In part two of this article, Simon Johnson, explains the techniques used for selecting an Intrusion Detection System. |
Do You Need an Intrusion Detection System? |
|
Whether or not you require an IDS, depends on your current level of security, the risk of being attacked and the importance you place on your information. |
|
"Implementing intrusion detection before reducing vulnerability is like installing a surveillance camera before you've got locks on your door." Carden, P, 1998. |
|
There are a number of things that should do before you even consider purchasing an IDS. |
|
1. Perform a Risk Analysis Document the following:
|
|
- What you are trying to protect?
- What your fears are (worst case scenario)?
- List every possible threat to the asset you are trying to protect.
- What is the level of risk associated with each threat?
|
2. Know your Vulnerabilities. Subscribe to a Vulnerabilities Database and fix the holes in your systems before hackers exploit them. Harden the underlying Operating System in preparation for a firewall installation. |
|
3. Install a Firewall Have a professional set up and install your firewall. Use the knowledge in the Vulnerabilities Database to help you configure the firewall in a secure manner. |
|
4. Test the Firewall Have a professional perform a Penetration Test on the firewall. Analyze the results and if necessary get a second opinion. |
|
You have a Firewall - But you may still need an Intrusion Detection System! |
|
Many people assume that because they have a firewall, they don't need anything else. The problem is that firewalls allow or deny traffic according to a set of rules. These rules do not look at the information contained in the packet; rather they look at the type of traffic, where it is from and where it is going to. |
|
You may not need an IDS, but you do need the ability to monitor what is happening on your network. Why? |
|
Your firewall might be configured incorrectly.
Have you had a Penetration Test performed on your firewall? Who installed your firewall? Was it a security company, "reformed hacker", network Integration Company or a management consulting company? How do you know that they know what they are doing? Do they specialize in IT security or do they just sell security products?
|
|
A hacker could exploit vulnerabilities in your firewall.
There are many vulnerabilities in popular brands of firewall software. Does the person or company that installed your firewall subscribe to a Vulnerabilities Database which documents these vulnerabilities. If not, it's highly likely that you are vulnerable right now.
|
|
A hacker could be attacking from the inside out. |
|
Most attacks occur from inside the company. Therefore, your Internet firewall cannot see them happening. Do you have any protection for your internal servers? Firewalling a large network can be quite expensive. In this instance, an IDS could be a better, more cost effective burglar alarm. |
|
Selecting an Intrusion Detection System |
|
There are many companies marketing IDS solutions. Similar to the firewall market, there are many outrageous claims and untruths. Buyers beware. |
|
|
Here are a few things to ask your vendor when selecting an IDS: |
|
General Information |
|
How many attack signatures does this IDS have compared to its competitors? Don't take the vendor's word for it. Obtain the figures from each IDS vendor and compare the results yourself. |
|
Separate out the classic "denial of service attacks" such as: |
|
- Ping of Death
- Bonk
- Boink
- Jolt
- Land
- Teardrop
- Syndrop
- Nestea
- Fraggle
- Octopus
- Winnuke
|
Separate out port scanners from the rest of the signatures. How many signatures remain? Can the IDS support multiple network segments at varying speeds and interface types? |
|
- Ethernet 10/100 Meg
- Token Ring
- FDDI
|
Is the IDS available on your chosen platform? |
|
- Don't forget that you have to secure the underlying platform that the IDS will run on.
|
If this platform is not secure, a hacker could succeed in disabling the IDS. Does the IDS have any fault tolerance built in? |
|
- What happens if a hacker causes the IDS to crash?
- Can two IDS servers run in parallel with each other?
|
Features |
|
Can the IDS update its database with the latest signatures? |
|
- Automatic Update
- Manual Update
- Remote Update
|
Can the IDS reconfigure your firewall automatically? |
|
- Block traffic by IP address, network segment or traffic type.
|
Can the IDS reconfigure your router automatically? |
|
- Change ACL's on the router.
|
Management |
|
Can you control the IDS from remote? |
|
|
Can the Remote Console use strong encryption? |
|
- SSL (greater than 56 bit)
- Blowfish - 128bit
- PGP
|
Reporting |
|
Can the IDS: |
|
- Send an SNMP Trap
- Send an e-mail message
- Send a pager message
- Trigger an audio alarm
- Launch an application
- Log the attack
- Terminate the connection
|
Are all the reporting mechanisms encrypted? |
|
For example, when your IDS detects an intruder, can it send an encrypted e-mail message to the administrator? |
|
Conclusion |
|
Intrusion Detection Systems are an excellent line of defense in stopping hackers from breaking into your computer systems. However, as discussed, there are a number of safeguards that you should implement before you even think about installing an IDS. |
|
After you have installed a firewall and subscribed to a Vulnerabilities Database, you should weigh up the costs and the benefits of an IDS to your organization. However, if your organization depends on information and cannot survive if your systems are hacked then an IDS is essential. |
|
|
