How to Protect IDS Itself

19

  FreeBSD

  NetBSD

  Solaris (both Sparc and i386)

  HP UX

  AIX

  IRIX

  MacOS

  Windows

For a current list of supported platforms, refer to the Snort home page at http://

www.snort.org.

1.7 How to Protect IDS Itself

One major issue is how to protect the system on which your intrusion detection soft 

ware is running. If security of the IDS is compromised, you may start getting false

alarms or no alarms at all. The intruder may disable IDS before actually performing any

attack. There are different ways to protect your system, starting from very general rec 

ommendations to some sophisticated methods. Some of these are mentioned below.

  The first thing that you can do is not to run any service on your IDS sensor

itself. Network servers are the most common method of exploiting a system.

  New threats are discovered and patches are released by vendors. This is almost

a continuous and non stop process. The platform on which you are running IDS

should be patched with the latest releases from your vendor. For example, if

Snort is running on a Microsoft Windows machine, you should have all the

latest security patches from Microsoft installed.

  Configure the IDS machine so that it does not respond to ping (ICMP Echo 

type) packets.

  If you are running Snort on a Linux machine, use netfilter/iptable to block any

unwanted data. Snort will still be able to see all of the data.

  You should use IDS only for the purpose of intrusion detection. It should not be

used for other activities and user accounts should not be created except those

that are absolutely necessary.

In addition to these common measures, Snort can be used in special cases as well.

Following are two special techniques that can be used with Snort to protect it from

being attacked.