EnterEdge Technology takes a holistic approach to ensuring the Confidentiality, Integrity and Availability of data. By combining best-of-breed technology with security expertise, education and managed security services, EnterEdge helps organizations lower costs and improve efficiencies.

 



Intrusion Protection Solutions


Intrusion Detection and Protection technologies can be implemented at different points in the network. In many cases, a combination of technologies will provide better visibility along with more accuracy.


Network Intrusion Detection (NIDS)
Network Intrusion Detection systems passively monitor traffic on the network and attempt to discover attacks against the network they are protecting. Some NIDS systems can take an active response, such as killing sessions or initiating firewall blocks. In most cases, though, NIDS systems are used to discover and report activity, and to help determine the impact of a potential attack. Placement of Network Intrusion Detection sensors can vary based on the amount of visibility desired.

  • External to Firewall
    NIDS sensors outside of the firewall are considered the least accurate source of information, but they do provide value. Scanning and attacks from the Internet are constant, so observing traffic outside of a firewall creates a great deal of noise, often so much that identifying real threats becomes extremely difficult. A firewall is normally the first line of defense and will handle a large percentage of these attacks, so most of the activity observed by the external NIDS sensor would be considered false. The value of an external IDS sensor is the added visibility: it helps corroborate information, identify scans and trends, and see attempts that may lead to a more serious compromise.
  • DMZ Segment
    Placing a sensor on the DMZ segment provides visibility into attacks that passed through the firewall. These detections are considered more accurate since the attack made it past the first level of defense.
  • Internal Segments
    Placing a sensor directly inside of the firewall on the internal segment, or at critical points within the network, can provide significant visibility into internal traffic. This can be an important tool for identifying internal threats or suspicious user activity, and an effective way to enforce security policies and user practices.

Network Intrusion Protection
Network Intrusion Protection is very similar to Intrusion Detection, but is designed to stop attacks and so provide active protection. Most solutions are in-line: network traffic passes through the device, which gives it blocking capabilities like a firewall. These solutions may be used at different points in the network, but are most often placed near the firewall on the External, DMZ, or Internal segment.

Host-based Intrusion Protection for Servers
Host-based Intrusion Protection typically provides the most accurate view of an attack with the least noise. Several technologies exist today, and some systems take advantage of multiple techniques to provide a more accurate view of the activity. Some common methods include network-based, OS event, and application control techniques. Each method has its advantages, and selection of the proper technology is crucial to provide the desired level of protection. One weakness of host-based protection is limited visibility: it only sees activity destined for the host it resides on, so it is typically used in conjunction with network-based solutions.

Endpoint Protection for Workstations
End-Point Protection refers to protecting workstations from attack, which may lead to further compromise. Many workstations have the potential to be used outside of the protected corporate environment, and may be exposed to the Internet without any protection over broadband or dial-up access. Furthermore, if these devices have remote access to the corporate network by VPN or dial-up, they are basically an extension of the corporate network. Without End-Point protection, a workstation may be easily attacked from the Internet, jeopardizing any confidential information on that machine. Once a workstation is compromised, there is a significant threat of the workstation being used for unauthorized access to the corporate network.

End-Point protection provides a means of controlling access, enforcing personal firewall policies, and identifying and preventing suspicious activity. This also provides a mechanism to control internal threats, such as the outbreak of a virus or worm. End-Point protection has become as necessary as Anti-Virus software in the protection of workstations.



Copyright © 2007 • EnterEdge Technology, LLC • 5500 Interstate N. Pkwy Suite 440 • Atlanta, GA 30328
Phone: 770.955.9899 • Fax 770.955.9896