Intrusion Detection Program

How secure is your network from the possibility of unwanted intrusions? Are you confident that your systems are protected against the loss of valuable information to unauthorized hackers, or against internal attempts at policy violations?

GUS Networks' Intrusion Detection Program is designed to help you answer those questions, and to provide an early-response program that notifies you of attempted break-ins and other security compromises that may occur.

The advanced Intrusion Detection and response program that GUS uses will assist you when a break-in or a compromise is attempted. It allows you to monitor all your network connections (i.e. traffic) in real time and to observe the content of any suspicious activity that takes place. Although it is not an automatic intrusion detection system, as an added benefit it does include an alarm system that activates when certain transactions take place.

This program puts the means to determine exactly what happened at your disposal. As part of the investigation, you will also have help in restoring your network and preventing further compromise. You can also collect evidence needed for prosecution. This program offers a comprehensive set of reporting and graphing features that will assist you with post-mortem compromise analysis, fraud, waste and abuse audits and network administration.

It is assumed that the users have a basic idea of what constitutes suspicious activity on their networks, yet the program gives you the option of viewing connections by "Interest Level." It is specifically designed to give you advanced tools to investigate that activity and then take action to stop the attack (take over or terminate the connection).

Network administrators benefit from incorporating this program into their security program because it is a logical and affordable complement to some of the other tools that they may already have in place. For example:

  • It supplements the authentication program, which can be circumvented through session hijacking or a backdoor left by a hacker. It can reveal both of these activities.
  • Firewalls do not stop attacks originating internally or identify internal fraud, waste and abuse, but this program does. Indications of a firewall compromise will be evident in its data display.
  • An automatic intrusion detection system (IDS) may tell you when something is amiss, but this program gives you the means to do something about it.
  • New vulnerabilities crop up every day, but this program can give you an indication of a compromise resulting from a vulnerability your network scanner may have missed.

Real-time Monitoring

It can interpret connections for telnet, rlogin, ftp, smtp, smb, rsh and http. Initially, the program presents you with a completely customizable interface listing the connections established on the network. The Main Window will display a Major List of protocols, source or destination IP addresses, and a Minor List containing all active connections. You can also specify the types of connection data displayed in the Minor List - source and destination IP address/port/host, start and end times, and last transaction, which can all be sorted, eliminated or moved as part of the interface.

Reporting and Graphing

It has the capability to assist with post-mortem investigation with its extensive logging and reporting features. You can investigate every connection from the initial connection information (IP addresses, ports, timing) down to the packet headers.

The real-time monitoring program collects logs of the data going over the network (and can generate "meter-like" real-time graphs of transactions and protocols); these logs can then be saved and reread through the logging and reporting features. Graphs and charts can be generated over specific time slices of the packet data, and the logs can be merged and filtered for future use. You will be able to select the types of data you would like to view, which helps to eliminate unnecessary information.

The charts you will be able to produce include alarms triggered, protocols used by machine, services used by host and hosts listed by transaction.

Available graphs

  • Protocol Usage
  • Transaction Type
  • Number of Alarms and type
  • Source and Destination hosts
  • Protocol-specific graphs of:
      • URLs referenced / viewed
      • FTP sites and files referenced
      • Mail usage and traffic

You have a choice of bar charts, line graphs, or pie charts. See the following examples:

A Sample Bar Chart

A Sample Pie Chart

Active countermeasures

If you choose to view the data in real time, you will have the option of engaging the manual intrusion response techniques: taking over a connection, sending a message to the user, or terminating a connection. The viewing option for raw data shows the packets as parsed by tcpdump.

Alarms

Using the Alarm Window, you can set alarms to be triggered by an action that occurs in relation to the following data: protocol, IP address(es), port, or transactions defined by a Handler. Typical transactions that may warrant an alarm are ftp (command, user name, getfile), mail (from, to, subject, DNS or host name) or http (put or URL request).

The Set Alarms Window

Alerting methods

The configurable alarm system can alert you via the following methods of your choice:

  • Send email
    You can be notified by an email containing the connection information.
  • Kill connection
    This option can be used to restrict certain activities, such as access to certain sites.
  • Beep the interface
    The alarm system can alert your terminal using audio.
  • Run specified program
    This option can be used to set off your beeper when an alarm is triggered.
  • Log connection
    If you have chosen not to log all your connections, you can use this function to automatically log certain critical connections.

Filtering

Real-time

You can specify the type and amount of data to be monitored using the user-friendly, "out-of-the-box" interface, which allows you to adapt many functions to your needs, from the transactions the program recognizes to the transactions it deems suspicious. Its Main Window allows you to sort connections by protocol, IP source and destination address, start and end time, and source and destination port. Since you understand your network better than anyone else, it makes sense to let you adjust the functionality of a tool that will be used on your network.

See the following example:

Output Filters Window

Logging/Reporting

In order to create useful and comprehensive reports, it allows you to merge and filter logs collected by the real time monitoring segment of the program.

Five viewing options

You can choose between five viewing options: real-time playback, "VCR" playback (see below), server view, client view, or raw data packets for a particular transaction; each opens a Data View Window. Data View Windows can be generated for more than one connection at a time, allowing you to view multiple connections simultaneously.

  • Real-Time Playback
    The Real Time Playback presents a real-time view of the connection data as it would appear over a VT100 window. It offers the user the option to take over a connection, terminate a connection, or send a message to a client.
  • "VCR" Playback
    The VCR-type Playback presents a similar view, except you can rewind, fast forward, or pause the connection playback.
  • Server View
    The Server View presents the data from the server's point of view in a scrolling window.
  • Client View
    The Client View presents the data from the client's point of view in a scrolling window.
  • Packet Dump View
    The Packet Dump View displays the packet headers and flags as well as the hex dump of the packet data.

Viewing by risk level

Upon selecting a connection to be monitored, a Transaction List Window detailing all the transactions for the chosen connection will be generated. This window will include a "risk factor threshold" which allows you to display only the transactions of the Interest Levels that are of importance to you. The Interest Level is rated 1 (least suspicious) to 10 (most suspicious).

Initially, the program comes complete with default settings that define "risk levels" for each type of transaction that occurs over your network. These settings are the results of years of experience with intrusion detection.
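To make the Alarm Window and "risk factor threshold" behaviour described above concrete, here is a small added example, not GUS's code and not the product's real rule syntax or defaults. It models a handler-parsed transaction, an alarm rule keyed on protocol, IP address or netblock, port, or transaction type with the five alerting methods listed under "Alerting methods", and a Transaction List filtered by an Interest Level threshold (1 least suspicious, 10 most). The field names, the default interest table and the sample transactions and rules are all constructed for the example.

```python
"""Added example: a toy alarm and Interest Level engine modelled on the page's
description. Not GUS's code; names, defaults and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    """One handler-parsed transaction inside a monitored connection (constructed shape)."""
    proto: str     # telnet, ftp, smtp, http, ...
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port
    kind: str      # handler transaction type, e.g. "ftp.getfile", "http.put"
    detail: str    # argument: user name, file, URL, mail subject, ...


# Constructed placeholder defaults (1 = least suspicious, 10 = most suspicious).
# These are NOT the product's real default risk levels.
DEFAULT_INTEREST = {
    "ftp.command": 2, "ftp.user": 3, "ftp.getfile": 5,
    "mail.from": 1, "mail.to": 1, "mail.subject": 2,
    "http.url": 1, "http.put": 7,
    "telnet.login": 4,
}


def interest_level(txn: Transaction, overrides=None) -> int:
    """Interest Level 1..10: site overrides win over defaults; unknown kinds rate 1."""
    table = {**DEFAULT_INTEREST, **(overrides or {})}
    return table.get(txn.kind, 1)


def transaction_list(txns, threshold: int, overrides=None):
    """Transaction List Window: only transactions at or above the risk factor
    threshold, most suspicious first."""
    kept = [t for t in txns if interest_level(t, overrides) >= threshold]
    return sorted(kept, key=lambda t: -interest_level(t, overrides))


# The page's five alerting methods: send email, kill connection, beep the
# interface, run a specified program, log the connection.
ALERT_ACTIONS = ("email", "kill", "beep", "run", "log")


@dataclass(frozen=True)
class AlarmRule:
    """An alarm keyed on protocol, IP address/netblock, port, or handler transaction.
    Every criterion that is set must match; unset criteria are wildcards."""
    name: str
    actions: Tuple[str, ...]
    proto: Optional[str] = None
    ip: Optional[str] = None      # single address or CIDR; matches src or dst
    port: Optional[int] = None
    kind: Optional[str] = None
    detail_substr: Optional[str] = None

    def matches(self, t: Transaction) -> bool:
        if self.proto is not None and t.proto != self.proto:
            return False
        if self.ip is not None:
            net = ip_network(self.ip, strict=False)
            if ip_address(t.src) not in net and ip_address(t.dst) not in net:
                return False
        if self.port is not None and t.dport != self.port:
            return False
        if self.kind is not None and t.kind != self.kind:
            return False
        if self.detail_substr is not None and self.detail_substr not in t.detail:
            return False
        return True


def evaluate_alarms(txns, rules):
    """Run every rule over every transaction and return the (rule name, action,
    transaction) triples that fire, in order. A real deployment would dispatch each
    action (send mail, reset the connection, beep, exec a program, write a log line);
    here the dispatch is recorded so it can be inspected."""
    fired = []
    for t in txns:
        for r in rules:
            if r.matches(t):
                for a in r.actions:
                    assert a in ALERT_ACTIONS, f"unknown alerting method {a!r}"
                    fired.append((r.name, a, t))
    return fired


# Constructed sample transactions from a few monitored connections.
SAMPLE_TXNS = [
    Transaction("telnet", "198.51.100.7", "10.0.0.3", 23, "telnet.login", "operator"),
    Transaction("ftp", "10.0.0.5", "10.0.0.9", 21, "ftp.user", "anonymous"),
    Transaction("ftp", "10.0.0.5", "10.0.0.9", 21, "ftp.getfile", "customer_list.csv"),
    Transaction("http", "10.0.0.12", "10.0.0.20", 80, "http.url", "/index.html"),
    Transaction("http", "10.0.0.12", "10.0.0.20", 80, "http.put", "/uploads/notes.txt"),
    Transaction("smtp", "10.0.0.4", "10.0.0.25", 25, "mail.subject", "Q3 payroll"),
]

# Constructed sample rules: external telnet, FTP downloads, HTTP PUTs, sensitive mail.
SAMPLE_RULES = [
    AlarmRule("external telnet", ("email", "log"), proto="telnet", ip="198.51.100.0/24"),
    AlarmRule("ftp download", ("log",), kind="ftp.getfile"),
    AlarmRule("http put", ("kill", "beep"), kind="http.put"),
    AlarmRule("payroll mail", ("email",), kind="mail.subject", detail_substr="payroll"),
]

if __name__ == "__main__":
    for t in transaction_list(SAMPLE_TXNS, threshold=5):
        print(f"level {interest_level(t)}: {t.kind} {t.detail}")
    for name, action, t in evaluate_alarms(SAMPLE_TXNS, SAMPLE_RULES):
        print(f"alarm '{name}' -> {action}: {t.proto} {t.src} -> {t.dst}:{t.dport}")
```

Raising the threshold hides the low-interest noise (the anonymous FTP login and the plain page fetch) while keeping the HTTP PUT and the file download; passing an override such as `{"telnet.login": 8}` is how a site that knows its own network would promote a transaction type the defaults rate modestly.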

GUS' Intrusion Detection Programs can be designed to be installed on a server at your location for full-time, in-house monitoring, or GUS can design a program in which GUS' engineers provide a monthly management service for maximum coverage.

Intrusion Detection Program pricing varies depending on the number of Class C networks and on the scope of the particular program. Call today for an assessment and a no-obligation proposal.

626.330.2003 ask for Sales
www.gus.net


Copyright 2000. GUS Networks, Inc. All Rights Reserved.