6.1 Deploy NIDS with Your Eyes Open
While this book discusses strategies to make the installation,
configuration, tuning, and administration of Snort as efficient and
effective as possible, it is important to understand that running an
NIDS is not as simple as plugging it in and watching. People often
underestimate the labor involved with the ongoing maintenance of an
NIDS (any NIDS, not just Snort). While you can minimize their
occurrence, false positive alerts keep you busy confirming that they
are, indeed, false. New signatures come out that detect the latest
batch of Internet worms and they need to be reviewed, tuned,
integrated, and distributed.

One of the challenges of using an open source
application like Snort is that there are new versions fairly
regularly. These new versions may have additional functionality that
you want to use. The only problem is that sometimes this
functionality causes older ways of doing things to change or be
replaced (the portscan2 and conversation preprocessors being replaced
by flow-portscan, for example). Test new versions and functions
before upgrading. Sometimes new functions can introduce new bugs,
too. Fortunately, open source testing of beta versions along with the
cooperation and development done by Sourcefire (the company that
sells the commercial version of Snort) eliminate most bugs before
they make it into production code.

None of the previous discussion even touches on the challenges
involved when you really find evidence that you are under attack or
that you've been hacked. An effective security
manual that includes a thorough incident response plan will pay
dividends (of course, developing the plan takes time, too). The
difficulty of getting those Balkanized departments to work together
will certainly figure into the fun, too.

All of these things can conspire to make you a very busy
administrator. Is having a good awareness of what is going on in your
network and on your servers worth the effort? In my experience,
absolutely. Sticking your head in the sand and being ignorant of the
harm being done to your organization is no way to run a network.

We talked in the introduction about the concept of defense-in-depth,
where each device on your network plays a role in its own security
and multiple strategies are employed to make catching (and stopping)
attacks possible. An NIDS deployment will not be the big box of
security that some people think they need to "have
security" in their organization (almost every
organization has a person with an MBM degree—Management By
Magazine). There is no such thing as a single device that will secure
your network.

NIDS is another layer of defense. It complements your efforts in
other areas, catching things that your other efforts miss. You still
need to apply security patches to your software and systems. You
still need to segregate Internet-facing systems to an isolated
network (usually referred to as a DMZ). You still need to audit your
system logs. An NIDS provides early warning that someone is probing
you or that an attack is being attempted against your
systems—you catch them when they are looking in the window or
jiggling the doorknob instead of catching them after they are inside
the house (or not noticing them at all).