Cyberarms – Intrusion Detection

Background

Cyberarms Intrusion Detection is the second IDS product that we will be evaluating.  The first product was BF Guard.

Idealistic

As the saying goes, everything is idealistic until it gets real.

My real world came almost a week ago.  I was home that Saturday morning, having cleared my schedule.  A friend had dropped off two laptops.  There were viruses and malware to get rid of, a cluttered, full hard drive to prune, and personal data to remove.

I never imagined I had similar problems until I tried connecting to one of the computers in our Lab and was faced with the now familiar error message, “exceeded maximum number of connections”.

Cyberarms

Download

Downloaded Cyberarms version 2.2 from here.

Install Files

Version 2.2 only supports 64-bit systems, so those of us who still have 32-bit systems are out of luck.

Compressed Package

The installer is packaged as a zip file.

Extracted Files

InstallationFiles_20170615_0421PM

Installation

Screen Shot

We have two sets of install steps:

  1. Prerequisite
    • Visual C++ 2010 Runtime Libraries (x64)
  2. Core
    • Cyberarms Intrusion Detection

Prerequisite

Visual C++ 2010 Runtime Libraries (x64)

Outline
  1. Install Components
  2. Extract Files
  3. If “Visual C++ 2010 Runtime Libraries (x64)” already exists on the system
    • The user is asked whether to remove or repair the package
  4. Runtime installed on the system

Install Components?

Extracting Files

Repair or Remove

Repair is Complete

Core

Outline

  1. License Agreement
  2. Select Install Folder
  3. Confirm Installation
  4. Installing…
  5. Install Complete

License Agreement

Select Installation Folder

Confirm Installation

Installing Cyberarms Intrusion Detection

Installation Complete

Configuration

Screen Shot

Settings

Settings – Lock out configuration

Explanation
  1. Set lock threshold (unsuccessful logins)
    • By default set at 3 unsuccessful logins
  2. Set lock duration (minutes)
    • By default set to 20 minutes
  3. Hard lock threshold (unsuccessful logins)
    • By default set at 10 unsuccessful logins
  4. Hard lock duration (hours)
    • By default set to 24 hours
  5. Hard lock forever
    • Where repeated failed logins reach the hard lock threshold, a choice of whether to lock the source out permanently

Settings – Safe Networks

Explanation
  1. Define safe networks (also known as whitelisting)

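As an added example (not Cyberarms' own code, and not a description of how the product is implemented internally), the following Python models the lock-out policy described above together with the safe-network whitelist, and replays it over constructed failed-logon records of the kind a Windows 4625 event carries (time, source IP, target user). The class and function names (LockoutPolicy, LockoutTracker, demo), the lab range 10.0.0.0/8, the attacker address 203.0.113.7 and the timestamps are all assumptions of this example; the split into a per-lock counter and a per-source total, and the rule that a successful logon clears the counters, are this example's design choices rather than documented Cyberarms behaviour.

```python
# Added example, not Cyberarms' own code: a minimal model of the soft-lock /
# hard-lock policy from the "Lock out configuration" and "Safe Networks"
# settings, driven by constructed failed-logon records (the fields a Windows
# 4625 event carries: time, source IP, target user). Every class, function,
# address and timestamp here is an assumption of this example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # Defaults mirror the post's screen: 3 failures -> 20 min soft lock,
    # 10 failures -> 24 h hard lock, optional "hard lock forever".
    soft_threshold: int = 3
    soft_duration: timedelta = timedelta(minutes=20)
    hard_threshold: int = 10
    hard_duration: timedelta = timedelta(hours=24)
    hard_lock_forever: bool = False
    safe_networks: List[str] = field(default_factory=list)   # CIDR whitelist

    def is_safe(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(net) for net in self.safe_networks)


@dataclass
class SourceState:
    recent: int = 0      # failures since the last unlock (drives the soft lock)
    total: int = 0       # failures since the last successful logon (drives the hard lock)
    locked_until: Optional[datetime] = None   # None = not locked; datetime.max = forever
    lock_kind: Optional[str] = None           # "soft", "hard" or None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.sources: Dict[str, SourceState] = {}
        self.log: List[str] = []      # mirrors the post's "Security Log" entries

    def _expire(self, ip: str, st: SourceState, now: datetime) -> None:
        # An expired lock is lifted and the soft-lock counter restarts;
        # the total keeps accumulating so repeat offenders reach the hard lock.
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until, st.lock_kind, st.recent = None, None, 0
            self.log.append(f"{now:%Y-%m-%d %H:%M} Unlock {ip}")

    def is_locked(self, ip: str, now: datetime) -> bool:
        st = self.sources.get(ip)
        if st is None:
            return False
        self._expire(ip, st, now)
        return st.locked_until is not None

    def record_failure(self, ip: str, user: str, when: datetime) -> str:
        """Feed one failed logon; returns 'safe', 'counted', 'soft' or 'hard'."""
        if self.policy.is_safe(ip):
            return "safe"                     # whitelisted: never counted or locked
        st = self.sources.setdefault(ip, SourceState())
        self._expire(ip, st, when)
        st.recent += 1
        st.total += 1
        self.log.append(f"{when:%Y-%m-%d %H:%M} Intrusion {ip} "
                        f"TLS/SSL Security Agent: Possible intrusion attempt (user {user!r})")
        if st.total >= self.policy.hard_threshold and st.lock_kind != "hard":
            st.lock_kind = "hard"
            st.locked_until = (datetime.max if self.policy.hard_lock_forever
                               else when + self.policy.hard_duration)
            self.log.append(f"{when:%Y-%m-%d %H:%M} Hard lock {ip}")
            return "hard"
        if st.lock_kind is None and st.recent >= self.policy.soft_threshold:
            st.lock_kind = "soft"
            st.locked_until = when + self.policy.soft_duration
            self.log.append(f"{when:%Y-%m-%d %H:%M} Soft lock {ip}")
            return "soft"
        return st.lock_kind or "counted"  # attempt during a lock, or merely counted

    def record_success(self, ip: str, when: datetime) -> None:
        """A successful logon from an unlocked source clears its counters."""
        st = self.sources.get(ip)
        if st is not None and not self.is_locked(ip, when):
            st.recent = st.total = 0

    def locked_sources(self, now: datetime) -> List[str]:
        return sorted(ip for ip in self.sources if self.is_locked(ip, now))


def demo(hard_lock_forever: bool = False) -> Tuple[List[str], Dict[int, bool]]:
    """Replays the post's test (wrong RDP passwords from a few boxes) over
    constructed records. Returns the outcome of each failed attempt and whether
    the attacker is still locked 2 h and 25 h after the first attempt."""
    policy = LockoutPolicy(hard_lock_forever=hard_lock_forever,
                           safe_networks=["10.0.0.0/8"])       # constructed lab range
    tracker = LockoutTracker(policy)
    t0 = datetime(2017, 6, 15, 16, 21)                           # constructed timestamp
    outcomes = [tracker.record_failure("10.0.0.5", "admin", t0)]   # lab box: safe
    # 203.0.113.7 (documentation range) plays the attacker: ten attempts, spaced
    # so the first 20-minute soft lock expires before the second burst.
    for minute in (0, 1, 2, 15, 31, 32, 33, 34, 35, 36):
        outcomes.append(tracker.record_failure("203.0.113.7", "administrator",
                                               t0 + timedelta(minutes=minute)))
    still_locked = {h: tracker.is_locked("203.0.113.7", t0 + timedelta(hours=h))
                    for h in (2, 25)}
    return outcomes, still_locked


if __name__ == "__main__":
    results, locked = demo()
    print(results)   # the eleventh outcome is "hard"
    print(locked)    # {2: True, 25: False}; both True with hard_lock_forever=True
```

Running the block replays the sequence from the Usage section: the lab box is ignored because it sits in a safe network, the third wrong password from the outside address gives a 20-minute soft lock, attempts made during that lock still count toward the hard lock, and the tenth failure in total triggers the 24-hour hard lock (or a permanent one when hard_lock_forever is set). The tracker's log list mirrors the entries shown in the Security Log section.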

Settings – Email Notification

Explanation
  1. We indicated that we want to be notified of everything
    • Events
      • On soft lock events
      • On hard lock events
      • On unlock events
  2. Reports
    • Unfortunately, we are only in the evaluation phase and have yet to allocate money for a paid version.
      Therefore, no reports yet.

Settings – SMTP Configuration

Explanation
  1. Enter Email Addresses
    • Sender address
    • Recipient address
  2. SMTP server
    • SMTP Server
  3. SMTP/SSL Port
    • 25
  4. Use SSL for communication
  5. This server requires authentication
    • Username & Password

Agents

Agents – TLS/SSL Security Agent

Because Terminal Services is the only service that we are exposing on this box, secured via Active Directory, it is the only security agent that we enable.

Original Screen

Revised Screen

Explanation
  1. Override Configuration
    • Check
  2. Enable this Security Agent
    • Check
  3. Extended Configuration
    • RdpPort
      • Keep port 3389 if you have left Terminal Services running on its default port

Usage

We tried connecting through RDP from a few boxes and intentionally entered wrong passwords.

Security Log

Explanation

The following information is logged:

  1. Intrusion #1
    • Type: Intrusion
    • Latest Entry: Date
    • IP Address: z.y.x.w
    • Message: TLS/SSL Security Agent: Possible intrusion attempt.

Email Notifications

Outline

  1. We have attached a few emails
    • Our Inbox, filtered to show messages from Cyberarms IDDS
    • Test Email Notification
    • Soft Lock Notification
    • Hard Lock Notification

Inbox

Message – Test Message

Message – Soft Lock

Message – Hard Lock

Summary

Cyberarms Intrusion Detection is a very strong, well-engineered product.

It reliably identifies intrusion attempts by monitoring the Windows event logs (the same events seen in Event Viewer).

The newest version requires an x64-based system, which may be an impediment for those still running a 32-bit OS.

References

  1. Configure Intrusion Detection to block based on your requirements
    Link
  2. Secure your systems today with Cyberarms Intrusion Detection and Defense System
    Link