Intrusion Detection & Intrusion Prevention

Intrusion Detection is one of the computer concepts that has moved from the server world to the PC world.

Our first step, though, is prevention — keeping intruders out of our computers.

After years of total exposure of most Windows computers, Microsoft finally included a built-in software firewall in the original versions of Windows XP. By default, dialup connections had the firewall turned on. BUt, for high-speed network connections — the kind we have with cable or DSL, Microsoft set the default for the Windows XP Firewall to "Off."

Service Pack 1 made little difference. There were some firewall improvements, but still it was turned off by default. Finally, with XP Service Pack 2, the firewall is turned ON by default.

This is almost great. There's a major problem with the Windows Firewall — it is a one-way firewall! It only blocks activity originating from outside the computer.

This means that, if you get your computer compromised with a downloader or trojan (you're not using IE with its Active-X are you?), the Windows Firewall will happily accept and allow all the spam that your computer starts to send, all the attacks that your computer makes on other computers, and all the illicit images that your computer serves to requesting browsers.

In other words, a one-way firewall doesn't solve the problem, if you have other means of getting infected or subverted — such as emails and your favorite web browser.

Microsoft Vista, the promised new version of Windows that will arrive some time in 2007, is reputed to have a 2-way firewall. Finally Microsoft is waking up to the need.

But, I have read that Microsoft has decided to have it turned off by default. I hope that's not the case -- or perhaps the case only in the version for businesses.

The Firewall Solution
So, our first step is to protect our computers with software firewalls, such as Sunbelt Personal Firewall or as part of a combination package from TrendMicro, or the many other firewall suppliers.

All of the third-party firewalls that I have found will function to control access from the Internet to the computer and from the computer to the Internet. This is what we need.

The Intrustion Detection Solution
One of the most well-known intrusion detection packages is no longer widely available. Black Ice Defender seems to have died. I haven't heard about it in years.

My choice for a firewall (Sunbelt Personal Firewall) includes host-based intrusion detection in its paid version (Kerio is also available as a reduced-function free version for home use).

Trend Micro Internet Security 2007 also includes intrusion detection as part of its package.

There is also a free program called AirSnare that can work with your wireless or wired router. It looks for unexpected MAC addresses on your network — and warns you if someone unexpected has connected to your network.