A couple of years ago I made the decision to purchase an alarm system for my house. My reasoning was pretty simple: I thought that I had reached a point where I had acquired some decent stuff that I didn't want to lose. Now, I knew that the alarm system wouldn't necessarily keep someone from breaking into my house and taking everything, but I hoped that it would at least serve as some kind of early warning system that might help alert the police and thus allow them to arrive sooner, perhaps even enabling them to show up fast enough to actually stop anyone who might be in the act of breaking in. I went hunting last year, and my wife set the alarm off one morning while I was gone. The police showed up within two minutes of the initial phone call when unfortunately my wife could not recall the passphrase to use. Although she was quick to point out upon my return that this was my fault <grin>, I liked the knowledge that my investment in a home security alarm was not in vain.
Intrusion Detection Systems (IDS) differ from most of the other topics discussed in this book because, by and large, they are not something we deploy to prevent a security incident; much like a home alarm, they serve to alert the relevant people that something requiring attention is occurring. Intrusion Prevention Systems (IPS) build upon this foundation and take detection a step further: they sit in the traffic path and attempt to stop the incident from completing, preferably without user intervention.
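The distinction above (alert only versus alert and block) is easiest to see in code. The following is an added example, not code from the book or from any of the products it covers: a toy signature engine with a passive IDS mode and an inline IPS mode. The rule format, rule IDs, packets and addresses are all constructed for illustration and are not Snort syntax or real captured traffic.

```python
"""Added example (not from the book): a toy signature engine showing the
difference between IDS behaviour (look at a copy of the traffic, raise an
alert, never touch the packet) and IPS behaviour (sit inline, and drop the
packet that matched so it never reaches the host). The rules and packets
below are constructed for illustration; they are not Snort rules and not
real captured traffic."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int          # hypothetical rule id, modelled on Snort's sid numbering
    msg: str          # alert message
    dst_port: int     # destination port the rule applies to
    content: bytes    # byte pattern to look for in the payload


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed rules: a header (port) plus a content match. This mirrors the
# general shape of a signature but is not Snort syntax.
RULES = [
    Rule(1000001, "HTTP directory traversal attempt", 80, b"../.."),
    Rule(1000002, "SMB null session probe", 445, b"\x00\x00\x00\x00"),
]


@dataclass
class Sensor:
    """mode='ids': passive copy of traffic, alert only.
       mode='ips': inline, alert and drop the matching packet."""
    mode: str
    rules: list = field(default_factory=lambda: list(RULES))
    alerts: list = field(default_factory=list)

    def inspect(self, pkt):
        """Return the packet that is forwarded, or None if it was dropped."""
        for rule in self.rules:
            if pkt.dst_port == rule.dst_port and rule.content in pkt.payload:
                self.alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst))
                if self.mode == "ips":
                    return None    # inline: prevent delivery
                break              # passive: record it and let it through
        return pkt


def run(mode, packets):
    """Feed a packet stream through a sensor; return (alerts, delivered)."""
    sensor = Sensor(mode)
    delivered = [p for p in packets if sensor.inspect(p) is not None]
    return sensor.alerts, delivered


# Constructed sample traffic: one benign request and two that match a rule.
SAMPLE = [
    Packet("10.1.1.5", "10.1.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("192.0.2.7", "10.1.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("192.0.2.7", "10.1.2.20", 445, b"\x00\x00\x00\x00\xffSMB"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, delivered = run(mode, SAMPLE)
        print(f"{mode}: {len(alerts)} alert(s), "
              f"{len(delivered)} of {len(SAMPLE)} packets delivered")
```

In IDS mode both suspicious packets generate alerts but all three are delivered, which is exactly the home-alarm situation: the break-in still happens, someone just finds out about it quickly. In IPS mode the same two alerts are raised and only the benign packet reaches its destination. The cost of that extra step is that the sensor is now in the data path, so a false positive in IPS mode blocks legitimate traffic rather than merely paging someone.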
Because IDS/IPS serves more as an alarm system on a network than anything else, I approach this chapter a little differently from the rest. Whereas routers and firewalls, for example, have a number of tasks that can be performed to harden and secure them, an IDS/IPS serves mainly to passively monitor the network environment. Consequently, this chapter focuses on how IDS/IPS functions, how to design an IDS/IPS infrastructure, and how you can use IDS/IPS throughout your network environment to improve your security posture. For this chapter, I focus on the following IDS products:
Demarc Security PureSecure version 1.6 (www.demarc.com), a network IDS (NIDS) based on Snort (www.snort.com) running on Microsoft Windows (runs on Linux as well)
Cisco IDS 4210 Sensor version 4.1(3)S78 and Cisco VPN/Security Management Solution version 2.2 (www.cisco.com)