 |
|
|
|
|
 |
CertiGuide to Security+ 9 Chapter 3: Infrastructure Security (Domain 3.0; 20%) 9 3.1 Devices 9 3.1.9 IDS (Intrusion Detection System) |
|
Which One Should I Get?
In June 2003 the research group Gartner declared IDS a failure291, notably due to the ‘false positive issue, as seen in a few paragraphs. As the number of TCP network intrusions has increased over the years, more and more IDS’s have been developed, both commercial and non-commercial. As with firewalls, commercial IDS packages can be pricey. Examples of commercial intrusion detection systems you might want to research include:
- RealSecure, by Internet Security Systems 292
- Dragon, by Enterasys 293
- NFR, by Network Flight Recorder 294 (also available in a free research version)
The most popular open source network IDS, and possibly the most popular one period, is Snort295. SANS Intrusion Detection wizard Stephen Northcutt calls it, “the most advanced intrusion detection system money cannot buy.”296 Additionally, a comprehensive list of public domain and shareware IDS software can be found at the COAST Intrusion Detection System Resources site297.
If you don’t require network-wide monitoring for suspicious activity, check out the following host-specific IDS options, which are only some of the packages in the growing category of freeware, sometimes-open source, IDS’s:
- Tripwire, by the Tripwire open source team298 (also available in a commercial version)
- Tcpwrappers, by Wietse Venema299
- PortSentry, by Psionic Technologies300
- AIDE (Advanced Intrusion Detection Environment)301
The different IDSs have subtly different capabilities, strengths and weaknesses, so before committing to one, do your research! Make sure that the one you’ve selected does in fact detect the kinds of intrusions you care about, and that the system is able to respond with the types of actions you need. For example, if you need for the system to dial a pager, make sure that it can do these or at least that you can find a pager dialing program out on the net (they’re there…) and that the system can run it.
Be cautious in reading reviews. This industry is evolving rapidly, what with new “cracking” techniques constantly being developed, and new detection measures being created to identify them, so review comments true about the last version of a package may or may not still apply to the current version. When in doubt, check with the vendor.
__________________
291. http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp
292. http://www.iss.net
293. http://www.enterasys.com/ids/
294. http://www.nfr.com/
295. http://www.snort.org
296. Northcutt, Stephen, Donald McLachlan, Judy Novack, Network Intrusion Detection: An Analyst’s Handbook (2nd Edition), New Riders.
297. http://www.cs.purdue.edu/coast/ids
298. http://www.tripwire.com
299. ftp://ftp.porcupine.org/pub/security/index.html
300. http://www.psionic.com/products/
301. http://www.cs.tut.fi/~rammer/aide.html
|
| |||||||||||||||||||
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.