Selecting the Correct Host for an IDS


Assuming that an intrusion detection system has been chosen according to the recommendations in Chapter 9, and that the network location for installing the system has also been chosen, you now need to purchase the selected IDS, select the correct hardware and software platforms for it (only for a network-level intrusion detection system), and install and configure the hardware, software, etc. Therefore, you must perform all the steps described in Chapter 8.

Choosing the Platform

Network-level intrusion detection systems - with the exception of systems such as Cisco's Catalyst 6500 IDS Module, which is integrated into the network equipment - can run on two types of hardware platforms:

  • A standard, general-purpose computer

  • A specialized computer, known as a security appliance

Currently, the first solution is the most common and the most attractive, due to the commonly held opinion that, in this case, all you need to do is purchase the IDS software and install it on any suitable computer within the organization. In practice, however, it is quite difficult to find a free computer that satisfies the demanding system requirements of an IDS. For this reason, the computer on which the IDS software is to be installed must be purchased along with the IDS itself. Installing and configuring the operating system must follow this - which also costs time and money. Only after these steps can IDS installation proceed. In other words, using a standard PC for installing an IDS is not as simple as it may seem at first.

For this reason, specialized solutions, known as security appliances, have recently become more popular. These solutions are a combination of software and hardware, stripped of unnecessary functionality and optimized to perform a specific set of tasks. They are run either by a general-purpose or specialized operating system. (As a rule, such specialized operating systems are based on FreeBSD or Linux.) Specialized solutions provide several advantages, including:

  • Simplicity and ease of implementation. Since practically all devices of this type are supplied with a pre-installed operating system and preconfigured security mechanisms, it is usually sufficient to connect them to the network (a process that usually takes no longer than a few minutes). Although most devices will still require fine-tuning, the time taken will be significantly shorter than installing and configuring the system from scratch would take.

  • Performance. Because all unnecessary services and subsystems are eliminated, the device operates more efficiently and more reliably in terms of overall performance.

  • Fault tolerance and high availability. IDSs on specialized machines allow the implementation of fault tolerance and high availability on the level of both software and hardware. Moreover, such devices can be joined into clusters fairly easily.

  • Security focus. Solving network-security problems does not necessarily involve the extensive use of resources needed to perform other functions, such as routing. Trying to create a universal device to solve several tasks with the same, fairly high level of efficiency does not usually produce a good result.

Currently, many vendors supply devices that are more or less universal. For example:

  • Cisco Systems - IDS 4210 Sensor, IDS 4235 Sensor, IDS 4250 Sensor (Fig. 11.1)

    Fig. 11.1. Cisco IDS 4200

  • Internet Security Systems - RealSecure for Nokia (Fig. 11.2)

    Fig. 11.2. RealSecure for Nokia (based on IP740, IP710, IP530, IP330, IP120, IP71, IP51, and IP30)

  • Intrusion.com - SecureNet 7000 (Fig. 11.3), SecureNet 5000, SecureNet 2000

    Fig. 11.3. SecureNet 7000

  • NFR - NID-320, NID-315, NID-310 (Fig. 11.4)

    Fig. 11.4. The NID 300 family

  • Enterasys Networks - Dragon Appliance (based on Intel NetStructure Appliance)

Some manufacturers, such as ISS and NFR, also supply combinations of hardware and software solutions, while others, such as Cisco, concentrate exclusively on hardware solutions.

According to a report published by the Gartner Group in June 1997, by the end of 2002, about 80 percent of companies with a yearly revenue of between $20,000 and $200 million will choose custom solutions over universal ones. The main advantage of these solutions lies in the fact that custom solutions provide the same level of security as universal solutions, but are less expensive. The simplicity and ease of use of custom solutions are other advantages that simplify their integration into a pre-existing corporate network. Finally, such devices can easily be mounted in a 19-inch rack, which makes it easy to place them in communication racks alongside other network equipment. Therefore, the Total Cost of Ownership is significantly lower than for non-custom solutions. At present, most manufacturers are promoting custom solutions.

However, it must be pointed out that, for most small businesses, custom, hardware-based solutions are still rather expensive, even taking into account the above-listed advantages. (Table 11.1 provides a comparison of the advantages and drawbacks of such systems.) This is largely because most companies still do not purchase a separate computer in order to install an IDS, but instead use existing equipment. Furthermore, the software installed on such a computer is often not licensed. It is hoped that this situation will improve over time.

Table 11.1. Comparison of Universal and Specialized Intrusion Detection Platforms

                 General-purpose computer           Specialized computer
  Advantages     Unlimited extensibility            High performance
                                                    Simplicity of deployment and implementation
                                                    Ease of use
                                                    Fault tolerance
  Drawbacks      Average performance                Minimal extensibility
                 Operating system vulnerability
                 Low level of fault tolerance

It is very important to note here that a specialized computer is not the same thing as a router that performs some IDS functions (such as Cisco's IOS Firewall Feature Set). For router manufacturers, improving traffic speed and traffic optimization always have priority - only after these are accomplished is it possible to try to implement security functions. Because of this, when choosing between routing and security, a developer always chooses in favor of routing. Practical experience has shown that implementing built-in security mechanisms on routers actually significantly decreases performance. Security functions will be limited if a manufacturer cannot afford to include them. (Cisco's IOS Firewall Feature Set is based upon this principle. In contrast to its "elder brother," the IDS 4200, it identifies only the 59 most common types of attacks. A similar situation is found when implementing security functions in switches.)

Using a Dedicated Host

The best practice is to install the IDS's network sensor and network-level security scanner on dedicated hosts. This improves sensor performance and protects both the system and its data from unauthorized access. The network sensor and the management console must be run on different computers, since both are intensive users of processing and RAM resources. A host specially designated for the IDS also allows it to be used in stealth mode (the monitoring interface carries no IP address and so cannot be addressed from the monitored segment), which significantly strengthens its security.

It is also good to assign dedicated hosts as system consoles, since otherwise the chances of a successful attack on them increase significantly. However, it is possible to combine the management consoles of several security systems - including IDSs, security scanners, firewalls, etc. - on one computer. For example, I took part in a project in which one host was used for the management consoles of the following security systems: Internet Scanner security scanner, RealSecure IDS (this was before the arrival of the RealSecure SiteProtector centralized management system), the Check Point Firewall-1 firewall, and the Cisco Secure Policy Manager system, which controlled the Cisco IDS 4200 IDS and Cisco PIX Firewall.
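A dedicated sensor host is only as "stealthy" as its monitoring interface configuration. The following POSIX shell check, added here as an example and not taken from the book or from any vendor's product, audits the output of `ip addr show` for a monitoring port: it must be up, promiscuous, ARP-disabled, and carry no IPv4 or IPv6 address. The interface name and the sample `ip` output are constructed for illustration.

```shell
#!/bin/sh
# Audit whether a sensor's monitoring interface is configured for stealth
# operation (no IP address, promiscuous, no ARP), so the sensor cannot be
# addressed on the segment it watches. Added example; eth1 and the sample
# output below are constructed, not from the book.

# is_stealth_iface IP_ADDR_SHOW_OUTPUT
# Takes the text of `ip addr show dev <iface>`; returns 0 when the interface
# looks stealthy, 1 otherwise. Parsing is kept separate from running the
# command so the check can be exercised offline.
is_stealth_iface() {
    out="$1"
    # Flags are listed inside <...> on the first line, comma-separated.
    printf '%s\n' "$out" | grep -q 'PROMISC'     || return 1
    printf '%s\n' "$out" | grep -q 'NOARP'       || return 1
    printf '%s\n' "$out" | grep -q '[<,]UP[,>]'  || return 1
    # Any inet/inet6 line means the sensor is reachable on this segment.
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*inet6? ' && return 1
    return 0
}

# audit_live_iface IFACE: run the same check against a real interface.
audit_live_iface() {
    is_stealth_iface "$(ip addr show dev "$1" 2>/dev/null)"
}

# Constructed samples: a correctly configured monitoring port, and one that
# still carries an address (a common misconfiguration after reusing a host).
GOOD_SAMPLE='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
BAD_SAMPLE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'

# Usage: sh stealth_check.sh eth1
if [ -n "${1:-}" ]; then
    if audit_live_iface "$1"; then
        echo "$1: stealth configuration OK"
    else
        echo "$1: NOT stealth (address present, or PROMISC/NOARP/UP missing)"
    fi
fi
```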

Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152