Security Sage's Guide to Hardening the Network Infrastructure

Protecting a corporate network is a game of sorts: administrators pitted against hackers. Unfortunately, security administrators must always play defense. You don't know when or from where the opponent will attack. It could be a stampede or a precision strike. Your job is to prevent the attack from happening or, as a worst-case scenario, clean up afterward.
One thing that you do know is what will be attacked: every resource that is accessible from the Internet and everything to which those resources connect, internal and external. Ideally, you would want to prevent these attacks from even happening. That is where firewalls (see Chapter 3, "Selecting the Correct Firewall") and proper network segmentation (see Chapter 11, "Internal Network Design") come into play. However, inevitably, some packets will creep past your defenses. What then?
Let's imagine that your house has been or is in the process of being burglarized. Your firewall (deadbolt lock) should have prevented this, but you forgot that you left the side window open (unprotected VPN connection). What is next? Well, at the very least you would want to know what happened, what was stolen, or what was damaged. Proper logging (insurance photos) can take care of what is missing, but that gives you little comfort. What if you could have been notified while the burglary was taking place? A home burglar alarm (your Intrusion Detection System, or IDS) will watch for suspicious activity (signature/trigger strings), and when something odd happens, it should notify the authorities (send an e-mail...