OBJECTIVES
This chapter covers the following TruSecure-specified objectives for the TICSA exam:
Describe, recognize, or select good intrusion-detection methodologies, applications and disaster recovery, and forensic practices.
When you connect yourself to an external network, such as the Internet, you open yourself to attack. Even if you practice the best security, there is always a chance that your network will experience an intrusion. Knowing what you should have in place to help yourself in these situations is paramount. Equipping yourself with such items as disaster recovery plans and the knowledge of what to look for when performing forensic investigations can help you learn from your mistakes and potentially catch the intruder.
Identify, specify, or describe good host- and network-based security fundamentals.
Intrusion Detection Systems are becoming a mainstay for companies that want to augment their current security by providing a utility that will monitor for intrusions into their network and, in some cases, stop attacks from occurring. Understanding how the two fundamental designs protect your systems and network is essential to selecting the right solution for your needs.
Describe, recognize, or select good Firewall architectures, properties, and administration fundamentals.
Firewalls are now seen as an essential component of any network security plan. This objective helps provide insight into the basic design and the administration that is required to maintain a firewall on your network. However bulletproof your network may be with Intrusion Detection Systems, firewalls, and other security configurations, intrusions still happen. You learn how to handle this situation when it occurs and what to expect.
OUTLINE
Necessary Components to Good Security 114
Intrusion Detection Systems Fundamentals 115
When Do Hackers Typically Attack? 116
Keep the IDS Software Updated 117
Discussion on Firewall Architectures 123
Administration of Firewalls 128
Understanding Incident Handling 130
Setting Up a Honeypot to Attract the Intruder 131
STUDY STRATEGIES
Host- and network-based IDS will likely be addressed by a few questions on the exam; it is important to understand the differences within the context of this chapter. Additional study time would be well spent visiting various vendors' Web sites to look at their respective IDS products, how they function, their features, and so on to learn about some of the new developments since this chapter was written. This provides you with solid, up-to-date knowledge to augment what you read here because IDS is an ever-changing security tool.
As with researching the latest and greatest IDS packages, you should spend some time reading up on the features and inner workings of firewalls and honeypots. These products are also changing and getting better with every release, so some well-spent time here will help immensely. Look for demo or freeware versions of IDS, firewall, honeypot, or vulnerability scanner products to try out at home or in your test lab. eEye (www.eeye.com) provides limited-time demos of a very good vulnerability scanner as well as a network sniffer that you may want to take a look at. By getting your hands dirty with some of these products, you should be able to get a better idea of their capabilities and limitations.