9.3. NIDS on BSD


If you finally decide to deploy NIDS, the next natural set of questions involves choosing the right IDS software or hardware capable of handling the traffic, and the core operating system to run. If you are reading this book, you may be considering an OpenBSD or FreeBSD-based IDS. Some commercial NIDS are based on a BSD operating system but are not available directly for FreeBSD or OpenBSD. For instance, RealSecure's Network Sensor runs under Windows, Red Hat, Solaris, or Nokia's IPSO operating system. Nokia's IPSO is really a BSD-based operating system that looks a great deal like FreeBSD under the hood. However, Network Sensor is not available directly for FreeBSD.

A NIDS sensor is a security device. As such, it needs to be configured with security in mind and to withstand potential attacks. If an attacker discovers an IDS sensor on a network she is attempting to exploit, she will likely attempt to either subvert or disable the sensor. Therefore, the overall security of the sensor itself is crucial. A natural choice when security is a key motivator is OpenBSD. OpenBSD is commonly deployed as an IDS sensor and there is a large amount of community support.

FreeBSD is also a good choice for a NIDS sensor. While FreeBSD does not have the serious security overtones that OpenBSD does, FreeBSD's focus on performance and stability makes it attractive for NIDS use. A NIDS may become a mission-critical part of your security infrastructure. As such, the network performance, advanced hardware support, and maintainability make FreeBSD a solid choice for more advanced enterprises with more diverse NIDS needs.



    Mastering FreeBSD and OpenBSD Security
    Practical Guide to Software Quality Management (Artech House Computing Library)
    ISBN: 596006268
    EAN: 2147483647
    Year: 2003
    Pages: 142
    Authors: John W. Horch
