Unix Technical Forum

Intrusion Detection Strategies

07-28-2008, 06:39 PM
origami.takarana@gmail.com
 

Intrusion Detection Strategies
-----------------------------------
Until now, we’ve primarily discussed monitoring in how it relates to
intrusion detection, but there’s more to an overall intrusion
detection installation than monitoring alone. Monitoring can help you
spot problems in your network, as well as identify performance
problems, but watching every second of traffic that passes through
your network, manually searching for attacks, would be impossible. This
is why we need specialized network intrusion detection software. This
software inspects all network traffic, looking for potential attacks
and intrusions by comparing it to a predefined list of attack strings,
known as signatures. In this section, we will look at different
intrusion detection strategies and the role monitoring plays. We’ll
learn about different strategies designed for wireless networks, which
must take into account the nature of the attacks unique to the
medium. These include a lack of centralized control, lack of a defined
perimeter, the susceptibility to hijacking and spoofing, the use of
rogue APs, and a number of other features that intrusion detection
systems were not designed to accommodate. Only a combination of
factors we’ve discussed earlier, such as good initial design and
monitoring, can be combined with traditional intrusion detection
software to provide an overall effective package.

Integrated Security Monitoring
------------------------------------
As discussed earlier, having monitoring built in to your network will
help the security process evolve seamlessly. Take advantage of built-in
logging on network devices such as firewalls, DHCP servers, routers,
and even certain wireless APs. Information gathered from these sources
can help make sense of alerts generated from other intrusion detection
sources, and will help augment data collected for incidents.
Additionally, these logs should help you to manually spot unauthorized
traffic and MAC addresses on your network.

Beware of the Auto-responding Tools!
-------------------------------------------
When designing your intrusion detection system, you will likely come
across a breed of tools, sometimes known as Intrusion Prevention
Systems. These systems are designed to automatically respond to
incidents. One popular package is called PortSentry. It will, upon
detection of a port scan, launch a script to react. Common reactions
include dropping the route to the host that has scanned you, or adding
firewall rules to block it. While this does provide instant protection
from the host that’s scanning you, and might seem like a great idea at
first, it creates a very dangerous denial of service potential. Using
a technique known as IP spoofing, an attacker who realizes PortSentry
is being used can send bogus packets that appear to be valid port
scans to your host. Your host will, of course, see the scan and react,
thinking the address that it’s coming from is something important to
you, such as your DNS server, or your upstream router. Now, network
connectivity to your host is seriously limited. If you do decide to
use autoresponsive tools, make sure you are careful to set them up in
ways that can’t be used against you.

Regards
Mitchel
http://www.centronet.uni.cc
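
One way to set up an auto-responder so that spoofed scans cannot be used against you, as the post's last section advises (an added example, not part of the original post and not PortSentry's own code): the decision step refuses to block protected addresses, caps the number of active blocks, and lets blocks expire. The addresses, names and limits are constructed assumptions, and the function only returns the decision rather than touching routes or firewall rules.

```python
import ipaddress
import time

# Constructed sample values (documentation address ranges), not from the post.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.53/32",    # assumed DNS server
    "192.0.2.1/32",     # assumed upstream router
    "198.51.100.0/24",  # assumed management network
)]
MAX_ACTIVE_BLOCKS = 3   # cap so a flood of spoofed scans cannot fill the rule table
BLOCK_TTL = 600         # seconds; blocks expire instead of living forever


class AutoResponder:
    """Decides what to do with a port-scan alert (hypothetical helper)."""

    def __init__(self):
        self.blocks = {}  # source address -> expiry timestamp

    def _expire(self, now):
        # Drop blocks whose lifetime has run out.
        self.blocks = {ip: t for ip, t in self.blocks.items() if t > now}

    def handle_scan_alert(self, src, now=None):
        """Return the action taken for a port-scan alert from `src`."""
        now = time.time() if now is None else now
        self._expire(now)
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return "alert-only: unparseable source"
        if any(addr in net for net in NEVER_BLOCK):
            # The source may be spoofed; blocking it would cut off our own service.
            return "alert-only: protected address"
        if str(addr) in self.blocks:
            return "already-blocked"
        if len(self.blocks) >= MAX_ACTIVE_BLOCKS:
            return "alert-only: block limit reached"
        self.blocks[str(addr)] = now + BLOCK_TTL
        return "blocked"
```
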