However, the free software has a 5MB cap on traffic, and this does have security implications, since excess traffic is either dropped or passed without inspection, depending on the operating mode. While this should not be an issue for a small business, larger ones will need the commercial versions to get around that limitation.
Support, in the shape of updates, discussion forums and FAQs, is available on StillSecure's website, but telephone and email support is not included with the free version.
The software can be downloaded as an ISO image file or as a virtual appliance file that runs under VMware's player software. We chose to create a dedicated system and installed the software from the ISO file, which includes StillSecure's hardened version of Linux as well as the StrataGuard software.
System requirements are modest: a 1.4 GHz Intel Pentium 4 with 512 MB RAM, 10 GB of hard drive space and two 10/100 Base-T Network Interface Cards (NICs) will do. We installed it on a server with a 2 GHz Intel Pentium 4, 1MB main memory, a 40GB hard drive and three 10/100 Base-T Ethernet ports available.
Installation and configuration were uncomplicated, and the documentation was clear. The standard options configure the system to monitor traffic on all networks except the local host; networks, sub-networks and individual hosts can be included explicitly. Advanced options allow network filters to be applied to specified systems and sub-nets.
Configuring these options correctly can reduce the number of false positives reported, and ensures that attacks that cannot affect the target, such as a web exploit against a database server, do not generate alerts.
The system supports both email alerting and SNMP notifications when attacks are detected. A report-generating sub-system provides detailed activity reports that can also be written to disk for later analysis.
StrataGuard can operate in either Standard or Gateway configurations for greater flexibility. The Standard option requires two NICs and functions in "out-of-band" mode, while the Gateway configuration requires three NICs and operates in "in-line" mode.
In Standard mode the system works as an IDS; in Gateway mode it functions as an IPS. StrataGuard can operate with a number of external firewalls. If you do not have a compatible firewall, you can configure the system to use its internal Linux iptables firewall instead. In either case the software will generate and install firewall rules automatically as needed.
The intrusion detection chores are handled by the ubiquitous Snort system. This provides a number of rules arranged in categories that apply to various possible attacks. The default mode is to have the system prompt for a decision, but there are a number of actions available that can be configured in advance.
When the system prompts for advice you can defer the decision, accept one of the default actions or configure a specific response using the "research rule" option. This provides the chance to examine the alert in detail and tailor actions to suit. Rules can be responsive or pre-emptive. Responsive rules can be set to expire after a set interval and are designed to deal with transient annoyances such as port-scanning attempts.
Pre-emptive rules check traffic content to determine the action and never expire. A banned website would fall under the pre-emptive rule.
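To make the two rule types and the target-aware filtering from the configuration section concrete, here is an added example that is not StrataGuard's code and not from the review: a small alert-handling policy that parses Snort "fast" output lines, suppresses alerts whose attack class cannot affect the destination host (the web-exploit-against-a-database-server case), creates a responsive rule with an expiry for a port sweep, creates a pre-emptive rule with no expiry for a banned site, and renders both as iptables commands. The alert lines, SIDs, addresses, host roles and the one-hour responsive interval are all constructed assumptions for illustration.

```python
"""Alert handling in the style the review describes: target-aware suppression,
responsive (expiring) and pre-emptive (permanent) block rules rendered as
iptables commands. Added example, not StrataGuard's code; alert lines, SIDs,
addresses, host roles and intervals are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed alerts in Snort's "fast" output format (TEST-NET addresses,
# SIDs in the local-rule range).
SAMPLE_ALERTS = [
    "01/15-10:23:45.100000  [**] [1:1000001:1] LOCAL SCAN TCP port sweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.5:44321 -> 192.0.2.10:22",
    "01/15-10:24:02.200000  [**] [1:1000002:1] LOCAL WEB-ATTACK directory traversal [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "198.51.100.7:51000 -> 192.0.2.40:80",
    "01/15-10:25:30.300000  [**] [1:1000003:1] LOCAL POLICY banned site requested [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} "
    "192.0.2.30:50101 -> 203.0.113.80:80",
    "01/15-10:26:11.400000  [**] [1:1000002:1] LOCAL WEB-ATTACK directory traversal [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "198.51.100.9:51002 -> 192.0.2.20:80",
]

# Constructed asset inventory: the roles each protected host actually has.
ASSET_ROLES: Dict[str, Set[str]] = {
    "192.0.2.10": {"ssh"}, "192.0.2.20": {"web"}, "192.0.2.40": {"database"},
}
# An attack class is only meaningful against hosts with the matching role.
ROLE_FOR_CLASS = {"Web Application Attack": "web"}
LATER = datetime(2008, 1, 15, 12, 0, 0)   # a later point in time, for the expiry check

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

@dataclass
class Alert:
    time: datetime
    sid: int
    msg: str
    classification: str
    priority: int
    src: str
    dst: str
    dport: int

@dataclass
class BlockRule:
    kind: str                   # "responsive" (expires) or "pre-emptive" (never expires)
    direction: str              # "src": block the offending source; "dst": block the banned site
    address: str
    reason: str
    expires: Optional[datetime]

    def iptables(self) -> str:
        # Rendered for an inline (Gateway-style) deployment forwarding traffic.
        flag = "-s" if self.direction == "src" else "-d"
        return f"iptables -I FORWARD {flag} {self.address} -j DROP  # {self.reason}"

def parse_alert(line: str, year: int = 2008) -> Alert:
    """Parse one fast-format line; the year is not in the line, so it is supplied."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"not a Snort fast-format alert: {line!r}")
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(when, int(m["sid"]), m["msg"], m["cls"], int(m["prio"]),
                 m["src"], m["dst"], int(m["dport"]))

def relevant_to_target(alert: Alert) -> bool:
    """Target filter: an attack class the destination cannot be affected by is noise."""
    needed = ROLE_FOR_CLASS.get(alert.classification)
    return needed is None or needed in ASSET_ROLES.get(alert.dst, set())

def decide(alert: Alert) -> Optional[BlockRule]:
    """Pre-configured actions by classification; unlisted classes get no automatic rule."""
    if alert.classification == "Attempted Information Leak":
        # Responsive: block the scanning source for a set interval, then let it expire.
        return BlockRule("responsive", "src", alert.src,
                         f"sid {alert.sid}: {alert.msg}", alert.time + timedelta(hours=1))
    if alert.classification == "Potential Corporate Privacy Violation":
        # Pre-emptive: the banned site stays blocked regardless of who requested it.
        return BlockRule("pre-emptive", "dst", alert.dst, f"sid {alert.sid}: {alert.msg}", None)
    return None

def triage(lines: List[str]) -> Dict[str, list]:
    """Sort alerts into suppressed, needing an operator decision, and auto-generated rules."""
    out: Dict[str, list] = {"suppressed": [], "prompt": [], "rules": []}
    for alert in map(parse_alert, lines):
        if not relevant_to_target(alert):
            out["suppressed"].append(alert)
            continue
        rule = decide(alert)
        out["rules"].append(rule) if rule else out["prompt"].append(alert)
    return out

def active_rules(rules: List[BlockRule], now: datetime) -> List[BlockRule]:
    """Responsive rules drop out once their interval has passed; pre-emptive ones remain."""
    return [r for r in rules if r.expires is None or r.expires > now]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for r in result["rules"]:
        print(r.kind, "->", r.iptables())
    print("awaiting operator:", [a.msg for a in result["prompt"]])
    print("active at", LATER, [r.address for r in active_rules(result["rules"], LATER)])
```

The second sample alert is a web attack aimed at the database server, so the target filter discards it before any rule is considered, which is the false-positive reduction the review attributes to correct network configuration; the fourth, aimed at the real web server, is left for the operator, mirroring the product's default of prompting for a decision. At noon the one-hour responsive block on the port sweeper has lapsed while the pre-emptive block on the banned site remains.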
We configured the software in Gateway mode and installed it behind our firewall. We then disabled the firewall's IDS and let the StrataGuard product take over.
The system had only been running for a few hours when it blocked and reported an attempt to download a virus from an external website. Using the browser-based interface, we could easily see which machine was affected. All the systems on the network were protected by commercial virus scanners from various suppliers, and careful examination of the PC concerned showed no trace of any virus, proving that the attempt had been successfully blocked.
Various other undesirables such as web bugs were also reported, so we decided to use the StrataGuard software to block all further access to that particular site.
Several more incidents occurred over the following week, but the number of alerts, including false positives, diminished as we answered the system's requests, and afterwards several days would pass without the system generating an alert of any kind.
For: The software has modest hardware requirements and uses the proven and effective Snort system.
Against: The 5MB cap might raise security issues in abnormal conditions.
Verdict: An effective IDS, which is easy to use and requires little attention once it is set up.