
ECID-1 Host Based IDS


Overview

Host-based intrusion detection systems are deployed for major applications and for network management assets, such as routers, switches, and domain name servers (DNS).

MAC / CONF: MACI, MACII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without a properly installed IDS, intrusions into and attacks against the system's major applications or network assets cannot be detected in a timely manner. This implementation guide is intended to help network administrators implement host-based and network-based IDSs so that the system can monitor for and detect security violations and intrusions.

Guidance
1. The network administrator shall identify a list of DOD-approved host-based and network-based IDSs (e.g., ISS RealSecure, ISS Proventia, Symantec Intruder Alert).
2. The network administrator shall perform an analysis to determine the advantages and disadvantages of each IDS identified.
3. The network administrator shall select host-based and network-based IDSs that satisfy the IA requirement and that are suitable to the system and network environment.
4. The network administrator shall install the IDSs in a lab environment, configure them in accordance with the vendor's security administration guide, and test the installed IDSs for functionality.
5. The network administrator shall install the IDSs in the operational environment.
6. Project management shall determine who will operate and review the IDSs and the method of managing them (e.g., remote management via VPN, in band or out of band, or local management).

References

  • DISA Network Infrastructure STIG, Section 3.8, Network Intrusion Detection, 29 September 2003
  • NIST - Guide to Intrusion Detection and Prevention Systems (IDPS)
  • NIST SP 800-36, Guide to Selecting Information Security Products, October 2003
  • Vendor Security Administration Guide (refer to this if no DSSA/NSA/NIST/USG guidance is available)