Download Free Network Intrusion Detection Challenges Checklist

Download Free Network Intrusion Detection Challenges Checklist

Prerequisites
A potential intrusion detection administrator needs a good knowledge of the environment into which she is introducing NIDS. What is the network layout? This information helps determine the positioning of the sensors and also may help determine which mode of operation should be used. What kinds of systems are in the environment? Windows? Unix? What services are the systems providing? Email? Web services? How is encryption used in the environment?

False Positives
Very often (and especially before tuning), when Snort sends you a warning that something suspicious is happening, there is nothing really serious going on. Any NIDS is going to generate a lot of false positives, warnings that someone or something is launching some form of attack, when in fact nothing is happening. You may be able to minimize false positives, but you cannot entirely eliminate them. Furthermore, the more false positives you receive, the more likely it is that Snort is missing an actual attack or subversive intrusion attempt. It is up to you to figure out an acceptable level of risk. Do you really want to be notified about every port scan? About every unauthorized attempt to mount a Windows share? Even on a home network this can quickly drive most sane administrators crazy.

Missing Prerequisites
A common phrase I use when talking to clients about deciding to deploy an IDS is, "If you don't do basic system log review on a regular basis, an IDS is just going to generate more logs for you to ignore." As discussed earlier, system logs are the first line of defense in intrusion detection. Reviewing system logs yields great benefits in learning how your systems function and in determining the health and well-being of your systems. An IDS only provides value as a component in a defense-in-depth strategy. Do not lay all security responsibility on your IDS installation.

Unrealistic Expectations
When deciding to embark on a Snort installation (or any other NIDS solution, for that matter), understand that there is some significant work that needs to be done on the frontend. None of it is particularly difficult, just time-consuming and detail-oriented. A common misconception is that once the NIDS sensors are deployed and initially configured, and the central management console is built and reporting, the administrator can throw a dust cloth on it and walk away. Snort is a signature-based NIDS. Signatures need to be updated periodically to keep up with the latest exploits and attack methods. They also need constant tuning to eliminate false positives and allow for changes in your network environment. These tasks are not overwhelming, but not allowing time for them greatly diminishes the value of the NIDS deployment.