
Best Practice Network Security

Everyone has a view. Here's ours:

Our thoughts on effective network security

Our belief is that the following strategies are likely to offer you the best long-term, sustainable options for effective network security:

  • Deploy a comprehensive packet capture and analysis fabric across your network from the edge to the core
  • Capture 100% of your network traffic once, and reuse it where and when you need in order to provide operational teams with the tools that they need to make effective and efficient decisions
  • Use trustworthy detection engines, preferably open source as security is, after all, a community problem
  • Deploy a combination of Commercial, Custom and Community developed rules and signatures for maximum protection
  • Recognise that accurate and effective responses to threats require human intervention. Security is about technology, people and process. You cannot rely on technology alone to protect your network

Our vision for security is a distributed system that combines fast IPS devices on the edge of the network with lean rulesets to mitigate serious threats, and high-performance IDS systems monitoring the perimeter and core networks. The IDS system integrates with the IPS to provide rule updates to assist with mitigating the most serious threats in real time.

It goes without saying that even the best IDS and IPS solutions will only work when combined with the right people and processes.

The 4 biggest issues facing IDS and IPS today

Listen to Stuart Wilson, Endace CTO, talk about the big issues associated with IDS and IPS today including:

  • The 'Inconvenient Truth' about packet capture
  • Effective management of rulesets
  • The absolute need for network forensics
  • The real impact of IDS device saturation and traffic blocking

Security is a community problem

Technology doesn't solve the security problem - solutions rely on people and processes. Technology is just an enabler. The right tools and the right information empower people to make the right decisions.

Common sense suggests that security solutions cannot be developed in a vacuum. Robust security solutions must be developed for the real world in the real world with input from the real world. Time has proven that Open Source solutions gain strength and robustness through community engagement and testing.

There is now broad agreement amongst experts that the Community provides access to the largest volume of security signatures and the broadest cover for managing threats - which explains why open-source engines are rapidly becoming the IDS solution of choice for governments and enterprises and why we have elected to use SNORT and Suricata as our security engines of choice.

Open Source Rules

As a general rule, Open Source security solutions let you maintain and customise your own rule sets and review codebases to ensure that they meet your actual security requirements. Our view is that you're only as secure as your rule set - so an open book approach is absolutely essential to maintaining a strong security posture.
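The rule-set practices above (a combination of commercial, custom and community rules, a lean rule set for the edge IPS fed from the IDS, and the ability to review and customise what you run) can be put into practice with a small amount of tooling. The following Python script is an added example, not Endace's code or anything from the original page: it parses rules in the common Snort/Suricata format (header plus a parenthesised option body), reports rules missing mandatory keywords, merges three sources into one IDS set while flagging sid clashes, and derives a lean edge-IPS set. The three rule files, the local sid numbers, the "custom > commercial > community" precedence and the "explicit priority 1 becomes a drop rule" policy are all constructed assumptions for illustration.

```python
"""Constructed example: lint, merge and trim Snort/Suricata-format rule files.
The sample rules are made up (local sid range), and the precedence order and
priority-based edge selection below are assumptions, not a vendor convention."""
import re
from dataclasses import dataclass, replace as dc_replace

# Rule shape: [#]action proto src sport dir dst dport (option; option; ...)
HEADER_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass|log)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s+\((?P<opts>.*)\)\s*$")
REQUIRED = ("msg", "sid", "rev", "classtype")       # keywords every rule should carry
PRECEDENCE = ("custom", "commercial", "community")  # assumption: who wins a sid clash


@dataclass
class Rule:
    action: str
    header: str           # e.g. "tcp $EXTERNAL_NET any -> $HOME_NET 80"
    options: list         # [(keyword, value or None), ...] in original order
    source: str
    enabled: bool = True  # False when the line was commented out with '#'

    def opt(self, key):
        return next((v for k, v in self.options if k == key), None)


def split_options(body):
    """Split the option body on ';' outside double quotes; backslash escapes inside quotes."""
    tokens, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            buf += [ch, body[i + 1]]; i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tokens.append("".join(buf).strip()); buf = []; i += 1; continue
        buf.append(ch); i += 1
    tokens.append("".join(buf).strip())
    out = []
    for tok in tokens:
        if tok:
            key, sep, val = tok.partition(":")
            out.append((key.strip(), val.strip() if sep else None))
    return out


def parse_rules(text, source):
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:  # blank lines and ordinary comments are skipped
            continue
        g = m.groupdict()
        header = f"{g['proto']} {g['src']} {g['sport']} {g['dir']} {g['dst']} {g['dport']}"
        rules.append(Rule(g["action"], header, split_options(g["opts"]), source, g["disabled"] is None))
    return rules


def lint(rules):
    """One finding per missing mandatory keyword: (source, sid or None, keyword)."""
    return [(r.source, r.opt("sid"), key) for r in rules for key in REQUIRED if r.opt(key) is None]


def merge(rulesets):
    """Key the combined IDS set by sid; the higher-precedence source wins and clashes are reported."""
    merged, conflicts = {}, []
    for source in PRECEDENCE:
        for rule in rulesets.get(source, []):
            sid = rule.opt("sid")
            if sid is None:
                continue  # already reported by lint()
            if sid in merged:
                conflicts.append((int(sid), merged[sid].source, source))
            else:
                merged[sid] = rule
    return merged, conflicts


def lean_edge_set(merged, max_priority=1):
    """Enabled rules with an explicit priority <= max_priority, rewritten to 'drop' for the IPS.
    Snort/Suricata also derive a default priority from classtype; this example only honours
    an explicit priority keyword (assumption kept simple on purpose)."""
    return [dc_replace(r, action="drop") for r in merged.values()
            if r.enabled and r.opt("priority") is not None and int(r.opt("priority")) <= max_priority]


def render(rule):
    body = "; ".join(k if v is None else f"{k}:{v}" for k, v in rule.options)
    return f"{'' if rule.enabled else '#'}{rule.action} {rule.header} ({body};)"


# --- constructed sample rule files (local sids, no real vendor or ET rules) ---
COMMERCIAL = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMERCIAL Example web exploit attempt"; flow:to_server,established; content:"/example.cgi?mode="; http_uri; classtype:web-application-attack; sid:1000001; rev:2; priority:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"COMMERCIAL Example policy violation"; flow:to_server,established; content:"EXAMPLE"; classtype:policy-violation; sid:1000002; rev:1; priority:3;)
"""
COMMUNITY = """
# disabled by the maintainer, kept for reference
#alert udp any any -> any 53 (msg:"COMMUNITY Example DNS query"; content:"|01 00 00 01|"; sid:1000003; rev:1; classtype:misc-activity;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMUNITY Example web exploit attempt"; content:"/example.cgi?mode="; http_uri; classtype:web-application-attack; sid:1000001; rev:1; priority:1;)
alert tcp any any -> $HOME_NET 22 (msg:"COMMUNITY Example ssh scanner"; flow:to_server; content:"SSH-"; sid:1000004; rev:1;)
"""
CUSTOM = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CUSTOM Example scanner user-agent"; flow:to_server,established; content:"User-Agent|3a| example-scanner"; nocase; classtype:attempted-recon; sid:1000005; rev:1; priority:2;)
alert ip any any -> any any (msg:"CUSTOM Example missing sid";)
"""


def build():
    sets = {"commercial": parse_rules(COMMERCIAL, "commercial"),
            "community": parse_rules(COMMUNITY, "community"),
            "custom": parse_rules(CUSTOM, "custom")}
    merged, conflicts = merge(sets)
    return {"findings": lint([r for rs in sets.values() for r in rs]),
            "merged_sids": sorted(int(s) for s in merged),
            "conflicts": conflicts,
            "lean": [render(r) for r in lean_edge_set(merged)]}


if __name__ == "__main__":
    result = build()
    for f in result["findings"]:
        print("LINT", f)
    for c in result["conflicts"]:
        print("CONFLICT sid %d: kept %s, dropped %s" % c)
    print("IDS set sids:", result["merged_sids"])
    print("Edge IPS set:", *result["lean"], sep="\n")
```

Run as a script, it reports the community rule without a classtype, the custom rule without a sid/rev/classtype, the sid 1000001 clash (the commercial rev 2 copy is kept over the community rev 1 copy), and produces a one-rule edge set in which the single priority-1 rule has become a drop rule. The lint and conflict output is the review step the text calls for: the merged file is only as trustworthy as what you checked before loading it.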


Suricata - a new breed of security engine

Suricata is a new Open Source security engine from the Open Information Security Foundation (OISF), a community-backed initiative to develop the next generation of open source security products.

The OISF is sponsored by several leading international network security companies, including Endace, Everis and Bivio. The project has received funding from the US Department of Homeland Security's Science and Technology Directorate as part of the Homeland Open Security Technology (HOST) program, which further illustrates the commitment of the government sector to Open Source security.

Suricata is an alternative to the popular SNORT® security engine, offering a host of performance enhancements such as multi-threading and port awareness. The engine is compatible with leading ruleset providers such as Emerging Threats. Endace is actively testing the code for the first commercial deployment of Suricata later in 2010.
