
Bro: A Network Intrusion Detection System

Intrusion detection is critical for network security. Use Bro to catch miscreants red-handed.

The commercialization of the Internet has both disrupted and reinvented the way business is conducted. Propelled by pervasive connectivity, even small endeavors can achieve global reach, maintain uninterrupted, perennial business hours, and leverage automation and connectivity on an unprecedented scale.

But with these new opportunities comes additional risk. Computers connected to the Internet aren’t quarantined or isolated; instead, the Internet Protocol (IP) connects virtually any computer to any other computer, providing an open avenue for malfeasance, such as denial-of-service attacks, spoofing, and intrusions.

To counter, firewalls police incoming traffic. But firewalls aren’t perfect, so many organizations deploy further safeguards to detect breaches. One of the most popular additional countermeasures is an intrusion detection system (IDS). The idea? If you can’t beat ’em, at least detect ’em.

There are two types of intrusion detection systems: a host-based intrusion detection system and a network-based intrusion detection system. (The nomenclature is somewhat unfortunate: the names reflect each type’s intent, not the kind of hardware required to run the IDS.)

* A host-based IDS (HIDS) monitors activity and changes on an individual system to determine if that system has been breached. A HIDS scans the system, comparing the system to a “trusted” snapshot. The snapshot is rarely a complete image of the system; instead, the HIDS is tailored to detect certain attacks by watching specific files. Checksums are used to compare what exists to what’s trusted. On Linux and Unix systems, typical files to monitor include password files, setuid files, new network interfaces,…
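The checksum comparison against a trusted snapshot described above, sketched as an added example that is not part of the original article or of any particular HIDS product. The function names (`snapshot`, `compare`, `demo`) are hypothetical, and the watched files are constructed stand-ins created in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID

def snapshot(paths):
    """Record SHA-256 checksum and permission bits of each watched regular file."""
    snap = {}
    for path in paths:
        if not os.path.isfile(path) or os.path.islink(path):
            continue  # missing files are reported as "removed" by compare()
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[path] = (digest, stat.S_IMODE(os.lstat(path).st_mode))
    return snap

def compare(trusted, current):
    """List (path, finding) pairs where current state departs from the trusted snapshot."""
    findings = []
    for path in sorted(set(trusted) | set(current)):
        if path not in trusted:
            findings.append((path, "added"))
        elif path not in current:
            findings.append((path, "removed"))
        else:
            (old_sum, old_mode), (new_sum, new_mode) = trusted[path], current[path]
            if old_sum != new_sum:
                findings.append((path, "content changed"))
            if new_mode & ~old_mode & SPECIAL:
                findings.append((path, "setuid/setgid bit gained"))
    return findings

def demo():
    """Constructed sample: stand-ins for a password file and a binary in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        passwd, tool = os.path.join(d, "passwd"), os.path.join(d, "tool")
        for p, data in ((passwd, b"root:x:0:0::/root:/bin/sh\n"), (tool, b"#!/bin/sh\n")):
            with open(p, "wb") as fh:
                fh.write(data)
        os.chmod(tool, 0o755)
        trusted = snapshot([passwd, tool])       # taken while the system is trusted
        with open(passwd, "ab") as fh:           # later: file content changes
            fh.write(b"newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.chmod(tool, 0o4755)                   # later: setuid bit appears
        return [finding for _, finding in compare(trusted, snapshot([passwd, tool]))]

if __name__ == "__main__":
    print(demo())
```

In practice the trusted snapshot has to be stored where the monitored host cannot rewrite it, otherwise whoever alters the files can alter the baseline as well.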
