Having a range of tools to keep networks protected is no longer a matter only for large organizations. The field of cybersecurity and information security is at the forefront at all times. However, some specific solutions may not be very accessible to certain businesses. This guide will familiarize you with IDS / IPS systems, and we will also recommend some of the best free and affordable solutions you can find.
What is an IDS / IPS?
IDS stands for Intrusion Detection System and IPS for Intrusion Prevention System. They are a set of systems that complement each other to provide greater security to networks of different sizes, especially those networks that require a high level of responsiveness and service. These systems can be deployed either as software or as hardware, using specialized appliances. They are commonly referred to together as IDS / IPS because they work together.
Several of these tools integrate the ability to detect cyber attacks, in addition to performing actions that can nullify their effects. The latter capability is specific to Intrusion Prevention Systems. It is highly recommended to opt for these systems, especially if we want to ensure that attacks do not materialize, or that when they do, their impact is as small as possible.
Years ago, the availability of these systems was limited. They were reserved for those organizations that, above all, could pay the costs involved in implementing them. However, computer attacks have multiplied in recent years, and the picture shows that organizations of any size are vulnerable. For this reason, many companies specialized in their provision offer them as part of a package of products and services, although they also sell IDS / IPS as separate products.
Free and affordable IDS / IPS recommendations
It is good to keep in mind that a good part of the offering of this type of system can be expensive. Some solutions from leading brands such as Cisco easily exceed thousands of euros.
This is mainly due to the type of clients they serve and the complete package of additional services linked to the IDS / IPS system in question. Technical support, resources and a strong reputation make many large organizations go for brands like this.
On the other hand, are there free solutions? Or perhaps ones with more accessible costs, or in any case ones that are open source and can be customized further? This guide has some recommendations.
OSSEC is a host-based IDS developed by an open-source project. This project has been active for many years and OSSEC enjoys a significant level of acceptance.
It has a large team of developers dedicated to the system, in addition to an active community oriented to helping users, creating translations, supporting documentation and much more. OSSEC already exceeds 500,000 annual downloads and, best of all, it is cross-platform: it is available on Windows and macOS, and Unix or Linux based systems are supported as well, since this IDS has a compatible host agent for them.
This is how it operates: OSSEC monitors the logs of the various components of your system in real time. It is capable of detecting all kinds of changes to individual files, including the most important parts of the Windows registry. This solution is an IDS, but it also has some IPS capabilities: it can respond to attacks through its own response mechanisms and through integrations with third-party tools.
Would you like to start testing this tool? On the official site you will find the details of this solution. You can also sign up for an e-mail mailing list to stay up to date with news, and join their Slack channel to communicate directly with other members of the community. If you need a corporate-level solution with more advanced features, such as integration with SIEM systems, data storage, cloud services like AWS and much more, there is the option of OSSEC Atomic Enterprise.
Note: Host-based systems focus on protecting the hosts themselves, not the network they are connected to. This is very useful when protection is focused on a single user or a small group. IDS / IPS systems that operate at the network level (network-based) are a different matter: as a network administrator, they give you more visibility into the potential problems that could affect one or more hosts.
Snort is an open-source project that started out as a packet-analysis tool. Over time it has become a complete IDS from which any network can benefit greatly.
Its detection rules are configurable through various parameters, so that the packets traveling through your network can be analyzed accurately and efficiently. It can detect many types of attack using signature-based detection and also anomaly detection (unusual activity).
One of the great advantages of Snort is that it has a large and active community. Anyone who needs help can get it, so that everyone can get more out of this solution. It is also completely free and open to modifications through contributions. Its community rules are updated frequently and are released under the GPL, that is, the General Public License.
There are also paid subscriptions, which are somewhat more affordable than comparable commercial offerings. One distinction is that subscribers receive rule updates 30 days before they are released to the Snort community.
The plans available range from approximately 27.41 euros per month to almost 366 euros per year. A curious fact is that Snort is managed by the giant Cisco, and several of its features follow the rules of Cisco's proprietary NGIPS, an acronym for Next-Generation Intrusion Prevention System.
To start using this system, the official site's guide will walk you through these steps:
- Installation on Windows, FreeBSD, Fedora and CentOS. You also have the option to directly download the source code to fully adopt the system according to your needs.
- Downloading the rule set so you can configure and launch Snort as soon as possible.
- Steps to keep your system up to date with the latest updates.
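To make the signature-based detection mentioned above concrete, here is an added example written for this guide (it is not Snort's code and uses only a tiny, constructed subset of Snort's rule syntax): a parser for rules of the form `action proto src_ip src_port -> dst_ip dst_port (msg:"..."; content:"..."; sid:N;)`, and a matcher that runs them over a handful of constructed packets. Real Snort supports far more (CIDR ranges, port lists, hex content, offset/depth modifiers, flow state), so treat this as an illustration of the idea, not a replacement.

```python
import re
from dataclasses import dataclass

# Constructed subset of the Snort rule grammar used by this example only:
#   action proto src_ip src_port -> dst_ip dst_port (opt:value; opt:value; ...)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    options: dict


def parse_rule(text: str) -> Rule:
    """Parse one rule line; only the msg, content and sid options are used here."""
    match = RULE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unparseable rule: {text!r}")
    options = {}
    for item in match.group(7).split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(*match.groups()[:6], options)


def header_matches(rule: Rule, pkt: dict) -> bool:
    """'any' is a wildcard; otherwise the field must match exactly (no CIDR or port ranges here)."""
    checks = [
        (rule.proto, pkt["proto"]),
        (rule.src_ip, pkt["src_ip"]),
        (rule.src_port, pkt["src_port"]),
        (rule.dst_ip, pkt["dst_ip"]),
        (rule.dst_port, pkt["dst_port"]),
    ]
    return all(want == "any" or want == str(have) for want, have in checks)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """The header must match and, if the rule has a content option, it must appear in the payload."""
    if not header_matches(rule, pkt):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt["payload"]


def inspect(rules: list, packets: list) -> list:
    """Return (sid, msg, src_ip) for every alert rule that fires on every packet."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((rule.options.get("sid"), rule.options.get("msg"), pkt["src_ip"]))
    return alerts


# Constructed local rules (sid values of 1000000 and above are reserved for local rules).
RULES = [parse_rule(line) for line in [
    'alert tcp any any -> any 80 (msg:"HTTP request for /etc/passwd"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> any 22 (msg:"SSH client banner seen"; content:"SSH-"; sid:1000002;)',
]]

# Constructed packets standing in for a capture; "payload" is the transport-layer data.
PACKETS = [
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "192.168.1.10", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src_ip": "10.0.0.7", "src_port": 51001, "dst_ip": "192.168.1.10", "dst_port": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src_ip": "10.0.0.7", "src_port": 51002, "dst_ip": "192.168.1.10", "dst_port": 22,
     "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"proto": "udp", "src_ip": "10.0.0.9", "src_port": 5353, "dst_ip": "224.0.0.251", "dst_port": 5353,
     "payload": b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"},
]

if __name__ == "__main__":
    for sid, msg, src in inspect(RULES, PACKETS):
        print(f"[{sid}] {msg} from {src}")
```

Only the second and third packets trigger alerts: the first is an ordinary web request, and the fourth is UDP to port 5353, which no rule covers. This is also why tuning matters: the port-22 rule here would fire on every legitimate SSH session, so in practice such a rule is either narrowed (specific hosts, a threshold) or used for logging rather than alerting.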
The next recommendation is a Linux distribution that works as a robust security solution. It includes its own IDS / IPS functionality, built on base solutions such as OSSEC and Snort, and it also relies on Suricata for the network-based IDS / IPS features. A very interesting point that can make a difference when choosing the solution you need is that it comes integrated with various tools, including the following:
- Elasticsearch (distributed search engine)
- Logstash (log management tool)
- Kibana (open-source data visualization dashboard)
- Bro (network security monitor)
- Sguil (network security monitor)
- Squert (display of stored event data)
- NetworkMiner (network analysis tool) and other more security-oriented tools
You can access its official repository on GitHub, where you will find the image file (in ISO format) and all the instructions needed to get it running as soon as possible.
WinPatrol is most likely the lightest functional IDS / IPS solution we can find. The download does not even reach 2 MB, and the installation does not take up more than 4.5 MB. Once installed, it runs very quickly.
In short, WinPatrol is above all a program that helps you better manage the processes, programs and other aspects of your operating system. However, it has features aimed at intrusion prevention and detection that can be of great help to individual users.
It can monitor changes to file type associations and the creation of scheduled tasks. It also gives you visibility of other important changes, such as to the Windows registry, hidden files and more.
Is it possible to replace the use of the firewall with IDS / IPS?
We are sure you have asked yourself this question. What does an IDS / IPS have that a firewall does not? Or vice versa? The first thing to keep in mind is that their benefits may look similar in terms of their central purpose, but they do not operate in the same way.
A firewall uses rules that allow or block incoming and outgoing network traffic based on criteria such as protocol, source and destination address and port numbers. It is a shield against insecure protocols and other suspicious traffic that could affect the network.
However, some attacks reach the network while fully complying with the rules established by the firewall. One example is a brute-force attack over SSH. SSH is one of the most widely used secure protocols for remote administration via the command line, yet attacks can still be carried out through it.
In situations like this, IDS / IPS systems are very useful for detecting that a brute-force attack is under way. They can detect malicious activity even when it “complies” with the rules configured in the firewall. In practice, the firewall and the IDS / IPS work together: the IDS detects the attack and “tells” the firewall to block the connections.
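The SSH brute-force scenario above is the classic case where a firewall rule (allow TCP/22) is satisfied by every attempt, and only the pattern across attempts gives the attack away. The script below is an added example written for this guide, not code from any of the tools discussed: it reads constructed sshd log lines (syslog format, invented for the demonstration), counts failed logins per source address inside a sliding time window, and, once a source crosses the threshold, generates the firewall command the IDS would hand to the firewall. The commands are only returned as strings, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format (not a real capture).
SAMPLE_LOG = """\
Mar 10 12:00:01 gateway sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Mar 10 12:00:02 gateway sshd[1202]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 10 12:00:03 gateway sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar 10 12:00:04 gateway sshd[1204]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 12:00:05 gateway sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Mar 10 12:00:06 gateway sshd[1206]: Failed password for invalid user oracle from 203.0.113.7 port 50214 ssh2
Mar 10 12:00:07 gateway sshd[1207]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 12:05:00 gateway sshd[1208]: Failed password for bob from 198.51.100.4 port 40023 ssh2
Mar 10 12:05:30 gateway sshd[1209]: Failed password for bob from 198.51.100.4 port 40024 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str):
    """Yield (timestamp, user, source_ip) for every failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year; strptime fills in 1900, which is fine for time deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def detect_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag a source once it produces `threshold` failures inside a sliding window.

    Returns the blocked IPs (in order of detection) and the firewall commands the IDS
    would pass to the firewall. The commands are generated here, never run.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked, commands = [], []
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocked:
            continue                  # already handed to the firewall
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(ip)
            # The block action: an iptables rule dropping further SSH traffic from this source.
            commands.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return {"blocked": blocked, "commands": commands}


if __name__ == "__main__":
    result = detect_brute_force(SAMPLE_LOG)
    for cmd in result["commands"]:
        print(cmd)
```

With the defaults, only 203.0.113.7 is blocked (five failures in six seconds), while 198.51.100.4, with two failures thirty seconds apart, is left alone. The threshold and window are the knobs that trade detection speed against false positives: a user who mistypes a password twice should not be locked out, and a block that never expires is a denial-of-service risk against shared or spoofable addresses, which is why real tools add an expiry to the block.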
Firewalls and IDS / IPS systems are becoming increasingly essential as part of the security suite of any network. Take advantage of this opportunity to get accessible tools with a high level of post-implementation support.