
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


StillSecure Strata Guard SMB IDS/IPS

Verdict

A comprehensive and effective IPS using proven technology that requires very little attention once set up

Review Date: 10 Nov 2006

Price when reviewed: + $500 annual maintenance (exc VAT)

Overall Rating
4 stars out of 6

StillSecure's Strata Guard is a combination of StillSecure's hardened Linux and the well-known Snort Intrusion Detection software. This is coupled with proprietary components to provide a comprehensive protection system capable of detecting known intrusion attempts and exploits, and defending against DDoS attacks.

The SMB version of the software is suitable for sites needing less than 10Mb/sec throughput. It can operate as either an intrusion detection system (IDS) or as an intrusion prevention system (IPS), using either two or three network interface cards. In IPS (gateway) mode, it can generate and install firewall rules automatically into a compatible system such as Check Point's Firewall-1. If you don't have a compatible firewall, it's possible to configure the software to use its own internal Linux iptables instead. StillSecure provides customised Snort rules that can be downloaded automatically at hourly intervals, so that the system can continue to detect and prevent intrusion exploits from both sides of the firewall.

The default configuration will monitor traffic on all networks. Subnetworks and individual host machines can be excluded, and individual hosts can have their own specific attack responses. Traffic filters can be applied as well.

The system learns your requirements by flagging up suspect traffic for attention and suggesting possible actions, while providing detailed information about each alert to ensure the correct decision is made. There are a number of preconfigured rules available, and the learning process can be sped up by specifying some or all of them as "pre-emptive". A pre-emptive rule will be applied automatically and will never expire, although it can be deleted manually. Other rules can be "responsive", only being applied when specified conditions occur. A responsive rule is removed after a specified interval. Both types of rule can be applied to a given attack profile, which allows the system to respond to an attack from a host by dropping the packet and then blocking all further traffic from it.

The administration interface, which needs Internet Explorer 6, gives access to the entire system configuration, alerting and reporting options, and offers performance graphs through Java applets. Although this is the primary control interface, the system also offers email alerting and SNMP notifications when attacks are detected. The reporting subsystem can provide detailed attack activity reports under many headings. These can be scheduled, generated automatically and distributed by email. Ad hoc reports can also be created. Support is provided by email and telephone, while updates and FAQs are available from StillSecure's website.

We put the software through its paces and ran a number of well-known exploits, which it detected. When we installed it in a live network, we discovered a number of suspicious activities associated with websites, and although most were simply web bugs there were some more serious exploits that it blocked.

StillSecure Strata Guard's modest hardware requirements and clear documentation make it possible to install and configure an effective system in less than an hour. If you have a machine that needs intrusion prevention, Strata Guard is well worth considering.

Author: Ian Parsons
