Castleforce IT Security Team

Intrusion Detection

Local authorities that have not formally undertaken host or network intrusion detection should state in their LA action plan whether, and if so when, they intend to implement an intrusion detection system (IDS). All network IDS sensors must be connected using approved one-way TAPs (see GCSX 9.4 below).

GCSX No 9.1 Intrusion Detection

Intrusion detection mechanisms are RECOMMENDED to be in place to identify potential attacks.

GCSX No 9.2 Intrusion Detection

If implemented, it is RECOMMENDED that intrusion detection measures monitor for intrusions both within the organisation's domain and between the organisation's domain and connected networks.

GCSX No 9.3 Intrusion Detection

If implemented, it is RECOMMENDED that intrusion detection mechanisms include a signature-based network and host Intrusion Detection System (IDS).

GCSX No 9.4 Intrusion Detection

If implemented, network-based intrusion detection services MUST be connected to a one-way (Data-In Nothing-Out) network port so that they cannot themselves be used as a point of compromise for the network.

GCSX No 9.5 Intrusion Detection

If implemented, network-based intrusion prevention services may require an inline connection within the network. In this case, organisations MUST ensure that the architecture and configuration of the IPS limit access to the management stations to authorised users only.


Network Intrusion Detection (IDS)

Intrusion detection can be implemented on the host (end point) or on the network (gateway). It is intended as an additional layer of security that inspects the data passing through in order to find malicious activity.

Because GCSx CoCo requires one-way TAPs for network IDS, a gateway (network) IDS fed from a TAP is needed to see all of the traffic passing through the network. In practice this means the sensor's monitoring interface carries no IP address and has no transmit path onto the monitored link, and the sensor is administered over a separate management interface on an administrative network. That separation is what stops the monitoring point being used as a way back into the network (GCSX 9.4) and keeps management access restricted to authorised users (GCSX 9.5).

The intrusion detection appliances available from Stonesoft are recommended by ICSA Labs and the PCI DSS review board. The IDS products are highly scalable and are available as hardware or virtual (VMware Certified) appliances.

StoneGate IPS detects and stops hostile traffic and helps you meet regulatory compliance, including PCI-DSS.

Features that set the StoneGate IDS/IPS apart:

  • Transparent Layer 2 firewall: applies access rules as well as inspection rules
  • Fully centrally managed (not a web GUI or CLI): drag-and-drop policy, fail-safe remote updates and upgrades
  • Inline serial clustering to boost IDS/IPS inspection performance

Juniper Networks IDP Series Intrusion Detection and Prevention Appliances offer the latest capabilities in network intrusion prevention to protect the network from a wide range of attacks. Using industry-recognised stateful detection and prevention techniques, the IDP Series provides zero-day protection against worms, trojans, spyware, keyloggers and other malware.


Network Access Control Partners

ForeScout Technologies (NAC and IPS): ForeScout's clientless network access control (NAC) solutions enable customers to gain control over network security without disrupting end-user productivity. ForeScout's CounterACT combines NAC and signature-less intrusion prevention in a single network appliance that interrogates and controls the access of every device and integrates with existing IT infrastructure. ForeScout's NAC is transparent to users and lets enterprises tailor enforcement to the severity of the policy violation, avoiding disruption while a device is being interrogated.


Host or End Point IDS/IPS

Bit9 provides application whitelisting, real-time configuration audit and change control. Bit9 Parity (application whitelisting) stops malicious and unauthorised software by blocking viruses, Trojans, application exploits, custom attacks, zero-day threats and more: only software that has been explicitly approved is allowed to execute.



Definition of Intrusion Detection 

Software or hardware used to identify and alert on network or system intrusion attempts. An IDS is composed of sensors that generate security events; a console used to monitor events and alerts and to control the sensors; and a central engine that records the events logged by the sensors in a database and applies a system of rules to generate alerts in response to the security events detected.
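The definition above (sensors, console, engine, rule set) maps directly onto code. The following is an added example written for this page, not code from any product or from GCSx: a minimal signature-based engine fed by a network sensor, which only reads what the TAP hands it, and a host sensor parsing sshd authentication failures, with alerts recorded in an in-memory SQLite table standing in for the alert database. The rule fields, sensor names, sample packets and auth-log lines are all constructed for illustration; the threshold rule shows why the engine keeps state rather than alerting on every matching event.

```python
import re
import sqlite3
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One security event as emitted by a sensor (network tap or host agent)."""
    sensor: str     # which sensor saw it, e.g. "tap-dmz" or "host-web01"
    src: str        # source IP address
    dst: str        # destination IP address or hostname
    dport: int      # destination port
    payload: bytes  # captured application data, or the raw log line


@dataclass(frozen=True)
class Rule:
    """A signature: every field that is set must match for the rule to fire."""
    sid: int
    msg: str
    dport: Optional[int] = None
    content: Optional[bytes] = None  # literal byte match, like Snort's 'content'
    regex: Optional[str] = None      # regular expression over the payload text
    threshold: int = 1               # fire once the same src has matched N times

    def matches(self, ev: Event) -> bool:
        if self.dport is not None and ev.dport != self.dport:
            return False
        if self.content is not None and self.content not in ev.payload:
            return False
        if self.regex is not None:
            if not re.search(self.regex, ev.payload.decode("utf-8", "replace")):
                return False
        return True


class Engine:
    """Central engine: runs the rules over events and records alerts in a database."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)
        self.db = sqlite3.connect(":memory:")  # in-memory stand-in for the alert database
        self.db.execute("CREATE TABLE alerts (sid INTEGER, msg TEXT, sensor TEXT, "
                        "src TEXT, dst TEXT, dport INTEGER)")
        self.counts: Counter = Counter()  # (sid, src) -> matching events seen so far

    def process(self, events: Iterable[Event]) -> int:
        """Evaluate every rule against every event; returns the number of alerts raised."""
        raised = 0
        for ev in events:
            for rule in self.rules:
                if not rule.matches(ev):
                    continue
                key = (rule.sid, ev.src)
                self.counts[key] += 1
                if self.counts[key] == rule.threshold:  # alert once, when the threshold is hit
                    self.db.execute("INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?)",
                                    (rule.sid, rule.msg, ev.sensor, ev.src, ev.dst, ev.dport))
                    raised += 1
        self.db.commit()
        return raised

    def alerts(self) -> List[Tuple[int, str, str, str]]:
        """What the console would show: (sid, msg, sensor, src) in the order raised."""
        return self.db.execute("SELECT sid, msg, sensor, src FROM alerts ORDER BY rowid").fetchall()


def network_sensor(packets: Iterable[Tuple[str, str, int, bytes]]) -> Iterable[Event]:
    """Network sensor behind a one-way tap: it only consumes captures and never transmits."""
    for src, dst, dport, payload in packets:
        yield Event("tap-dmz", src, dst, dport, payload)


AUTH_LINE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def host_sensor(hostname: str, log_lines: Iterable[str]) -> Iterable[Event]:
    """Host sensor: turns sshd authentication failures into events keyed by remote address."""
    for line in log_lines:
        m = AUTH_LINE.search(line)
        if m:
            yield Event(f"host-{hostname}", m.group(1), hostname, 22, line.encode())


RULES = [  # hypothetical signatures, numbered in the local (>1,000,000) range
    Rule(1000001, "WEB-ATTACK /etc/passwd path traversal", dport=80, content=b"/etc/passwd"),
    Rule(1000002, "SSH brute force: 5 failed logins from one source", dport=22,
         regex=r"Failed password", threshold=5),
]

# Constructed sample input: three captured packets and a slice of an auth log.
PACKETS = [
    ("198.51.100.7", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("198.51.100.7", "10.0.0.5", 80, b"GET /../../../etc/passwd HTTP/1.1\r\n"),
    ("198.51.100.7", "10.0.0.5", 443, b"/etc/passwd"),  # wrong port: rule 1000001 stays silent
]
AUTH_LOG = [f"Jan 12 10:00:{i:02d} web01 sshd[412]: Failed password for root "
            f"from 203.0.113.9 port 5{i:04d} ssh2" for i in range(6)]
AUTH_LOG.append("Jan 12 10:01:00 web01 sshd[413]: Failed password for invalid user admin "
                "from 203.0.113.10 port 40001 ssh2")


def demo() -> List[Tuple[int, str, str, str]]:
    engine = Engine(RULES)
    engine.process(network_sensor(PACKETS))          # one alert: the traversal attempt
    engine.process(host_sensor("web01", AUTH_LOG))   # one alert: 203.0.113.9 reaches 5 failures
    return engine.alerts()


if __name__ == "__main__":
    for sid, msg, sensor, src in demo():
        print(f"[{sid}] {msg} (sensor={sensor}, src={src})")
```

Two things to note from the run: the HTTPS packet carrying the same string does not fire rule 1000001 because the port qualifier fails, which is the usual trade-off of signature rules (precise, but blind to anything outside the signature), and the brute-force rule fires exactly once for 203.0.113.9 and not at all for 203.0.113.10, because the engine keeps a per-source count rather than alerting on each matching line.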


TAP stands for "Test Access Port". A network tap allows all traffic on a network link (for example between a switch and a firewall) to be passively monitored. Taps are relatively inexpensive and reliable, and provide a permanent access port through which traffic can be monitored. They are usually separate devices, but can also be built into a switch itself. A one-way tap exposes only monitor outputs to the sensor: the sensor can receive every frame on the link but has no path to inject anything onto it, which is the "Data-In Nothing-Out" property GCSX 9.4 asks for.

Wireless LAN (WLAN) Security

Aruba Networks secure wireless LAN products and services: Aruba's integrated policy-enforcement firewall, high-security encryption, standards-based authentication, wireless intrusion detection/prevention and compliance audit reporting assistance meet or exceed the wireless LAN-specific security requirements in GCSx CoCo. Local authorities using an Aruba solution can cost-effectively implement the wireless security controls required for GCSx CoCo compliance without compromising the performance of business applications or upgrading legacy networks.

Wireless Intrusion Prevention (WIP): the ability to detect and prevent rogue APs (access points) and over-the-air attacks is critical to maintaining confidential communications. A rogue AP becomes an instant portal into the rest of the network, bypassing firewalls and other security systems. Aruba Networks APs can function simultaneously as a WIP sensor and as an AP, eliminating the need for dedicated third-party security sensors.