9.1. No Magic Bullets


While deploying an IDS may seem like a good idea, there are some pitfalls that you should be aware of. It's common to set up an IDS within an environment only to find out that it's not as useful or efficient as you imagined it would be.

9.1.1. Monitoring an IDS

An IDS is no good in a vacuum. It's a passive system that monitors traffic and can alert a user when an attack is detected. Unlike a firewall that actively drops or rejects traffic, an IDS only analyzes the traffic it receives. At some point, a human needs to be involved in the monitoring activities of an IDS to make it useful. It's a bit like the old adage "if a tree falls in the woods and no one is around to hear it, does it make a noise?" If an IDS detects an attack and no one is monitoring it, does it do any good?

An IDS can generate an amazing number of alerts. From portscans to odd packets to actual attacks, an IDS requires sufficient horsepower and storage to operate. It is common for administrators to deploy old or second-hand equipment to run an IDS infrastructure. Unfortunately, this may cause more harm than good, as the admin will have to constantly fight with overloaded IDS sensors and central management hosts short on disk space. Keeping an IDS infrastructure up and running is a full-time job.

9.1.2. Responding to IDS Events

Once an event is detected by the IDS and an administrator is alerted, there should be some sort of reaction. The reaction could vary depending on what was detected by the IDS and the concerns of the IDS administrator. Some administrators ignore portscans, while others try to find the attack source and attempt to get the perpetrator taken off the network. For more serious and sustained attacks, such as a prolonged and invasive assault against a web server farm, the response may need to be more severe. Hosts may need to be taken off the network to be patched or rebuilt. Further, you may need to coordinate with other ISPs and law enforcement officials to pursue the attackers after the attack has stopped.

Ideally, successful attacks against your systems will be relatively few and far between. If you have reasonable firewall rules, properly patch and configure your COTS and open source software, adhere to secure administration techniques, and build your internally developed software reasonably well, most attacks from the public Internet will simply bounce off your hull. Whether or not you choose to respond to unsuccessful attacks is entirely up to you. While tracking down attackers may make the Internet as a whole a safer place, it may not make your own network demonstrably more secure. As you read the rest of this chapter and learn how to deploy a BSD-based IDS, you should consider where your threshold for reaction to IDS events will be. Maybe portscans are okay but vulnerability scans are too much. Make this a conscious decision before you go any further.
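One way to make that reaction threshold a conscious, written-down decision is to encode it as a triage policy that runs over the sensor's alert log before a human ever looks at it. The following is an added example and is not code from the book or from any IDS project; the alert lines are constructed in Snort's one-line "fast" alert layout with made-up rule ids and addresses, and the tier assignments in the policy tables are assumptions for illustration, not recommendations from the text. Each alert is parsed, mapped to a reaction tier by its classification (falling back to its priority when a preprocessor event carries no classification), and bucketed so that only events at or above the tier you chose are surfaced to a person.

```python
"""Triage IDS alerts against a pre-decided reaction policy.

Added example (not from the book). Alert lines are constructed samples in
Snort's "fast" alert format; rule ids, hosts and the policy are made up.
"""
import re
from collections import Counter

# Constructed sample alerts. Timestamps, sids and addresses are illustrative only.
SAMPLE_ALERTS = [
    "03/01-10:02:11.000001  [**] [1:9000001:1] SCAN nmap TCP [**] "
    "[Classification: Detection of a Network Scan] [Priority: 3] {TCP} 203.0.113.7:55000 -> 192.0.2.10:22",
    "03/01-10:02:12.000002  [**] [1:9000002:1] WEB-MISC /etc/passwd access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:55010 -> 192.0.2.10:80",
    "03/01-10:03:40.000003  [**] [1:9000003:1] EXPLOIT ssh overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:4022 -> 192.0.2.11:22",
    "03/01-10:04:00.000004  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.12",
    "this line is not an alert",
]

# Fields of a fast-format alert; the Classification block is optional because
# preprocessor events may omit it.
ALERT_RE = re.compile(r"""
    ^(?P<ts>\S+)\s+\[\*\*\]\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.+?)\s+\[\*\*\]\s+
    (?:\[Classification:\s(?P<cls>[^\]]+)\]\s+)?
    \[Priority:\s(?P<pri>\d+)\]\s+
    \{(?P<proto>[^}]+)\}\s+
    (?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$
""", re.VERBOSE)

# Reaction tiers, least to most reaction.
TIERS = ("ignore", "log", "notify", "respond")

# Assumed policy: classification -> tier. Adjust to your own threshold.
POLICY_BY_CLASS = {
    "Detection of a Network Scan": "log",                   # portscans: record, don't page
    "Attempted Information Leak": "notify",                 # recon probes: someone reviews
    "Web Application Attack": "notify",                     # vulnerability probing: someone reviews
    "Attempted Administrator Privilege Gain": "respond",    # exploit attempt: act now
}
# Fallback for alerts with no classification, keyed on Snort priority (1 = highest).
POLICY_BY_PRIORITY = {1: "respond", 2: "notify", 3: "log"}


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["pri"] = int(alert["pri"])
    return alert


def reaction_for(alert):
    """Map one parsed alert to a tier using classification first, then priority."""
    cls = alert.get("cls")
    if cls in POLICY_BY_CLASS:
        return POLICY_BY_CLASS[cls]
    return POLICY_BY_PRIORITY.get(alert["pri"], "ignore")


def triage(lines):
    """Bucket alert lines by tier; also return lines that failed to parse."""
    buckets = {tier: [] for tier in TIERS}
    unparsed = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed.append(line)
            continue
        buckets[reaction_for(alert)].append(alert)
    return buckets, unparsed


def source_summary(buckets, minimum="notify"):
    """Count alerts per source host at or above the given tier (port stripped)."""
    floor = TIERS.index(minimum)
    counts = Counter()
    for tier in TIERS[floor:]:
        for alert in buckets[tier]:
            counts[alert["src"].rsplit(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    buckets, unparsed = triage(SAMPLE_ALERTS)
    for tier in reversed(TIERS):
        for alert in buckets[tier]:
            print(f"{tier:8} {alert['src']} -> {alert['dst']}  {alert['msg']}")
    print("unparsed lines:", len(unparsed))
    print("hosts needing attention:", dict(source_summary(buckets)))
```

Run as-is to see the constructed alerts sorted into tiers; in practice you would feed it the sensor's alert file and route the `respond` bucket to whoever is on call. The point of the two policy tables is that the threshold lives in one reviewable place: lowering the portscan entry to `ignore` or raising the web-attack entry to `respond` is a deliberate edit, not a judgement made at 3 a.m. while staring at a full alert log.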

At the end of the day, your IDS should help make your network a safer place. A general way to think about this is a pyramid of needs similar to Maslow's pyramid of human needs. Maslow's pyramid postulates that humans must have basic needs met before they can perform more advanced social functions. For instance, if you do not have food and shelter, you will not be able to love and be a selfless part of society. With respect to security, maintaining and responding to an IDS event is toward the top of an IT security needs pyramid. At the base of the pyramid are secure configuration and patching practices. A bit further up the IT security pyramid is maintaining a firewall and secure system administration procedures. The next step on the pyramid is IDS and similar technologies. While useful for maintaining a secure environment, an IDS may not be necessary. And if the IDS is taking you away from fulfilling your more basic IT security needs, you may want to reconsider your decision to deploy an IDS. In fact, for many small to mid-size organizations, IDS may not make economic sense. Figure 9-1 shows a notional IT security pyramid. While the exact details of what is at each level of the pyramid may vary from enterprise to enterprise, the concept of having a solid security foundation before pondering IDS deployment is imperative.

Figure 9-1. Notional IT security needs pyramid


Mastering FreeBSD and OpenBSD Security