
An Introduction to Intrusion Detection and Assessment, ICSA, Inc. (page 30). For more information, call 888-396-8348.

system console is standard, and many systems allow a variety of visual and auditory signals as part of the alarm.

Management Functions and Deployment Issues

Customers need flexibility in adapting intrusion-detection systems to their own environments. The following features help to tailor these products to specific needs.

Configuration

No two organizations are the same. Each has a different set of security and management concerns driving its security policy, a different set of hardware and software platforms in its systems environment, a different set of users, and a different set of operational policies. Therefore, the first issue facing a customer who acquires an intrusion-detection system is installation and setup. Many products, especially those designed for Windows NT environments, ship with clear, concise directions and installation scripts. Configuring these products is still an involved process, however. The information customers must enter ranges from the IP addresses of the systems the product protects to the kinds of security violations or system activities the product is to detect and report. This is when a clear, current set of site security policies, procedures, and practices pays off handsomely.

Audit Subsystem Management

Products that include host-level agents typically use the operating system's audit mechanisms. These products offer improved user interfaces to the operating-system audit controls, allowing users to specify what information is collected and how it is collected.

Reporting

One of the benefits of intrusion-detection systems is the demonstration of due diligence in system security management practice. A key to demonstrating this due diligence (e.g., to upper management, internal auditors, and regulatory personnel) is to document the findings of intrusion-detection products over a particular time interval. Most intrusion-detection products can easily generate reports; many can export report data to databases for subsequent analysis and archiving. Many offer multiple report formats (e.g., hard copy, screen, and HTML), with features that let the user present different levels of detail depending on the intended recipient of the report.

Control

Once the intrusion-detection product is configured for the system environment, the next issue is actually running it. Rudimentary controls include starting and stopping the system, establishing the schedule on which certain activities take place, and specifying how alarms are to be handled. The control function also addresses another critical issue in intrusion-detection products: the security and reliability of the intrusion-detection system itself. One way of addressing this is to require authentication before the system responds to control or configuration commands. This reduces the risk of an adversary gaining access to the system and shutting it down.

Proof of Validity

In some cases, intrusion-detection systems are used to verify the operation of other parts of the security infrastructure (e.g., firewalls). In this proof of validity, the intrusion-detection system analyzes information from both inside and outside the coverage area of the security mechanism in question, then compares the results. The mechanism is proven valid when the intrusion-detection
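The Control section above says that control and configuration commands should be authenticated so an adversary cannot simply tell the intrusion-detection engine to stop. The following is an added example, not code from the ICSA paper or from any product it describes, of what such a control channel needs beyond a password: a message authentication code over the command, a timestamp to bound staleness, and a nonce to stop replay of a captured "stop" command. The command names (start, stop, set_schedule), the JSON message layout, the HMAC-SHA256 construction, and the 30-second skew window are all assumptions made for the example.

```python
"""Authenticated control channel for an IDS engine (illustrative, not a product's API).

Every control command carries an HMAC over its body plus a timestamp and a
nonce, so an adversary who can reach the control port but does not hold the
shared key can neither forge a "stop" command nor replay a captured one.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple


def sign_command(key: bytes, action: str, params: Optional[dict] = None,
                 now: Optional[float] = None, nonce: Optional[str] = None) -> Tuple[bytes, str]:
    """Sending side: build the command body and its tag.

    `now` and `nonce` can be supplied explicitly so the exchange is reproducible."""
    msg = {
        "action": action,
        "params": params or {},
        "ts": time.time() if now is None else now,
        "nonce": os.urandom(16).hex() if nonce is None else nonce,
    }
    body = json.dumps(msg, sort_keys=True).encode()      # canonical encoding before MAC
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class IDSController:
    """Receiving side: verifies the tag before it parses or acts on a command."""

    def __init__(self, key: bytes, max_skew: float = 30.0):
        self._key = key
        self._max_skew = max_skew       # assumed acceptable clock skew, in seconds
        self._seen = {}                 # nonce -> message timestamp, pruned as it ages out
        self.running = True
        self.schedule = {}

    def handle(self, body: bytes, tag: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Nothing in `body` is trusted until the MAC checks out."""
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):       # constant-time comparison
            return False, "bad MAC"
        msg = json.loads(body)
        now = time.time() if now is None else now
        if abs(now - msg["ts"]) > self._max_skew:
            return False, "stale"
        # A nonce older than the skew window cannot be replayed (the message
        # would be rejected as stale), so it can be forgotten.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._max_skew}
        if msg["nonce"] in self._seen:
            return False, "replay"
        self._seen[msg["nonce"]] = msg["ts"]
        action = msg["action"]
        if action == "stop":
            self.running = False
        elif action == "start":
            self.running = True
        elif action == "set_schedule":
            self.schedule = dict(msg["params"])
        else:
            return False, "unknown action"
        return True, "ok"


if __name__ == "__main__":
    key = b"shared-control-key"           # constructed for the demo; load from secure storage in practice
    ctl = IDSController(key)
    body, tag = sign_command(key, "stop")
    print("operator stop:", ctl.handle(body, tag))
    print("replayed stop:", ctl.handle(body, tag))
    forged_body, forged_tag = sign_command(b"attacker-guess", "start")
    print("forged start:", ctl.handle(forged_body, forged_tag), "running =", ctl.running)
```

The MAC is checked before the body is parsed, so malformed or attacker-controlled JSON never reaches the parser with any authority; the nonce table only needs to remember messages younger than the skew window, because anything older is already rejected as stale.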
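The proof-of-validity idea in the section above, comparing what sensors inside and outside a firewall observe, can be made concrete as a set comparison against the policy the firewall is meant to enforce. The following is an added example, not code from the ICSA paper or from any product it describes; the flow and rule representation, the first-match policy evaluation with default deny, the three result categories, and the sample sensor records (constructed, using documentation address ranges) are all assumptions of the example. A flow that the policy says to block but that the inside sensor saw anyway is direct evidence that the firewall is not enforcing its policy.

```python
"""Proof-of-validity check for a firewall (illustrative, not a product's algorithm).

An outside sensor records flows that arrive at the firewall; an inside sensor
records flows that made it through. Evaluating each outside flow against the
policy the firewall is supposed to enforce tells us what should have been seen
inside; comparing that with what was seen inside exposes a firewall that is
passing traffic its policy says to block.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    dst_net: str = "0.0.0.0/0"    # destination network the rule applies to
    dport: Optional[int] = None   # None matches any destination port


def policy_decision(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow that no rule matches is denied."""
    dst = ip_address(flow.dst)
    for rule in policy:
        if rule.proto not in (None, flow.proto):
            continue
        if dst not in ip_network(rule.dst_net):
            continue
        if rule.dport not in (None, flow.dport):
            continue
        return rule.action
    return "deny"


def validate_firewall(policy: List[Rule], outside: Iterable[Flow],
                      inside: Iterable[Flow]) -> Dict[str, Set[Flow]]:
    """Compare inside and outside observations against the policy."""
    outside, inside = set(outside), set(inside)
    should_pass = {f for f in outside if policy_decision(policy, f) == "allow"}
    should_block = outside - should_pass
    return {
        # Seen inside although the policy says block: the firewall is not enforcing it.
        "leaked": should_block & inside,
        # Allowed and seen outside, but not inside: a drop, an outage, or an
        # inside-sensor blind spot; worth investigating but not a policy violation.
        "missing": should_pass - inside,
        # Seen inside but never outside: internally originated, or an outside-sensor gap.
        "unexplained": inside - outside,
    }


# Constructed sample: the policy permits only HTTP and HTTPS into 10.0.0.0/24.
POLICY = [
    Rule("allow", "tcp", "10.0.0.0/24", 80),
    Rule("allow", "tcp", "10.0.0.0/24", 443),
    Rule("deny"),
]
OUTSIDE_SENSOR = {
    Flow("203.0.113.7", "10.0.0.5", "tcp", 80),
    Flow("203.0.113.7", "10.0.0.5", "tcp", 23),     # telnet, should be blocked
    Flow("198.51.100.9", "10.0.0.8", "tcp", 443),
    Flow("198.51.100.9", "10.0.0.8", "udp", 161),   # SNMP, should be blocked
}
INSIDE_SENSOR = {
    Flow("203.0.113.7", "10.0.0.5", "tcp", 80),
    Flow("203.0.113.7", "10.0.0.5", "tcp", 23),     # got through: policy violated
    Flow("10.0.0.9", "10.0.0.8", "tcp", 443),       # internal origin, never crossed the firewall
}


def run_check() -> Dict[str, Set[Flow]]:
    return validate_firewall(POLICY, OUTSIDE_SENSOR, INSIDE_SENSOR)


if __name__ == "__main__":
    for category, flows in run_check().items():
        print(category, sorted((f.src, f.dst, f.proto, f.dport) for f in flows))
```

With the sample data the `leaked` set contains the telnet flow to 10.0.0.5, which is the finding that matters: the firewall passed traffic its policy says to block. The firewall passes the check only when `leaked` is empty; `missing` and `unexplained` flag sensor-coverage or availability questions rather than policy violations.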