March 12, 2001, 12:14 PM — I configured our intrusion-detection system (IDS) network sensors this week. For the software, I decided to go with Atlanta-based Internet Security Systems Inc.'s RealSecure. I'm familiar with the product, and with the limited resources I have in both my department and within our network operations center (NOC), RealSecure seemed to be the most appropriate choice at this time. The challenge lies in setting up the IDS so a security department with a staff of two can handle it.
A couple of the nice features of RealSecure are its point-and-click Windows-like operation and the X-express auto-update feature, which I'll explain. As new vulnerabilities are discovered, attack signatures need to be incorporated into the IDS infrastructure.
In an ideal world, I would have a team of skilled security engineers writing or obtaining the signatures and reconfiguring each network sensor with the new attack signatures. But this is the real world. RealSecure's update feature automatically downloads and installs signatures to the master console as they're released. Then it's just a matter of pushing policies containing the new signatures from the master console to each of the IDS engines.
Simplicity Is Key
It's a very simple operation, and in my situation, simplicity is key. My plate is full: I am dealing with vulnerability assessments, SecurID token administration, antivirus efforts, a virtual private network, a firewall, Web trust audits, awareness training, abuse issues, policy development, physical security and more. I can't afford a highly managed IDS -- not with only one other person and myself on staff.
Our internal network -- like most networks these days -- is switched Ethernet, which is a problem with the IDS. Back in the old days, before switched Ethernet hubs were popular, you could simply plug your IDS sensor into a spare port on a hub. After configuring the network interface card in promiscuous mode, you could "snoop" or "dump" all the packets destined to or from any other machines connected to the hub.
In a switched environment, however, once the switch learns the media access control (MAC) layer address of the interface card on a port, it forwards traffic for that MAC address directly to that corresponding port. The MAC address is the one that's burned into each interface card at the factory. An IP address can change, but the MAC address will always be the same for that card.
Supposedly, every card in the world has a different MAC address. Since network traffic is directed to a specific port, other ports on the switch don't see the traffic. Switch vendors have realized that there are legitimate reasons why one would need to see all traffic copied to one port.