Monitoring suspicious activities on your network helps you lay the groundwork for taking the preventive measures needed to keep intruders out. Most intrusion-detection systems (IDSs) spot such activities by detecting anomalies in network traffic patterns and identifying attack signatures based on known patterns.

One IDS worth your consideration is Demarc Security’s PureSecure, which is available in a free personal edition or a professional edition for corporate networks. Both editions are available for Windows or UNIX platforms.

PureSecure offers these key features:

  • Network traffic monitoring
  • Intrusion detection
  • System integrity verification
  • Integration of Snort engine

PureSecure’s options and ease of use make it a valuable tool that can effectively complement your existing security measures.

Installation and configuration
The toughest part of using PureSecure is getting it set up and configured to listen for intrusions. Running the installation program opens a DOS session that walks you through the initial configuration. Part of the installation involves setting up a database connection and downloading Snort. PureSecure uses the Snort IDS engine with a Web interface front end for managing the rules that govern attack definition and alert status. Other options during the setup include indicating whether this installation is the main sensor or an auxiliary sensor and setting the hostname and the PureSecure username and password.

You have to set up the main sensor before you can install auxiliary sensors, so the first sensor you install will always be the main one. After you’ve installed and configured the initial sensor, you can set up sensors on other hosts on the network. The PureSecure console comes with one sensor; additional sensors are $95 each.

After exiting the PureSecure installation program, you must run the IIS manager to set up a new virtual directory for Demarc. You can then run the PureSecure console in your Web browser to configure IDS rules and begin monitoring traffic on the network.

PureSecure can watch for a wide variety of attacks, from port scans to modified files, and it gives you a lot of control over how you do this. Via the Web interface, you can add, change, and delete rule sets for all of the sensors you’ve configured. For example, you can change scripts in what PureSecure calls Bad Traffic Rules, which identify traffic you should not see on the network.

PureSecure comes with a preconfigured set of rules to cover common situations, such as exploits, NetBIOS, and Telnet. Although the rules are extensive, you may want to add rules or to tweak the existing ones depending on your needs.

You manage configuration and monitoring via the Web console, which is intuitive and simple to use. Any IT staff member will be able to use the console to check network activity and view reports. Modifying the rule set scripts requires more in-depth knowledge of normal network traffic and packet structures. You can view screen captures of the console at the PureSecure Web site. The console includes pages for viewing logs of events with detailed information about each incident, summary pages of all network activity, and search and configuration options.

Demarc also offers downloadable plug-in monitors for Cisco switches, MySQL servers, and Snort status.

To see how PureSecure handled some basic intrusions, I ran a couple of tests. First, I ran Superscan on the host. PureSecure reported it as an attempted recon. The details of the record showed the source IP address of the scan and offered a hyperlink to a Whois query with additional identification information. PureSecure also offered options for performing a trace, pinging the source, and resolving the domain name.

Next, I TFTP’ed the host and attempted to copy a file to the source machine. Again PureSecure identified the event and offered details about the source of the intrusion. In addition, PureSecure displayed the event payload in hex and decoded, clearly showing the target of the intrusion. The events list also showed a large ICMP packet that PureSecure identified as potentially bad traffic and offered the same details about the source and destination.

These tests were basic, but they demonstrate how PureSecure handles typical intrusions.
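
To make the three test results concrete, here is a small signature-style detector, added as an illustration and not taken from PureSecure or Snort. It flags a port scan as attempted recon, decodes a TFTP request payload to show the targeted file, and flags an oversized ICMP packet as potentially bad traffic. The thresholds, the packet dictionary layout, the choice to flag only TFTP write requests, and the sample traffic are assumptions made for the example; the classification labels follow Snort's classtype names.

```python
import struct
from collections import defaultdict

LARGE_ICMP_BYTES = 800     # assumed payload-size threshold for "large ICMP"
SCAN_PORT_THRESHOLD = 10   # assumed: distinct ports probed by one source

def decode_tftp(payload):
    """Decode a TFTP read/write request into (kind, filename, mode), else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    fields = payload[2:].split(b"\x00")
    if opcode not in (1, 2) or len(fields) < 3:
        return None
    kind = "RRQ" if opcode == 1 else "WRQ"
    return kind, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace")

def detect(packets):
    """Return (source, classification, message) alerts for a list of packet dicts."""
    alerts, ports, scanners = [], defaultdict(set), set()
    for p in packets:
        src, proto = p["src"], p["proto"]
        if proto == "tcp" and p["flags"] == "S":
            ports[src].add(p["dport"])
            if len(ports[src]) >= SCAN_PORT_THRESHOLD and src not in scanners:
                scanners.add(src)   # alert once per scanning source
                alerts.append((src, "attempted-recon", "TCP port scan"))
        elif proto == "udp" and p["dport"] == 69:
            req = decode_tftp(p["payload"])
            if req and req[0] == "WRQ":   # assumption: only uploads are flagged
                alerts.append((src, "bad-unknown", f"TFTP write request for {req[1]}"))
        elif proto == "icmp" and len(p["payload"]) > LARGE_ICMP_BYTES:
            alerts.append((src, "bad-unknown", f"large ICMP packet ({len(p['payload'])} bytes)"))
    return alerts

# Constructed sample traffic (documentation address ranges), not captured data.
SAMPLE = [{"src": "198.51.100.7", "proto": "tcp", "flags": "S", "dport": port}
          for port in range(20, 32)]
SAMPLE += [
    {"src": "198.51.100.7", "proto": "udp", "dport": 69, "payload": b"\x00\x02boot.cfg\x00octet\x00"},
    {"src": "192.0.2.10", "proto": "udp", "dport": 69, "payload": b"\x00\x01readme.txt\x00octet\x00"},
    {"src": "203.0.113.9", "proto": "icmp", "payload": b"A" * 1024},
    {"src": "192.0.2.10", "proto": "icmp", "payload": b"A" * 56},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The read request and the 56-byte ping in the sample produce no alert, which is the tuning trade-off the rule sets expose: tighter thresholds catch more and also raise more noise.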

Pros and cons
PureSecure has good potential as a solid IDS. Demarc seems to have all the bases well covered in terms of what PureSecure can detect and report—especially considering that you can add your own rules in the console—and the interface is easy to manage.

PureSecure is free to home users, making it particularly useful for people with always-on broadband Internet connections. Demarc offers different licensing options for corporate users.

For enterprise users, the one disadvantage to PureSecure may be the price. At $1,450 for the console and one sensor, it’s not necessarily cheap. But if you’re managing a large network, the network segment license may offer a cost-effective solution. You can find additional pricing information here.

Although advanced Snort users can likely accomplish much of the same monitoring by writing the necessary scripts, PureSecure’s advantage is its console, which gives admins an easier way to manage the rules needed to monitor traffic, view reports on network activity, and detect intrusions. PureSecure is definitely worth a look, and you can download a 30-day trial to put it through its paces before making a purchasing decision.