pilot_10 August 28, 1998 Intrusion Detection Pilot Program Guide 7

· Product acquisition – Provided by the vendor on CD-ROM or via web site following purchase.
· Preparation of host(s) – Based on product technical requirements, select and prepare the intrusion detection hosts, including any security “hardening” activities recommended by the product vendor.
· Notification – Affected parties, including network users and management, should be made aware that intrusion detection/misuse protection technology is being deployed. Corporate counsel and/or Human Resources may be consulted if monitoring activities are not already publicized as part of your overall security policy.
· Installation and Configuration – Install product components, along with any required license components or keys; configure as needed for your environment.
· Customization – Develop and test templates and reports, select/activate filters and attack signatures, tune attack thresholds (e.g., SYN Flood packets per second), set database parameters, and customize any other product attributes as appropriate for your environment.

Operation

Once the product has been installed, configured, and customized, ongoing operation begins. This will include:

· Managing the “health and well-being” of the product and its host systems;
· Fine-tuning the system so that it adapts to the status of the network environment;
· Establishing a policy for incident response;
· Managing the data generated by the product;
· Generating, evaluating, and modifying reports on network security status for key security decision makers;
· Assigning personnel to learn and use the system;
· Making the IDS product a new part of your operational structure.

As is the case with any mission-critical application, the host systems’ security, availability, data backup, and other day-to-day systems management functions should be carefully monitored.
Feedback

Intrusion detection products are dynamic, reflecting the dynamic nature of system and network vulnerabilities and threats. Reports should be used to continually monitor and improve your organization’s security posture. On a tactical level, report output (and that of complementary products, such as vulnerability scanning tools) should be used to feed information back into product configuration and customization. For example, if reports indicate that attacks are being targeted at certain critical hosts, the intrusion detection system should be adjusted to more closely monitor those host addresses (as well as increasing the security of the hosts themselves, of course!).
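The two tuning points above, a per-second SYN flood threshold set during customization and the feedback step that tightens monitoring on hosts named in attack reports, can be illustrated with a small rate-threshold detector. This is an added example, not code from the guide or from any IDS product it refers to; the default threshold of 100 SYN packets per second, the halving factor, the host addresses and the packet records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SynFloodPolicy:
    """Tunable thresholds: one default, plus per-host overrides set by feedback."""
    default_pps: float = 100.0                      # hypothetical default, SYN pkts/sec
    per_host_pps: dict = field(default_factory=dict)

    def threshold_for(self, host: str) -> float:
        return self.per_host_pps.get(host, self.default_pps)


def syn_rate_per_host(packets, window_s: float = 1.0) -> dict:
    """Return the peak SYN-only packets/sec seen per destination host.

    packets are (timestamp_seconds, dst_host, tcp_flags) tuples; only
    pure SYNs (flags == "S") count, since SYN/ACKs are normal replies.
    """
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, host, flags in packets:
        if flags == "S":
            per_window[host][int(ts // window_s)] += 1
    return {h: max(w.values()) / window_s for h, w in per_window.items()}


def detect(packets, policy: SynFloodPolicy) -> dict:
    """Hosts whose peak SYN rate meets or exceeds their threshold, with the rate."""
    rates = syn_rate_per_host(packets)
    return {h: r for h, r in rates.items() if r >= policy.threshold_for(h)}


def apply_feedback(policy: SynFloodPolicy, reported_hosts, factor: float = 0.5):
    """Feedback step: hosts named in prior reports get a tighter (lower) threshold."""
    for host in reported_hosts:
        policy.per_host_pps[host] = policy.threshold_for(host) * factor
    return policy


def make_syns(host: str, count: int, second: int):
    """Constructed sample traffic: `count` SYNs to `host` spread over one second."""
    return [(second + i / count, host, "S") for i in range(count)]


# Constructed sample: 120 SYN/s to one host, 60 SYN/s plus one ACK to another.
SAMPLE_PACKETS = (make_syns("10.0.0.5", 120, 0)
                  + make_syns("10.0.0.9", 60, 0)
                  + [(0.3, "10.0.0.9", "A")])

if __name__ == "__main__":
    policy = SynFloodPolicy()
    print("initial alerts:", detect(SAMPLE_PACKETS, policy))
    apply_feedback(policy, ["10.0.0.9"])   # a report flagged 10.0.0.9 as a target
    print("after feedback:", detect(SAMPLE_PACKETS, policy))
```

With the default threshold only 10.0.0.5 alerts; after the feedback step halves the threshold for 10.0.0.9, its 60 SYN/s also alerts, which is the "monitor those hosts more closely" adjustment the text describes.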