Chapter 9. Intrusion Detection

This is the greatest case of false advertising I’ve seen since I sued the movie The Never Ending Story.

—Lionel Hutz The Simpsons

Your network is firewalled, your servers are locked down, and you feel good about the defensive posture of your environment. However, you do not yet have any idea about the actual attacks being launched against your systems. Are evil hackers using automated tools to scan your network and inventory all your services? Are malicious internal users attempting to break into your severs using known vulnerabilities to commit insider fraud? If they are, are they succeeding?

In order to find out the answers to these questions, you may turn to an Intrusion Detection System (IDS). An IDS is, at its most basic level, a program or host that looks for signs that a resource is being attacked.

No Magic Bullets

While deploying an IDS may seem like a good idea, there are some pitfalls that you should be aware of. It’s common to set up an IDS within an environment only to find out that its not as useful or efficient as you imagined it would be.

Monitoring an IDS

An IDS is no good in a vacuum. It’s a passive system that monitors traffic and can alert a user when an attack is detected. Unlike a firewall that actively drops or rejects traffic, an IDS only analyzes the traffic it receives. At some point, a human needs to be involved in the monitoring activities of an IDS to make it useful. It’s a bit like the old adage “if a tree falls in the woods ...

Get Mastering FreeBSD and OpenBSD Security now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.