|
|
Modern intrusion detection covers a wide range of systems, functions, and tools. Some of these tools simply detect, log, or report intrusion attempts. Others respond to such attempts proactively. It's easiest to understand security as a multilayered issue. Firewalls and network intrusion detection systems (NIDS) make up the outer shells of a comprehensive security solution. In this chapter, we take a host-centric view of security, and thus view these external forms of intrusion detection as the outer layer of defense.
Once past these outer layers, you'll find other security tools for the inner layers. These host-level ID tools, or HIDS, monitor local user, file, and log activity. Some HIDS are host-network-based, but many are not network-based at all. These programs watch for signs of user escalation violations, deviations of regular activity from baseline comparisons, and log or file monitoring, among other functions.
| Note |
Network-based intrusion detection tools watch for attack precursors (scans), attempts, and related network signatures. Generally, these tools are referred to as intrusion detection systems, or IDS. There are many subcategories of IDS, such as network-node-based IDS (NNIDS) and network-based IDS (NIDS), as well as host-based IDS (HIDS). In addition to these, you'll also find passive and reactive xlDS systems. Reactive systems can be tied into firewalls and are called intrusion prevention systems, or IPS. Learn more about these security tools at www.securityfocus.com/infocus/1733. |
Even though it's common to think that the greatest threat to a system is external, remember that valid local user accounts should also be considered untrusted or potentially hostile. System attacks that succeed usually install a rootkit of some sort, software that compromises your system and leaves a back door daemon installed and running. Thus, to add to your layers of security, you should also consider local file-system-level forms of intrusion detection in the form of file alteration and system baseline scan comparisons, as well as system to watch for signs of trojans, worms, and new, related cracking tools. These defense tools can include both native and third-party tools or suites. Examples of these would include cracking and rootkit detection tools, automated systems that keep an eye on local user access, accounts, user and system files, and common security auditing tools (which can be maliciously used to serve the cracker's needs).
| Note |
This chapter is, by necessity, a mere introduction to the basics of host-based intrusion detection for Linux systems. We show you the basics of file alteration monitoring, a useful aspect of host-based intrusion detection, as well as offer pointers to other tools that may be useful in your installation. However, if you are responsible for security, take advantage of the many other books and resources on these topics. Don't take our word for it-do your own homework. You'll find a list of references and resources at the end of this chapter. |
|
|