Where to deploy?
|
Intruder alert:
Intrusion Detection Systems 1. IDS types 2. Intruders, responses and how well do they work? 3. IDS vs IPS 4. Where to deploy? About RMIT Test Labs |
Depending on your security practices and topology, you'll typically consider four areas for monitoring. These are as follows:
- Network perimeterâ€"This includes any entry/exit point, such as on both sides of the firewall, dial-up servers, and on links to any collaborative networks. These links tend to be low-bandwidth and are usually the entry point of an external attack.
- WAN backboneâ€"This is a frequent area of unauthorised activity.
- Server farmsâ€"Servers are generally placed on their own network segments and connected to switches. The problem with placing a sensor in this location is that IDS systems cannot keep up with high-volume traffic. If traffic is too high to monitor all of your servers, choose the targets of highest value and install sensors to monitor those specific targets.
- LAN backbonesâ€"IDSes are usually impractical for LAN backbones because of their high amount of traffic.
When deciding where to deploy your sensor(s), consider what is most valuable and the attacker's most logical avenue of approach. You also need to make sure that your IDS doesn't degrade the performance of the network segment that you're monitoring.
Software-based IDS
A software-based IDS is a solution that you load on a compatible operating system to monitor and respond to network activity. An example of a software IDS is Internet Security Systems' RealSecure. Its system consists of two major elements:
- The RealSecure Sensor is software that you load and configure on a platform to provide broad-based detection, prevention, and response for attacks and misuse that originate from across a network. It sends automatic responses to improper activity and logs events to a database, and it can block/terminate a connection, send an e-mail, suspend or disable an account, and create a user-defined alert.
- TheRealSecure SiteProtector is the software-based management platform. SiteProtector unifies the management of RealSecure IDS sensors and allows grouping of these sensors to provide real-time internal and external correlation of threats. The RealSecure SiteProtector also enables you to operate and monitor remote sensors and respond to identified intrusions.
IDS appliances
IDS appliances are complete and fully loaded systems that require no additional hardware or software to monitor the network segments. An example of an IDS appliance is Cisco IDS (formerly known as NetRanger). This system consists of two major elements:
- The Secure IDS Sensor is the appliance that you place at a specific connection to be monitored on your network, or you can install several appliances to monitor multiple locations. It detects unauthorised activity navigating the network by analysing traffic against rules-based signature files. When unauthorised activity is detected, the sensor can send alarms to a management console with details of the activity and can control other systems, such as routers, to terminate the unauthorised session(s).
- The Secure IDS Director is a software-based management system that centrally monitors the activity of single or multiple Cisco Secure IDS sensors located on local or remote network segments. The Cisco Secure IDS Director allows network and security technicians to quickly pinpoint the location and type of attack, qualify its severity, and instantly respond.
- Cisco
IDS V4.0
www.cisco.com - Computer Associates
eTrust Intrusion Detection
www.ca.com - Enterasys
Dragon 6
www.enterasys.com - ISS
RealSecure Network Sensor 7.0
www.iss.net - Snort (Free)
Open Source Network Intrusion Detec. www.snort.org
- Symantec
Host Intrusion Detection System
www.symantec.com - Tripwire
Host-based IDS
www.tripwiresecurity.com
Subscribe now to Australian Technology & Business magazine.
10%
8%
You have miss-spelled organisation, authorised, unauthorised, analysing, & analyse which should be organization, authorized, unauthorized, analyzing, & analyze. Just thought you should know, doesn't look very good or very professional.