intrusion detection

I want to that is it necessary to have Intrusion detection service?

 

i would say YES.

 

I would say it is NOT really necessary for personal computers. Well, it also depends on what kind of intrusion detection you are talking about.

Edit: if you are talking about the intrusion detection of Kerio 4.xx or the IDS of Tiny Firewall, I would say NOT for personal computer (not server).

 

BTW, which firewalls( free or paid) lack IDS feature?

 

I was curious because there are no ids rules currently in tiny firewall pro 6.5.126 and that's only feature which tiny lacks. Most firewall such as norton firewall,mcafee, kaspersky have ids rules which made me think about this.

 

IDS rules for TPF were converted from SNORT rules. They are not available in the installation package due to copy right problem. However, you can get them somewhere else. It was available at TPF forum. Unfortunately, CA has shut down TPF sites, and the rules are not available there anymore. If you ask, some TPF users here at WSF may still have them, and perhaps can send you.

I used IDS rules with my TPF for quite some time. But later on, I removed the rules and shut down the IDS module of TPF on my computer. On a server, there is a lot inbound traffic for data access request. IDS is useful to find whether such inbound traffic is of good purpose or evil purpose. On a personal computer, you normally do not allow other computers to access the data on your computer. Instead, you send out data request (when you access the web and etc) and only allow the responses to your request back into your computer with firewall rules. With firewall rules properly set up, intrusion risk on a personal computer is small compared to a server. Thus IDS is not really necessary. During the time that I was using IDS rules with TPF (one or two years), I could only find a couple of false-positive warnings from IDS. On the other hand, TPF consumes around 15MB extra memory (RAM+Virtual) with IDS rules active. So I simply shut it down.

On some other firewalls, IDS is often used as a marketing tool. It constantly tells the user that intrusion attempt from IP xxx.xxx.xxx is blocked and blah blah. The user would fell that IDS is very effective. The truth is that, even without that so called IDS, those 'intrusion' traffic will be blocked by firewall rules anyway.

 

Hi, folks: Hi Yahoo, I noticed that you are using Shadow User pro and firewall, Av, As and no more. I guess you are not a fan of IDS or HIPS. Can tell us your experience with these few defence apps? Without any other multi-layered protection, do you feel safe (in terms of PC of course) at all? In your opinion IDS/HIPS are somewhat a surplus or must have weapon against malwares ? Just few plain questions and no other motives. Your inputs will be greatly appreciated.

 

Thanks yahoo for such a good and detailed reply.

 

ashishtx - you are welcome.

 

yes, that is nice.

 

The protection from these few defence applications is actually extremely strong. ShadowUser returns my system back into its original state at each reboot. This means that, even my computer is infected with a Trojan or virus, the infection would be gone after a reboot. Tiny Firewall is a combination of personal firewall and HIPS. It protects registry, processes, file system, and so on. Its function still far exceeds many HIPS available on the market, although the requirement on in-depth knowledge of Windows OS and network has limited its popularity among general public. KAV provides a good detection rate on Virus and Trojan. IMHO, each of ShadowUser, Tiny Firewall, and KAV can already build up a single layer of protection. I have been using this setup for almost two years, and I have had no infection of any form. This is actually a little bit boring, as some stimulation (infection) would make life more interesting. Of course, the most important layer in defense is the human-being (computer user). I know what I shall do on my computer for security reason. So I myself is another good layer of the defense too. My security setup works more than good enough for me. It can be bad configuration for other people though, as people have different needs and understanding of computer security.

I do not think that HIPS is a must have. Actually, I doubt the effectiveness of HIPS to many users.

 

Hi, folks: hi, yahoo, thank you very much for your very informative inputs. After reading your reply, I have gained more confidence in what i am doing presently. I have adopted a similiar approach as yours; using DeepFreeze, ZASS, as primary layers, and gradually reducing reliance on other security apps. I hope one day I will have a full confidence in this approach as you have. Thanks again.

 

With all due respect yahoo, I am surprised you feel this way, unless, of course, you feel that many users can not properly use and configure HIPS to protect their systems? Doesn't Tiny pfw have built-in HIPS, part of what makes it such an effective firewall? I'm using System Safety Monitor and based on how I have seen it perform on leaktests, I feel it is a terrific addition to one's security arsenal. It can stop malware from launching. Is this not better than trying to stop the malicious intent of malware after it has already started?

I'm not trying to challenge your statement, only asking you to clarify what you mean by it. I have my own stubborn ideas on the effectiveness of a quality HIPS (I'm sold on them) so it is difficult to accept even your take on it But clearly you have a way above average grasp on this stuff, so I feel the need to pick your brain a bit. After all, I learn far more on this forum from experts such as you and others than trying to read and comprehend painfully bland technical articles

 

for knowledgeable users, HIPS can be a great way to secure their computers. OTOH, teh average joe may not be comfortable with or fully unerstand the many prompts brought on by classic HIPS like SSM.

overall, HIPS are not a necessity. its very possible to have a secure computer without them.

 

cprtech and WSFuser, you have said exactly what I want to say.

HIPS is an excellent tool for knowledgeable users to protect their computer. The HIPS feature of TPF is exactly what makes TPF so unique to me. HIPS detects intrusion by finding the abnormal behavoir of a system compared to the normal behavoir recorded (rules made). It can not detect the malware already on the computer at the time when HIPS is installed. After the installation, HIPS software (PG, SSM, and so on) normally requires a period of time for self-learning. During this period of time, it is assumed that the system is clean and will be kept clean. Then, it requires some knowledge from the user to handle those pop-ups. To use HIPS effectively, the rules of HIPS need to be tailored down to the specific computer that it works on. What I often find out is that many people do not have enough knowledge to use HIPS. They often expect HIPS to work like Antivirus software, and they use it just as Antivirus software. They trial all kinds of software all the time and expect HIPS would catch the malware for them just like Antivirus software. I just do not feel that HIPS would be really that effective to these users other than some good feelings.

 

personally i don't think hips is a necessity, i know the idea is great because you have control of everything that is happening on your pc, but if you are knowledgeable enough to understand hips, then you know enough how to prevent from being infected. i have used the proactive the defense of kaspersky, and tried ssm free too. however all it did was bother me during installations and the only thing that was actually useful in it was that i prevented some programs editing the registry to be able to go into start up. I don't visit porn/crack/gambling sites, don't use p2p, and i never click yes without thinking about it first. Using my router firewall and having kav without proactive defense is enough for me.

 

Hi, folks: May I throw in few ? I found that using HIPS is a nuisance to those folks who use sandbox/virturalization tools. In Frozen state, every single reply to HIPS's popup alerts will be automatically wiped clean upon reboot. Next time around in Frozen mode, user has to do these all over again, what a miserable way to waste time. IMO. I think HIPS are privileged apps for experts alike.

 

Hopefully you guys understand the invaluable service a HIPS can provide: they can stop a malicious process from even getting started. Part of what makes Tiny pfw such a great firewall is that it includes a HIPS. A good HIPS can turn a relatively ordinary firewall into a powerhouse. There is quite a learning curve with a HIPS, but the same can be said about a decent firewall. If you are willing to learn how a firewall works, including all the networking concepts involved with using one, then why should it be that much more difficult to learn how a HIPS works? Having expert ability is not required. Only the desire to learn is required. Obviously the most important thing, however, is that you are happy with what you are using.

 

i know it's powerful tool, but since i've been using one i have never stopped any malware, everything was legitimate,one has malware in his pc because he's been careless. in my opinion if someone knows what he's doing and is careful i don't think it is a necessity. Don't get me wrong i'm not saying it's not useful or anything, but if you're careful i don't think you really need one

 

It depends on what virtualization tool you are using. With ShadowUser, I can have any reply to HIPS's popup alerts saved and kept upon each reboot. Also considering that you have to put the system out of frozen state in order to install some software or do some maintenance, HIPS would be helpful at such downtime of virtual shield. In frozen state, one can also freely experiment with HIPS rules without worry about permanent intrusion due to wrong HIPS rule making. So it may not be a bad idea to use HIPS with virtualization tools.

 

Security vendors would like you to believe that HIPS, IDS and IPS mean one and the same.

Network Intrusion Detection System means *passive* detection of attacks only network related (usually by signature pattern matching). For *some* attacks, or rather attempted attacks, some kind of blocking shortly after detection (aka "prevention") may be possible. Hence the term IPS (active IDS).

Unfortunately, security vendors who have come up with sandbox and virtualisation-type technologies have started using the term Host Intrusion Prevention System, even though the software has often nothing to do with network packets.

Currently mangled terms and what they (usually) mean:

H for host
N for network

IDS - most likely network related, most likely an 'active' IDS (or IPS) (your home software firewall term)
IPS - almost never refers to anything not network related, usually an application, layer 7 firewall or proxy (network hardware)
NIDS - passive, network related (not for single desktops)
HIDS - programs that keep track of application checksums (eg. MD5 hashes), not network related. eg. Tripwire

NIPS - application, layer 7 firewall or proxy
HIPS - almost never refers to anything network related, usually sandbox technologies eg. SSM

 

How does "packet sniffer" software like airpcap or wireshark helps to detect intrusion? And What actually are "packets" how can they be decoded to understand what they mean? Please correct me as i am not familiar with such terminology.

 

Hi ashishtx,..
http://en.wikipedia.org/wiki/Packet_sniffer
http://en.wikipedia.org/wiki/Packet