Preventing network intrusion

Any business with an internet connection is potentially susceptible to network intruders. The best way to stop them is to block services you do not need, either at your network’s entry point (by a network firewall) or at your computer (by a personal firewall). Find out more from our securing your networks page.

However, an intruder can try to break in by using services you do need, such as web browsing or email. In this case you need an intrusion prevention system (IPS) to block unauthorised access.

Intrusion prevention systems (IPS)

Most PC security packages have an IPS capability. If you don’t have one, buy a security package that does. However, you should not rely completely on a personal IPS. A skilled attacker can craft network messages that look genuine enough to be passed by the computer’s IPS.

If you have a network with more than a few computers, you should also install a dedicated IPS linked directly to your internet network firewall. It is wise to buy it from a different manufacturer from the one used on your computers, because all IPS products work slightly differently and one IPS may pick out attacks that another misses.

IPS false alarms can be a problem. For example, a person might mistype the address of a computer and accidentally attempt to connect to a different system for which they have no authorisation. If an IPS generates too many warning messages, there is a temptation to ignore all of them. You need to make sure that somebody (or everybody) checks such warnings conscientiously, preferably before you have a security incident.

Security information and event management (SIEM)

Some IPS products are purely passive: they do not block traffic, they just report suspicious items. These are called intrusion detection systems (IDS). An IDS that only monitors network traffic on its own is becoming less common; an IDS is now usually used in conjunction with a security information and event management (SIEM) system that correlates IDS data with other information, such as knowledge of the network architecture, to detect suspicious activities.

SIEM systems can identify and report suspicious activity (e.g. the same person logged on simultaneously at different locations) more effectively than a simple IDS or IPS. A SIEM can also look for patterns in warning messages that a human might overlook.
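As an added illustration of the correlation a SIEM performs (example code, not part of the original page or any particular product), the following Python reads constructed logon/logoff records and flags any user who logs on from a second location while a session elsewhere is still open. The record format, user names and location names are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample log (not from any real system). Each line is:
#   <ISO timestamp> <LOGON|LOGOFF> <user> <location>
SAMPLE_LOG = """\
2024-03-01T08:00:00 LOGON alice london
2024-03-01T08:05:00 LOGON bob paris
2024-03-01T08:20:00 LOGON alice singapore
2024-03-01T08:30:00 LOGOFF bob paris
2024-03-01T09:00:00 LOGOFF alice london
2024-03-01T09:10:00 LOGON bob paris
2024-03-01T09:15:00 LOGOFF alice singapore
"""


def parse_events(text):
    """Parse the log into (timestamp, action, user, location) tuples,
    sorted by time so out-of-order collection does not break the logic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, location = line.split()
        events.append((datetime.fromisoformat(ts), action, user, location))
    return sorted(events)


def find_concurrent_logons(text):
    """Return one (user, existing_location, new_location, timestamp) alert
    for each LOGON that happens while the same user still has an open
    session at a different location. A repeat logon at the same
    location (e.g. bob in paris) is not an alert."""
    open_sessions = {}  # user -> {location: time of logon}
    alerts = []
    for ts, action, user, location in parse_events(text):
        sessions = open_sessions.setdefault(user, {})
        if action == "LOGON":
            for other in sessions:
                if other != location:
                    alerts.append((user, other, location, ts))
            sessions[location] = ts
        elif action == "LOGOFF":
            sessions.pop(location, None)
    return alerts


if __name__ == "__main__":
    for user, seen_at, now_at, when in find_concurrent_logons(SAMPLE_LOG):
        print(f"{when}: {user} logged on at {now_at} while still on at {seen_at}")
```

A real SIEM would enrich this with the network architecture it knows about, for instance treating two offices on the same site as one location, which is exactly the kind of context a standalone IDS lacks.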