Nine InfoSec Courses at SANS Chicago 2017. Save $200 thru July 19.

IDFAQ: Should communication between the sensor (or agent) and the monitor be encrypted?

Ideally, the sensor to the monitor communication should be encrypted in order to prevent interception or changes to be made. Knowledgeable intruders will know to look for intrusion detection related traffic and may even have the capability to intercept the traffic. Intrusion detection sensors can send three types of data to the monitor:
  • Alerts are sent to the monitor when a potential intrusion is detected. Alerts are based on the productâs configuration.
  • Status logging is the operation log from the sensor itself. Logging is configurable and generally reports that the sensor is operational and maintains an audit trail of alerts and modifications.
  • Other information can be sent to the monitor based upon the configuration. For example, actual packets or log data that caused and alert can be duplicated and sent to the monitor for review.
Certainly, all of this intrusion information would be useful to an intruder. For example an intruder could intercept and delete data or alerts such that they never make it to the monitor. Therefore, the monitor never receives the alert and the intrusion can go undetected. Even if the data is never altered, the fact that it was potentially vulnerable to alteration might make it unusable as evidence in court. The encryption of sensor communications will not conceal the presence of the sensors, but it will conceal all the contents from those who may capture copies of the data from the network. The monitor will know if counterfeit messages are being generated because they will not be encrypted. Encryption also assures that the alerts and other follow-on activities are not based on false or spurious messages.

Another solution for protecting this communication is to put it all on a separate network dedicated for the intrusion detection sensors and monitors. A separate network may not be assessable to potential intruders and would reduce the risk from not using encryption. The sensor traffic is not on the same network where the detection of attacks is made. Another advantage is that a separate network will be less susceptible to denial of service attacks designed to incapacitate the intrusion detection defenses. The disadvantage to this architecture is the cost of maintaining a separate network for intrusion detection.

Intrusion detection products offer different encryption capabilities. Please check with your vendor for more information on their encryption capabilities.

Phil Bandy, Michael Money & Karen Worstell
SRI Consulting
If someone from a large organization called and asked you for advice on what he or she should do first to get started on Intrusion Detection, what one thing would you recommend?
 
Why is intrusion detection required in today's computing environment?
IDFAQ: Should communication between the sensor (or agent) and the monitor be encrypted?
Rocky Mountain Fall 2017 - Denver
Latest Whitepapers

Securing Industrial Control Systems-2017
By Bengt Gregory-Brown

Using Docker to Create Multi-Container Environments for Research and Sharing Lateral Movement
By Shaun McCullough

Loki-Bot: Information Stealer, Keylogger, & More!
By Rob Pantazopoulos

Last 25 Papers »

Latest Tweets @SANSInstitute

Understand attackers' tactics & strategies in detail wit [...]
July 13, 2017 - 4:50 PM

Newly discovered #cyberattack vectors, vulnerabilities with [...]
July 13, 2017 - 4:45 PM

Limited Time MacBook Air Special Offer | Training on Your Te [...]
July 13, 2017 - 4:02 PM

Contact Us

301-654-SANS(7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It has really been an eye opener concerning the depth of security training and awareness that SANS has to offer."
- Michael Hall, Drivesavers

"SANS is a great place to enhance your technical and hands-on skills and tools. I thoroughly recommend it."
- Aaron Waugh, Datacom NZ Ltd

"Expertise of the trainer is impressive, real life situations explained, very good manuals. Best training ever!"
- Jerry Robles de Medina, Godo CU