Maximum Wireless Security - page 121


Summary

VPNs take full advantage of the power of the Internet by creating secure, private networks contained within hostile public networks. If you are considering the deployment of wireless access points on your network, make sure that wireless users authenticate through a VPN.


Chapter 14. Intrusion Detection Systems

IN THIS CHAPTER

  • IDS Examples

  • Signature Scanners

  • IDS Theory

  • Sensitivity

  • Receiver Operating Characteristic Curves

  • Hacking Through IDSs

  • The Future of IDSs

  • Strict Anomaly Detection

  • Host Versus Network-Based IDSs

  • Geometric Display of Data

Intrusion detection systems (IDSs) provide an additional level of security for your wireless-enabled network. IDSs are not specific to wireless, but because of the growing demand for this information we have included a short chapter here for readers who take a holistic approach to network security.

By adding wireless access to your network, you are dramatically increasing your risk of compromise. To counter this increased threat, you should also consider adding additional layers of security for a defense in depth. A firewall and VPN (see Chapter 13, "Virtual Private Networks") might no longer be enough. Fortunately, a properly configured IDS can satisfy your demand for extra security by notifying you of suspected attacks.

This chapter will give an overview of IDSs, including their strengths and weaknesses. By understanding both the advantages and limitations of IDSs, you can more intelligently integrate them into your secure network design. To help you, we will provide some novel suggestions for choosing IDS technology and where to implement specific solutions in your network. Finally, we will take a look at the future of IDSs.


Log File Monitors

The simplest of IDSs, log file monitors, attempt to detect intrusions by parsing system event logs. For example, a basic log file monitor might grep (search) an Apache access.log file for characteristic /cgi-bin/ requests. This technology is limited in that it only detects logged events, and an attacker who has compromised the host can alter or delete those logs (one reason to forward logs to a separate, hardened host). In addition, such a system will miss low-level system events, because event logging is a relatively high-level operation.

Log file monitors are a prime example of host-based IDSs, because they primarily lend themselves to monitoring only one machine. In contrast, network-based IDSs typically scan the network at the packet level, directly off the wire like a sniffer. Network IDSs can correlate data across multiple hosts. As we will see in this chapter, each type can be advantageous in different situations.

One well-known log file monitor is Swatch (http://www.oit.ucsb.edu/~eta/swatch/), short for Simple WATCHer. Whereas most log analysis software only scans the logs periodically, Swatch can also follow a log file as it is written and report alerts in real time.

To install, first download the latest version of Swatch. Then, run the following:

perl Makefile.PL
make
make test
make install
make realclean

Swatch depends on several Perl modules that are not part of every Perl installation. If perl Makefile.PL warns about missing prerequisite modules, download and install them (for example, from CPAN) before running make, or the build and test steps will fail.

Swatch uses regular expressions to find lines of interest. When Swatch finds a line that matches a pattern, it takes one or more actions, such as printing the line to the screen, emailing an alert, or running a user-defined command.

The following is an excerpt from a sample Swatch configuration script.

watchfor   /[dD]enied|DEN.*ED/
        echo bold
        bell 3
        mail
        exec "/etc/call_pager 5551234 08"

In this example, Swatch looks for a line that contains the word denied or Denied, or anything that contains DEN followed later by ED (the | separates the alternatives in the regular expression). When it finds a line that matches one of the three search strings, it echoes the line in bold onto the terminal and sounds the bell (^G) three times. Then Swatch emails the user running Swatch (usually root) with the alert and executes the /etc/call_pager program with the given arguments. To watch a log in real time with this configuration, point Swatch at the configuration file and the log to follow, for example: swatch --config-file=/etc/swatchrc --tail-file=/var/log/messages
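The two ideas in this section, grepping an access log for /cgi-bin/ requests and the Swatch watchfor/action model, are small enough to show end to end. The following is an added example written for this page; it is not Swatch's code and not from the book. It implements a Swatch-style monitor: a table of rules (regular expression plus a list of action names), a scanner that applies every rule to every line and dispatches the actions, and a follower that tails a file for new lines. The rule set, the dispatch stand-ins (which print instead of mailing or paging) and the five log lines are all constructed for the example, as is the /etc/call_pager path reused from the book's configuration.

```python
"""Minimal Swatch-style log file monitor (added example, not Swatch's code)."""
import re
import sys
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List, Pattern

# Constructed sample input: two Apache access.log lines and three syslog
# lines, mixing benign traffic with the kinds of events a monitor should flag.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2003:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.7 - - [10/Oct/2003:13:55:41 -0700] "GET /cgi-bin/test-cgi?/etc/passwd HTTP/1.0" 404 209',
    'Oct 10 13:56:02 gw sshd[2211]: Connection closed by 198.51.100.5',
    'Oct 10 13:56:10 gw kernel: DENIED IN=eth0 SRC=198.51.100.9 DST=10.0.0.1 PROTO=TCP DPT=23',
    'Oct 10 13:56:12 gw su[2230]: pam_unix(su:auth): access denied for user guest',
]


@dataclass
class Rule:
    name: str
    pattern: Pattern          # compiled regex, equivalent to Swatch's watchfor /.../
    actions: List[str]        # Swatch-style action names: echo, bell, mail, exec ...


@dataclass
class Alert:
    rule: str
    line: str
    actions: List[str]


# Hypothetical rule set: the book's "denied" watchfor plus the /cgi-bin/ grep
# mentioned earlier in the section. The alternation (|) is what makes the first
# pattern match three different strings.
RULES = [
    Rule("denied", re.compile(r"[dD]enied|DEN.*ED"),
         ["echo bold", "bell 3", "mail", "exec /etc/call_pager 5551234 08"]),
    Rule("cgi-bin", re.compile(r'"(?:GET|POST|HEAD) /cgi-bin/'),
         ["echo", "mail"]),
]


def dispatch(action: str, line: str) -> None:
    """Stand-in for Swatch's actions: everything is printed locally.

    A real monitor would send mail or run the pager script for 'mail'/'exec';
    here those are only reported so the example runs offline.
    """
    words = action.split()
    if words[0] == "echo":
        print(line)
    elif words[0] == "bell":
        sys.stdout.write("\a" * int(words[1]))  # ^G, repeated as configured
    else:
        print(f"[{action}] {line}")


def scan(lines: Iterable[str], rules: List[Rule],
         dispatch_fn: Callable[[str, str], None] = dispatch) -> Iterator[Alert]:
    """Apply every rule to every line; one line may trigger several rules."""
    for raw in lines:
        line = raw.rstrip("\n")
        for rule in rules:
            if rule.pattern.search(line):
                for action in rule.actions:
                    dispatch_fn(action, line)
                yield Alert(rule.name, line, rule.actions)


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to `path` after the monitor starts (real-time mode).

    Starts at end of file so only new events are reported. It does not reopen
    the file after log rotation; a production monitor has to handle that.
    """
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python monitor.py /var/log/messages  (tails the file, Ctrl-C to stop)
        for _ in scan(follow(sys.argv[1]), RULES):
            pass
    else:
        for alert in scan(SAMPLE_LOG, RULES):
            print(f"rule={alert.rule} actions={alert.actions}")
```

On the sample lines the cgi-bin rule fires once (the test-cgi request) and the denied rule fires twice (the kernel DENIED line via DEN.*ED and the su line via [dD]enied); the benign index.html and sshd lines produce nothing. Because the scanner only ever sees what was written to the log, an attacker who can truncate the file after the fact leaves no trace for it to find, which is the limitation the section describes.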