WASHINGTON, D.C. -- Despite claims that intrusion detection tools are "old school" and often tedious to use, one technologist says an IDS, such as Snort, can be quite educational when grading an organization's network security.
During a session at the CSI 32nd annual Computer Security Conference this week, Matthew Hicks, senior information security analyst with the Children's National Medical Center in Washington D.C., said those who scoff at IDS typically don't understand how to use it.
"Even the people who have it… sometimes turn it off," Hicks said, because it is set to trigger too many alarms. That, he noted, means the problem is with configuration, not the tool itself.
An IDS can be handy for determining the types of packets traversing the network, he added, though some may falsely believe it to be an all-encompassing tool for spotting dangerous data.
"Don't believe in any one tool to protect your network," Hicks said. "An IDS is not going to capture e-mail threats."
What it can do is help tune other security systems. For instance, Hicks said many organizations were affected when the notorious SQL Slammer worm struck two years ago because it attacked Port 1434, which many firewalls ignored.
"There shouldn't be any data coming to 1434 from an external source," Hicks said. An IDS, he added, can quickly detect such configuration problems, enabling security pros to get out ahead of an attack.
In a nutshell, an IDS is a basic tool that collects, analyses and reports on network packets. Using sensors, it monitors traffic either on a single device or throughout the network, searching for subtle trends in large volumes of data that might otherwise go unnoticed.
With Slammer, Hicks said, an IDS would have examined its packet header and detected that the IP address in the "from" field would have targeted Port 1434, immediately raising a red flag.
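The check Hicks describes, traffic arriving at port 1434 from outside the organization, is a one-line Snort rule and a few lines of code. The block below is an added example, not code from the article or from the Snort project: it mirrors the rule `alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (...)` over a handful of constructed packet headers, using an assumed home-network definition and a placeholder rule sid. Slammer spread over UDP port 1434 (the SQL Server resolution service), so the rule keys on UDP. Any hit on this rule is both an attack indicator and evidence that the perimeter filter is letting that port through.

```python
import ipaddress
from typing import Dict, Iterable, List

# Assumed value for this example, standing in for Snort's $HOME_NET variable.
HOME_NET = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The Snort rule this function reproduces. The sid is a placeholder in the
# local-rule range (1000000+); it is not a real distributed signature id.
SNORT_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
    '(msg:"SQL Slammer port 1434 from external source"; sid:1000001; rev:1;)'
)


def is_external(addr: str) -> bool:
    """True when the address falls outside every HOME_NET prefix."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in HOME_NET)


def flag_external_to_1434(packets: Iterable[Dict]) -> List[Dict]:
    """Return the packet headers that match the rule: UDP, destination port
    1434, source outside HOME_NET, destination inside HOME_NET."""
    hits = []
    for p in packets:
        if (
            p["proto"] == "udp"
            and p["dport"] == 1434
            and is_external(p["src"])
            and not is_external(p["dst"])
        ):
            hits.append(p)
    return hits


# Constructed sample headers (documentation-range addresses), not captured traffic.
SAMPLE_PACKETS = [
    # external -> internal UDP 1434: should alert, and shows the firewall passed it
    {"src": "203.0.113.7", "dst": "10.1.2.3", "proto": "udp", "sport": 40211, "dport": 1434},
    # internal -> internal UDP 1434: outside this rule's scope (lateral traffic)
    {"src": "10.1.2.9", "dst": "10.1.2.3", "proto": "udp", "sport": 51000, "dport": 1434},
    # ordinary inbound web traffic
    {"src": "198.51.100.4", "dst": "10.1.2.3", "proto": "tcp", "sport": 55555, "dport": 443},
    # TCP 1433 from outside: worth its own rule, but not matched by this one
    {"src": "203.0.113.7", "dst": "10.1.2.3", "proto": "tcp", "sport": 40212, "dport": 1433},
]


def main() -> None:
    print("rule:", SNORT_RULE)
    for hit in flag_external_to_1434(SAMPLE_PACKETS):
        print(f"ALERT {hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']}")


if __name__ == "__main__":
    main()
```

Only the first sample packet matches; the internal-to-internal 1434 packet is deliberately left alone, because the point Hicks makes is about traffic from an external source, and a rule scoped to `$EXTERNAL_NET` keeps the alert volume down, which is the configuration problem he says leads people to switch their IDS off.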
The most widely used IDS is Snort, an open source tool created by developer Martin Roesch. Hicks said it owes its popularity to being lightweight, platform agnostic, and, most importantly, free.
"It's open source, so you'll find lots of code for it and ways to use it," Hicks said. "You can even write your own plug-ins for it."
However, Snort is a command-line application, which may render it less user-friendly than other security tools, though GUIs are available. It's also a huge log generator, producing a steady stream of information on busier networks in the form of text files or as data delivered directly to a MySQL database.
Check Point Software Technologies Inc. last month acquired Sourcefire, the company providing commercial support for Snort. The move caused some to question Snort's long-term future and whether it will remain open source, free or even available.
Attendee Offr Rotberg, who works in Israel's Ministry of Defense, said he expects Check Point to integrate Snort's functions into its commercial products, making it likely that IDS products will soon fade away in favor of fully functional security suites.
Hicks agreed that such scenarios are a real possibility, but he warned against underestimating the clout of the Snort users. "The Snort community is so big that they may not let that happen," he said. "Either way, there's enough support for it that there will be Snort freeware for a long time."
Rotberg said an IDS like Snort can be helpful when configured properly, but tweaking that configuration can be a lot of work.
Yet Hicks said that in his ongoing effort to thwart attackers and mitigate threats, IDS technology has proven its worth.
"My job is like a chess game," Hicks said. "The spammers and attackers make a move, and I have to make a counter-move. I think I've been pretty successful against them using IDS."