22.2. Network Intrusion Detection Systems

The first type of network monitoring in this chapter's parade of acronyms is the network intrusion detection system, or NIDS. Intrusion refers to any sort of unauthorized access — but, in particular, a NIDS may look for evidence of things such as network mapping, port scanning (even of the stealth variety that specifically seeks to evade detection), fingerprinting, repeated unsuccessful login attempts, floods of data intended as a denial-of-service (DoS) attack, services commonly associated with malware of various sorts, and other behaviors that might rightly worry a network administrator.

NOTE

I discuss network mapping, port scanning, and fingerprinting in Chapter 20. They're useful techniques for you to try on your own network, but your goal should be to use techniques such as a NIDS to improve your network's defenses to the point where even you can't successfully execute a network map or port scan on your Macs from another computer on your network! A perfect port scanner could defeat any NIDS, and a perfect NIDS could detect any port scanner — but perfect tools of either sort don't exist.

At first glance, a NIDS may seem to accomplish the same thing as a firewall. Both aim to help you keep out unwanted traffic, so to that extent, they're in the same general category. However, firewalls are generally static and dumb. They do what you tell them to do, such as blocking all incoming access from a certain IP address or to a certain port, ...
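To make the contrast concrete, here is an added example (my own code, not from the book) of the kind of behavioral check a NIDS applies: rather than a static rule such as "block this address", it watches a source's activity over a time window and raises an alert on the patterns listed above (a burst of distinct ports from one host, or repeated failed logins). The event format, thresholds and sample data are assumptions constructed for the example; note that the deliberately slow scanner stays under the threshold, which is the "stealth variety" caveat in practice.

```python
from collections import defaultdict, deque

# Constructed sample events (not real traffic): (seconds, source_ip, dest_port, kind)
# where kind is "syn" for a connection attempt or "auth_fail" for a rejected login.
EVENTS = (
    [(i * 0.1, "10.0.0.5", 20 + i, "syn") for i in range(16)]                    # fast port sweep
    + [(i * 2.0, "10.0.0.7", 80 if i % 2 else 443, "syn") for i in range(30)]     # ordinary web use
    + [(10.0 + i * 3.0, "10.0.0.9", 22, "auth_fail") for i in range(6)]           # repeated SSH failures
    + [(i * 30.0, "10.0.0.11", 1000 + i, "syn") for i in range(12)]              # slow scan, stays under threshold
)

# Thresholds are assumptions; a real NIDS makes these tunable per network.
SCAN_PORTS = 10      # distinct ports from one source within SCAN_WINDOW seconds
SCAN_WINDOW = 5.0
FAIL_COUNT = 5       # failed logins from one source within FAIL_WINDOW seconds
FAIL_WINDOW = 60.0


def detect(events, scan_ports=SCAN_PORTS, scan_window=SCAN_WINDOW,
           fail_count=FAIL_COUNT, fail_window=FAIL_WINDOW):
    """Sliding-window detector. Returns sorted (source_ip, alert_type) pairs."""
    syn_hist = defaultdict(deque)    # src -> deque of (time, port) inside the window
    fail_hist = defaultdict(deque)   # src -> deque of failure times inside the window
    alerts = set()
    for t, src, port, kind in sorted(events):      # process in time order
        if kind == "syn":
            q = syn_hist[src]
            q.append((t, port))
            while q and t - q[0][0] > scan_window:  # expire old attempts
                q.popleft()
            if len({p for _, p in q}) >= scan_ports:  # many distinct ports, quickly
                alerts.add((src, "port_scan"))
        elif kind == "auth_fail":
            q = fail_hist[src]
            q.append(t)
            while q and t - q[0] > fail_window:
                q.popleft()
            if len(q) >= fail_count:
                alerts.add((src, "brute_force_login"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, alert in detect(EVENTS):
        print(f"ALERT {alert:<18} source={src}")
```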
