[svlug] Looking for a NIDS...
dmasten at piratelabs.org
Tue Sep 4 20:42:01 PDT 2001
theotiwii at earthlink.net wrote:
> Thank you for your help. Perhaps someone could address a point you raised:
>>Then NIDS may not be for you. NIDS is a wildly complex beast that will take a lot of time to "get it right".
> How does one protect a network without a NIDS?
> - security hardening (i.e., Bastille, etc.)
> - shutdown unneeded services
And remove (or just don't install) those unnecessary services.
> - tighten firewall rules
Remember to deny all and then permit limited inbound AND limited
outbound. Also do copius logging of firewall activity.
> - run tripwire or similar clone
Tripwire (I have only used the ASR version) or other file integrity
system has proven to be far superior for finding a "compromise".
> For a small network, how else can one be appraised when the above procedures fail to prevent intrusion? Does a
> conscientious sysadm have to bite the bullet with a NIDS or have I missed a simpler solution?
System logs. The ideal setup is to send all logging data to the syslog
service on each machine, with the syslogd sending everything to both a
loghost and the appropriate files. The log host will put log data into
it's files and to a serial port, with an old system not attached to the
network attached to the log host serial port. The old system should have
a tape unit or other large portable storage device. Of course, this may
not always be possible or even desirable, but it should give you some
ideas about things to do for your system.
Check all logs regularly. Compare logs from different machines. diff the
logs from the serial capture machine and the log host.
The problem with NIDS is they are notorious for false positives and
false negatives. The false positives will annoy you so much that you
start ignoring alerts (unless you are not human), and you will never
know about the false negatives. The more you cut down on false positives
(by altering rules), the more likely to have false negatives. Seems to
be some sort of inverse rule.
David Masten |Information Security, Network & System Administration
KG6FNL |Rocket Engineer, Anarcho-Capitalist
Giving money and power to government is like giving whiskey and car keys
to teenage boys. -P.J. O'Rourke
More information about the svlug