In control with intrusion-detection systems

An intrusion-detection system (IDS) doesn't just detect attacks. It also is useful for forensics, detecting network misuse and misconfiguration, and even network performance profiling.

To meet such varied needs, the IDS requires a way to collect and store events from sensors deployed throughout a network, as well as to search, collate and analyze events as they come in, archive and retrieve IDS events, generate instant alerts from some sets of events, manage all these components, and report on long-term trends. In more advanced deployments, IDS data uses a correlation engine to look for trends across events.

The Snort team (most of whom work for Sourcefire, selling a commercial IDS and intrusion-prevention system [IPS] based on the open source Snort engine) has taken care of the first half of this picture with its powerful IDS detection engine. As with SpamAssassin, Snort alone is almost completely useless. Yet it is easily layered on top of operating systems such as Linux or BSD (Berkeley Software Distribution or Berkeley Unix) to build an IDS sensor that detects traffic and generates events. Still, without an infrastructure to manage Snort and the events, companies might as well not bother.

Data center managers who want to build a 100 percent open source IDS they fully control might consider starting with Snort-based IDS sensors that typically run on Linux and then using a dozen or more other open source components to manage the sensors.

Managing the sensors can require home-grown scripts or applications, although there are specific tools, such as Oinkmaster and IDS Policy Manager, for keeping Snort rule sets updated properly. To log events, the common approach is to use Barnyard, a Snort add-on, along with the MySQL database. Once events are logged, tools such as Analysis Console for Intrusion Databases or the newer Basic Analysis and Security Engine - combined with a Web server and various scripting and graphics tools - can be used for trending and forensics.

But because the most difficult part of creating an enterprise IDS is turning the sensor's data into useful information, rather than building from scratch, a better solution may be to use open-source IDS sensors and a commercial IDS "super console" to handle events, alerts, archiving and forensics. This approach still minimizes the risk of being stuck with a network of IDS sensors from a commercial vendor that goes out of business, a significant concern considering that 40 percent of the IDS and IPS vendors in Network World's 2003 test (and 50 percent in our 2002 test) have gone under or left the IDS/IPS market.

Most of the security information management products from such vendors as ArcSight, NetIQ, Network Intelligence and Tenable Network Security, for example, will work perfectly well with Snort-based sensors. For an additional license fee, Sourcefire's 3D Defense Centre will accept events from open source Snort as easily as from Sourcefire's packaged offerings.