advanced features of this product qualify it as an intrusion detection and prevention system, while others place it in the SIEM (Security Information and Event Management) range. The tool, for example, offers real-time event correlation and real-time remediation.

>> FREE TRIAL: SolarWinds Log & Event Manager

  • Official download link: https://www.solarwinds.com/log-event-manager-software/registration

The SolarWinds Log and Event Manager offers instant detection of suspicious activity (an intrusion detection feature) and automated responses (an intrusion prevention feature). This tool can also be used to conduct forensic and security event investigations. It can be used for mitigation and compliance purposes. The tool features audited reports that can also be used to demonstrate compliance with various regulatory frameworks such as HIPAA, PCI-DSS, and SOX. The tool also has file integrity monitoring and USB device monitoring. All the advanced features of the software make it an integrated security platform rather than the event and log management system the name would have you believe.

The intrusion prevention features of SolarWinds Log & Event Manager work by implementing actions called active responses whenever threats are detected. Different responses can be linked to specific alerts. For example, the system can write to firewall tables to block network access from a source IP address that has been identified as performing suspicious activity. The tool can also suspend user accounts, stop or start processes, and shut down systems. You will recall that these are precisely the corrective measures we identified earlier.

The price of SolarWinds Log & Event Manager varies depending on the number of nodes monitored. Pricing starts at $4 for up to 585 monitored nodes and licenses for up to 30 nodes can be purchased, making the product highly scalable. If you want to try the product and see for yourself if it is right for you, a full-featured 30-day free trial is available.

2. Splunk

Splunk is probably one of the most popular intrusion prevention systems. It comes in several different editions with different sets of features. Splunk Enterprise Security, or Splunk ES as it's often called, is what you need for true intrusion prevention. The software monitors your system data in real time, looking for vulnerabilities and signs of abnormal activity.

The tool uses what the vendor calls the Adaptive Response Framework (ARF). It integrates with equipment from more than 55 security vendors and can perform automated responses, speeding up manual tasks. This combination of automated remediation and manual intervention can give you the best chance to gain the upper hand quickly. The tool has a simple and clean user interface, which makes it a winning solution. Other great protection features include the "Notable" feature, which displays user-customizable alerts, and "Asset Investigator", which flags malicious activity to prevent further problems.

Pricing information for Splunk Enterprise Security is not readily available. You will need to contact Splunk sales for a detailed quote. This is a great product, and a free trial is available.

3. Sagan

Sagan is essentially a free intrusion detection system. However, the tool's scripting capabilities may place it in the intrusion prevention systems category. Sagan detects intrusion attempts by monitoring log files. You can also combine Sagan with Snort, which can send its output to Sagan, giving the tool network-based intrusion detection capabilities. In fact, Sagan can receive information from many other tools such as Bro or Suricata, combining the capabilities of various tools for the best possible protection.

However, there is a catch with Sagan's scripting capabilities: you need to write the remediation scripts yourself. While this tool may not be best used as your sole defense against intrusion, it could be a key part of a system that integrates multiple tools by correlating events from different sources, giving you the best of many products.

While Sagan can only be installed on Linux, Unix and Mac OS, it can connect to Windows systems to collect their events. Other cool features of Sagan include IP address geolocation tracking and distributed processing.

4. OSSEC

Open Source Security, or OSSEC, is one of the leading open source host-based intrusion detection systems. We include it on our list for two reasons. First, its popularity is such that we had to include it. Second, the tool allows specifying actions that are performed automatically whenever specific alerts are triggered, giving it intrusion prevention capabilities. OSSEC is owned by Trend Micro, one of the leading names in computer security and the maker of one of the best virus protection suites.

OSSEC creates checksums for important files and periodically verifies them, alerting you or triggering corrective action whenever something strange happens. It will also monitor and alert on any abnormal attempts to gain root access. On Windows, the system also watches for unauthorized registry changes, as they can be a telltale sign of malicious activity. Any detection will trigger an alert which will be displayed on the centralized console, while notifications will also be sent via email.

OSSEC is a host-based intrusion protection system. As such, it should be installed on every computer that you want to protect. However, a centralized console consolidates information from each protected computer for easy administration. The OSSEC console only works on Unix-like operating systems, but an agent is available to protect Windows hosts. Alternatively, other tools such as Kibana or Graylog can be used as a front end for the tool.

5. Open WIPS-NG

We weren't sure if we should include Open WIPS NG in our list. More on that in a moment. It made the cut primarily because it's one of the only products that specifically targets wireless networks. Open WIPS NG, where WIPS stands for Wireless Intrusion Prevention System, is an open source tool made up of three main components. First of all, there is the sensor. It's a dumb process that just captures wireless traffic and sends it to the server for analysis. As you have probably guessed, the next component is the server. It consolidates data from all sensors, analyzes the collected data and responds to attacks. This component is the heart of the system. Finally, there is the interface component, which is the graphical interface that you use to manage the server and display information about threats detected on your wireless network.

The main reason why we hesitated before including Open WIPS NG in our list is that, as good as it is, not everyone likes the developer of the product. It comes from the same developer as Aircrack NG, a wireless packet sniffer and password cracker that is part of every WiFi hacker's toolkit. This opens the debate on developer ethics and makes some users wary. On the other hand, the developer's experience can be taken as a testament to their in-depth knowledge of Wi-Fi security.

6. Fail2Ban

Fail2Ban is a relatively popular free host intrusion detection system with intrusion prevention features. The software works by monitoring system log files for suspicious events such as failed login attempts or exploit attempts. When the system detects something suspicious, it responds by automatically updating local firewall rules to block the source IP address of the malicious behavior. This, of course, implies that a firewall process is running on the local machine. This is the main drawback of the tool. However, any other arbitrary action can be configured, such as running a remediation script or sending email notifications.

As we said, Fail2Ban's corrective actions are accomplished by modifying the host's firewall tables. Fail2Ban supports Netfilter, IPtables, or the TCP Wrapper hosts.deny table. Each filter can be associated with one or more actions. Together, a filter and its actions are called a jail.
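As an added example that is not part of the original article or of Fail2Ban itself, the Python below emulates the filter/action/jail model just described, and with it the detect-then-respond cycle from the detection-methods section earlier: a signature (a Fail2Ban-style failregex with the <HOST> placeholder) is matched against constructed SSH log lines, repeated hits from one address inside findtime are treated as the brute-force anomaly, and the jail emits the ban and unban actions a real deployment would push into the firewall. The regex, the log lines and the Jail class are assumptions for illustration, not Fail2Ban's own code.

```python
import re
from collections import defaultdict, deque

# Constructed sample auth-log lines (not from the article): (epoch seconds, message).
SAMPLE_LOG = [
    (1000, "sshd[101]: Failed password for root from 203.0.113.7 port 51111 ssh2"),
    (1002, "sshd[102]: Failed password for admin from 203.0.113.7 port 51112 ssh2"),
    (1003, "sshd[103]: Accepted publickey for alice from 198.51.100.5 port 4000 ssh2"),
    (1005, "sshd[104]: Failed password for root from 203.0.113.7 port 51113 ssh2"),
    (1006, "sshd[105]: Failed password for invalid user test from 203.0.113.7 port 51114 ssh2"),
    (1007, "sshd[106]: Failed password for root from 203.0.113.7 port 51115 ssh2"),
    (1200, "sshd[107]: Failed password for bob from 198.51.100.9 port 4001 ssh2"),
]
# The signature, in Fail2Ban failregex style; <HOST> is swapped for an IPv4 capture group.
FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

class Jail:  # filter + action: count signature hits per host within findtime, ban at maxretry
    def __init__(self, failregex, maxretry=5, findtime=600, bantime=3600):
        self.regex = re.compile(failregex.replace("<HOST>", HOST_RE))
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent matches
        self.banned = {}                     # host -> ban expiry timestamp
        self.actions = []                    # simulated firewall actions, in order

    def process(self, ts, line):
        for host, expiry in list(self.banned.items()):  # lift bans whose bantime elapsed
            if ts >= expiry:
                del self.banned[host]
                self.actions.append(("unban", host, ts))
        m = self.regex.search(line)
        if not m:
            return None                      # no signature match: ignore the line
        host = m.group("host")
        window = self.failures[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                 # drop hits that fell out of the sliding window
        if len(window) >= self.maxretry:     # repeated failures = brute-force anomaly
            self.banned[host] = ts + self.bantime
            self.actions.append(("ban", host, ts))
            window.clear()
            return "ban"
        return "match"

def run(log=SAMPLE_LOG, **jail_opts):
    # Replay a log through one jail and return the firewall actions it would fire.
    jail = Jail(FAILREGEX, **jail_opts)
    for ts, line in log:
        jail.process(ts, line)
    return jail.actions
```

With the defaults, the fifth failure from 203.0.113.7 at second 1007 triggers a ban while the single failure from 198.51.100.9 and the successful key login never do; shortening bantime to 100 seconds makes the jail emit the matching unban when the later line arrives.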

7. Bro Network Security Monitor

The Bro Network Security Monitor is another free network intrusion detection system with IPS-like functionality. It works in two phases: first it records the traffic, then it analyzes it. This tool works at multiple layers up to the application layer, which allows better detection of split intrusion attempts. The product's analysis module is made up of two elements. The first element is called the event engine, and its purpose is to track triggering events such as TCP connections or HTTP requests. The events are then analyzed by policy scripts, the second element. The job of policy scripts is to decide whether to raise an alarm, take an action, or ignore the event. It is the possibility of launching an action which gives the Bro Network Security Monitor its IPS functionality.

The Bro Network Security Monitor has certain limitations. It will only track HTTP, DNS and FTP activity, and it also monitors SNMP traffic. However, this is a good thing, as SNMP is often used to monitor the network despite its severe security holes. SNMP has little built-in security and uses unencrypted traffic. And since the protocol can be used to change settings, it could be easily exploited by malicious users. The product will also monitor device configuration changes and SNMP traps. It can be installed on Unix, Linux and OS X, but it is not available for Windows, which is perhaps its main drawback. Otherwise, it's a very cool tool worth trying.
