Previous | Table of Contents | Next |
It's not hard to see how a scanner can inspect its own configuration files, or even the files of other IDSs, for errors. But how do you know that the scanner itself has not been compromised? The scanner is made of one or more binaries. What are the consequences when one of these binaries is patched or hacked? If you've used the Tripwire-like function that provides cryptographic signatures for these files, the scanner could notify you when one of them changes, assuming the file-integrity checker inside the scanner has not itself been compromised. Defenses against tampering are available, such as running binaries from read-only media. (Mounting file systems read-only is not guaranteed to work, because low-level device-driver hacks might bypass the file-system checks.) One might ask the same kinds of questions about the integrity of firewalls or system-level monitors, too.
With the different tool offerings from vendors, you can envision how a system-level monitor could watch for real-time changes to the files that make up other IDSs, such as scanners or network sniffers. Provided that the data stream the system-level IDS depends on is not compromised (though it can be), this would be a useful way to learn whether one of the scanner's binaries had been hacked. In the future, you'll probably buy an IDS that has all three types (scanner, network, and system) combined into a single tool. At that point the tool will be watching itself, which raises the same questions about automated responses and countermeasures.
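As an added illustration of the two preceding paragraphs (this is example code written for this page, not a tool from the book or any vendor), the following Python builds a Tripwire-style baseline of SHA-256 hashes over an IDS install, authenticates the baseline with an HMAC under a key that is assumed to live off the monitored host, and then re-checks the files the way a system-level monitor would. The install tree, file contents and "attacker" edits are all constructed inside the script. The caveat from the text still applies: this checker is itself a file on the host, so it belongs in its own baseline and should run from read-only media.

```python
"""Tripwire-style integrity baseline for IDS binaries (added example).

The baseline is {relative path: sha256} serialized as JSON and tagged with
HMAC-SHA256 under KEY. The key is assumed to be generated once and kept off
the monitored host, so an attacker who patches a binary cannot simply
regenerate a matching baseline.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (binaries may be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def build_baseline(root, key):
    """Return {'entries': <json>, 'hmac': <hex>}; the HMAC covers the JSON."""
    body = json.dumps(snapshot(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": body.decode(), "hmac": tag}


def check_baseline(root, key, baseline):
    """Verify the baseline tag first; only then compare it with the live tree."""
    body = baseline["entries"].encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, baseline["hmac"]):
        # A baseline we cannot authenticate is worthless; report and stop.
        return {"baseline_tampered": True, "modified": [], "missing": [], "added": []}
    expected = json.loads(body)
    current = snapshot(root)
    return {
        "baseline_tampered": False,
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "added": sorted(k for k in current if k not in expected),
    }


def demo():
    """Constructed scenario: fake IDS install, baseline, then an attacker edit."""
    key = os.urandom(32)          # assumption: held on read-only/offline media
    root = tempfile.mkdtemp()     # stand-in for the scanner's install directory
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    with open(os.path.join(bin_dir, "scanner"), "wb") as f:
        f.write(b"\x7fELF original scanner")        # constructed "binary"
    with open(os.path.join(root, "scanner.conf"), "w") as f:
        f.write("checks = all\n")                    # constructed config
    baseline = build_baseline(root, key)
    clean = check_baseline(root, key, baseline)

    # Attacker patches the scanner binary and drops an extra file.
    with open(os.path.join(bin_dir, "scanner"), "wb") as f:
        f.write(b"\x7fELF patched scanner")
    with open(os.path.join(bin_dir, "backdoor"), "wb") as f:
        f.write(b"\x7fELF dropped by attacker")
    patched = check_baseline(root, key, baseline)

    # Attacker then rewrites the baseline to match, but without the real key.
    forged = build_baseline(root, b"attacker-guess")
    forged_result = check_baseline(root, key, forged)
    return clean, patched, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "patched", "forged baseline"), demo()):
        print(label, result)
```

The order of operations in `check_baseline` is the point: the HMAC is verified before any file is compared, so a rewritten baseline is reported as tampering rather than silently making a patched binary look clean. Hashing the checker's own script into the baseline closes part of the self-trust gap the text describes, but not all of it; only running from media the attacker cannot write, with the key kept elsewhere, removes the rest.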
So many other issues are worth discussing, but it's time to move on to other things. Hopefully, you've enjoyed learning about intrusion detection tools. Following the old psychological adage about memory, five plus or minus two, and favoring the low end of the scale, it would be good if you could at least take away three thoughts: