Thwarting Hacker Techniques: Detecting intrusions while saving money

By now, you've probably been hit up by every security vendor about their latest intrusion detection or intrusion prevention products that can do everything from stopping viruses to reconfiguring your firewalls. Unfortunately, most of the commercial systems will set you back a small fortune. What's a budget-minded security manager to do when some sort of alerting system is needed, especially when the next fiscal year is many months away? There are several free tools out there to get you on your way to being well-informed when hackers knock at your door.

First, you need to have a tool in place to analyze network traffic, most importantly near the Internet border of your network. Snort is, by far, the leading free IDS software available, although commercial versions of Snort are now available as well. Snort can be configured to watch any traffic. Typically, you'll want to replicate your Internet inbound traffic to one or more switch-ports [in Cisco terms, you'll span traffic to a port], where you'll have a Snort-equipped computer running. Your only cost is the computer itself, which can run on Linux or Windows. Often, a spare PC with a decent-sized hard drive will do fine. Snort can dump suspicious looking traffic to log files, after which you can setup any of several free alerting tools, to monitor the log files and e-mail or page you when such traffic occurs.

Second, you must have a way to analyze system security logs. Working your way in from the border of your network, make sure your border router is configured to send syslog messages to a server you can access from inside your network. Some firewalls can send syslog messages as well, which you can direct to the same internal server. Also make sure servers in your demilitarized zone [DMZ] are either accessible from the inside, or configure their event logs to point an internal server. Making these configuration changes to routers, firewalls and servers is not as difficult as you might think and usually takes just a few commands or mouse clicks. Once your log files are accessible, it's time to install free alerting tool or write your own.

If you're interested in writing your own alerting tool, Batch, Perl or other free scripting tools can be used to execute parsing commands, such as the Windows "find" command or the Unix "grep" command. This can help you find suspicious-looking activity in the log files from both Snort and your sever, router and firewall security logs. A free e-mail program, such as Blat, can then be used to send log entries to your pager, cell phone or e-mail.

This is definitely a crash course in developing a budget alerting system, but you'll be surprised at how well you can be alerted to things like port scans and failed login attempts at an extremely low cost.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Tech Tips Video: The foundation of an email security strategy Biometric authentication know-how: Devices, systems and implementation The 5 A's of functional SAN security Effective storage security policies Smart options for safeguarding stored data Outfox SOX: How to make regulations work for you Thwarting Hacker Techniques: Signs of a compromised system Thwarting Hacker Techniques: Wireless security basics Thwarting Hacker Techniques: Internet data manipulation Thwarting Hacker Techniques: Securing remote access points Network Intrusion Detection (IDS) Host-based intrusion prevention evolves to address server, desktop security What are the differences between intrusion detection and intrusion prevention? Product review: AirDefense Enterprise 7.3 What are best practices for creating an IDS and maintaining a signature database? Network intrusion prevention systems: Should enterprises deploy now? RSA 2008: Sourcefire founder Roesch previews Snort 3 What is the best possible IDS deployment for an Enterprise Resource Planning (ERP) system? Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) Host-based intrusion prevention evolves to address server, desktop security What are the differences between intrusion detection and intrusion prevention? IBM announcements mark two years of ISS marriage Product review: AirDefense Enterprise 7.3 NitroSecurity covers its bases with RippleTech deal Network intrusion prevention systems: Should enterprises deploy now? If one server in a DMZ network gets attacked from outside, will the other servers be corrupted? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? What is a 'top-down' IPS sensor search? Network Intrusion Prevention (IPS) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.