Chapter 4. Intrusion Detection and Prevention

OBJECTIVES

This chapter covers the following TruSecure-specified objectives for the TICSA exam:

Describe, recognize, or select good intrusion-detection methodologies, applications and disaster recovery, and forensic practices.

  • When you connect yourself to an external network, such as the Internet, you open yourself to attack. Even if you practice the best security, there is always a chance that your network will experience an intrusion. Knowing what you should have in place to help yourself in these situations is paramount. Equipping yourself with such items as disaster recovery plans and the knowledge of what to look for when performing forensic investigations can help you learn from your mistakes and potentially catch the intruder.

Identify, specify, or describe good host- and network-based security fundamentals.

  • Intrusion Detection Systems are becoming a mainstay for companies that want to augment their current security with a utility that monitors for intrusions into their network and, in some cases, stops attacks from occurring. Understanding how the two fundamental designs, host-based and network-based, protect your systems and network is essential to selecting the right solution for your needs.

Describe, recognize, or select good Firewall architectures, properties, and administration fundamentals.

  • Firewalls are now seen as an essential component of any network security plan. This objective provides insight into the basic design of a firewall and the administration required to maintain one on your network. However bulletproof your network may seem with Intrusion Detection Systems, firewalls, and other security configurations in place, intrusions still happen. You learn how to handle this situation when it occurs and what to expect.

OUTLINE

Introduction 114

Necessary Components to Good Security 114

Intrusion Detection Systems Fundamentals 115

When Do Hackers Typically Attack? 116

Keep the IDS Software Updated 117

Important Components Needed in an IDS 118

Network-Based IDS 118

Host-Based IDS 121

Discussion on Firewall Architectures 123

Software Firewalls 125

Hardware Firewalls 125

Packet Filters 126

Stateful Packet Inspections 126

Proxy Servers 127

Administration of Firewalls 128

Understanding Incident Handling 130

Setting Up a Honeypot to Attract the Intruder 131

Using Vulnerability Scanners 132

Network Sniffers 134

STUDY STRATEGIES

  • Host- and network-based IDS will likely be addressed by a few questions on the exam; it is important to understand the differences within the context of this chapter. Additional study time would be well spent visiting various vendors' Web sites to look at their respective IDS products, how they function, their features, and so on to learn about some of the new developments since this chapter was written. This provides you with solid, up-to-date knowledge to augment what you read here because IDS is an ever-changing security tool.

  • Similar to researching the latest and greatest IDS packages, you should spend some time reading up on the features and inner workings of firewalls and honeypots. These products are also changing and getting better with every release, so some well-spent time here will help immensely. Look for demo or freeware versions of IDS, firewall, honeypot, or vulnerability scanner products to try out at home or in your test lab. eEye (www.eeye.com) provides limited-time demos of a very good vulnerability scanner as well as a network sniffer that you may want to take a look at. By getting your hands dirty with some of these products, you should be able to get a better idea of their capabilities and limitations.
