Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

vulnerability Scan and Intrusion Detection project... would like some

Status
Not open for further replies.

mlchris2

Technical User
Mar 18, 2005
512
US
One of the divisions of the company I work for received feedback from an audit and I not have a project that needs to be implemented by the end of year 2010. I come searching for feedback on what others might be using, which products to shy away from, etc. I appreciate any input you can offer.

I have been instructed to;

1. obtain a detailed Vulnerability scan or penetration test every year that shows the vulnerability points in our external network.

2. Implement a Intrusion detection system to protect several servers and databases.

what can you recommend I look at? I've looked at Juniper IDP and SSX products, Qualys and NitroSecurity thus far.

thanks

Mark C.
 
You might want to look at Nessus for vulnerability scanning. It was the tool of choice at multiple places where I have worked.

As far as intrusion detection, start by researching the difference between host based and network based intrusion detection. They are separate functions that ultimately work together to provide a unified solution.

Most of my experience with intrusion detection is on Linux based servers. You didn't specify what OS you are running. On Linux, I use a combination of Ossec and Snort. A program called Samhain seems to be quite popular.

Network intrusion detection works on the principle of placing an adapter in promiscuous mode where it looks at ALL of the traffic on a network. It then uses packet inspection to watch for and match certain suspicious patterns. The patterns are frequently updated in response to emerging threats. By way of comparison, host based intrusion detection watches for changes on a server that indicate compromise.

As part of a holistic approach you will need to implement procedures and practices to routinely upgrade your detection signatures. You should also get a habit of monitoring the system logs. In Linux, a program called logwatch is good for this, but you should also manually scan things on a period basis.

It also goes without saying that these measures are all secondary to a good practice of hardening the servers themselves. Use of good passwords and other proper authentication, control of access lists, user privilege, correctly setting up firewalls, etc. Without these intrusion detection is almost futile.



 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top