Online Book Reader


CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [75]

(IDSs). These tools allow you to examine the activity on your network or, in the case of an IDS, add intelligence to the process, monitor system logs, monitor suspicious activities, and take corrective action when needed.

The concepts of network monitoring and IDS are briefly covered here. They’re discussed in greater detail in Chapter 4, “Monitoring Activity and Intrusion Detection.”

Network Monitors

Network monitors, otherwise called sniffers, were originally introduced to help troubleshoot network problems. Simple configuration utilities like IPCONFIG report a host’s own settings; they don’t get down on the wire and tell you what is actually being transmitted on a network. Examining the signaling and traffic that occurs on a network requires a network monitor. Early monitors were bulky and required a great deal of expertise to use. Like most things in the computer age, they have gotten simpler, smaller, and less expensive. Network monitors are now available for most environments, and they’re effective and easy to use.

Today, a network-monitoring system usually consists of a PC with a NIC running in promiscuous mode (so the card passes up every frame it sees, not just those addressed to it) and monitoring software. The monitoring software is menu driven, is easy to use, and has a big help file. Decoding the traffic a sniffer displays can get involved and often requires protocol references; you can buy these materials at most bookstores, or you can find them on the Internet for free. With a few hours of work, most people can make network monitors work efficiently and use the data they present.
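As an added example (not from the book): the decoding work the monitoring software does for you, written as a minimal Python sniffer back end that walks an Ethernet II frame down through the IPv4 and TCP headers, verifies the IPv4 header checksum, and returns the fields a sniffer would display. The frame it parses is constructed in build_sample_frame() and is not a real capture; the sniff() function shows how a live capture is opened on Linux (AF_PACKET raw socket, root required, NIC set to promiscuous mode beforehand) and is not exercised here.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP, the layering a sniffer's display walks through.
    Frames with other ethertypes or IP protocols are returned as far as they were decoded."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {
        "eth_dst": ":".join("%02x" % b for b in dst_mac),
        "eth_src": ":".join("%02x" % b for b in src_mac),
        "ethertype": ethertype,
    }
    if ethertype != 0x0800:          # ARP, IPv6, VLAN-tagged frames: not handled here
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    out.update({
        "ip_src": socket.inet_ntoa(src),
        "ip_dst": socket.inet_ntoa(dst),
        "ip_ttl": ttl,
        "ip_proto": proto,
        # Summing a header that already contains its checksum field must give zero.
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    })
    if proto != 6:                   # 6 = TCP; UDP (17), ICMP (1) and others stop here
        return out
    tcp = ip[ihl:total_len]          # bound by total_len so Ethernet padding is not read as payload
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flag_bits = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
    out.update({
        "tcp_sport": sport,
        "tcp_dport": dport,
        "tcp_flags": {name for bit, name in flag_bits if off_flags & bit},
        "payload": tcp[data_off:],
    })
    return out


def build_sample_frame() -> bytes:
    """Constructed test frame, not a real capture: one PSH/ACK segment carrying an HTTP request.
    The TCP checksum is left at zero; only the IPv4 header checksum is filled in."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.80"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp


def sniff(interface: str, count: int = 5):
    """Live capture on Linux (needs CAP_NET_RAW, i.e. root). An AF_PACKET raw socket with
    ETH_P_ALL (0x0003) hands you every frame the NIC delivers; run
    'ip link set dev <interface> promisc on' first so frames for other hosts are delivered too."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)) as s:
        s.bind((interface, 0))
        for _ in range(count):
            frame, _addr = s.recvfrom(65535)
            yield parse_frame(frame)


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key:16} {value!r}")
```

The checksum check is the part worth copying: a sniffer that trusts header fields without verifying them will happily decode corrupted or deliberately malformed frames, and bounding the TCP slice by the IPv4 total length keeps Ethernet padding from showing up as application payload.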

Windows Server products include a tool called Network Monitor that you can use to gain basic information about network traffic; the version that ships with the server captures only frames sent to or from the local computer. A more robust, detailed version of Network Monitor that can capture all traffic on the segment is included with Systems Management Server (SMS).

Sniffer is a trade name, like Kleenex. It was the best-known network monitor, so everyone started calling network-monitoring hardware and software sniffers.

Intrusion Detection Systems


An intrusion detection system (IDS) is software that runs either on individual hosts (a host-based IDS) or on dedicated network devices (a network-based IDS) to monitor and track activity. By using an IDS, a network administrator can configure the system to respond just like a burglar alarm: the alarm doesn’t stop the break-in, but it tells you that one is happening. IDSs can be configured to evaluate system logs, look for suspicious network activity, and, where active response is enabled, disconnect sessions that appear to violate security settings.

Many vendors have oversold the simplicity of these tools. They’re quite involved and require a great deal of planning, tuning, and maintenance to work effectively; an untuned IDS buries the real intrusions under false alarms. Many manufacturers are selling IDSs bundled with firewalls, and this area shows great promise. Firewalls by themselves will prevent many common attacks, but they don’t usually have the intelligence or the reporting capabilities to monitor the entire network. An IDS used in conjunction with a firewall gives you both postures: the firewall is preventive (it blocks the traffic the policy forbids), and the IDS is reactive (it detects and reports the activity that gets through the firewall or originates inside it).

Figure 3.11 illustrates an IDS working in conjunction with a firewall to increase security.

FIGURE 3.11 An IDS and a firewall working together to secure a network

In the event the firewall is compromised or penetrated, the IDS can react by alerting, ending sessions, disabling systems, and even potentially shutting down your network. This arrangement provides a higher level of security than either device provides by itself. Automated responses cut both ways, though: if the IDS blocks whatever source address it sees, an attacker who spoofs the address of a legitimate host can get that host cut off for them, so most administrators start with alerting and enable automatic blocking only for well-understood signatures.
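An added example, not from the book, of the detect-then-react arrangement just described: two simple IDS rules run over constructed log lines (a threshold rule for port scans over a hypothetical firewall connection log, and a signature-plus-count rule for sshd password failures in a system log), with the resulting alerts turned into the iptables drop rules a firewall would load. The log formats, addresses, and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs in hypothetical formats, not real captures. The second
# source in FIREWALL_LOG touches ten destination ports in four seconds; the AUTH_LOG
# lines follow the usual sshd wording but were written for this example.
FIREWALL_LOG = """\
2024-05-01T10:00:00 ACCEPT 192.0.2.10:51000 -> 10.0.0.5:443
2024-05-01T10:00:01 DROP 198.51.100.7:40001 -> 10.0.0.5:21
2024-05-01T10:00:01 DROP 198.51.100.7:40002 -> 10.0.0.5:22
2024-05-01T10:00:01 DROP 198.51.100.7:40003 -> 10.0.0.5:23
2024-05-01T10:00:02 DROP 198.51.100.7:40004 -> 10.0.0.5:25
2024-05-01T10:00:02 ACCEPT 198.51.100.7:40005 -> 10.0.0.5:80
2024-05-01T10:00:02 DROP 198.51.100.7:40006 -> 10.0.0.5:110
2024-05-01T10:00:03 DROP 198.51.100.7:40007 -> 10.0.0.5:143
2024-05-01T10:00:03 ACCEPT 198.51.100.7:40008 -> 10.0.0.5:443
2024-05-01T10:00:03 DROP 198.51.100.7:40009 -> 10.0.0.5:445
2024-05-01T10:00:04 DROP 198.51.100.7:40010 -> 10.0.0.5:3389
2024-05-01T10:00:30 ACCEPT 192.0.2.10:51001 -> 10.0.0.5:22
"""

AUTH_LOG = """\
May  1 10:05:01 host sshd[1201]: Failed password for root from 203.0.113.9 port 50000 ssh2
May  1 10:05:02 host sshd[1202]: Failed password for root from 203.0.113.9 port 50001 ssh2
May  1 10:05:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50002 ssh2
May  1 10:05:03 host sshd[1204]: Failed password for invalid user admin from 203.0.113.9 port 50003 ssh2
May  1 10:05:04 host sshd[1205]: Failed password for root from 203.0.113.9 port 50004 ssh2
May  1 10:05:05 host sshd[1206]: Failed password for root from 203.0.113.9 port 50005 ssh2
May  1 10:05:09 host sshd[1207]: Failed password for bob from 192.0.2.10 port 51020 ssh2
May  1 10:05:20 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 51010 ssh2
"""

FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+)$")
AUTH_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+")


def detect_port_scans(log_text, threshold=10, window_seconds=5):
    """Threshold rule: one source contacting >= threshold distinct destination ports
    inside a sliding window of window_seconds. Returns {src: sorted ports}.
    DROPs count as much as ACCEPTs: a probe is suspicious whether or not it got through."""
    events = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), int(m.group(4))))
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)          # src -> (timestamp, port) pairs still inside the window
    alerts = {}
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q[0][0] < cutoff:          # expire old probes so a slow trickle does not accumulate
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts


def detect_brute_force(log_text, threshold=5):
    """Signature plus count: sshd 'Failed password' lines per source, alert at threshold."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def block_rules(sources):
    """The reactive half: turn alert sources into firewall drop rules (iptables syntax).
    Loading these automatically is an active-response decision; a spoofed source
    address can trick such a rule into cutting off a legitimate host."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(sources)]


if __name__ == "__main__":
    scans = detect_port_scans(FIREWALL_LOG)
    brute = detect_brute_force(AUTH_LOG)
    for src, ports in scans.items():
        print(f"port scan from {src}: {ports}")
    for src, n in brute.items():
        print(f"{n} failed logins from {src}")
    for rule in block_rules(set(scans) | set(brute)):
        print(rule)
```

The window and threshold are the tuning knobs the text warns about: too low and the legitimate host 192.0.2.10, which touches two ports in this sample, gets flagged; too high and a scanner that spaces its probes out slips under the rule.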

Securing Workstations and Servers


Workstations are particularly vulnerable in a network. Most modern workstations, regardless of their operating system, run services such as file sharing, other network services, and application programs that listen for connections. Many of these programs can also connect to other workstations or servers.

Because a network generally consists of a small number of servers and a large number of workstations, it’s often easier for a hacker to find an insecure workstation and enter there first. Once the hacker has gained access to the workstation, it becomes easier to reach the rest of the network, since they’re now inside the firewall and their traffic appears to come from a trusted host.

These connections are potentially vulnerable to interception and exploitation. The process of making

