Intrusion Detection
What is Memset Intrusion Detection?
Intrusion Detection is considered the final layer of defence against an attacker and works to detect when a server has been accessed without permission or 'hacked into'. This is the last line of defence because the other countermeasures (generally, a firewall and vulnerability scanning) attempt to stop an attacker gaining access to the server.
However, should that occur it is vital that the server administrator be aware that their server has been compromised and immediate steps are taken to lockout the intruder and return the server to normal operations as rapidly as possible.
In addition to monitoring for the presence of attackers Intrusion detection will also flag any unusual occurrences that could be the result of a trusted party either making a mistake or deliberately modifying the server in an unauthorised manner or a more illegitimate source looking for areas to attack.
Intrusion detection is possible because of the amount of information that can be collected, logged and analysed on a server. These days a compromised server is a valuable asset that can be used for illegal activities such as relaying spam, attacking other systems, or to steal the Data from it to use for illicit purposes. However, this is only possible so long as their activities remain undetected. The intrusion detection agent is installed on your server to watch for these tell-tale changes or events logged and raise an alert when they are detected.
How Does It Work?
The intrusion detection system that Memset deploys is comprised of two parts; an agent and management server. The agent is the program that runs on the server and monitors for events, gathers information from logs file makes internal measurements. It continuously sends this information back to the management server. The management server is a physically different server administrated by Memset with no client access that receives and processes the data from the agent and analyses it to detect any anomalous activity.
This agent/server model has many advantages. The agent can remain very small requiring minimal Memory and CPU Resources as all the computation and storage is carried out on the central management server. In addition, this separation of agent and management server ensures that the analysis and alerting cannot be modified or disabled as it takes place on a different server. Furthermore, should an attacker disable or modify the agent then this change will be recorded by the management server and an alert generated. This also ensures that an attack cannot be carried out undetected from within the company by an unauthorised employee or disgruntled ex-employee. Even if they have valid credentials to access the server any attempt to modify, damage, subvert or otherwise interfere with the Agent will be detected and flagged.
What is Monitored on the Server?
Memset Intrusion detection monitors the following:
System Binaries and Configuration Files Integrity Checking
The installed system binaries are all inspected to detect modification. Changes are spotted because the first thing that the intrusion detection agent (the program that runs on the server) does is to take a unique fingerprint (MD5/SHA1 checksums) of all system binaries and configuration files. Any changes no matter how small, even a single character, are easily detectable and will be spotted by the intrusion detection agent.
Log Files
Servers produce system and application logs which document normal activity as well problems and errors. The intrusion detection agent will read and monitor those log files and any anomalous activity will be spotted and reported.
Suspicious Network Connections
Some malicious programs will attempt to install themselves and usually open a network connection in order to communicate with command and control servers, relay spam or scan other servers to infect. The intrusion detection agent will monitor and flag any out of the ordinary network connections.
Rootkits and Malware
A root kit is a software package designed to take over a server and hide its presence. The intrusion detection system comes with database of root kits and will periodically check for any that may be installed.
Is Intrusion Detection available for my Server?
If your Server is on our Premium Support Level, all Intrusion Detection options are available to you. If you have opted for our Standard Support Level, then only our self-monitored service is available and the Intrusion Detection may only be available as an additional extra.
Who Is Alerted?
Any Alert emails will be sent to the email address you provide in the "Intrusion Detection Alert Settings" page in your Control Panel.
Alerts can also be configured to go to the Memset Technical Support Team for investigation during standard Office Hours. However, this is dependant on your chosen Support Level and Intrusion Detection Level the following options are available:
- Self-Monitored: Memset will not be alerted or investigate any incidents reported.
- Memset-Protected support: Memset will be alerted to and investigate level 11 events and above.
- Memset-Monitored support: Memset will be alerted to and investigate level 13 events and above.
Please contact your Account Manager or our Sales Team, if you would like to add Intrusion Detection to your Server or to change your current Intrusion Detection package.