
Intrusion Detection FAQ: Should communication between the sensor (or agent) and the monitor be encrypted?

Ideally, the sensor to monitor communication should be encrypted in order to prevent the traffic from being intercepted or altered. Knowledgeable intruders will know to look for intrusion detection related traffic and may even have the capability to intercept it. Intrusion detection sensors can send three types of data to the monitor:
  • Alerts are sent to the monitor when a potential intrusion is detected. Alerts are based on the product's configuration.
  • Status logging is the operation log from the sensor itself. Logging is configurable and generally reports that the sensor is operational and maintains an audit trail of alerts and modifications.
  • Other information can be sent to the monitor based upon the configuration. For example, the actual packets or log data that caused an alert can be duplicated and sent to the monitor for review.
Certainly, all of this intrusion information would be useful to an intruder. For example, an intruder could intercept and delete data or alerts such that they never make it to the monitor. The monitor then never receives the alert and the intrusion can go undetected. Even if the data is never altered, the fact that it was potentially vulnerable to alteration might make it unusable as evidence in court. Encrypting sensor communications will not conceal the presence of the sensors, but it will conceal the contents from anyone who captures copies of the data from the network. The monitor will know if counterfeit messages are being generated because they will not be encrypted. Encryption also assures that the alerts and other follow-on activities are not based on false or spurious messages.
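The properties described above (contents hidden from a network capture, counterfeit or modified messages rejected by the monitor, and deleted or replayed alerts noticed) can be demonstrated with a small sensor/monitor protocol. The following is an added illustration, not code from any intrusion detection product: it frames each alert as sequence number + nonce + ciphertext + MAC, encrypt-then-MAC with keys derived from a shared secret. The keystream is a toy HMAC-SHA256 counter-mode construction standing in for a real AEAD such as AES-GCM or a TLS channel; the message names, the `Sensor`/`Monitor` classes and the sample alerts are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Framing constants for the constructed wire format:
#   [8-byte sequence][12-byte nonce][ciphertext][32-byte HMAC tag]
SEQ_LEN = 8
NONCE_LEN = 12
TAG_LEN = 32
HEADER_LEN = SEQ_LEN + NONCE_LEN


def derive_keys(shared_secret: bytes):
    """Split one provisioned secret into separate encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"ids-sensor-enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"ids-sensor-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF keystream (HMAC in counter mode); a stand-in for a real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sensor:
    def __init__(self, shared_secret: bytes):
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.seq = 0  # monotonically increasing; lets the monitor spot deletions

    def send(self, alert: dict) -> bytes:
        self.seq += 1
        plaintext = json.dumps(alert, sort_keys=True).encode()
        nonce = secrets.token_bytes(NONCE_LEN)
        header = struct.pack(">Q", self.seq) + nonce
        ciphertext = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        # Tag covers header and ciphertext, so sequence/nonce tampering is caught too.
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag


class Monitor:
    def __init__(self, shared_secret: bytes):
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.last_seq = 0

    def receive(self, wire: bytes):
        """Return (status, alert); status is accepted, gap, forged or replayed."""
        if len(wire) < HEADER_LEN + TAG_LEN:
            return "forged", None
        header, body, tag = wire[:HEADER_LEN], wire[HEADER_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "forged", None  # counterfeit, or modified in transit
        seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
        nonce = header[SEQ_LEN:]
        if seq <= self.last_seq:
            return "replayed", None  # old alert injected again
        # A jump in sequence means alerts were lost or deleted between sensor and monitor.
        status = "accepted" if seq == self.last_seq + 1 else "gap"
        self.last_seq = seq
        plaintext = _xor(body, _keystream(self.enc_key, nonce, len(body)))
        return status, json.loads(plaintext)


def demo():
    """Walk through the cases from the text; returns the monitor's verdicts in order."""
    secret = b"constructed shared secret, provisioned out of band"
    sensor, monitor = Sensor(secret), Monitor(secret)
    verdicts = []
    m1 = sensor.send({"sig": "portscan", "src": "10.0.0.5"})  # constructed alert
    verdicts.append(monitor.receive(m1)[0])                     # accepted
    verdicts.append(monitor.receive(m1)[0])                     # replayed
    flipped = bytes([m1[HEADER_LEN] ^ 0x01])                    # one ciphertext bit changed
    verdicts.append(monitor.receive(m1[:HEADER_LEN] + flipped + m1[HEADER_LEN + 1:])[0])  # forged
    sensor.send({"sig": "exploit attempt", "src": "10.0.0.9"})  # never reaches the monitor
    m3 = sensor.send({"sig": "login failure", "src": "10.0.0.9"})
    verdicts.append(monitor.receive(m3)[0])                     # gap: alert 2 is missing
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Note what the monitor can and cannot conclude: a bad tag says the message is not from a key holder, but a sequence gap only says that an alert did not arrive, not why, so a gap is itself something to alert on rather than silently skip. Nonces here are random; a real deployment would also need a per-sensor key and a sequence state that survives restarts, which this example does not model.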

Another solution for protecting this communication is to put it all on a separate network dedicated to the intrusion detection sensors and monitors. A separate network may not be accessible to potential intruders and would reduce the risk of not using encryption, since the sensor traffic is no longer carried on the same network where the attacks are being detected. Another advantage is that a separate network will be less susceptible to denial of service attacks designed to incapacitate the intrusion detection defenses. The disadvantage of this architecture is the cost of maintaining a separate network for intrusion detection.

Intrusion detection products offer different encryption capabilities. Please check with your vendor for more information on their encryption capabilities.

Phil Bandy, Michael Money & Karen Worstell
SRI Consulting