Linux Advisor
hed: Budget-minded security
dek: open-source tools abound that can help you secure your Linux network.
by Maggie Biggs
Given all the worms and viruses that have traversed the Internet in the last few months (as well as the strong likelihood of unauthorized internal access attempts), small- and medium-sized businesses need to focus tightly on implementing a security process.
The most effective security processes include seven layers:
A regularly updated security policy
Server and client-based security tools
Scheduled security auditing
Router-based security measures
Firewalls
Intrusion detection
Incident response strategy
You may have already installed one or more firewalls and antivirus software packages. Hopefully, as part of your security process, you keep these solutions up to date with the latest security information (e.g., known viruses). But defining how you will handle security by creating and regularly updating a security policy document is just as important. So are other planning measures, such as scheduling security audits and planning how you will respond in the event of an attack.
One of the newest additions to the security picture is intrusion detection. Many companies feel that if they install one of these solutions, security issues will no longer be a problem. But intrusion-detection systems, like the rest of your security process, require regular updates. In addition, intrusion detection is still a maturing technology. Today, the majority of intrusion-detection solutions are knowledge-based. That is, they require regularly updated rules or signature files in order to detect all the newest types of intrusions. Newer intrusion detection solutions now support behavior-based detection--they learn the expected behavior of your network or server traffic, and alert you when something is amiss.
Even though intrusion detection is a new and imprecise security function, at the very least it will increase the odds of detecting security breaches. There are two types of intrusion-detection solutions: network-based and host-based. The former monitors network packets, while the latter observes changes to server files and processes.
For small- and medium-sized businesses, commercial intrusion detection solutions can be too costly to implement. Most solutions include some combination of expensive hardware and software. For example, solutions from Cisco and NFR can shrink what's left of your budget, and reduce your ability to add value to your company's infrastructure. What can you do? For starters, take stock of any monitoring capabilities that come with your operating system or with your network routers. Many times, tools are included in what you already own. This can help you begin to monitor activity.
Network monitoring
For my open-source monitoring trial, I went with Snort , which monitors network traffic in real time. Assuming that many small- and medium-sized companies might want to implement intrusion detection on Windows-based systems, I decided to try Snort on a Windows-based test network. Snort can also be implemented on Linux or Unix systems. Silicon Defense supports the Windows-based version of Snort, and you'll find some very detailed documentation on its site .
There are nine files that you'll need to download from the Silicon Defense site. These include the Snort program, the Snort rules file, Apache, MySQL, and the files needed to support the Analysis Console for Intrusion Detection (ACID), which Snort uses to enable you to view any intrusion alerts in your Web browser.
Setting up Snort will take you one to two hours depending on how familiar you are with running software installation programs and editing files. For example, after installing the Snort program, you'll want to install the latest Snort rules files. The rules files provide Snort with information about known vulnerabilities and they are updated, on average, every 30 minutes. You should plan to update these rules files regularly as part of your security process.
You also need to configure the MySQL database so that Snort has a place to store its intrusion detection data. But don't worry; you needn't be a database pro to set up MySQL. Silicon Defense supplies the files needed to create all the necessary database entries so that Snort is able to use MySQL. If you want to view alert information in your browser, you'll need to set up Apache and the files for the Analysis Console for Intrusion Detection. This is also very straightforward and well-documented. Things to consider when setting up Snort include whether you want Snort to start up automatically when your systems start up, and whether you need to monitor your network on one or more subnets. These decisions impact how you configure Snort, so it's a good idea to know the answers before you start configuring.
Once installed, Snort does a good job of acting as an early-warning system on your network. For example, I have set Snort up to automatically update its rules files on a regular basis. During several recent worm and virus attacks, Snort detected that there was unusual activity. It identified the worm and virus activity accurately and gave me time to block Internet traffic while obtaining updated security software (such as virus updates) on all my systems. Most interesting, Snort knew about the attacks well before the media and security-software vendors did. This early warning let me avoid these attacks and continue working safely while I waited for software updates from my security-product providers.
The bottom line
Silicon Defense recently started offering support contracts for Snort. So if you'd like a bit of extra help with Snort, you might consider purchasing a support contract. Exercising Snort--whether on Windows, Unix, or Linux--will show you how easy it is to enhance your security process without spending huge sums of money. Give it a whirl and let me know what you think.
