SECURITY

Relates to: Server+
Many have said that a locked door only keeps an honest man
out, but a firewall might not even manage that. Firewalls often have
holes intentionally poked through them by network administrators for web servers
and email servers.
Intrusion detection systems help reduce risk and help
you mitigate threats to your network. An
intrusion detection system is designed to detect activity classified as a
threat to your mission-critical data and systems.
The three different types of intrusion detection systems
are host-based, network-based, and anomaly-based.
Host-based intrusion detection systems detect changes made
to operating system files and other critical files, such as data files. The detection
method uses checksums and hashes to determine that a change has occurred.
Host-based intrusion detection systems are available for routers, switches,
firewalls, and servers. Tripwire software by Tripwire, Inc. is a popular choice
for network administrators looking for host-based intrusion detection systems.
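As an added illustration (not code from the original article or from Tripwire), the following Python script shows the checksum-and-hash method described above: it records a baseline of SHA-256 digests for every file under a directory and later reports which files were modified, added, or removed. The file names and contents are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file, read in chunks so large files never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline, current):
    """Report files whose digest changed, new files, and files that disappeared."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed example: baseline a tiny fake config tree, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("Authorized use only.\n")
        baseline = build_baseline(root)  # snapshot taken while the host is known-good
        # Later: one file edited, one new file appears, one file is deleted.
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                     "backup:x:1001:1001::/home/backup:/bin/sh\n")
        (root / "new.conf").write_text("option = 1\n")
        (root / "motd").unlink()
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host (or on read-only media) so that an intruder who alters the files cannot also alter the recorded digests.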
Network-based intrusion detection systems are not limited to the host on which they reside;
however, they may be limited to their network segment(s).
Network-based intrusion detection systems examine network traffic
and provide alerts when undesired traffic is present on the network. Network-based
intrusion detection systems may look at byte patterns or look at data
within the context of the network stream. They may also try to decode
network traffic in the same way a client-server application would. Another
method of network intrusion detection involves the use of heuristics, which
apply logic to determine whether an alarm condition is present.
Anomaly-based intrusion detection looks for network
traffic that is not expected. “Expected network traffic” is network traffic that
a network administrator would expect to find on his network at any given time.
An example of “expected network traffic” would be during the morning, when an
administrator would see a high volume of network logons.
As network security has become a growing concern for
network administrators, management challenges them to deliver a secure network
on a limited security budget. That is where open source intrusion
detection fits into the picture. Snort combined with the Analysis Console for
Intrusion Databases (ACID) is one of the most popular open source network
intrusion detection systems, and its setup will be explained here.
An effective intrusion detection system must be powerful
enough to monitor network traffic without slowing down the machine. I am using
an older server with a Pentium II processor with a nine-gigabyte drive and the
addition of a second network card. I would suggest using a more powerful machine
for your intrusion detection system. I began my installation of the intrusion
detection system with Red Hat 7.2, but you should be able to use Red Hat 7.3 for
your intrusion detection system. During the installation, you will want to
install ssh and tcpdump, but it is important to remember, when you are
installing the operating system, to avoid loading unnecessary components and
services. Once you have completed the installation of Red Hat, the next steps
require installing the software to make your intrusion detection system
work.
The intrusion detection system installation outlined in
this document relies on Snort (<http://www.snort.org>) and ACID
(<http://www.cert.org/kb/acid>). You need to download the current version
of Apache Toolbox (<http://www.apachetoolbox.com>) and copy it to a
working directory. While installing Apache with the Apache Toolbox, select
MySQL, PHP, BCMATH Apache, and GD. There are detailed instructions available on
the Apache Toolbox website.
Once the Apache installation is complete, you need to
download several additional components. You can download the current version of
the PHP Chart Library from <http://www.phplot.com>, the PHP database
abstraction library from <http://pp.weblogs.com/adodb>, ACID from
<http://www.cert.org/kb/acid>, and Snort as well as the Snort rule set
from <http://www.snort.org>. Each of these components was downloaded to a working
directory of /usr/downloads. You can extract the PHP Chart Library to
/usr/phplot-x.x.x, the PHP database abstraction library to /usr/adodb, ACID to
/usr/local/apache/htdocs, Snort to /usr/snort, and the Snort rule set to
/usr/rules. Let’s look at the configuration of the MySQL databases.
In order to start the configuration...