
392    Chapter 6 • Infrastructure Security: Devices and Media

When being installed, a NIDS is typically configured with a base set of rules and known attack signatures, which can be expanded on with custom signatures. Some NIDSes also support a learning mode where the NIDS examines traffic on the network and learns trends and typical usage of the network. Based on what the NIDS learns, it can continue monitoring and determine when unusual traffic patterns are detected so that an administrator can be notified.
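The two detection approaches described above, signature matching and a learning-mode baseline, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the book or from any real NIDS product. The log format, the signature patterns, the host addresses and the traffic windows are all constructed for the illustration; the "baseline" is a simple per-source count of distinct destination ports per time window, flagged when it exceeds the learned mean by a fixed margin.

```python
"""Toy NIDS: static signature rules plus a learning-mode traffic baseline (example code)."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    pattern: re.Pattern


# Base rule set plus one "custom" signature; all patterns are constructed for this example.
SIGNATURES = [
    Signature("http-path-traversal", re.compile(r"\.\./")),
    Signature("sql-tautology", re.compile(r"(?i)'\s*or\s+1=1")),
    Signature("custom-admin-probe", re.compile(r"/admin/\w+\.php")),
]


@dataclass
class Event:
    src: str
    dst_port: int
    payload: str


def parse_event(line: str) -> Event:
    """Parse one line of the constructed log format: src=<ip> dport=<n> payload=<text>."""
    m = re.match(r"src=(\S+) dport=(\d+) payload=(.*)$", line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Event(m.group(1), int(m.group(2)), m.group(3))


def signature_alerts(events):
    """Signature mode: return (source, rule name) for every payload that matches a rule."""
    return [(e.src, sig.name) for e in events for sig in SIGNATURES if sig.pattern.search(e.payload)]


class Baseline:
    """Learning mode: remember how many distinct ports each source touches per window."""

    def __init__(self):
        self.samples = defaultdict(list)

    @staticmethod
    def _fanout(window):
        ports = defaultdict(set)
        for e in window:
            ports[e.src].add(e.dst_port)
        return ports

    def learn(self, windows):
        for window in windows:
            for src, ports in self._fanout(window).items():
                self.samples[src].append(len(ports))

    def anomalies(self, window, k=3.0):
        """Flag sources never seen in training, or whose fan-out exceeds mean + k * max(stdev, 1)."""
        out = []
        for src, ports in self._fanout(window).items():
            hist = self.samples.get(src)
            if hist is None:
                out.append((src, "unknown-host"))
                continue
            mean = statistics.mean(hist)
            stdev = statistics.pstdev(hist) if len(hist) > 1 else 0.0
            if len(ports) > mean + k * max(stdev, 1.0):
                out.append((src, f"port-fanout {len(ports)} vs baseline {mean:.1f}"))
        return out


# Constructed training windows: two hosts with quiet, regular behaviour.
TRAINING = [
    ["src=10.0.0.5 dport=80 payload=GET /index.html",
     "src=10.0.0.5 dport=443 payload=TLS handshake",
     "src=10.0.0.6 dport=22 payload=SSH-2.0-client"],
    ["src=10.0.0.5 dport=80 payload=GET /about.html",
     "src=10.0.0.6 dport=22 payload=SSH-2.0-client"],
    ["src=10.0.0.5 dport=80 payload=GET /index.html",
     "src=10.0.0.5 dport=443 payload=TLS handshake",
     "src=10.0.0.6 dport=22 payload=SSH-2.0-client",
     "src=10.0.0.6 dport=25 payload=EHLO mail"],
]

# Constructed test window: 10.0.0.5 suddenly touches eight ports, an unknown host 10.0.0.9
# appears, and two payloads match signatures.
TEST_WINDOW = [f"src=10.0.0.5 dport={p} payload=SYN" for p in (21, 22, 23, 25, 80, 110, 143, 443)] + [
    "src=10.0.0.6 dport=22 payload=SSH-2.0-client",
    "src=10.0.0.9 dport=80 payload=GET /../../etc/passwd",
    "src=10.0.0.9 dport=80 payload=GET /login?user=' or 1=1",
]


def run_demo():
    """Train on the quiet windows, then report both kinds of findings for the test window."""
    baseline = Baseline()
    baseline.learn([[parse_event(l) for l in w] for w in TRAINING])
    test_events = [parse_event(l) for l in TEST_WINDOW]
    return {"signatures": signature_alerts(test_events), "anomalies": baseline.anomalies(test_events)}


if __name__ == "__main__":
    for kind, findings in run_demo().items():
        print(kind, findings)
```

The signature half is what the base rule set and custom signatures give you: deterministic, explainable, but blind to anything without a pattern. The learning half catches the unknown host and the port fan-out without any rule, which is exactly the "unusual traffic patterns" notification the text describes; its cost is that the training windows must be representative, since whatever was present during learning becomes "normal".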
There are a few best practices to follow when setting up a NIDS:

1. Ensure that the NIDS used is designed to support the network size it will be working with. If it cannot support the size of the network, either use a different NIDS or segment the network and use multiple NIDSes.

2. When working with a NIDS, if accessing and controlling the NIDS remotely, it is best to place the controlling system on another subnet.

3. It is best to set up the NIDS so that all logs are stored on a remote system on a different subnet. These practices help increase the security of the NIDS.

For further information on a device-based NIDS, look at the Cisco Secure Intrusion Detection System at www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html. Also, an excellent and highly regarded software solution can be found at www.snort.org. There are many different NIDSes available, each with their own benefits.

             Network Monitoring/Diagnostic


Many large networks employ some form of ongoing monitoring or diagnostic routine to continually keep administrators aware of the status of the network and allow for proactive corrective actions to potential problems. This can be done with monitoring software or with dedicated devices located on the network.
In large network configurations, some network administrators may leave a remotely accessible sniffer attached to a switch. This allows the administrator to span the ports on the switch and remotely sniff the network traffic. This is a great tool for network administrators, but if an intruder were to access this system, they could potentially gather data from anywhere in the network. If a device like this is left accessible on the network, it is best to use a strong password to access the device. In addition, using an encrypted session to communicate with the device will prevent eavesdropping on the sniffing session.

Another common device generally left attached to networks is some form of diagnostic equipment. This can range from a simple meter for checking cable



          www.syngress.com