2. INTRUSION DETECTION SYSTEMS (IDSs)

2.4. Common Intrusion Detection Systems Solutions and Examples

There are many intrusion detection solutions available nowadays, some of them paid and some of them free to use. Many integrated security products also bring an intrusion detection mechanism within their own software; however, these are limited to the location where they are implemented.

Depending on the type of IDS to be implemented, there are also different solutions that can be used. Among them, it is possible to highlight the widely known SNORT IDS and Suricata IDS.

Focusing on the first one, SNORT is a free-to-use open-source solution that can be installed not only by individual users, but also by companies and organizations. This IDS is centred on a set of rules that determine which network traffic should be collected and what needs to be done with the detected malicious packets. It works based on well-known vulnerability and attack signatures to build its IDS rules database and identify possible intrusions in the network.

Among its features, it is possible to highlight the real-time analysis and monitoring, where the network administrator can check all IDS monitoring results in real time, identifying detected intrusions and acting according to the needs. In addition, it also includes protocol analysis for better identification. It analyses protocols through a sniffing process that captures data at the protocol layers, enabling administrators to further examine potentially malicious packets. Moreover, SNORT groups rules by protocol, like IP and TCP, then by ports, and then by those with or without content. Rules that do have content use a multi-pattern matcher that increases performance, especially when it comes to protocols like HTTP (Hypertext Transfer Protocol). Rules that do not have content are always evaluated, which consequently reduces performance.

SNORT is an IDS able to inspect and monitor not only the packet header, but also its payload, making it possible to reduce the false positive rate of detections. It is also capable of providing alerts and flexible packet and analysis logging, giving network administrators all the information needed to properly analyse and act. It may be installed on Unix, Windows and Mac OS X systems, as long as they allow the compilation and installation of the libpcap library, used as the base for packet capture and analysis. SNORT also has a flexible architecture, allowing different installation modes and adapting to the network's needs.
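To make the rule organisation described above concrete (grouping by protocol and port, the split between content and non-content rules, and the multi-pattern pre-filter over the payload), the following is an added toy example in Python. It is not SNORT's own code: the rule syntax is a simplified subset of SNORT's, the `multi_pattern_scan` function is a small stand-in for the real engine's matcher, and the rules and packets are constructed for illustration.

```python
"""Added example, not Snort's own code: a toy model of how a Snort-style rule
set is bucketed by protocol and destination port, split into content and
non-content rules, and how content rules are pre-filtered by a single-pass
multi-pattern scan. Rule syntax, matcher and packets are simplified,
constructed stand-ins for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str            # "any" or a port number kept as text
    msg: str
    contents: list = field(default_factory=list)  # byte strings that must all occur in the payload


@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes


# Simplified rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$')


def parse_rule(text: str) -> Rule:
    """Parse one rule; options are 'key:"value";' pairs (escaped ';' is not supported here)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f'unparseable rule: {text!r}')
    msg, contents = '', []
    for opt in m.group('opts').split(';'):
        key, _, val = opt.strip().partition(':')
        val = val.strip().strip('"')
        if key.strip() == 'content' and val:
            contents.append(val.encode())
        elif key.strip() == 'msg':
            msg = val
    return Rule(m.group('action'), m.group('proto').lower(), m.group('dport'), msg, contents)


def multi_pattern_scan(payload: bytes, patterns) -> set:
    """One pass over the payload; patterns are indexed by their first byte so each
    position only tests the patterns that could start there (a small stand-in for
    the Aho-Corasick style matcher a real engine uses)."""
    by_first = {}
    for p in patterns:
        if p:
            by_first.setdefault(p[0], []).append(p)
    found = set()
    for i, b in enumerate(payload):
        for p in by_first.get(b, ()):
            if payload.startswith(p, i):
                found.add(p)
    return found


class RuleSet:
    def __init__(self, rules):
        # bucket: (proto, dst_port) -> {'content': [...], 'nocontent': [...]}
        self.groups = {}
        for r in rules:
            g = self.groups.setdefault((r.proto, r.dst_port), {'content': [], 'nocontent': []})
            g['content' if r.contents else 'nocontent'].append(r)

    def match(self, pkt: Packet) -> list:
        """Return the msg of every rule that fires on this packet."""
        alerts = []
        for port in (str(pkt.dst_port), 'any'):
            g = self.groups.get((pkt.proto, port))
            if not g:
                continue
            # rules without content have nothing to pre-filter on: always evaluated
            alerts.extend(r.msg for r in g['nocontent'])
            # rules with content: the scan picks candidates by their first content,
            # then each candidate's remaining contents are verified
            hits = multi_pattern_scan(pkt.payload, [r.contents[0] for r in g['content']])
            for r in g['content']:
                if r.contents[0] in hits and all(c in pkt.payload for c in r.contents):
                    alerts.append(r.msg)
        return alerts


# Constructed sample rules (not taken from any real rule set)
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"GET "; content:"../";)',
    'alert tcp any any -> any 80 (msg:"Admin path requested"; content:"/admin";)',
    'alert tcp any any -> any 4444 (msg:"Connection to port 4444";)',
]


def build_ruleset() -> RuleSet:
    return RuleSet(parse_rule(r) for r in SAMPLE_RULES)


if __name__ == '__main__':
    rs = build_ruleset()
    for pkt in (Packet('tcp', 80, b'GET /../../etc/passwd HTTP/1.1\r\n'),
                Packet('tcp', 80, b'GET /admin HTTP/1.1\r\n'),
                Packet('tcp', 4444, b'hello'),
                Packet('tcp', 8080, b'GET /admin HTTP/1.1\r\n')):
        print(pkt.proto, pkt.dst_port, rs.match(pkt))
```

Two things are visible when this runs: the port-4444 rule fires on any payload because it has no content to pre-filter on, and the HTTP rules never see the request sent to port 8080, since the port bucket decides which rules are even considered, which is exactly the limitation Suricata's port-agnostic protocol detection addresses.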

Similar to SNORT, Suricata IDS is also an open-source network threat detection engine that is free to use and provides different capabilities, including intrusion detection and network security monitoring, through deep packet inspection and pattern matching.

The main distinguishing feature of Suricata, when compared to SNORT, is that Suricata includes a dynamic protocol detection capability that is port agnostic. This allows the IDS to identify some of the most common application layer protocols, including HTTP, DNS (Domain Name System) and TLS (Transport Layer Security), among others, even when these communicate over non-standard ports. The rule language used allows the administrator to build matching conditions on the application layer protocol itself, improving the IDS performance and detections.
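The port-agnostic detection just described, followed by rule conditions on application-layer fields rather than on raw bytes, is illustrated by the following added example in Python. It is not Suricata's code: the protocol detectors, the field parsers, the rule format and the sample flows (including the `example-bad.test` domain) are simplified, constructed stand-ins, and a real engine recognises many more protocols and fields.

```python
"""Added example, not Suricata's own code: port-agnostic application-layer
protocol detection from the first client payload bytes, followed by rule
conditions evaluated on parsed application-layer fields instead of raw bytes.
Detectors, parsers, rules and flows are simplified, constructed stand-ins."""
import struct


def _dns_name(payload: bytes, offset: int):
    """Walk DNS labels starting at offset; return (name, next_offset), or
    (None, offset) when the bytes do not form a plain (uncompressed) name."""
    labels = []
    while offset < len(payload):
        n = payload[offset]
        offset += 1
        if n == 0:
            return '.'.join(labels), offset
        if n >= 64 or offset + n > len(payload):
            return None, offset
        labels.append(payload[offset:offset + n].decode('ascii', 'replace'))
        offset += n
    return None, offset


def detect_protocol(payload: bytes) -> str:
    """Classify a client-to-server payload by its shape; the port is never consulted."""
    if payload.startswith((b'GET ', b'POST ', b'HEAD ', b'PUT ', b'DELETE ', b'OPTIONS ')):
        return 'http'
    # TLS record: content type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return 'tls'
    # DNS query: 12-byte header with QR=0, exactly one question and a well-formed name after it
    if len(payload) >= 12:
        _id, flags, qd, an, ns, _ar = struct.unpack('!HHHHHH', payload[:12])
        if flags & 0x8000 == 0 and qd == 1 and an == 0 and ns == 0:
            if _dns_name(payload, 12)[0] is not None:
                return 'dns'
    return 'unknown'


def parse_app_layer(proto: str, payload: bytes) -> dict:
    """Expose the few fields the sample rules match on (a tiny subset of a real parser)."""
    if proto == 'http':
        lines = payload.split(b'\r\n')
        parts = lines[0].decode('ascii', 'replace').split(' ')
        fields = {'method': parts[0], 'uri': parts[1] if len(parts) > 1 else ''}
        for line in lines[1:]:
            if line.lower().startswith(b'host:'):
                fields['host'] = line[5:].strip().decode('ascii', 'replace')
        return fields
    if proto == 'dns':
        return {'query': _dns_name(payload, 12)[0]}
    if proto == 'tls':
        return {'record_version': '%d.%d' % (payload[1], payload[2])}
    return {}


# Constructed rules: each names an application protocol and, optionally, a substring
# that a parsed field must contain, or the ports on which that protocol is expected.
SAMPLE_RULES = [
    {'msg': 'HTTP request for admin path on any port', 'app_proto': 'http',
     'field': 'uri', 'content': '/admin'},
    {'msg': 'DNS query for known bad domain', 'app_proto': 'dns',
     'field': 'query', 'content': 'example-bad.test'},
    {'msg': 'TLS ClientHello on unexpected port', 'app_proto': 'tls',
     'expected_ports': {443, 8443}},
]


def inspect(dst_port: int, payload: bytes):
    """Return (detected protocol, alert messages) for one client payload."""
    proto = detect_protocol(payload)
    fields = parse_app_layer(proto, payload)
    alerts = []
    for rule in SAMPLE_RULES:
        if rule['app_proto'] != proto:
            continue
        if dst_port in rule.get('expected_ports', ()):
            continue
        if 'content' in rule and rule['content'] not in (fields.get(rule['field']) or ''):
            continue
        alerts.append(rule['msg'])
    return proto, alerts


def build_dns_query(name: str) -> bytes:
    """Constructed DNS A query for name (header, question name, QTYPE=1, QCLASS=1)."""
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack('!HH', 1, 1)


# Constructed flows: (destination port, first client payload); none uses its standard port.
SAMPLE_FLOWS = [
    (8080, b'GET /admin/config HTTP/1.1\r\nHost: intranet.example\r\n\r\n'),
    (80, b'\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03' + b'\x00' * 32),
    (5300, build_dns_query('c2.example-bad.test')),
    (8000, b'GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n'),
]


def inspect_all(flows=SAMPLE_FLOWS):
    return [(port, *inspect(port, payload)) for port, payload in flows]


if __name__ == '__main__':
    for port, proto, alerts in inspect_all():
        print(port, proto, alerts)
```

The HTTP rule fires on port 8080 and the DNS rule on port 5300 because the protocol is decided from the payload, and the TLS rule shows the other direction of the same idea: a ClientHello is unremarkable on 443 but worth an alert on port 80. The rule conditions reference parsed fields (`uri`, `query`), so a match on `/admin` cannot be triggered by the same bytes appearing in, say, a header value.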

Suricata monitors network traffic using an extensive rule database, as SNORT does, and also bases its rules on well-known vulnerability and attack signatures. Although Suricata was built on a different architecture and is much more recent than SNORT, both solutions can use the same threat signatures. A key difference is that Suricata has a multi-threaded architecture, allowing the use of multiple CPU cores at once and, consequently, resulting in higher performance when compared to other solutions. Using multiple CPUs makes it possible for Suricata to process multiple events at the same time, without having to interrupt other requests or compromise other analyses, balancing the load across the CPUs and improving the performance of network traffic analysis.

This IDS solution can be used in three different roles. The simplest one is to set it up as a host-based IDS, monitoring the traffic of an individual computer. It can also be implemented as a passive IDS, monitoring all the traffic that goes through a network and notifying the network administrator when it comes across anything malicious. The third and last role is when Suricata is implemented as an active inline IDS and IPS (Intrusion Protection System), monitoring inbound and outbound traffic, making it possible to block malicious traffic even before it enters the network, while alerting the network administrator about this action.

Like SNORT, Suricata is also available for UNIX, Windows and Mac OS X systems.

As mentioned before, not all IDS solutions are suitable for every system or network, and the network administrator must select the solution that best fits the network's needs and particular characteristics.

The previous examples are mostly suitable for implementation on an ordinary computer network, and are also the most common solutions used by organizations and companies nowadays. However, when the focus is on intrusion detection in critical infrastructures, which rely on specific network protocols and where a simple communication interruption may have drastic consequences, IDSs must be carefully chosen and implemented.

Some scholars state that a dedicated solution is a must, and that state-based IDSs, together with machine learning IDSs, may be the future of critical infrastructures' protection. A good example is the solution developed by (Al-Malawi et al., 2016), which focuses on a data-driven clustering technique to extract state-based rules and detect attacks in Modbus/TCP networks, without prior knowledge of the systems' specifications. It is important to highlight, though, that sensitive and critical systems, such as SCADA in WDS (water distribution systems), always have fully detailed documentation.