Chapter 8 - System Monitoring; Intrusion Detection - Honeywell dolphin 70e black Network And Security Manual

8 System Monitoring
The security recommendations outlined in this guide help reduce security risks but do not guarantee that an attacker will be unable to circumvent the safeguards put in place to protect network systems and devices, including the Dolphin 70e Black. Early detection of an attack and/or system breach is essential to preventing further damage. The earlier a system intrusion is detected and the more evidence that is captured, the less damage is likely to occur and the greater the chances of identifying the intruder. Providing a means to detect and document system exploits is vital. For example, the anti-virus package used should provide a method to collect the logs it creates. The logs should be available for retrieval via the package and a related console application on a server, or via remote device management software (e.g., Remote MasterMind software). Periodic collection of additional logs (e.g., VPN connection information or login access failures) should also be implemented.

Intrusion Detection

Network Intrusion Detection Systems (NIDS) can take many forms. A NIDS can be a dedicated server on the same network branch, freeware software available under GNU or similar licenses (often UNIX® based), or a commercial product aimed specifically at Windows systems.

The purpose of a NIDS is to scan incoming network packets and look for unusual traffic or for specific malformed packets known to be associated with attacks. If anomalies are found, the NIDS takes action such as raising alerts or even disconnecting the computer from the network. The latter is a dangerous option: it prevents further damage to the system (e.g., by closing network ports) but causes a denial of service in doing so.

Most firewalls, switches, and routers have reporting facilities whereby they can report various levels of events, ranging from debugging to emergency failure. These reports can be viewed via secure shell (SSH), collected by a central logging server, or sent via email to an administrator. For example, the Cisco® PIX firewall and Catalyst® 4500 switches can be configured to send selected levels of events to a central syslog server, where further analysis can occur and significant events can be detected.
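The central syslog analysis described above, as an added example (not code from this manual or from Honeywell): it parses BSD syslog (RFC 3164) lines to recover the facility and severity encoded in the PRI field, flags events at or above a chosen severity, counts repeated login failures per source address, and keeps malformed lines visible rather than dropping them. The log lines, host names, addresses and the login-failure wording are constructed for the example.

```python
import re
from collections import Counter

# Syslog severity names indexed by code, 0 = emergency ... 7 = debugging (RFC 3164 numbering).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# BSD syslog line "<PRI>Mmm dd hh:mm:ss host message", where PRI = facility * 8 + severity.
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# Hypothetical login-failure wording used by the constructed sample; real devices phrase it differently.
LOGIN_FAIL_RE = re.compile(r"login failed for user \S+ from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample of what a central syslog server might receive from a firewall and a switch.
SAMPLE_LOG = """\
<190>Mar 10 08:01:02 fw01 connection built from 192.0.2.7 to 198.51.100.3
<188>Mar 10 08:01:05 fw01 login failed for user admin from 192.0.2.7
<188>Mar 10 08:01:09 fw01 login failed for user admin from 192.0.2.7
<188>Mar 10 08:01:12 fw01 login failed for user root from 192.0.2.7
<187>Mar 10 08:02:00 sw01 port Gi1/0/3 error-disabled
<184>Mar 10 08:03:00 fw01 power supply failure
this line has no PRI header and must not be silently dropped
"""

def parse_line(line):
    """Return facility, severity, host and message for one syslog line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 24 facilities * 8 severities - 1 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "message": m.group(4)}

def analyse(log_text, max_severity=3, failure_threshold=3):
    """Flag events with severity <= max_severity (3 = err and worse), repeated login
    failures per source address, and lines the collector could not parse."""
    alerts, malformed = [], []
    failures = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            malformed.append(raw)  # a device or collector problem is itself worth a look
            continue
        if ev["severity"] <= max_severity:
            alerts.append((SEVERITY_NAMES[ev["severity"]], ev["host"], ev["message"]))
        hit = LOGIN_FAIL_RE.search(ev["message"])
        if hit:
            failures[hit.group(1)] += 1
    repeated = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return {"alerts": alerts, "repeated_login_failures": repeated, "malformed": malformed}
```

Calling analyse(SAMPLE_LOG) returns two alerts (the err and emerg events), flags 192.0.2.7 for three login failures, and reports the one malformed line; raising max_severity towards 7 pulls in notice, info and debug traffic as well.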