
1.5 The Challenges of Network Intrusion Detection

The benefits of detecting an intrusion as early as possible are undeniable. But it is important to deploy an IDS with realistic expectations. There are some real challenges in installing, maintaining, and interpreting the output from an intrusion detection system.

1.5.1 Prerequisites

A potential intrusion detection administrator needs a good knowledge of the environment into which she is introducing NIDS. What is the network layout? This information helps determine the positioning of the sensors and also may help determine which mode of operation should be used. What kinds of systems are in the environment? Windows? Unix? What services are the systems providing? Email? Web services? How is encryption used in the environment?

A good understanding of how systems communicate on the network is very important in interpreting the output of the NIDS sensors. Without knowing the makeup of a TCP packet, an alert specifying a problem within a packet will only cause confusion. If you are not familiar with network sniffing tools like tcpdump and ethereal, spend some time watching the traffic on your network. Review the contents of Chapter 2 to help you interpret the results. Only good can come from this time spent watching and learning how things talk and move around your network. Without this background, the job of determining what is really something to worry about—as well as tuning out unneeded rules and features—is very difficult.

1.5.2 False Positives

Very often (and especially before tuning), when Snort sends you a warning that something suspicious is happening, there is nothing really serious going on. Any NIDS is going to generate a lot of false positives, warnings that someone or something is launching some form of attack, when in fact nothing is happening. You may be able to minimize false positives, but you cannot entirely eliminate them. Furthermore, the more false positives you receive, the more likely it is that Snort is missing an actual attack or subversive intrusion attempt. It is up to you to figure out an acceptable level of risk. Do you really want to be notified about every port scan? About every unauthorized attempt to mount a Windows share? Even on a home network this can quickly drive most sane administrators crazy.

There is no perfect solution. There's an easy way to guarantee an attack never goes unnoticed: flag every incoming packet as suspicious. That is obviously not realistic. You won't have to worry about missing a potential attack, but the flood of false positives will be overwhelming. At the other extreme, you could tune out the majority of alerts and turn off most of the features of Snort. You won't have many false positives, but you'll also miss many of the real dangers. You must find a happy medium and decide just how many alerts you are willing to tolerate for the sake of your network. The process of reaching this compromise can only be accomplished over an extended period of time, by fine-tuning Snort and viable signatures and enabling or disabling features within the Snort sensors themselves.
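One way to start the tuning process described above, as an added example that is not from the original text: rank alerts by signature to see which rules produce most of the volume before deciding what to tune. The log lines (laid out in Snort's fast alert format), the local-range SIDs, the addresses and the 50% threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed alerts in Snort's "fast" alert layout. The SIDs (local-rule range),
# messages and addresses are made up for illustration, not taken from real traffic.
SAMPLE = """\
03/14-09:12:01.100001  [**] [1:1000001:1] LOCAL port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 10.0.0.5:22
03/14-09:12:01.100420  [**] [1:1000001:1] LOCAL port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 10.0.0.5:23
03/14-09:12:02.000317  [**] [1:1000001:1] LOCAL port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.11:40100 -> 10.0.0.6:80
03/14-09:12:03.551200  [**] [1:1000001:1] LOCAL port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40003 -> 10.0.0.5:25
03/14-09:13:10.004100  [**] [1:1000002:1] LOCAL Windows share mount attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:1050 -> 10.0.0.9:139
03/14-09:14:44.910000  [**] [1:1000003:2] LOCAL web server overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.20:4444 -> 10.0.0.8:80
03/14-09:15:00.000001  [**] [1:1000004:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
03/14-09:15:02 truncated line written during log rotation
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}"
    r"\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")

def summarize(text):
    """Return (rows sorted by alert volume, number of lines that did not parse)."""
    counts, sources, meta, unparsed = Counter(), defaultdict(set), {}, 0
    for line in filter(str.strip, text.splitlines()):
        m = ALERT_RE.search(line)
        if m is None:
            unparsed += 1  # count unreadable lines instead of dropping them silently
            continue
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        sources[key].add(m["src"])
        meta[key] = (m["msg"], int(m["prio"]))
    total = sum(counts.values())
    rows = [{"sid": k[1], "msg": meta[k][0], "priority": meta[k][1], "count": n,
             "share": n / total, "sources": len(sources[k])}
            for k, n in counts.most_common()]
    return rows, unparsed

def tuning_candidates(rows, min_share=0.5):
    """SIDs of noisy signatures to review; priority 1 (highest) is never proposed."""
    return [r["sid"] for r in rows if r["share"] >= min_share and r["priority"] > 1]

if __name__ == "__main__":
    rows, unparsed = summarize(SAMPLE)
    for r in rows:
        print(f'{r["count"]:4d} {r["share"]:6.1%} sid={r["sid"]} prio={r["priority"]} srcs={r["sources"]} {r["msg"]}')
    print("unparsed lines:", unparsed, "| review for tuning:", tuning_candidates(rows))
```

A signature on the candidate list is a prompt to look at its alerts and decide, not a rule to disable automatically.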

1.5.3 Missing Prerequisites

A common phrase I use when talking to clients about deciding to deploy an IDS is, "If you don't do basic system log review on a regular basis, an IDS is just going to generate more logs for you to ignore." As discussed earlier, system logs are the first line of defense in intrusion detection. Reviewing system logs yields great benefits in learning how your systems function and in determining the health and well-being of your systems. An IDS only provides value as a component in a defense-in-depth strategy. Do not lay all security responsibility on your IDS installation.

1.5.4 Unrealistic Expectations

When deciding to embark on a Snort installation (or any other NIDS solution, for that matter), understand that there is some significant work that needs to be done on the frontend. None of it is particularly difficult, just time-consuming and detail-oriented. A common misconception is that once the NIDS sensors are deployed and initially configured, and the central management console is built and reporting, the administrator can throw a dust cloth on it and walk away. Snort is a signature-based NIDS. Signatures need to be updated periodically to keep up with the latest exploits and attack methods. They also need constant tuning to eliminate false positives and allow for changes in your network environment. These tasks are not overwhelming, but not allowing time for them greatly diminishes the value of the NIDS deployment.
