ICSA, Inc.
For more information, call 888-396-8348 30
An Introduction to Intrusion Detection and Assessment
system console is standard, and many systems allow a variety of visual and auditory signals as part of the alarm.
Management Functions and Deployment Issues
Customers need flexibility in adapting intrusion-detection systems to their own environments. The following features help to tailor these products to specific needs.
Configuration
No two organizations are the same. Each has a different set of security and management concerns driving security policy, a different set of hardware and software platforms included in their systems environment, a different set of users, or a different set of operational policies. Therefore, the first issue facing a customer who acquires an intrusion detection system is the installation and setup of the system.
Many products, especially those designed for Windows NT environments, are shipped with clear, concise directions and installation scripts included. However, configuring these products is still an involved process. The information that customers must enter ranges from the IP addresses of the systems protected by the product to the sorts of security violations or system activities that the product is to detect and report. This is when a clear, current set of site security policies, procedures, and practices pays off handsomely.
Audit Subsystem Management
Products that include host-level agents typically use operating-system audit mechanisms. These products offer improved user interfaces to the operating-system audit controls, allowing users to specify what information is collected and how it is collected.
Reporting
One of the benefits of intrusion detection systems is the demonstration of due diligence in system security management practice. A key to demonstrating this due diligence (e.g., to upper management, internal auditors, and regulatory personnel) is to document the findings of intrusion-detection products over a particular time interval.
Most intrusion-detection products have the ability to easily generate reports; many offer the capability to export report data to databases for subsequent analysis and archiving. Many offer multiple report formats (e.g., hard copy, screen, and HTML), with features allowing the user to report different layers of detail depending on the intended recipient of the report.
Control
Once the intrusion detection product is configured to the system environment, the next issue is actually running the system. Rudimentary controls include starting and stopping the system, establishing the schedule at which certain activities should take place, and specifying how alarms should be handled. In the control function, another critical issue in intrusion detection products is addressed: the security and reliability of the intrusion detection system itself. One way of addressing this is to require authentication before the system responds to control or configuration commands. This reduces the risk of an adversary gaining access to the system and shutting it down.
Proof of Validity
In some cases, intrusion-detection systems are used to ensure the operation of other parts of the security infrastructure (e.g., firewalls). In this proof of validity, the intrusion-detection system analyses information from both inside and outside the coverage area of the security mechanism in question, then compares results. The mechanism is proven valid when the intrusion-detection
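The inside/outside comparison described above, written out as an added example (not from the ICSA paper or any product): sensor flow records taken on both sides of a firewall are checked against a hypothetical allow-list policy, and any denied flow that still appears inside, or any permitted flow that never arrives inside, marks the firewall as not proven valid. The policy, network ranges and flow records are constructed sample data.

```python
"""Proof-of-validity check for a firewall (added example, not ICSA code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record as an IDS sensor would summarise it."""
    src: str
    dst: str
    dport: int
    proto: str


# Hypothetical firewall policy: these (destination network, port, protocol)
# tuples are permitted inbound; everything else should be dropped.
ALLOW_RULES = [
    ("10.0.0.0/24", 443, "tcp"),
    ("10.0.0.0/24", 25, "tcp"),
]


def policy_allows(flow: Flow) -> bool:
    """True if the stated firewall policy should let this flow through."""
    return any(
        ip_address(flow.dst) in ip_network(net)
        and flow.dport == port
        and flow.proto == proto
        for net, port, proto in ALLOW_RULES
    )


def prove_validity(outside: list, inside: list) -> tuple:
    """Compare the outside sensor's view with the inside sensor's view.

    Returns (leaked, missing): flows the policy denies that were nevertheless
    seen inside, and flows the policy permits that were seen outside but never
    inside (possible firewall fault, or a sensor gap to investigate)."""
    inside_seen = set(inside)
    leaked = [f for f in inside if not policy_allows(f)]
    missing = [f for f in outside if policy_allows(f) and f not in inside_seen]
    return leaked, missing


def firewall_valid(outside: list, inside: list) -> bool:
    """The mechanism is proven valid only when both discrepancy lists are empty."""
    leaked, missing = prove_validity(outside, inside)
    return not leaked and not missing


# Constructed sample records: telnet (23/tcp) should have been dropped but is
# seen inside; SMTP to 10.0.0.20 was permitted but never observed inside.
OUTSIDE = [Flow("203.0.113.5", "10.0.0.10", 443, "tcp"),
           Flow("203.0.113.5", "10.0.0.10", 23, "tcp"),
           Flow("198.51.100.7", "10.0.0.20", 25, "tcp")]
INSIDE = [Flow("203.0.113.5", "10.0.0.10", 443, "tcp"),
          Flow("203.0.113.5", "10.0.0.10", 23, "tcp")]
```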