Intrusion Detection Strategies
------------------------------

Until now, we have primarily discussed monitoring as it relates to intrusion detection, but there is more to an intrusion detection installation than monitoring alone. Monitoring helps you spot problems in your network and identify performance issues, but watching every second of traffic that passes through your network and manually searching it for attacks would be impossible. This is why specialized network intrusion detection software exists. It inspects network traffic and looks for potential attacks and intrusions by comparing it against a predefined list of attack patterns, known as signatures; as a consequence, it can only recognize attacks for which a signature already exists. In this section we look at different intrusion detection strategies and the role monitoring plays in them. We also consider strategies designed for wireless networks, which must take into account the attacks unique to the medium: the lack of centralized control, the lack of a defined perimeter, susceptibility to hijacking and spoofing, the use of rogue APs, and a number of other characteristics that traditional intrusion detection systems were not designed to accommodate. Only by combining the factors discussed earlier, such as sound initial design and monitoring, with traditional intrusion detection software can you build an overall package that is effective.
Integrated Security Monitoring
------------------------------

As discussed earlier, building monitoring into your network from the start lets the security process evolve without disruption. Take advantage of the built-in logging on network devices such as firewalls, DHCP servers, routers, and even certain wireless APs. Information gathered from these sources helps make sense of alerts generated by other intrusion detection sources and augments the data collected for incidents. These logs should also help you manually spot unauthorized traffic and MAC addresses on your network, for example by comparing the MAC addresses in DHCP lease logs or AP association logs against an inventory of the hardware you have actually issued. Bear in mind that a MAC address is supplied by the client and is trivially changed, so this catches careless intruders rather than careful ones; it is one input to the picture, not proof of anything on its own.
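The kind of manual check described above can be scripted. The following Python audit is an added example, not code from the book: it parses constructed dnsmasq-style DHCPACK log lines (the log excerpt, the hostnames and the `AUTHORIZED` inventory are all made up for illustration), reports MAC addresses that are not in the inventory, and also flags any MAC that was handed more than one address in the window, which is worth a second look for a possible cloned MAC or a device that is flapping.

```python
"""Audit DHCP server logs for MAC addresses you did not issue.

Added example, not from the book.  The log lines below are constructed in
dnsmasq's DHCPACK format; the AUTHORIZED set stands in for your hardware
inventory.  Remember the MAC is client-supplied and easily forged."""
import re
from collections import defaultdict

# Constructed sample log: four leases and one NAK that must be ignored.
SAMPLE_LOG = """\
Mar  3 09:12:01 ap1 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.21 00:0c:29:3a:1f:88 alice-laptop
Mar  3 09:12:44 ap1 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.22 00:0c:29:7b:2e:10 bob-laptop
Mar  3 09:15:09 ap1 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.23 de:ad:be:ef:00:01 kali
Mar  3 09:16:30 ap1 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.24 00:0c:29:3a:1f:88 alice-laptop
Mar  3 09:17:02 ap1 dnsmasq-dhcp[812]: DHCPNAK(wlan0) 192.168.10.99 02:11:22:33:44:55
"""

# Hypothetical inventory of MAC addresses the organisation has issued.
AUTHORIZED = {"00:0c:29:3a:1f:88", "00:0c:29:7b:2e:10"}

# DHCPACK(<iface>) <ip> <mac> [<hostname>]  -- hostname is optional in dnsmasq.
ACK_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Return (ip, mac, hostname) for every DHCPACK line; other lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append((m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def audit(log_text, authorized):
    """Flag MACs outside the inventory and MACs that received several addresses."""
    leases = parse_acks(log_text)
    authorized = {mac.lower() for mac in authorized}
    unknown = sorted({mac for _, mac, _ in leases if mac not in authorized})

    ips_by_mac = defaultdict(set)
    for ip, mac, _ in leases:
        ips_by_mac[mac].add(ip)
    multiple_ips = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

    return {
        "lease_count": len(leases),
        "unknown_macs": unknown,
        "multiple_ips": multiple_ips,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, AUTHORIZED)
    print(f"{report['lease_count']} leases parsed")
    for mac in report["unknown_macs"]:
        print(f"UNKNOWN MAC {mac}: not in inventory")
    for mac, ips in report["multiple_ips"].items():
        print(f"REVIEW {mac}: received {', '.join(ips)}")
```

Run the same `audit()` over the live log of the device in question, and feed the inventory from wherever you track issued hardware. The NAK line is deliberately not matched, since it records a refused request rather than a lease.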
Beware of the Auto-responding Tools!
------------------------------------

When designing your intrusion detection system, you will likely come across a breed of tools sometimes known as intrusion prevention systems. These systems are designed to respond to incidents automatically. One popular package is PortSentry. When it detects a port scan, it launches a script to react; common reactions include dropping the route to the host that scanned you or adding a firewall rule to block it. While this does provide instant protection from the scanning host, and might seem like a great idea at first, it creates a very dangerous denial of service potential. The reaction is keyed on the source address of the offending packets, and nothing authenticates that address. Using a technique known as IP spoofing, an attacker who realizes PortSentry is in use can send bogus packets that look like a valid port scan but carry the source address of something you depend on, such as your DNS server or your upstream router. Your host will, of course, see the scan and react, blocking that address, and network connectivity to your host is now seriously limited. If you do decide to use auto-responding tools, configure them so they cannot be turned against you: maintain a list of addresses that must never be blocked (PortSentry's portsentry.ignore file exists for exactly this purpose), expire blocks after a set time rather than leaving them in place forever, and prefer alerting over blocking wherever you can live with the delay.
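The following Python model is an added example, not PortSentry's code, that makes the failure mode above concrete. It pits a naive responder (block whatever source touches a trap port, forever) against a hardened one that applies the three guard rails just listed. The addresses are RFC 5737 documentation addresses, and the trap ports, threshold and expiry are invented for illustration; nothing here touches a real routing table or firewall.

```python
"""Model of a PortSentry-style auto-blocking responder and the spoofing
denial of service described above.  Added example, not PortSentry code:
the responders, addresses, trap ports and thresholds are all made up for
illustration; nothing here touches a real routing table or firewall."""
from collections import defaultdict
from dataclasses import dataclass

# RFC 5737 documentation addresses, so the example is obviously not real.
DNS_SERVER = "192.0.2.53"
GATEWAY = "192.0.2.1"
ATTACKER = "203.0.113.9"
TRAP_PORTS = {21, 23, 111, 1524}   # unused ports the responder watches


@dataclass(frozen=True)
class Packet:
    src: str      # source address as seen on the wire: unauthenticated
    dport: int


class NaiveResponder:
    """Block the source of anything that touches a trap port, forever.
    Stands in for 'route add -host <src> reject' or a firewall DROP."""

    def __init__(self, trap_ports):
        self.trap_ports = trap_ports
        self.blocked = set()

    def observe(self, pkt, now=0):
        if pkt.dport in self.trap_ports:
            self.blocked.add(pkt.src)


class HardenedResponder:
    """Same idea with guard rails: a never-block list for hosts you depend
    on, a threshold of distinct trap ports before reacting, and an expiry
    so a mistaken block does not last forever."""

    def __init__(self, trap_ports, never_block, threshold=3, block_ttl=600):
        self.trap_ports = trap_ports
        self.never_block = set(never_block)
        self.threshold = threshold
        self.block_ttl = block_ttl
        self.hits = defaultdict(set)   # src -> distinct trap ports touched
        self.blocked = {}              # src -> expiry timestamp
        self.alerts = []               # logged instead of blocked

    def observe(self, pkt, now):
        self._expire(now)
        if pkt.dport not in self.trap_ports:
            return
        if pkt.src in self.never_block:
            # A "scan" from your own DNS server is a misconfiguration or a
            # spoof; blocking it would do the attacker's work for them.
            self.alerts.append((now, pkt.src, pkt.dport))
            return
        self.hits[pkt.src].add(pkt.dport)
        if len(self.hits[pkt.src]) >= self.threshold:
            self.blocked[pkt.src] = now + self.block_ttl

    def _expire(self, now):
        for src, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[src]
                self.hits.pop(src, None)

    def is_blocked(self, src, now):
        self._expire(now)
        return src in self.blocked


def spoofed_scan(spoofed_src, ports):
    """A SYN scan needs no reply, so the attacker can stamp any source
    address on the packets; the responder cannot tell the difference."""
    return [Packet(spoofed_src, p) for p in ports]


def run_scenario():
    naive = NaiveResponder(TRAP_PORTS)
    hardened = HardenedResponder(TRAP_PORTS, never_block={DNS_SERVER, GATEWAY})

    # Attacker forges scans "from" the victim's own infrastructure ...
    traffic = spoofed_scan(DNS_SERVER, [21, 23, 111]) + spoofed_scan(GATEWAY, [1524, 21, 23])
    # ... and also scans for real from its own address.
    traffic += [Packet(ATTACKER, p) for p in (21, 23, 111)]

    now = 0
    for pkt in traffic:
        naive.observe(pkt, now)
        hardened.observe(pkt, now)
        now += 1

    return {
        "naive_blocked": sorted(naive.blocked),          # DNS and gateway gone
        "hardened_blocked_now": sorted(hardened.blocked),  # only the attacker
        "hardened_alerts": len(hardened.alerts),
        "attacker_blocked_later": hardened.is_blocked(ATTACKER, now + 601),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Note what the threshold does and does not buy you: it reduces false alarms from a single stray packet, but an attacker can spoof as many ports as they like from the same forged address, so any host not on the never-block list can still be knocked off by a spoofer. Only the never-block list and the expiry actually bound the damage, which is why alert-only is often the safer default for anything you are not prepared to lose.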
