
Installation & Configuration

Before installation

Please ensure you download the installer for the right platform. If your Windows system is 32 bit, please download the 32 bit edition (x86) of IDDS. For the 64 bit version of Windows, please choose the 64 bit edition (x64).

Please use the "add/remove programs" wizard of Windows to remove any version of Cyberarms Intrusion Detection. Do not manually delete files on the disk to do a clean uninstall.

Cyberarms Intrusion Detection Editions

Feature matrix FREE edition, PRO edition:

| Feature | FREE edition | PRO edition |
|---|---|---|
| Unlimited monitoring for intrusions, logging | Yes | Yes |
| Security Agent support | Yes | Yes |
| - FTP Security Agent | Yes | Yes |
| - SMTP Security Agent | Yes | Yes |
| - SQL Server Security Agent | Yes | Yes |
| - TLS/SSL Security Agent (Remote Desktop using high encryption and TLS/SSL for transport) | Yes | Yes |
| - Windows Base Security Agent (monitors for invalid login using Windows authentication) | Yes | Yes |
| Custom Security Agent support | Yes | Yes |
| Custom lock out policy per Security Agent | Yes | Yes |
| Notification of administrator (on soft lock, hard lock, unlock) | Yes | Yes |
| Reports | None | Daily, Weekly, Monthly |
| Restrictions | defends max. five attacks per day | |
| Software expires or has to be updated | No expiration | No expiration |
| Price | FREE | USD 199,-/EUR 149 excl. tax, licensing per server |

Cyberarms Intrusion Detection runs under the free license by default. After activating your license by entering your unlock key, the full version is enabled without reinstalling the software.

Limitations of the free license

The free license is limited to five locks per day which means the free edition defends your system against five unique attacks per day. This should be sufficient for small installations or basic security. The free license does not contain reporting (like the PRO edition does). However, the administrator gets notification emails in case of locking/unlocking clients.

Supported Systems

Cyberarms Intrusion Detection runs on Windows Servers and Windows client operating systems. It was tested on the following versions:

  • Windows Server 2008
  • Windows Server 2008 R2, all editions
  • Windows Web Server 2008 R2, all editions
  • Microsoft Small Business Server 2011
  • Windows Server 2012, all editions
  • Windows 7, Windows 8

System Requirements

Cyberarms Intrusion Detection uses Windows standard components like the Microsoft .NET Framework, the Windows Firewall and the Windows Event Log.

Requirements

  • Windows Server 2008 R2, Small Business Server 2011, Windows Server 2012, Windows 7 or Windows 8
  • At least 20 MB free disk space
  • 500MHz CPU or higher
  • 16 MB of spare memory

Software Requirements

  • Microsoft .NET Framework 4.0 (is automatically installed by our software if running setup.exe instead of the .msi file)
  • The Windows Firewall must be installed and running

Cyberarms Intrusion Detection has a very small footprint, which also makes this product one of the fastest security products with no impact on the system operations. As resource usage is extremely low, the Intrusion Detection Service can run on every Windows system listed above, including small boxes and vServers.

Reinstalling Cyberarms Intrusion Detection

Uninstalling and reinstalling Cyberarms Intrusion Detection does not affect the software activation status as long as you don't delete the file cyberarms.idds.dbf. The uninstall procedure does not delete this file.

Installation Process

The current setup files of Cyberarms Intrusion Detection can be downloaded here.

Use the installation files that match your system. For 32 bit versions of Windows, use the 32 bit edition of Cyberarms Intrusion Detection. For 64 bit versions of Windows, you can use either the 32 bit or the 64 bit edition. We recommend using the 64 bit edition of Cyberarms Intrusion Detection when running a 64 bit version of Windows.

Start the setup process and follow the instructions.

Setup will install and start the Windows service "Cyberarms Intrusion Detection Service". If no previous version has been installed, an application Event Log will also be created for "Cyberarms". On first start, a file "cyberarms.idds.dbf" will be created in the program directory you chose during installation (defaults to %programfiles%\Cyberarms\Cyberarms Intrusion Detection).

Overview & Configuration

The dashboard displays current intrusion detection summaries, such as current hard and soft locks and detected intrusion attempts. A list of all installed security agents displays failed logins, soft locks and hard locks per agent for the last 30 days.

Current locks

The current locks tab displays all currently locked out clients by IP address, lock date and planned unlock date, which is when the client will have access to the system again. You can use the "Unlock IP address" button to unlock the selected clients immediately.

The unlock action immediately configures your Windows Firewall to enable access for the selected client IP address.

Security log

The security log displays all current activity, like intrusion attempts, locks, and unlocks. 


For a better overview, the system summarizes the activity by action and IP address, and displays the latest event first. 

Agent Configuration

By default, no agent is enabled after the installation. To make the system work, you have to enable the agents required by your system. Only enable agents which are required. For example, if you don't have any FTP server installed on your box, there is no need to enable the FTP security agent.


FTP Security Agent

The FTP Security Agent monitors network traffic on the TCP/IP port on which your FTP server is running. If your FTP server uses a non-default TCP port (default is 21), you will have to adjust the agent.

If your FTP system is used for administrative purposes or systems automation, best practice configuration is to override the default settings and choose "Hard lock forever". If users are working with your FTP server, you might not want to lock them out forever.

SMTP Security Agent

The SMTP Security Agent also monitors network traffic (default on port 25). Many hacking programs used by spammers try to break in using SMTP authentication to send their emails through your server.


If your users are required to send emails through this server using authentication, you might want to choose a less restrictive lockout policy for this service.

SQL Server Security Agent

This agent secures access to SQL Server. To monitor for failed logins using SQL Server authentication, this agent uses the Windows Event Log. You have to enable SQL Server logging and the SQL Server Security Agent to start monitoring.

Applications secured by this agent include, among others, Microsoft Dynamics NAV, AX or GP, and any other application which uses SQL Server authentication. The agent also secures against SQL Server brute force attacks.

TLS/SSL Security Agent

When TLS/SSL security is used for Remote Desktop connections, Windows does not log the attacker's IP address within the security log entry. This agent also runs on the network layer (like the FTP and SMTP agents). Remote Desktop sessions using the legacy RDP protocol encryption are handled by the Windows Base Security Agent.

Windows Base Security Agent

This agent monitors the Windows Event Log for unsuccessful logins. Enable this agent to secure almost all applications which use Windows authentication. These are applications like Microsoft CRM, Microsoft Exchange Server, including Outlook Web Access, filesharing, and many other applications and services.


Settings

The settings section contains configuration options like default lockout policy, white list, and notification settings. You can also activate your license key here to unleash the full functionality of IDDS.

Lock out configuration (default Policy)

The default policy is valid for all security agents, unless you have chosen to override the configuration using the security agent options.

The locking mechanism is as follows:

A soft lock occurs after a given number of bad login requests within 24 hours. Every subsequent failed login leads to another soft lock. After the bad login count for an IP address exceeds the defined value for hard locks, a hard lock is initiated. If the hard lock time is less than 24 hours, every subsequent failed login will lead to a hard lock.
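The locking mechanism described above, modelled as an added example (not Cyberarms code). The class, parameter names, threshold values and sample events are assumptions made for illustration, as is the choice that the Nth bad login is the one that triggers the soft lock.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # bad logins are counted "within 24 hours"

class LockoutPolicy:
    """Model of the default policy; parameter names are assumptions."""
    def __init__(self, soft_after, hard_after, soft_lock, hard_lock):
        self.soft_after = soft_after  # bad logins that trigger a soft lock
        self.hard_after = hard_after  # count that must be exceeded for a hard lock
        self.soft_lock = soft_lock    # soft lock duration
        self.hard_lock = hard_lock    # hard lock duration, None = forever
        self.failures = defaultdict(deque)  # ip -> bad login timestamps

    def failed_login(self, ip, when):
        """Record one bad login and return (action, unlock_time)."""
        seen = self.failures[ip]
        seen.append(when)
        while when - seen[0] >= WINDOW:  # forget logins older than 24 hours
            seen.popleft()
        count = len(seen)
        if count > self.hard_after:
            until = None if self.hard_lock is None else when + self.hard_lock
            return "hard", until
        if count >= self.soft_after:  # assumed: the Nth bad login locks
            return "soft", when + self.soft_lock
        return "none", None

def demo():
    """Replay constructed bad logins from one documentation-range address."""
    policy = LockoutPolicy(soft_after=3, hard_after=5,
                           soft_lock=timedelta(minutes=20),
                           hard_lock=timedelta(hours=1))
    start = datetime(2024, 1, 1, 8, 0)
    offsets_min = [0, 1, 2, 30, 60, 90, 240, 1800]  # minutes after start
    return [policy.failed_login("203.0.113.7", start + timedelta(minutes=m))[0]
            for m in offsets_min]

if __name__ == "__main__":
    print(demo())
```

The bad login at minute 240 arrives after the one-hour hard lock has expired but still inside the 24-hour window, so it leads straight to another hard lock. The last one arrives 30 hours in, when the window is empty again.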

Safe networks (white list)

The safe networks section is used to configure networks and/or single IP addresses which shall never be locked out. This can be your administration computer, or trusted internal networks. If you have a static internet address for your local network, and you are configuring a cloud based computer with IDDS, you should add your "secure" IP address (or network) to the safe network list. This ensures you will not be locked out.


The format is simple and relies on the TCP/IP address standards. You can enter the safe network as IPv4 address/subnet mask, IPv4 address/subnet bits, IPv6 address, or IPv6 address/subnet mask.

For example, if you have an internal (secure) network 192.168.1.0 with the subnet mask 255.255.255.0, you can enter 192.168.1.0/255.255.255.0 or 192.168.1.0/24.

To enter a single IP address, just enter the address, and your Cyberarms Intrusion Admin software adds the subnet mask 255.255.255.255 (which means just this single address was added).
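A way to review safe-network entries before entering them, as an added example (not part of the Cyberarms software). It uses Python's standard ipaddress module and assumes IPv6 subnets are written with a prefix length; the function names, the width threshold and the sample entries are assumptions for illustration.

```python
import ipaddress

MIN_PREFIX = {4: 8, 6: 32}  # assumed review threshold, not a product setting

def parse_safe_network(entry):
    """Return (network, warnings) for one entry; raise ValueError if invalid."""
    text = entry.strip()
    # Accepts a bare address, address/bits, or IPv4 address/dotted mask.
    net = ipaddress.ip_network(text, strict=False)
    warnings = []
    if "/" in text and ipaddress.ip_address(text.split("/")[0]) != net.network_address:
        warnings.append("host bits set, entry covers all of %s" % net)
    if net.prefixlen < MIN_PREFIX[net.version]:
        warnings.append("very wide: %d addresses are never locked" % net.num_addresses)
    return net, warnings

def load_safe_list(entries):
    """Parse a whole list; return (networks, {entry: [findings]})."""
    nets, report = [], {}
    for entry in entries:
        try:
            net, warnings = parse_safe_network(entry)
        except ValueError as exc:
            report[entry] = ["rejected: %s" % exc]
            continue
        nets.append(net)
        if warnings:
            report[entry] = warnings
    return nets, report

def is_safe(ip, nets):
    """True if the client address falls inside any safe network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

# Constructed sample entries (private and documentation ranges only).
SAMPLE = ["192.168.1.0/255.255.255.0", "192.168.1.0/24", "10.0.0.5",
          "2001:db8::/32", "192.168.1.77/24", "0.0.0.0/0", "10.0.0.256"]

if __name__ == "__main__":
    nets, report = load_safe_list(SAMPLE)
    for entry, findings in report.items():
        print(entry, "->", "; ".join(findings))
```

Because a safe network is never locked out, an entry that is wider than intended exempts every address in it from intrusion defence, which is why the wide and host-bits cases are reported rather than silently accepted.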

Licensing

Use the licensing configuration page to enter your license. Once activated, you will not be asked again for your license, and the field is locked. You are then using the PRO edition, including reporting functionality and without any restriction on locks.

Notification Settings

Activate notifications in case of lock/unlock, or let the system send daily, weekly and monthly intrusion detection reports to the administrator's email address (specified in SMTP Configuration).

SMTP Configuration

Configure email settings to allow the application to send reports and notifications to the email address given. Use the Test... button to send a test to ensure that notifications can be sent/received.

Best practice is to configure an email address like "idds.yourserver@yourdomain.com", so you will be able to filter these emails by machine, if using more than one installation of IDDS.


Free Support

If you have any problem with installation or configuration, please don't hesitate to contact our support. Support is free, even if you are using the free edition. If the workload is high, PRO edition users/customers are served before users of the FREE edition.

Please use support@cyberarms.net for any support requests.