[svlug] Looking for a NIDS...
David Masten
dmasten at piratelabs.org
Tue Sep 4 20:42:01 PDT 2001
theotiwii at earthlink.net wrote:
> David:
>
> Thank you for your help. Perhaps someone could address a point you raised:
>
>
>>Then NIDS may not be for you. NIDS is a wildly complex beast that will take a lot of time to "get it right".
>>
>
> How does one protect a network without a NIDS?
>
> - security hardening (i.e., Bastille, etc.)
> - shutdown unneeded services
And remove (or just don't install) those unnecessary services.
> - tighten firewall rules
Remember to deny all and then permit limited inbound AND limited
outbound. Also do copious logging of firewall activity.
> - run tripwire or similar clone
>
Tripwire (I have only used the ASR version) or other file integrity
system has proven to be far superior for finding a "compromise".
> For a small network, how else can one be apprised when the above procedures fail to prevent intrusion? Does a
> conscientious sysadm have to bite the bullet with a NIDS or have I missed a simpler solution?
>
System logs. The ideal setup is to send all logging data to the syslog
service on each machine, with the syslogd sending everything to both a
loghost and the appropriate files. The log host will put log data into
its files and to a serial port, with an old system not attached to the
network attached to the log host serial port. The old system should have
a tape unit or other large portable storage device. Of course, this may
not always be possible or even desirable, but it should give you some
ideas about things to do for your system.
Check all logs regularly. Compare logs from different machines. diff the
logs from the serial capture machine and the log host.
The problem with NIDS is they are notorious for false positives and
false negatives. The false positives will annoy you so much that you
start ignoring alerts (unless you are not human), and you will never
know about the false negatives. The more you cut down on false positives
(by altering rules), the more likely to have false negatives. Seems to
be some sort of inverse rule.
--
David Masten |Information Security, Network & System Administration
KG6FNL |Rocket Engineer, Anarcho-Capitalist
Giving money and power to government is like giving whiskey and car keys
to teenage boys. -P.J. O'Rourke
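The post's last practical suggestion is to diff the logs from the serial-capture machine against the loghost's own files. The script below is an added example, not code from the original post or from any project mentioned in it. It assumes the loghost writes plain BSD-style syslog lines and that the offline serial capture contains the same lines; the two sample captures are constructed for the example (hostnames, PIDs and addresses are placeholders). The comparison is a multiset diff rather than a set diff, so repeated identical lines (such as retried logins) are counted and a single deleted copy still shows up.

```python
"""Reconcile a write-once serial syslog capture with the loghost's copy.

Added example, not part of the original mailing-list post. An intruder who
gets root on the loghost can edit its files but cannot reach the offline
capture machine, so any line present in the capture but absent from the
loghost file is worth investigating. Sample log lines are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: what the offline serial-capture machine recorded.
SERIAL_CAPTURE = """\
Sep  4 20:31:02 web1 sshd[4311]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Sep  4 20:31:40 web1 sshd[4320]: Failed password for root from 192.0.2.77 port 40211 ssh2
Sep  4 20:31:41 web1 sshd[4320]: Failed password for root from 192.0.2.77 port 40211 ssh2
Sep  4 20:31:42 web1 sshd[4320]: Accepted password for root from 192.0.2.77 port 40211 ssh2
Sep  4 20:33:10 web1 su: (to root) www on /dev/pts/2
Sep  4 20:35:55 fw0 kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP DPT=23
"""

# Constructed sample: the loghost's file for the same period, read after the
# fact. Two captured lines are gone and one has been rewritten.
LOGHOST_FILE = """\
Sep  4 20:31:02 web1 sshd[4311]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Sep  4 20:31:40 web1 sshd[4320]: Failed password for root from 192.0.2.77 port 40211 ssh2
Sep  4 20:31:42 web1 sshd[4320]: Accepted password for admin from 10.0.0.5 port 40211 ssh2
Sep  4 20:35:55 fw0 kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP DPT=23
"""


def _lines(text: str) -> list[str]:
    """Split a capture into non-empty lines, keeping their original order."""
    return [ln for ln in text.splitlines() if ln.strip()]


@dataclass
class Report:
    # Lines the serial capture saw that the loghost file no longer contains.
    missing_from_loghost: list[str] = field(default_factory=list)
    # Lines on the loghost that the serial capture never saw (altered/injected).
    not_in_capture: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not self.missing_from_loghost and not self.not_in_capture


def reconcile(capture_text: str, loghost_text: str) -> Report:
    """Multiset diff of the two logs, reported in chronological order."""
    cap, host = _lines(capture_text), _lines(loghost_text)
    # Counter subtraction keeps only positive counts, so identical repeated
    # lines are compared by multiplicity rather than collapsed to one.
    missing = Counter(cap) - Counter(host)
    extra = Counter(host) - Counter(cap)
    report = Report()
    for ln in cap:  # walk the original so output keeps capture order
        if missing[ln] > 0:
            report.missing_from_loghost.append(ln)
            missing[ln] -= 1
    for ln in host:
        if extra[ln] > 0:
            report.not_in_capture.append(ln)
            extra[ln] -= 1
    return report


def syslog_host(line: str) -> str:
    """Hostname field of a classic BSD-syslog line: 'Mon DD HH:MM:SS host tag: msg'."""
    return line.split()[3]


def hosts_with_gaps(report: Report) -> Counter:
    """How many captured lines vanished from the loghost, per originating host."""
    return Counter(syslog_host(ln) for ln in report.missing_from_loghost)


if __name__ == "__main__":
    rep = reconcile(SERIAL_CAPTURE, LOGHOST_FILE)
    print("loghost matches serial capture" if rep.is_clean() else "MISMATCH")
    for ln in rep.missing_from_loghost:
        print("missing on loghost:", ln)
    for ln in rep.not_in_capture:
        print("not in capture:   ", ln)
    print("gaps per host:", dict(hosts_with_gaps(rep)))
```

Run against real data, feed it the serial capture for a day and the matching slice of the loghost's file; a non-empty `missing_from_loghost` on a host is the signal the post describes, and `not_in_capture` catches lines that were rewritten in place rather than simply deleted.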