Chapter 9: Selecting an Intrusion Detection System


Overview

One should recruit one's army, reflecting that "such is the army of my enemy; and this is my army to oppose it."

Kautilya, "Arthashastra".

In previous chapters, we discussed various aspects of intrusion detection technology. That was pure theory. Now it is time to apply this knowledge by choosing the technology that will allow you to efficiently detect and stop various attacks. In this chapter, I'll describe the criteria for evaluating intrusion detection systems and consider what questions you need to ask an IDS vendor when purchasing such a system. Then we will discuss techniques for testing the purchased system [Edwards1-97].

Promotional materials for such systems usually specify the attacks they can detect. However, these materials rarely provide information on the resources (time, money, and staff) required to make the system run smoothly and perform its declared functions efficiently. It is important to formulate these questions before you purchase the system. Otherwise, you could end up with a system that is able to perform its function and does offer all of the capabilities it claims - just not in your network environment.

Real-World Example 

Here is a case from my own experience. One of the top managers of a large organization had heard about a well-known intrusion detection system. He ordered that this system be purchased, only to discover after this was done that his IS specialists found the system useless for their particular organization! The sales representative for the product had stated at a seminar that the system detects TCP/IP attacks, including those directed at Novell NetWare networks. However, in the organization's network, the IPX/SPX stack, and not TCP/IP, was used as the primary protocol stack, rendering many of the system's features useless.

Only testing and qualified assistance from specialized companies will allow you to determine whether a particular system actually meets your requirements for an intrusion detection system. Such requirements include the time needed to put the system into operation, Total Cost of Ownership (TCO), system performance, etc.

The first problem you need to solve before installing an intrusion detection system is determining where it must be installed and what tasks it will perform. Without clear answers to these questions, even the most advanced and efficient tool is practically useless. Having determined this, you will have a clear understanding of which technology is preferable in your particular case - intrusion detection at the network, OS, DBMS, or application level. You will probably find a use for each of these technologies in different segments of your corporate network. However, before purchasing an intrusion detection system, you must have a solid understanding of what you are going to protect, from whom, and how.

Regardless of the chosen intrusion detection system, you will need to consider the following aspects, most of which should already be described in the network map:

  • Protected resources

  • The most likely attacks

  • Objects (protocols, addresses, ports, files, etc.) accessible from outside

  • Subjects (users, applications, etc.) using the protected resource

  • Availability and performance parameters for the protected resource

  • Who will manage the intrusion detection system and how

  • Scales of potential growth for the protected resource and, consequently, the scalability potential of the chosen intrusion detection system

This will enable you to quickly and correctly install and configure the intrusion detection system you purchase.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
