Intrusion Detection FAQ: Should communication between the sensor (or agent) and the monitor be encrypted?

Ideally, the sensor to the monitor communication should be encrypted in order to prevent interception or changes to be made. Knowledgeable intruders will know to look for intrusion detection related traffic and may even have the capability to intercept the traffic. Intrusion detection sensors can send three types of data to the monitor:
  • Alerts are sent to the monitor when a potential intrusion is detected. Alerts are based on the product’s configuration.
  • Status logging is the operation log from the sensor itself. Logging is configurable and generally reports that the sensor is operational and maintains an audit trail of alerts and modifications.
  • Other information can be sent to the monitor based upon the configuration. For example, actual packets or log data that caused and alert can be duplicated and sent to the monitor for review.
Certainly, all of this intrusion information would be useful to an intruder. For example an intruder could intercept and delete data or alerts such that they never make it to the monitor. Therefore, the monitor never receives the alert and the intrusion can go undetected. Even if the data is never altered, the fact that it was potentially vulnerable to alteration might make it unusable as evidence in court. The encryption of sensor communications will not conceal the presence of the sensors, but it will conceal all the contents from those who may capture copies of the data from the network. The monitor will know if counterfeit messages are being generated because they will not be encrypted. Encryption also assures that the alerts and other follow-on activities are not based on false or spurious messages.

Another solution for protecting this communication is to put it all on a separate network dedicated for the intrusion detection sensors and monitors. A separate network may not be assessable to potential intruders and would reduce the risk from not using encryption. The sensor traffic is not on the same network where the detection of attacks is made. Another advantage is that a separate network will be less susceptible to denial of service attacks designed to incapacitate the intrusion detection defenses. The disadvantage to this architecture is the cost of maintaining a separate network for intrusion detection.

Intrusion detection products offer different encryption capabilities. Please check with your vendor for more information on their encryption capabilities.

Phil Bandy, Michael Money & Karen Worstell
SRI Consulting

GIAC certs are concerned with real applications and principles, rather than vendor products and implementations.
-Rob VandenBrink

SANSFIRE 2013 - Washington

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

New Blog Post: SANS EU #DFIR Summit in Prague - Call for Spe [...]
May 16, 2013 - 12:33 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health & Security

"The amount of knowledge conveyed and technical diving by practical hands-on was well balanced."
- Aaron Moore, Maricopa County

"Just amazing content and instruction, it's really a 'must do' for any info sec professional."
- Mark Austin, PHH Mortgage