Author: Cory Buford
Being connected to the Internet means exposure to what the outside world has to offer — including the undesirable elements. Every time you connect to the Internet, you’re exposed to threats that can compromise your network’s security. Although network security solutions have evolved in recent years, so have network attack techniques. To prevent ever-evolving attacks from compromising your network, you must preemptively block malicious traffic before it enters your network. Free, open source programs, such as Snort, can do the job, but setting up a full intrusion detection system (IDS) sensor, especially in an enterprise network, takes time and isn’t very user-friendly. StillSecure’s Strata Guard Free can be your front line of defense to face outside threats without as much hard work.
Based on Snort technology, Strata Guard can act as an intrusion prevention system (IPS) or an IDS. With its frequently updated attack signature database, Strata Guard protects your network from new emerging threats. Its Web-based GUI management and reporting capability lets you set up your network security in minutes to keep you well informed in real time.
The free edition, which is most appropriate for individuals or small businesses, has some limitations, the main one being that it allows a maximum of 5Mbps of throughput over its outside connection. It offers no support for autodiscovery of devices on the network, high availability bypass switching (allowing Strata Guard to forward packets to a switch when there is a problem), or multinode management (for multiple Strata Guard devices). You have to manually update the signatures and the database content, including traffic logs of all attacks, threats, and benign traffic, since they have a maximum expiration of only seven days — which can be short, especially when you’re analyzing traffic to further optimize the security. This could also limit your security auditing, since you can only retain the attack pattern logs for the past seven days. If any of these features are important to you, you should instead consider a commercial version (SMB, Enterprise, or GigE).
The latest stable version of Strata Guard Free, 4.5, was released in 2005. A beta version 5 is also available. Strata Guard must run on a machine with a Pentium 4 with at least a 1.4GHz processor (2.0GHz recommended), a minimum of 512MB of RAM (1GB recommended), and at least 10GB of disk space (36GB recommended). It can run on a machine with a 10/100 NIC, but a 1Gb NIC is recommended for better performance.
Strata Guard operates in two modes: Standard and Gateway. In Standard mode, Strata Guard performs only IDS functions. It cannot prevent intrusion but merely detects it and forwards the firewall policy necessary to automatically configuring external firewalls like Cisco or Juniper Netscreen, depending on the threats or attacks it detects. It has built-in support for firewalls such as Cisco PIX, Juniper NetScreen, Check Point, and Linux iptables, but it supports only certain operating system and firmware versions of the aforementioned firewalls — refer to the documentation. If your network does not already have a firewall, you should use the Gateway mode. For this mode, you need at least two NICs: one for management and one for traffic.
Strata Guard also includes its own built-in firewall. In Gateway mode, Strata Guard prevents as well as detects intrusion. Gateway mode requires at least three NICs: one for management, one for traffic, and one to bridge the internal network. For details on proper physical deployment, check Strata Guard’s installation guide.
Deployment
To begin, download the latest release from the Strata Guard site; you must register first before downloading. Select either an ISO bootable CD or a VMware image. Once you download, you’ll receive a Strata Guard Free license key, which will enable Strata Guard functionalities. You get a limited functionality license, which doesn’t expire, for the free edition. I downloaded the ISO image and installed it on a VMware machine that met the recommended hardware specifications.
The installation process is straightforward. You’ll have to enter common network parameters, such as the IP address for the management interface, the DNS, hostname, and time zone. Enter a root password and a database password, then wait for the installation to finish, and restart the machine.
You can log in once Strata Guard finishes loading its services. If you need to edit initial settings, such as the IP address of the management interface, you can enter the console using the root account and make your changes. Then, to proceed with the configuration, enter https://address of Strata Guard server
in a browser. On your first time logging in you’ll be asked to enter a new username and password.
The initial configuration takes only a few minutes. Enter your license key, then configure the management interface, its address if necessary, and the outside interface. Next, set the mode of Strata Guard to either Standard or Gateway. If you choose Gateway mode, as I did, you will also have to specify the default firewall policy. The policy can be responsive (block the source), preemptive (block the content), or both. Finally, specify the email address to which Strata Guard sends its notifications. After you apply the settings, the Strata Guard box restarts. Note that if you configure Strata Guard in Gateway mode, the interface that connects to the internal network will appear under the System tab in Configure System. On that screen appears you should enter the network interface to use for traffic analysis — that is, your internal network — since you want to analyze all traffic and prevent threats going to this interface.
In just 10 to 20 minutes, including the installation, I was able to set up an IDS/IPS box. After the configuration, the activity monitor listed some malicious activities and awaited my decision on how to proceed. While some were real JPEG exploits when accessing Web sites, others were ICMP floods that I generated to test the level of detection. Strata Guard detected all minor to critical attacks and exploits that were in its pattern database. For added security, when you are prompted to decide whether to allow or block a certain threat or vulnerability, the default is set to deny access while awaiting your decision.
A quick-tune feature optimizes the firewall policies depending on the OS running, the Web service (such as Internet Information Server or Apache), and false positives you want to prevent (like false positives caused by ICMP and SMTP HELO). While ICMP and SMTP HELO themselves are not false positives, they can both be used in attacks, like flooding, and can be detected as an attack. However, the traffic generated by the two can also be legitimate — such as SMTP HELO caused by legitimate bulk email or lots of ICMP traffic caused by regular communication with your site. Since the detection system will commonly interpret too much ICMP or SMTP HELO traffic as an attack, Strata Guard includes an option for optimizeing its policies to accept this form of traffic with your permission. After initial optimization, watch how Strata Guard detects those intrusions and vulnerabilities. Since Strata Guard works so well, you should manually observe its performance in the beginning to make any necessary adjustments to the rules, to prevent it from being too aggressive.
Management
After you optimize the firewall policies, you’re given the option to take specific action for each intrusion detected. Intrusion events are classified as either direct attacks, recon attacks, suspicious traffic, or connection attempts. Most Web vulnerabilities are classified as suspicious, while distributed denial of service (DDoS) attacks and even peer-to-peer traffic can be considered direct attacks. Strata Guard blocks most serious intrusions (such as DDoS attacks and viruses) automatically, but it prompts for a decision from you regarding vulnerabilities, such as Web JPG vulnerabilities. Once you specify an action for an intrusion event, that action will be added to your list of firewall policies. The policies are specific to the source and destination of that intrusion or vulnerability. This provides flexibility, especially when you want to allow specific trusted sites to access your network with some minor vulnerability. You can apply automatic action to a specific intrusion rule regardless of source or destination by changing its action settings in the Rules Summary on the right side of the management interface. If the rule you want is not available, you can create a custom rule.
After I configured some specific attacks, I tested Strata Guard. First, I tested to see if it would block worm or autoinstaller attacks such as are common on pornographic and warez sites. Upon browsing these sites, Strata Guard detected a malicious installer or worm, which it blocked automatically. To ensure that it really worked, I ran an updated Kaspersky Lab virus check on my station that I use for browsing, and no virus or worm was detected. I also tried to use peer-to-peer software like Limewire, and Strata Guard detected and blocked it also.
Strata Guard can detect other intrusion events, such as Web page vulnerabilities, and it’s up to you to decide whether to block them. Strata Guard can generate a report of intrusion activities as a list or graph optimized for printing. You can choose the time or date of the data that the report is created from, and you can choose whether it reports by attack details, category, destination, protocol, and so on. This reporting capability makes it easy to analyze intrusion events happening on your network. For the report tool to run properly, you must install a Java runtime environment.
Although management of Strata Guard is simple enough, it does take some time to fully optimize the security policies and performance. You must decide which intrusions and vulnerabilities you want to block or exempt and which sites you want to exclude. With the frequently updated rules database, false positives are reduced but not completely eliminated. Security devices and software like Strata Guard tend to do their job so vigorously that they sometimes block legitimate traffic. Remember to not only keep an eye out for intrusions, but keep an eye out for occasional false positives as well.
Conclusion
If you’re planning on using Strata Guard on a small network, then you’re lucky enough to have it for free. If you need to use it with enterprise-sized environments, then the free edition might not be enough. Features like autodiscovery may make buying the commercial version worthwhile anyway. Strata Guard features simple configuration and management, though you still need to optimize any security system to meet your specific requirements.
Category:
- Security