and monitor tool for data in transit (network IDS) and data at rest (host IDS). The
IDS monitors for anomalies that include:
- Real-time monitoring and analyzing of user, system, and network activities
- Analyzing system configurations, files, and audit logs
- Assessing system and file integrity
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations
Real-time input from IDS assists in identifying anomalous events; IA operations engineers are the front-line consumers of IDS output. Appropriate training of IA ops engineers rounds out effective real-time response. IDS logs also provide insight into anomaly trends, retroanalysis of incident patterns, and potential areas of performance degradation.
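As an added illustration (not from the book), the following host-IDS checks implement three of the monitored anomaly types listed above: file-integrity assessment against a hash baseline, recognition of a brute-force login pattern in audit logs, and tracking of a user policy (permitted login hours). All file contents and log lines are constructed sample data, and the sshd-style log format and the 08:00-18:00 login policy are assumptions for the example.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime

# Constructed baseline: approved contents of monitored files, kept as SHA-256 digests.
APPROVED = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
BASELINE = {path: hashlib.sha256(data).hexdigest() for path, data in APPROVED.items()}

# Constructed "current" contents standing in for a read from disk; sshd_config was altered.
CURRENT_FILES = {**APPROVED, "/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}

def check_integrity(baseline, current):
    """File-integrity assessment: paths whose current hash no longer matches the baseline."""
    return sorted(path for path, data in current.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(path))

# Constructed audit-log lines in an assumed sshd-like format with ISO 8601 timestamps.
AUDIT_LOG = """\
2024-03-01T02:14:05 sshd[811]: Failed password for invalid user admin from 203.0.113.9
2024-03-01T02:14:07 sshd[811]: Failed password for invalid user admin from 203.0.113.9
2024-03-01T02:14:09 sshd[811]: Failed password for invalid user admin from 203.0.113.9
2024-03-01T02:14:11 sshd[811]: Failed password for invalid user admin from 203.0.113.9
2024-03-01T02:14:13 sshd[811]: Failed password for root from 203.0.113.9
2024-03-01T09:30:00 sshd[902]: Accepted publickey for alice from 192.0.2.20
2024-03-01T23:45:10 sshd[950]: Accepted password for bob from 192.0.2.31
"""
FAILED = re.compile(r"^\S+ sshd\[\d+\]: Failed password for .* from (\S+)$")
ACCEPTED = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from \S+$")

def detect_bruteforce(log, threshold=5):
    """Attack-pattern recognition: source addresses with at least `threshold` failed logins."""
    sources = Counter(m.group(1) for m in map(FAILED.match, log.splitlines()) if m)
    return sorted(src for src, n in sources.items() if n >= threshold)

def policy_violations(log, allowed_hours=range(8, 18)):
    """User-policy tracking: accounts with successful logins outside the permitted hours."""
    hits = []
    for m in map(ACCEPTED.match, log.splitlines()):
        if m and datetime.fromisoformat(m.group(1)).hour not in allowed_hours:
            hits.append(m.group(2))
    return hits

if __name__ == "__main__":
    print(check_integrity(BASELINE, CURRENT_FILES))   # ['/etc/ssh/sshd_config']
    print(detect_bruteforce(AUDIT_LOG))                # ['203.0.113.9']
    print(policy_violations(AUDIT_LOG))                # ['bob']
```

Each function returns the flagged items rather than printing them, so the same checks can feed an alerting pipeline or be run periodically for the trend analysis described above.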
9.8.5.1 Security Service and Mechanism Aggregation
Even the best safeguards have vulnerabilities that provide an adversary with opportunity to bypass those safeguards. Presenting a single obstacle for an adversary to overcome is not effective security; there should be many obstacles. Moreover, these many obstacles should provide coordinated safeguards in a well-planned defense-in-depth. The aggregation of many IA services and mechanisms, where each component fulfills a distinct role in complement to the others, is defense-in-depth.
Defense-in-depth involves segmenting the LAN with security boundaries, establishing policy on what technical and business services may reside within those boundaries, establishing policy on interboundary communications, and implementing a combination of the security services and mechanisms to facilitate and enforce the policies. Figure 9.5 provides an overview of defense-in-depth with IDS (and other IA mechanisms) in context.
9.9 Honeypots
A honeypot in the cyber-security sense is an enticement for would-be intruders. The honeypot may look like an important production server, but in reality is in part a distraction and in part a glass slide under a cyber-microscope for system administrators and security personnel to watch intruder activity. The primary honeypot benefits are keeping intruders off real production servers, an early warning system of adversary interest, and a learning tool for security personnel.
Figure 9.5 provides a view of a single honeypot in the perimeter network; its placement is expected to provide an attractive distraction from production Internet-