Good Research Proposal About Executive Proposal: Snort Intrusion Detection System:

Type of paper: Research Proposal

Topic: Internet, Network, Business, Law, Detection, Subscription, Security, Performance

Pages: 3

Words: 825

Published: 2020/11/12

Introduction:

In the ever-growing computer security domain, various technologies are emerging, and among them are network Intrusion Detection Systems (IDS). These systems are designed to detect hostile network activity (and, when deployed inline as an intrusion prevention system, to block it), and a variety of proprietary and open source IDS are available to match different user needs and requirements. Open source IDS have become more popular than their commercial counterparts on account of cost, configuration flexibility, cross-platform implementation, online forum support, access to source code, modification and usage rights, and detailed documentation (Robinson, 2007).
Snort is one of the open source IDS that has earned a place among the top IDS in the market. Snort performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks. It can also be used for protocol analysis and content searching and matching, and to detect a variety of probes and attacks such as Server Message Block (SMB) probes, operating system fingerprinting, stealth port scans and buffer overflows. Snort's detection engine uses a modular plug-in architecture that supports third-party add-ons, and its flexible rules language defines which traffic is passed, logged or alerted on. Snort also offers real-time alerting, with alert mechanisms for syslog, a UNIX socket, a user-specified log file, or WinPopup messages to Windows clients via the Samba smbclient (sectools.org, 2010).

Snort IDS offerings, rules and endorsements:

Snort is available as a free download in source code and binary formats. Supported operating systems include Microsoft Windows, Linux distributions such as CentOS and Fedora, and FreeBSD. This means that Snort is compatible with the existing computer systems at Advanced Research, which are a mix of *NIX and Microsoft technologies. Snort has also been endorsed by third parties such as networking giant Cisco, which acquired Sourcefire, the company founded by Snort's creator, and sells commercial products built on Snort. Snort itself remains free and open source: Cisco leverages the Snort Subscriber Rule Set and detection engine as the core foundation of its Next-Generation Firewall and IPS, and adds an easy-to-use interface, hardware optimization, data analysis and reporting, policy administration and management, 24/7 support, and a full suite of product services. In return, enhancements Cisco makes to the Snort technology underlying its proprietary offerings are released back to the open source community. Advanced Research therefore stands to benefit from Snort since its existing network infrastructure is built on Cisco products such as firewalls and routers; it can use the same detection technology that Cisco ships commercially without buying the commercial product (Snort.org, 2015a).
Snort's detection is driven by rules rather than by raw attack signatures. Snort.org argues that rules have the upper hand over signatures because a well-written rule describes the condition that triggers the actual vulnerability rather than a unique byte pattern taken from one particular exploit, so it also catches variants of that exploit; developing such a rule therefore requires understanding how the vulnerability works. Snort offers the rules free of charge to registered users but also has a subscription plan where users can purchase an annual subscription to the rule set. A premium personal subscriber pays a $29.99 annual fee to receive rules immediately upon release and so gains coverage in advance; free registered users receive the same rule set 30 days after the subscribers. Snort provides the same rule set for Next-Generation Intrusion Prevention System (NGIPS) subscribers, where Snort is used in business, laboratory or production environments; this business subscription is offered at an annual fee of $399 per Snort sensor. Snort also offers Integrator subscriptions under which a company is able to distribute and resell Snort rules; the resellers (Integrators) are allowed to display Snort's logo and use Snort's copyright information in their offerings and websites (Snort.org, 2015b).
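To make the rules language concrete, the following is an added example and not code from Snort or from the original proposal: a small Python matcher for a subset of Snort's rule syntax, run over constructed web requests of the kind (SQL injection and cross-site scripting) the proposal later tests against. The rule header and option syntax (msg, content, nocase, sid, the |..| hex escape, the $HOME_NET and $EXTERNAL_NET variables) are Snort's; the matcher itself, the 10.0.0.0/8 home network, the hypothetical web server 10.1.2.3 and the sample requests are assumptions made for this example.

```python
"""Matcher for a small subset of Snort's rule language (added example, not
Snort's own code): the header "action proto src sport -> dst dport", the
$HOME_NET/$EXTERNAL_NET variables with '!' and 'any', and the msg, content,
nocase and sid options. No stream reassembly, HTTP normalisation or
distance/within logic; real rules would also carry flow: and http_uri."""
import ipaddress
import re
from collections import namedtuple

# Constructed addressing assumption for the example network.
VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!$HOME_NET"]}

# Constructed rules in Snort syntax; sids >= 1000000 are the local-rule range
# and |27| is Snort's hex escape for the single-quote character.
RULE_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQLi tautology in request"; content:"|27| or 1=1"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"XSS script tag in request"; content:"<script"; nocase; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"UNION SELECT in request"; content:"union"; nocase; content:"select"; nocase; sid:1000003; rev:1;)
'''

Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "proto src sport dst dport msg sid contents")  # contents: [(pattern_bytes, nocase)]

HEADER_RE = re.compile(r'^\w+\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def content_to_bytes(text: str) -> bytes:
    # Snort content: literal text, with hex bytes between |..| bars
    out = bytearray()
    for i, part in enumerate(text.strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule (only '->' headers handled): {line!r}")
    proto, src, sport, dst, dport, opts = m.groups()
    msg, sid, contents = "", 0, []
    for name, value in OPT_RE.findall(opts):
        if name == "msg":
            msg = value.strip('"')
        elif name == "sid":
            sid = int(value)
        elif name == "content":
            contents.append([content_to_bytes(value), False])
        elif name == "nocase" and contents:   # modifies the preceding content
            contents[-1][1] = True
    return Rule(proto, src, sport, dst, dport, msg, sid, [tuple(c) for c in contents])

def addr_matches(spec: str, ip: str) -> bool:
    # 'any', a CIDR, or a $VAR; a leading '!' negates the whole spec
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec in VARS:
        hit = any(addr_matches(s, ip) for s in VARS[spec])
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or port == int(spec)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (rule.proto == pkt.proto
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    # every content option must occur somewhere in the payload; with no
    # relative modifiers (distance/within) each search is independent
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True

def inspect(rules: list, pkt: Packet) -> list:
    # (sid, msg) of every rule the packet triggers: the alerts Snort would raise
    return [(r.sid, r.msg) for r in rules if rule_matches(r, pkt)]

RULESET = [parse_rule(l) for l in RULE_TEXT.strip().splitlines()]

def http_get(src: str, sport: int, path: str) -> Packet:
    # constructed request towards the hypothetical internal web server 10.1.2.3
    return Packet("tcp", src, sport, "10.1.2.3", 80, f"GET {path} HTTP/1.1\r\nHost: app\r\n\r\n".encode())

SAMPLE_PACKETS = [
    http_get("203.0.113.5", 51000, "/login?user=admin' OR 1=1--"),             # sid 1000001
    http_get("203.0.113.5", 51001, "/search?q=<SCRIPT>alert(1)</SCRIPT>"),     # sid 1000002 via nocase
    http_get("203.0.113.5", 51002, "/items?id=1 UNION SELECT pw FROM users"),  # sid 1000003
    http_get("203.0.113.5", 51003, "/help?topic=select+a+plan"),               # 'select' alone: no alert
    http_get("10.1.2.9", 51004, "/search?q=<script>x</script>"),               # internal src: not $EXTERNAL_NET
]
```

Two points from the example carry over to a real deployment. First, the last sample request is attack traffic from an internal host, and none of these rules fire on it because their source is $EXTERNAL_NET; a sensor placed inside the firewall to catch intrusions from within needs rules (or a $HOME_NET/$EXTERNAL_NET definition) that cover internal sources. Second, this toy matcher searches the raw payload, so a URL-encoded variant of the same injection would slip past it; Snort relies on its HTTP preprocessor to normalise such traffic before content matching, which is part of why its detection rate depends on configuration and load rather than on the rules alone.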

Summary of Snort reviews by third parties:

Snort now has 500,000+ registered users and over 4 million downloads, making it the most widely deployed IDS in the world. According to a review by Loras R. Even of the SANS Institute, Snort fulfils many basic requirements of an IDS for such a lightweight application; he also notes that Snort may have performance issues when heavy, long-term traffic analysis is required (Even, 2001). Lee Clemmer of Bright Hub likewise praises Snort as the most comprehensive IDS on the market: its lightweight nature, low overhead, large user base, and the fact that it has been integrated into numerous commercial products make it a very suitable IDS. Where integration, customer service and support are desired, the commercial Sourcefire products built on Snort can be acquired. Clemmer still considers Snort the better IDS to deploy when cost, flexibility and performance are weighed together (Clemmer, 2010).

Snort Test Results:

I have also had the chance to run different test scenarios on Snort which involved simulating attacks using the Metasploit framework and evaluating Snort under different traffic conditions, all the while observing the system response regarding known attack signatures such as SQL injection and Cross-Site Scripting (XSS) attacks. The results were quite satisfactory since I was able to determine that Snort has a detection rate of 95% on networks with 400 Mbps of traffic or less, but when traffic was raised to 1 Gbps, the detection rate was lowered to around 30%. From the tests, it is also evident that host hardware such as the computers, network cards and routers plays a crucial role in determining the overall system performance. It was observed that Snort performs better in a host environment than in a virtual environment, which is attributed to virtualization overheads.
Snort's performance can also be linked to the operating system (OS) implementation; it generally responded well to attacks generated from a similar OS platform. When attacks were generated from one OS platform and targeted at a different OS, a performance decline was observed. The results obtained from this research will be used to improve system performance once the use of Snort is approved.

Recommendation:

Based on the information presented in the above proposal, it is evident that Snort is an IDS that should be given a try at Advanced Research since it is quite efficient and compatible with our existing systems and network infrastructure. Snort is also free and open source, which means the company will enjoy quick bug reports and fixes, almost zero licensing fees, online forum support, updates and, in the long run, better security leading to improved productivity. I would also recommend that the company purchase a premium business subscription to Snort's rule set, which goes for $399.00 per sensor. I also feel that the company network should have two sensors, where one will be placed inside the network (behind the network firewall) to detect intrusions from within, and another sensor will be located outside the network firewall to counter external intrusions. The total cost of the software and two sensor rule sets amounts to $798.00, which is a good bargain considering it is an annual subscription for an enterprise-wide security product.

References:

Clemmer, L. (2010). Do You Need Snort? A Review of One of the Best Intrusion Detection and Intrusion Prevention Systems on the Market. Bright Hub. Retrieved 10 February 2015, from http://www.brighthub.com/computing/smb-security/reviews/40032.aspx
Even, L. (2001). SANS: Intrusion Detection FAQ: Running Snort under Windows. Sans.org. Retrieved 10 February 2015, from http://www.sans.org/security-resources/idfaq/snort.php
Robinson, B. (2007). The Case for Open Source IDS - IT Security. Itsecurity.com. Retrieved 10 February 2015, from http://www.itsecurity.com/features/the-case-for-open-source-ids-022607/
Sectools.org. (2010). Snort - SecTools Top Network Security Tools. Retrieved 10 February 2015, from http://sectools.org/tool/snort/
Snort.org. (2015a). Snort.Org | Frequently Asked Questions. Retrieved 10 February 2015, from https://www.snort.org/faq
Snort.org. (2015b). Snort.Org | Products | Rule Subscriptions. Retrieved 10 February 2015, from https://www.snort.org/products/
