Comprehensive Monitoring


Comprehensive monitoring systems, often called host-based intrusion detection systems, monitor a variety of system attributes to determine when a security incident occurs. In addition to monitoring the individual systems, they can correlate information from any of these sources and infer security breaches from the combined data.

Detection software is key to keeping the system secure. It should monitor the integrity of the system as well as activities that could be considered suspicious. Detection software should be configurable so the level of detail can be adjusted.

You have to capture a reasonable amount of data, enough to be useful but not so much that you are overwhelmed, and store it for a reasonable amount of time on off-line storage. The off-line storage of security logs needs its own media, separate from backups, and its own reuse cycle, because security logs have different recovery needs from other data.

You must have rapid detection to facilitate rapid notification and response. The sooner you are able to identify that your system has been compromised, the less there will be to clean up and the easier it will be to get the hackers off the system.

HP Intrusion Detection System / 9000 (J5083AA)

HP provides its intrusion detection system free of charge for HP-UX 11i. The HP Intrusion Detection System (IDS/9000) enhances local host-level security by automatically monitoring each configured host for signs of unwanted and potentially damaging intrusions. IDS/9000 concentrates on detection and alarming for the HP-UX 11 operating environment at the kernel audit data level of the operating system. IDS/9000 can monitor one or more HP-UX systems for users or applications that try to break security.

When the IDS/9000 is installed, it immediately provides intrusion detection. Pre-planned detection templates, surveillance groups, surveillance schedules, and alerts are built into the system, making basic detection and alerting available immediately. IDS/9000 continuously monitors for patterns of suspicious activities which suggest that security breaches or misuses are underway. When it detects a potential intrusion, it alerts immediately and creates audit events. The alert also has the ability to execute any HP-UX command or program. IDS/9000 uses a variety of data sources to determine misuses, including:

  • Kernel audit data, generated by the trusted component of the operating system, provide secure and robust data on the use of kernel functions.

  • System logs provide information about access to the system, utilization of network services, and the use of system utilities.

  • Application logs record activity and utilization, which enables detection of well-known attacks.

It detects a variety of exploits, such as unauthorized access, modification of user resources, virus infections, privilege violations, Trojan horses, and "root" exploits. System conditions that can indicate misuse are race conditions, buffer overflows, unusual system states, and unusual daemon behavior. All communications within IDS/9000 are secure and are built upon the Secure Socket Layer (SSL) protocol to protect the client/server messaging.
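The correlation idea described above (system logs and kernel audit data combined to infer a breach that neither source shows on its own), as an added example that is not from the book or from HP's IDS/9000: a small Python rule that flags a successful login preceded by repeated failures from the same source and followed by a write to a sensitive file by that user. The log lines, audit records, paths and time windows are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not real data): sshd system-log lines and kernel audit records (ts, user, syscall, path).
SYSTEM_LOG = [
    "Mar 10 02:14:01 hostA sshd[811]: Failed password for root from 10.0.0.7 port 4011",
    "Mar 10 02:14:03 hostA sshd[811]: Failed password for root from 10.0.0.7 port 4012",
    "Mar 10 02:14:05 hostA sshd[811]: Failed password for root from 10.0.0.7 port 4013",
    "Mar 10 02:14:09 hostA sshd[813]: Accepted password for root from 10.0.0.7 port 4014",
    "Mar 10 02:14:30 hostA sshd[815]: Accepted password for alice from 10.0.0.9 port 4020",
]
KERNEL_AUDIT = [
    ("Mar 10 02:14:20", "root", "open(O_WRONLY)", "/etc/passwd"),
    ("Mar 10 02:14:31", "alice", "open(O_RDONLY)", "/etc/passwd"),
]
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow"}
LOGIN_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                      r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def parse_ts(text):
    # Syslog timestamps carry no year; a fixed year is fine for ordering and deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def parse_system_log(lines):
    """Normalise sshd lines into (time, result, user, src) tuples; ignore other lines."""
    return [(parse_ts(m["ts"]), m["result"], m["user"], m["src"])
            for m in map(LOGIN_RE.match, lines) if m]

def correlate(system_log, kernel_audit, min_failures=3,
              before=timedelta(seconds=60), after=timedelta(seconds=120)):
    """Alert when >= min_failures failed logins from one source precede a success
    for the same user, and that user then writes a sensitive file within `after`."""
    logins = parse_system_log(system_log)
    alerts = []
    for t, result, user, src in logins:
        if result != "Accepted":
            continue
        failures = [e for e in logins if e[1:] == ("Failed", user, src)
                    and t - before <= e[0] < t]
        if len(failures) < min_failures:
            continue
        writes = [path for ts, who, call, path in kernel_audit
                  if who == user and path in SENSITIVE_PATHS and "O_WRONLY" in call
                  and t <= parse_ts(ts) <= t + after]
        if writes:
            alerts.append({"user": user, "src": src, "failures": len(failures),
                           "paths": writes})
    return alerts
```

The alice login produces no alert: it has no preceding failures and her audit record is a read, which is the point of correlating the two sources rather than alarming on either alone.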

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
