Implementing IDS in small- to medium-sized businesses
A real-world implementation of IDS in an SMB is beyond a lot of company budgets. Do you have a practical, cost-effective tip for the large number of small- and medium-sized enterprises?
For a small- or medium-sized enterprise, you first need to do an overall infosecurity assessment. What threats are there to your data and business processes? Are you more concerned about the threat from your Internet connection or your insiders? Studies have shown that between 60% and 80% of all attacks are done by insiders.
Given that, for small to medium businesses, I would first make sure I had a firewall at my Internet interface, preferably one that did stateful inspection, filtering and NAT. If it could also do proxy-based services, so much the better.
Next would be some form of intrusion detection. A good product is the Cisco IDS (once known as NetRanger). You can deploy sensors at a number of places in your network (in front of the firewall, behind the firewall, in the DMZ, etc.) and manage them from a central console (called the director). Host-based intrusion detection is also useful. ZoneAlarm Pro is a good option for the cash-strapped. Using both is even better.
With regard to checksums of files and other similar techniques, Tripwire is a tool that can be used to provide those services. While there is a commercial package for Tripwire, there is an older version (still very useful) available to download for free (for Unix systems).
While you may not be able to afford to do everything suggested by that tip, there are quite a number of free or low-cost things you can do. Another way to look at the problem is how much would it cost you if there was a major invasion of your network? What percentage of that cost are you willing to spend to protect your network? Think of that cost as an insurance premium.
This was first published in July 2004