Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

It’s not hard to see how a scanner can inspect its own configuration files or even the files of other IDSs for errors. But, how do you know if the scanner itself has not been compromised? The scanner is made of one or more binaries. What are the consequences when one of these binaries is patched or hacked? If you’ve used the Tripwire-like function that provides cryptographic signatures for these files, the scanner could notify you when one of these changes—assuming the file-integrity checker program in the scanner has not been compromised. Defenses against tampering are available, such as running binaries off media that is read-only. (Mounting file systems read-only is not guaranteed to work because low-level device driver hacks might bypass file system checking.) One might ask the same kinds of questions about the integrity of firewalls or system-level monitors, too.

With different tool offerings by vendors, you can envision how a system-level monitor can watch for real-time changes to files that make up other IDSs, such as scanners or network sniffers. Provided that the datastream, which the system-level IDS requires, is not compromised (though it can be), this would be a useful way to know whether one of the binaries in the scanner had been hacked. In the future, you’ll probably buy an IDS that has all three types—scanner, network, and system—combined into a single tool. At this point, the tool will be watching itself, which poses the same questions for automated responses and countermeasures.
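The Tripwire-like integrity check described in the two paragraphs above, as an added example that is not code from the book or from any product it mentions. It builds a baseline of SHA-256 digests for a set of monitored binaries (the scanner, a sniffer, and the checker itself), protects the baseline with an HMAC so that an attacker who rewrites a stored digest is also detected, and then re-checks the files. The key, the file names and their contents are constructed for the demonstration; in practice the key would live off-host or on read-only media, and the checker binary would be run from read-only media as the text suggests.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key: an attacker who can read it can re-sign a tampered
# baseline, so a real deployment keeps it off the monitored host.
BASELINE_KEY = b"constructed-demo-key-not-for-production"


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key=BASELINE_KEY):
    """Record a digest for every monitored file and sign the whole record."""
    digests = {p: hash_file(p) for p in sorted(paths)}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def verify_baseline(baseline, key=BASELINE_KEY):
    """True only if the stored digests still match the HMAC that was computed over them."""
    body = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def check_integrity(baseline, key=BASELINE_KEY):
    """Return (baseline_ok, changed, missing).

    If the baseline's own tag fails, nothing else is reported: a baseline an
    attacker has edited cannot be trusted to say which files are clean.
    """
    if not verify_baseline(baseline, key):
        return False, [], []
    changed, missing = [], []
    for path, digest in baseline["digests"].items():
        if not os.path.exists(path):
            missing.append(path)
        elif hash_file(path) != digest:
            changed.append(path)
    return True, changed, missing


def demo():
    """Constructed scenario: three 'binaries' in a temp dir; the scanner gets patched."""
    tmp = tempfile.mkdtemp()
    files = {}
    for name, content in [("scanner", b"scanner v1"),
                          ("sniffer", b"sniffer v1"),
                          ("checker", b"checker v1")]:
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(content)
        files[name] = p

    baseline = build_baseline(files.values())
    clean = check_integrity(baseline)

    # Simulate the scanner binary being patched on disk.
    with open(files["scanner"], "wb") as f:
        f.write(b"scanner v1 + unexpected change")
    after_patch = check_integrity(baseline)

    # Simulate an attacker rewriting the stored digest to hide the patch
    # without knowing the key: the HMAC no longer matches.
    tampered = json.loads(json.dumps(baseline))
    tampered["digests"][files["scanner"]] = hash_file(files["scanner"])
    after_tamper = check_integrity(tampered)

    return {"clean": clean, "after_patch": after_patch,
            "after_tamper": after_tamper, "scanner_path": files["scanner"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The HMAC only closes the gap the text points at for the baseline, not for the checker: if the running checker binary or the kernel underneath it is already compromised, the digests it reports are worthless, which is why the passage recommends running such tools from read-only media and why a separate system-level monitor watching the IDS files is a useful second opinion.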

Take It Away

So many other issues are worth discussing, but it’s time to move on to other things. Hopefully, you’ve enjoyed learning about intrusion detection tools. Following the old psychological adage about memory, “five plus or minus two,” and favoring the low end of the scale, it would be good if you could at least take away three thoughts:

1. Remember to think critically about security products and applications and to reduce things to simple terms. Identify the subjects and objects and make sure that you are clear about how access requests are processed. These basic ideas are at the heart of most computer security products and problems.

2. Intrusion detection tools play an important role by filling gaps left by traditional security products. The preventative approach is no longer sufficient. You need to add detection and response as well.

3. Intrusion detection is built from software. Therefore, IDSs are subject to the same criticisms made of other security products. Don’t let this distract you too much. IDSs will evolve over time and continue to improve. The net result is better security for you.
