9.8.3 Practice
Specific parameter settings and operational guidelines are too detailed (too “in the weeds”) for architectural consideration. However, consideration of IDS engineering and operations principles and constraints is entirely appropriate; these include:
• IDS monitors data in transit (network) and at rest (host).
• Deploy IDS in every public facing, perimeter network.
• Deploy IDS in every key server farm.
• Define a rule set that governs IDS actions for:
    - One-time anomalies
    - Sustained anomalous activity (e.g., >2 minutes)
    - Specific file types (e.g., CADCAM files containing engineering drawings)
    - Notification thresholds
    - Reactive measure thresholds (e.g., shutdown network access or traffic flow)
• Operate without impacting essential network bandwidth.
• Integrate within existing network architecture.
• Be able to receive automated updates.
• Pass alerts to security operations center (monitoring).
• Log raw data and detected incidents.
• Detect fraud, waste, and abuse.
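The rule-set categories above (one-time versus sustained anomalies, watched file types, notification and reactive thresholds) expressed as a small rule engine run over constructed events. This is an added example, not the book's code; the two-minute window, the thresholds, the file extensions and the sample events are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: (timestamp, source host, anomaly flag, file name).
# Hypothetical data for illustration only.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "10.0.0.5", True, "report.pdf"),
    ("2024-01-01 10:00:30", "10.0.0.5", True, "turbine.dwg"),
    ("2024-01-01 10:02:45", "10.0.0.5", True, "pump.cad"),
    ("2024-01-01 10:01:00", "10.0.0.9", True, "notes.txt"),  # isolated anomaly
]

# Rule-set parameters (assumed values; an operations guideline would set these).
SUSTAINED_WINDOW = timedelta(minutes=2)        # activity spanning >2 min is "sustained"
WATCHED_EXTENSIONS = {".dwg", ".cad", ".dxf"}  # CADCAM engineering drawings
NOTIFY_THRESHOLD = 2                            # anomalies per source before SOC alert
REACT_THRESHOLD = 3                             # anomalies per source before blocking flow


@dataclass
class Verdict:
    one_time: bool            # a single anomaly, no follow-on activity
    sustained: bool           # anomalies spanning more than SUSTAINED_WINDOW
    watched_files: List[str]  # file types the rule set singles out
    notify_soc: bool          # notification threshold reached
    block_flow: bool          # reactive measure threshold reached


def evaluate(events) -> Dict[str, Verdict]:
    """Group anomalous events by source host and apply each rule-set category."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, src, anomalous, fname in events:
        if anomalous:
            stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_source.setdefault(src, []).append((stamp, fname))
    verdicts: Dict[str, Verdict] = {}
    for src, items in by_source.items():
        items.sort()
        span = items[-1][0] - items[0][0]   # time between first and last anomaly
        count = len(items)
        watched = [f for _, f in items
                   if any(f.lower().endswith(ext) for ext in WATCHED_EXTENSIONS)]
        verdicts[src] = Verdict(
            one_time=(count == 1),
            sustained=(span > SUSTAINED_WINDOW),
            watched_files=watched,
            notify_soc=(count >= NOTIFY_THRESHOLD or bool(watched)),
            # Reactive measures only for sustained activity, never on a one-off.
            block_flow=(count >= REACT_THRESHOLD and span > SUSTAINED_WINDOW),
        )
    return verdicts
```

Raw events and the resulting verdicts would both be logged, as the principles above require, so that the SOC can review why a reactive measure fired.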
In general, security mechanism procedures and guidelines are critical for effective and consistent operations. Although the particulars of procedures and guidelines are beyond architectural consideration, the IA² architect should consider providing format, outline, and content recommendations.
9.8.4 Best Practices
ISO/IEC 18403: Guidelines for Implementation, Operation, and Management of IDS provides one example of IDS best practices and addresses both network IDS (NIDS) and host-based IDS (HIDS).
9.8.5 IA² Perspective
In the context of the IA²F LoS, an IDS is an IA mechanism under security monitoring services. In the context of the IA operations framework, IDS is a key defense
Footnote: CADCAM, computer-aided design/computer-aided manufacturing.