IDS: Security At Its Finest

Intrusion-detection systems (IDSs) are the solution for systems administrators looking to protect their servers from hackers' attempts to gain access.

While an administrator with good security knowledge has typically configured firewalls and ensured that unnecessary services aren't running, that only protects against hacks you've anticipated. To approach server security in a proactive, rather than passive, manner, IDSs are the better way to go.

An IDS uses a combination of technologies to prevent unauthorized access to a company's systems. This is typically done via complex algorithms, which detect anomalies and patterns. For example, an IDS can detect port scans, bots that are blasted through a company's Web site and many other complex attacks.

In the open-source world, Snort is a popular IDS. Originally a lightweight IDS, Snort is now capable of real-time traffic and protocol analysis. It can be used to automatically detect attacks as diverse as buffer-overflow attempts, CGI attacks and port scans. Snort uses a rules-based language to accomplish this and to determine what traffic should be allowed into your environment. Additionally, Snort has a notification mechanism that can alert systems administrators to intrusion attempts.

One of the best things about Snort is that it has a modular architecture that not only allows for new intrusion-detection technologies to be plugged in, but also allows some flexibility for the user interface. There are a few user interfaces available to the Snort user, most notably ACID and BASE.

BASE, the Basic Analysis and Security Engine, is the user interface that I prefer to use. It's actually based on code from ACID, the Analysis Console for Intrusion Databases. BASE is a Web-based user interface that allows a server administrator to have a clear picture of all of the attempts to access the server.

Operationally, BASE allows the user to monitor all alerts for the current day, or the prior 24- or 72-hour period. It also contains full-search functionality, should you want to investigate a particular intrusion attempt.

For more details on intrusion events, administrators can simply click on a hyperlink and be presented with a list of every attempt to gain access to the server. The user interface also allows administrators to take action on a single entry on that list or multiple entries.

A bigger picture of hack attempts can be built up by archiving individual events or adding them into an alert group, which is a mechanism that allows alerts to be categorized and recalled or acted on as a group at a later time. Savvy administrators will use the feature for alerts that need to be communicated among systems administrators.

For more information on BASE, see secureideas.sourceforge.net, or e-mail base@secureideas.net.

Kevin Carlson (kevinc@watchfire.com) is with Watchfire, a business-management software and services provider based in Waltham, Mass.