tacIDS

Monitoring

Description
Corporate networks are exposed to numerous threats from both within and without:
On the one hand, servers that provide Internet services (such as a corporate website) may become just as much a target for external attackers as public servers (such as mail servers) that offer services to internal users. On the other hand, employees may put a company's intranet at risk unintentionally, by handling difficult technologies carelessly, or even deliberately, by taking advantage of gaps in the services provided. Examples include using plug-ins or active content in web browsers, or setting up non-authorised tunnels from the intranet to external systems via HTTP/S. Such hazards typically leave their tracks only in the dark areas of the network, that is, in areas hidden from most security mechanisms.

Customer Benefit
The main features of an intrusion detection system are as follows:

Early Detection of Problems
Many attacks can be detected and combated at their first signs, but others cannot. However, the damage can almost always be minimised: network anomalies point to an attack, and countermeasures can be initiated immediately. Network problems not caused by malicious actions can be detected and addressed as well. For example, it is an easy matter to isolate and correct errors in firewall, system or application configurations that tend to become noticeable only in the network. In either case, the (consequential) damage caused by attacks or attempted attacks is minimised.

Creating Network Transparency
Whereas logs for systems and applications are often stored and occasionally even analysed, the network is usually still "terra incognita". An intrusion detection system provides insight into this new frontier and can thus detect problems or anomalies before they make it into the log files. Today's anomalies are tomorrow's problems. Using an IDS is therefore a great help in understanding your network and in guaranteeing network functionality.

Systematic Control and Preservation of Evidence
One application for intrusion detection systems is as a logger of network activities. For example, they can automatically and systematically log the traffic from or to specific systems for any period of time. They can also trigger logging of certain events in order to record attempted attacks in their entire context. These logs can then be analysed automatically or manually. In the event of an attack, they may even stand up as evidence of illegal activities in a court of law.

Scope of Services
terreActive's intrusion detection system tacNIDS is based on Snort, one of the most powerful IDS sensor engines on the market and a flagship of open source development. On tacPAB, the especially secure and optimised terreActive Linux distribution, Snort can realise its full potential. You receive a detailed report on anomalies that have occurred, such as port scans, failed attacks etc., on a weekly basis. If there is an indication of a successful attack, the pre-defined escalation mechanisms are executed. A globally active open source community that constantly strives to keep Snort's signature base up to date, together with terreActive's many years of experience in intrusion detection, guarantees the top quality and efficiency of the signatures used. We test the latest signatures, termed "experimental" in Snort parlance, for usability in our customers' environments. Along with the signatures we develop ourselves (for example to discover unauthorised tunnels), this adds considerable value to the standard installation. We also install a customer-specific signature set that monitors network traffic and detects unauthorised connections via TCP/IP (layers 3/4).

This setup can be used in various ways: apart from discovering malicious actions, it can also check that the installed applications comply with their specifications and ensure that an upstream firewall is configured and working properly.
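The layer 3/4 check described above amounts to comparing observed connections against a policy of permitted source/destination/port combinations: a flow that matches no policy entry is either an unauthorised connection or traffic that an upstream firewall should have blocked and did not. The following is an added illustration of that comparison, not terreActive's code or a Snort signature; the policy, the flow-log format and the sample flows are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical policy entry: which sources may reach which destinations on which
# protocol/port. dport=None means any destination port.
@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

# Constructed policy mirroring a typical firewall ruleset:
#  - anyone may reach the public web server on 443
#  - only the internal net may reach the mail server on 25
#  - the internal net may browse out on 80/443 and resolve via the internal DNS
POLICY: List[Rule] = [
    Rule(_net("0.0.0.0/0"), _net("192.0.2.10/32"), "tcp", 443),
    Rule(_net("10.0.0.0/8"), _net("192.0.2.20/32"), "tcp", 25),
    Rule(_net("10.0.0.0/8"), _net("0.0.0.0/0"), "tcp", 80),
    Rule(_net("10.0.0.0/8"), _net("0.0.0.0/0"), "tcp", 443),
    Rule(_net("10.0.0.0/8"), _net("10.0.0.53/32"), "udp", 53),
]

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (tcp|udp)$"
)

def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-log format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, proto = m.groups()
            flows.append(Flow(ts, src, int(sport), dst, int(dport), proto))
    return flows

def is_permitted(flow: Flow, policy: List[Rule]) -> bool:
    """A flow is permitted if at least one policy entry covers it."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return any(
        src in r.src and dst in r.dst and flow.proto == r.proto
        and (r.dport is None or r.dport == flow.dport)
        for r in policy
    )

def find_violations(text: str, policy: List[Rule]) -> List[Flow]:
    """Return every observed flow that no policy entry allows.

    Each hit is either an unauthorised connection or evidence that the upstream
    firewall is not enforcing the policy it is supposed to enforce."""
    return [f for f in parse_flows(text) if not is_permitted(f, policy)]

# Constructed sample flows seen by the sensor (not real traffic).
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 203.0.113.5:51234 -> 192.0.2.10:443 tcp
2024-01-01T10:00:02 203.0.113.5:51235 -> 192.0.2.20:25 tcp
2024-01-01T10:00:03 10.1.2.3:40000 -> 192.0.2.20:25 tcp
2024-01-01T10:00:04 10.1.2.3:40001 -> 198.51.100.7:22 tcp
2024-01-01T10:00:05 10.1.2.3:40002 -> 10.0.0.53:53 udp
2024-01-01T10:00:06 192.0.2.10:3333 -> 10.1.2.3:4444 tcp
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS, POLICY):
        print(f"{v.ts} policy violation: {v.src}:{v.sport} -> {v.dst}:{v.dport}/{v.proto}")
```

Run against the sample, the check flags three flows: an external host reaching the mail server on 25 (the firewall should have stopped it), an internal host opening SSH to the Internet (not in the policy), and the web server initiating a connection into the internal net (a server that should only answer requests is suddenly a client). The first case is the firewall-verification use mentioned in the text; the other two are the unauthorised-connection use.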
terreActive strives to offer customers maximum transparency with respect to the installed systems and therefore provides full read access to the discovered "raw" events on request. Customers are given an easy-to-use web-based GUI that lets them follow events in real time. In addition, the GUI offers data mining in past events that have already been processed by terreActive.


Operating system: tacPAB (secure, performance-optimised terreActive Linux distribution)
IDS engine: Snort Version 2
Upgrades: Yes, as needed
Signature management: Done by tA, optimum results in combination with tacVA
Available layer 7 signatures: > 2,000
Layer 3/4 configuration: Optional, as required by customer
Periodical reports/attack profiles: Monthly, optionally in shorter intervals
Analysis and monitoring: 24/7
Incident handling: As agreed with customer
Event correlation: Possible in combination with tagLOG