
Firewall with IDS & IPS



#1 Nzyme


Posted 18 July 2017 - 11:27 AM

Hello folks,

Can you suggest good security software for home use that includes IPS (Intrusion Prevention System) and IDS (Intrusion Detection System), along with any other latest networking technology? Thanks!

Edited by Al1000, 21 July 2017 - 08:41 AM.
moved from Firewall Software and Hardware



#2 Nzyme


Posted 23 July 2017 - 12:07 PM

Anyone?



#3 malwaredpc


Posted 23 July 2017 - 03:09 PM

I can't help by recommending one, but I can point you to this Wikipedia page to find what you need.

About 2 years ago I did some research on the subject and I can give you some tips (as it happened, I never deployed one; that is why I can't recommend any to you).

  • Some are installable on a running OS, others are an entire OS. A few can be used through a live system.
  • Some come with, or have the possibility to be, servers; others don't.
  • Some are for routers, as embedded devices you have in your home, but not all work with wireless. Others need PCs; others still are sold with their own hardware.
  • Some are free. Others are paid. Some others are free up to a point but need paying for more services (Untangle for example).
  • Some have a GUI. Others a CLI. Others both.

Snort and Suricata are probably the most used on Linux. I bet the most popular is Untangle. Sophos uses Snort, I guess, because some are IDS/IPS solutions but not just that. I can't tell you which ones on the page have IDS/IPS.


Edited by malwaredpc, 23 July 2017 - 03:14 PM.


#4 arlattimor


Posted 23 July 2017 - 06:04 PM

If you have the resources to purchase a Cisco 5510 Firewall, it's a simple choice. But if you are strapped for cash and still require enterprise-level security, the answer is simple: pfSense. Get yourself a used system from Goodwill, add a couple of NICs, install the latest version of pfSense with all the updates, and you are golden.


A. Lattimore

CCNA, CWNA, MCITP, MCSA, MCT, MCP, Security+, Server+, Linux+, Network+, A+, CNST

Network Security Engineer

 


#5 arlattimor


Posted 23 July 2017 - 06:07 PM

I have used pfSense on many deployments that required IDS/IPS. pfSense is the all-in-one shop; you can't go wrong with it. You can administer pfSense from the command line like any Cisco router, or from a web browser like a SOHO router. Most importantly, pfSense is free: just download the ISO file, burn it to a DVD and install. https://nyifiles.pfsense.org/mirror/downloads/


Edited by arlattimor, 23 July 2017 - 06:13 PM.


 


#6 Nzyme


Posted 24 July 2017 - 10:27 AM

(Quoting malwaredpc, post #3 above.)

Hmm, I was thinking of some home-based firewall software like ZoneAlarm, Privatefirewall, etc. I don't think these have IDS/IPS though. I do not want to buy another router, nor do I have another system that I can dedicate just to security. All I am looking for is an "install and forget" kind of home-based firewall software with enterprise-level features like IDS/IPS/HIPS etc., with the top priority of blocking all kinds of network attacks. Not sure why there are none/very few of these for home, and why companies have much better protection and products for enterprise.



#7 arlattimor


Posted 24 July 2017 - 10:40 AM

I see. Well, if that's the case, try Suricata: https://suricata-ids.org. It looks like it has everything you're looking for. Personally, I prefer a hardware-based system I built or have purchased, but this looks like it can meet your requirements. Here are the features.

 

Complete list of Suricata Features

Engine
  • Network Intrusion Detection System (NIDS) engine
  • Network Intrusion Prevention System (NIPS) engine
  • Network Security Monitoring (NSM) engine
  • Offline analysis of PCAP files
  • Traffic recording using pcap logger
  • Unix socket mode for automated PCAP file processing
  • Advanced integration with Linux Netfilter firewalling
Operating System Support
  • Linux
  • FreeBSD
  • OpenBSD
  • macOS / Mac OS X
  • Windows
Configuration
  • YAML config file — human and machine readable
  • well commented and documented
  • support for including other files
TCP/IP engines
  • Scalable flow engine
  • Full IPv6 support
  • Tunnel decoding
    • Teredo
    • IP-IP
    • IP6-IP4
    • IP4-IP6
    • GRE
  • TCP stream engine
    • tracking sessions
    • stream reassembly
    • target based stream reassembly
  • IP Defrag engine
    • target based reassembly
Protocol parsers
  • Support for packet decoding of
    • IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
    • Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN
  • App layer decoding of:
    • HTTP, SSL, TLS, SMB, SMB2, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3
HTTP engine
  • Stateful HTTP parser built on libhtp
  • HTTP request logger
  • File identification, extraction and logging
  • Per server settings — limits, personality, etc
  • Keywords to match on (normalized) buffers:
    • uri and raw uri
    • headers and raw headers
    • cookie
    • user-agent
    • request body and response body
    • method, status and status code
    • host
    • request and response lines
Detection engine
  • Protocol keywords
  • Multi-tenancy
  • xbits – flowbits extension
  • PCRE support
  • fast_pattern
  • Rule profiling
  • File matching
    • file magic
    • file size
    • file name and extension
    • file MD5 checksum — scales up to millions of checksums
  • multiple pattern matcher algorithms that can be selected
  • extensive tuning options
  • live rule reloads — use new rules w/o restarting Suricata
  • delayed rules initialization
  • Lua scripting
  • Hyperscan integration
Outputs
  • Eve log, all JSON alert and event output
  • Lua output scripts
  • Redis support
  • HTTP request logging
  • TLS handshake logging
  • Unified2 output — compatible with Barnyard2
  • Alert fast log
  • Alert debug log — for rule writers
  • Traffic recording using pcap logger
  • Prelude support
  • drop log — netfilter style log of dropped packets in IPS mode
  • syslog — alert to syslog
  • stats — engine stats at fixed intervals
  • File logging including MD5 checksum in JSON format
  • Extracted file storing to disk
  • DNS request/reply logger, including TXT data
  • Signal based Log rotation
  • Flow logging
Alert/Event filtering
  • per rule alert filtering and thresholding
  • global alert filtering and thresholding
  • per host/subnet thresholding and rate limiting settings
Packet acquisition
  • High performance capture
    • AF_PACKET
    • PF_RING
    • NETMAP
  • Standard capture
    • PCAP
    • NFLOG (netfilter integration)
  • IPS mode
    • Netfilter based on Linux (nfqueue)
      • fail open support
    • ipfw based on FreeBSD and NetBSD
    • AF_PACKET based on Linux
    • NETMAP
  • Capture cards and specialized devices
    • Endace
    • Napatech
    • Tilera
Multi Threading
  • fully configurable threading — from single thread to dozens of threads
  • precooked “runmodes”
  • optional CPU affinity settings
  • Use of fine grained locking and atomic operations for optimal performance
  • Optional lock profiling
IP Reputation
  • loading of large amounts host based reputation data
  • matching on reputation data in the rule language using the “iprep” keyword
  • live reload support
  • supports CIDR ranges

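As an added example (not code from the thread or from the Suricata project), the following Python models two items in the feature list above: reading Eve JSON alert records and applying one threshold.config entry to them with the per-rule, per-source "limit", "threshold" and "both" semantics that Suricata's documentation describes. The eve.json lines, the 10.0.0.x addresses and the sid 1000001 "local" rule are constructed for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime

def _alert(ts, src, sid=2100498, sig="GPL ATTACK_RESPONSE id check returned root"):
    # One constructed eve.json alert line in the shape Suricata's Eve output uses.
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "src_port": 44321,
                       "dest_ip": "192.168.1.10", "dest_port": 80, "proto": "TCP",
                       "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 7,
                                 "signature": sig, "category": "Potentially Bad Traffic",
                                 "severity": 2}})

# Constructed sample: a noisy source repeating one signature every 10 s, a quiet source, another rule, a corrupt line.
SAMPLE_EVE_LINES = [
    _alert("2017-08-16T09:16:00.000000+0000", "10.0.0.5"),
    _alert("2017-08-16T09:16:10.000000+0000", "10.0.0.5"),
    _alert("2017-08-16T09:16:20.000000+0000", "10.0.0.5"),
    _alert("2017-08-16T09:16:15.000000+0000", "10.0.0.9"),
    _alert("2017-08-16T09:16:40.000000+0000", "10.0.0.5", sid=1000001, sig="LOCAL test rule"),
    _alert("2017-08-16T09:17:10.000000+0000", "10.0.0.5"),
    "{not json",
]

def load_eve(lines):
    """Parse eve.json lines, skipping anything that is not a JSON event object."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue          # corrupt or truncated line: skip rather than abort
        if isinstance(ev, dict) and "event_type" in ev:
            events.append(ev)
    return events

@dataclass
class ThresholdRule:
    """A threshold.config entry such as `threshold gen_id 1, sig_id 2100498, type limit,
    track by_src, count 2, seconds 60`.  kind 'limit' passes at most `count` alerts per
    window, 'threshold' every `count`-th alert, 'both' one alert once `count` are seen."""
    sig_id: int
    kind: str
    track: str        # 'by_src' or 'by_dst'
    count: int
    seconds: int

def apply_threshold(events, rule):
    """Return the events that survive the rule, preserving arrival order."""
    windows = {}   # tracked address -> (window start, matches so far in that window)
    kept = []
    for ev in events:
        if ev["event_type"] != "alert" or ev["alert"]["signature_id"] != rule.sig_id:
            kept.append(ev)   # other signatures and non-alert records pass untouched
            continue
        key = ev["src_ip"] if rule.track == "by_src" else ev["dest_ip"]
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        start, n = windows.get(key, (None, 0))
        if start is None or (ts - start).total_seconds() >= rule.seconds:
            start, n = ts, 0          # open a fresh window for this address
        n += 1
        windows[key] = (start, n)
        if ((rule.kind == "limit" and n <= rule.count)
                or (rule.kind == "threshold" and n % rule.count == 0)
                or (rule.kind == "both" and n == rule.count)):
            kept.append(ev)
    return kept
```

With the "limit, count 2, seconds 60" rule the noisy source keeps its first two alerts, loses the third, and alerts again only once a new 60 s window opens.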

 


#8 arlattimor


Posted 24 July 2017 - 10:42 AM

Let me know how it works out if you decide to use it.



 


#9 quietman7


Posted 25 July 2017 - 08:47 AM

ESET Antivirus and Smart Security use a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET Antivirus (and Smart Security) includes Exploit Blocker, which is designed to fortify applications that are often exploited (e.g. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes and looks for and blocks suspicious activities that are typical of exploits, including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes script-based attack protection, which protects against JavaScript in web browsers, and Antimalware Scan Interface (AMSI) protection against scripts that try to exploit Windows PowerShell.

Emsisoft Internet Security (EIS) is a complete security suite which combines Emsisoft Anti-Malware with an efficient, powerful new firewall created using the same core previously found in Emsisoft Online Armor with HIPS. The rest of the software code is hand-made by the Emsisoft team. However, EIS does NOT include HIPS. Instead EIS utilizes the EAM Behavior Blocker, which fills the same "niche" that a HIPS was designed to fill: it continually monitors the behavior of all active programs, looking for any anomalies that may be indicative of malicious activity, and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which executes via script parser programs), and file-encrypting malware (ransomware) attacks.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#10 Nzyme


Posted 16 August 2017 - 09:16 AM

(Quoting malwaredpc, post #3 above.)

Thank you for your response. Will check out the page.



#11 Nzyme


Posted 16 August 2017 - 09:18 AM

 

(Quoting arlattimor, post #7 above.)

 

I have installed Suricata and it is really complicated to set up, with one having to type many commands and so on...

 

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup

 

I have uninstalled this as I am looking for something simpler for home use. Anyway, thanks for the suggestion.



#12 Nzyme


Posted 16 August 2017 - 09:20 AM

(Quoting quietman7, post #9 above.)

 

 

These two are on my list and will check them out. Thanks!



#13 quietman7


Posted 16 August 2017 - 03:46 PM

You're welcome.



