IDS: Still head of the class in security education

By Eric B. Parizo, News Editor
15 Nov 2005 | SearchSecurity.com


WASHINGTON, D.C. -- Despite claims that intrusion detection tools are "old school" and often tedious to use, one technologist says an IDS, such as Snort, can be quite educational when grading an organization's network security.

During a session at the CSI 32nd annual Computer Security Conference this week, Matthew Hicks, senior information security analyst with the Children's National Medical Center in Washington D.C., said those who scoff at IDS typically don't understand how to use it.

"Even the people who have it… sometimes turn it off," Hicks said, because it is set to trigger too many alarms. That, he noted, means the problem is with configuration, not the tool itself.

An IDS can be handy for determining the types of packets traversing the network, he added, though some may falsely believe it to be an all-encompassing tool for spotting dangerous data.

"Don't believe in any one tool to protect your network," Hicks said. "An IDS is not going to capture e-mail threats."

What it can do is help tune other security systems. For instance, Hicks said many organizations were affected when the notorious SQL Slammer worm struck two years ago because it attacked Port 1434, which many firewalls ignored.

"There shouldn't be any data coming to 1434 from an external source," Hicks said. An IDS, he added, can quickly detect such configuration problems, enabling security pros to get out ahead of an attack.

In a nutshell, an IDS is a basic tool that collects, analyses and reports on network packets. Using sensors, it monitors traffic either on a single device or throughout the network, searching for subtle trends in large volumes of data that might otherwise go unnoticed.

With Slammer, Hicks said, an IDS would have examined its packet header and detected that the IP address in the "from" field would have targeted Port 1434, immediately raising a red flag.
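The check Hicks describes, a sensor reading the packet header and flagging traffic to port 1434 that arrives from outside the organization, as an added example that is not part of the article. It assumes an IPv4/UDP packet with no link-layer header (Slammer spread over UDP), an internal range of 10.0.0.0/8 as a placeholder, and constructed sample packets.

```python
import ipaddress
import struct

# Assumed placeholder for the organization's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_PORT = 1434  # SQL Server resolution service, the port Slammer hit

def parse_ipv4_udp(pkt: bytes):
    """Decode IPv4 + UDP headers; return (src_ip, dst_ip, dst_port) or None."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:          # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4      # header length incl. options
    if proto != 17 or len(pkt) < ihl + 8:   # 17 = UDP
        return None
    _sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), dport

def alert_for(pkt: bytes):
    """Raise the 'red flag' from the text: external source -> port 1434."""
    hdr = parse_ipv4_udp(pkt)
    if hdr is None:
        return None
    src, dst, dport = hdr
    if dport == WATCHED_PORT and not any(src in n for n in INTERNAL_NETS):
        return f"ALERT external {src} -> {dst}:{dport}/udp (should be firewalled)"
    return None

def build_ipv4_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP packet (checksums left zero) for the samples."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp

# Constructed samples: external->1434 (should alert), internal->1434, external->53.
SAMPLES = [
    build_ipv4_udp("203.0.113.7", "10.1.2.3", 40000, 1434, b"A" * 16),
    build_ipv4_udp("10.1.2.50", "10.1.2.3", 40001, 1434, b"ping"),
    build_ipv4_udp("203.0.113.7", "10.1.2.3", 40002, 53, b"query"),
]

def scan(packets):
    """Return the alert lines a sensor would emit for a packet stream."""
    return [a for a in (alert_for(p) for p in packets) if a]

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)
```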

The most widely used IDS is Snort, an open source tool created by developer Martin Roesch. Hicks said it owes its popularity to being lightweight, platform agnostic, and, most importantly, free.

"It's open source, so you'll find lots of code for it and ways to use it," Hicks said. "You can even write your own plug-ins for it."

However, Snort is a command-line application, which may render it less user-friendly than other security tools, though GUIs are available. It's also a huge log generator, producing a steady stream of information on busier networks in the form of text files or as data delivered directly to a MySQL database.

Check Point Software Technologies Inc. last month acquired Sourcefire, the company providing commercial support for Snort. The move caused some to question Snort's long-term future and whether it will remain open source, free or even available.

Attendee Offr Rotberg, who works in Israel's Ministry of Defense, said he expects Check Point to integrate Snort's functions into its commercial products, making it likely that IDS products will soon fade away in favor of fully functional security suites.

Hicks agreed that such scenarios are a real possibility, but he warned against underestimating the clout of the Snort users. "The Snort community is so big that they may not let that happen," he said. "Either way, there's enough support for it that there will be Snort freeware for a long time."

Rotberg said an IDS like Snort can be helpful when configured properly, but tweaking that configuration can be a lot of work.

Yet Hicks said that in his ongoing effort to thwart attackers and mitigate threats, IDS technology has proven its worth.

"My job is like a chess game," Hicks said. "The spammers and attackers make a move, and I have to make a counter-move. I think I've been pretty successful against them using IDS."
