19.8 Intrusion Detection Systems

Another proactive approach to defending a Unix host is to monitor it for suspicious activity and take action when any is detected. An intrusion detection system (IDS) is a program (or set of programs) designed to monitor the system and report or respond to untoward activity.

An IDS can monitor activity on a single host, activity on multiple hosts, or activity on a network. An IDS can characterize an activity as suspicious either because it is anomalous (differs from a user's usual activity) or because it matches a set of known characteristics of system misuse (or attack).

Host-based IDS

Host-based intrusion detection systems typically monitor system log files and other audit trails and respond to unusual activity. For example, an IDS may notice when a user logs in from an unusual host or at an unusual time, or when a user's shell history file is truncated (an act typical of an attacker covering his trail). The IDS may respond by alerting the system administrator, or may take more aggressive action such as disabling the user's account.

Some host-based IDS systems can monitor log files collected from multiple hosts (either through syslog's remote-logging capability or through a client/server architecture built into the IDS). Such multihost IDS systems are convenient for administrators who are responsible for large networks of hosts.
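As an added illustration of the log monitoring described above (example code written for this section, not taken from the book or from any IDS product): a small Python checker that learns which hosts each user normally logs in from, flags logins from a new host or outside working hours, and reports a shell history file that has shrunk since the last check. The sshd log format, user names, addresses, and working hours are constructed assumptions.

```python
import re
# Constructed sample lines in the style of a Unix auth log (not from any real host).
# The first block is past activity used as the baseline; the second is what just arrived.
BASELINE_LOG = """\
Mar 10 09:02:11 host sshd[1011]: Accepted password for alice from 10.0.0.5 port 50122
Mar 10 09:40:03 host sshd[1042]: Accepted publickey for bob from 10.0.0.7 port 50310
Mar 11 10:15:27 host sshd[1190]: Accepted password for alice from 10.0.0.5 port 51002
"""
NEW_LOG = """\
Mar 12 09:05:10 host sshd[1370]: Accepted password for alice from 10.0.0.5 port 52001
Mar 12 03:17:44 host sshd[1377]: Accepted password for alice from 198.51.100.23 port 40021
Mar 12 22:48:09 host sshd[1402]: Accepted publickey for bob from 10.0.0.7 port 53111
"""

LOGIN_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<host>\S+)"
)

def parse_logins(log_text):
    """Yield (user, source host, hour) for each successful sshd login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m["user"], m["host"], int(m["hour"])

def learn_baseline(log_text):
    """Map each user to the set of hosts they have logged in from before."""
    known = {}
    for user, host, _hour in parse_logins(log_text):
        known.setdefault(user, set()).add(host)
    return known

def detect_anomalous_logins(log_text, baseline, work_hours=range(7, 20)):
    """Flag logins from a host not in the user's baseline or outside work hours."""
    alerts = []
    for user, host, hour in parse_logins(log_text):
        reasons = []
        if host not in baseline.get(user, set()):
            reasons.append(f"unusual host {host}")
        if hour not in work_hours:
            reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            alerts.append((user, host, "; ".join(reasons)))
    return alerts

def history_truncated(previous_sizes, current_sizes):
    """Users whose shell history file shrank since the last check (a trail-covering sign)."""
    return sorted(u for u, size in current_sizes.items() if size < previous_sizes.get(u, 0))
```

In practice the baseline would be built from weeks of logs and the size snapshot of each user's history file stored between runs; an alert would go to the administrator rather than just being returned.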

Network-based IDS

Network-based intrusion detection systems (NIDSs) monitor network packets rather than (or in addition to) system logs, and look for unusual network activity, such as scans to unused TCP ports or packets that resemble known network-based attacks, such as attempts to access the phf CGI script in a request to the system's HTTP port. A simple NIDS might only attempt to detect network-based attacks or port scans directed at its own host; such a system might not only alert the system administrator, but automatically defend itself by adding the attacker's source IP to a packet-filtering firewall system. More sophisticated NIDS setups monitor packets directed at any host on their local network, and alert the network administrator. (If the NIDS is running on the network's firewall, it could also attempt to defend the entire network by blocking packets from the apparent attack host.) An NIDS might also record suspicious packets as evidence for later investigation.

Arguably, you should run host-based IDS software on every Unix host that you maintain. Network-based IDS software works best when run on network gateways and other hosts that serve as critical network nodes. Running an NIDS outside your firewall will reveal how many attack attempts originate from the Internet. Running an IDS inside your firewall is equally important, as it will reveal anomalous activity that originates from within your network or that manages to cross the firewall.

Choosing an IDS requires careful consideration of your requirements and the systems on which you plan to run the IDS. In keeping with our attempt to avoid recommending particular third-party software, we don't provide a list of intrusion detection systems. The SANS Institute, however, maintains an excellent Intrusion Detection FAQ at http://www.sans.org/resources/idfaq that we highly recommend.

Running an IDS can be an eye-opening experience. You will soon discover just how many attacks are directed at your systems. It then becomes your responsibility to act on the information you receive; an IDS that's ignored is useless.