Intrusion-Detection Systems (IDS)

An IDS is designed to function as an access-control monitor. It can monitor network or host activity and record which users attempt to access specific network resources. An IDS can be configured to scan for attacks, track a hacker's movements, alert an administrator to ongoing attacks, and highlight possible vulnerabilities that need to be addressed. IDS systems can be divided into two broad categories: network-based intrusion-detection systems (NIDS) and host-based intrusion-detection systems (HIDS).

IDS systems are like 3-year-olds. They require constant care and nurturing, and don't do well if left alone. I say this because IDS systems take a considerable amount of time to tune and monitor. The two biggest problems with IDS systems are false positives and false negatives. False positives refer to when the IDS has triggered an alarm for normal traffic. For example, if you go to your local mall parking lot, you're likely to hear some car alarms going off that are experiencing false positives. False positives are a big problem because they desensitize the administrator. False negatives are even worse. A false negative occurs when a real attack has occurred and the IDS never picked it up.

Intrusion-prevention systems (IPS) build upon the foundation of IDS and attempt to take the technology a step further. IPS systems can react automatically and actually prevent a security occurrence from happening, preferably without user intervention. IPS is considered the next generation of IDS and can block attacks in real time.

 

Network-Based Intrusion-Detection Systems (NIDS)

Much like a protocol analyzer operating in promiscuous mode, NIDS capture and analyze network traffic. These devices diligently inspect each packet as it passes by. When they detect suspect traffic, the action taken depends on the particular NIDS. Alarms could be triggered, sessions could be reset, or traffic could be blocked. Among their advantages are that they are unobtrusive, they have the capability to monitor the entire network, and they provide an extra layer of defense between the firewall and the host. Their disadvantages include the fact that attackers can send high volumes of traffic to attempt to overload them, they cannot decrypt or analyze encrypted traffic, and they can be vulnerable to attacks. Things to remember about NIDS include the following:

• They monitor network traffic in real time.
• They analyze protocols and other relevant packet information.
• They integrate with a firewall and define new rules as needed.
• They send alerts or terminate offending connection.

Host-Based Intrusion-Detection Systems (HIDS)

HIDS are more closely related to a virus scanner in their function and design because they are application-based programs that reside on the host computer. Running quietly in the background, they monitor traffic and attempt to detect suspect activity. Suspect activity can range from attempted system file modification to unsafe activation of ActiveX commands. Although they are effective in a fully switched environment and can analyze network-encrypted traffic, they can take a lot of maintenance, cannot monitor network traffic, and rely on the underling OS because it does not control core services. Things to remember about HIDS include the following:

• They consume some of the host's resources.
• They analyze encrypted traffic.
• They send alerts when unusual events are discovered.

Signature-Based and Behavior-Based IDS Systems

Signature-based and behavior-based IDS systems are the two primary types of analysis methods used. These two types take different approaches to detecting intrusions.

Signature-based models, also known as rule-based models, rely on a database of known attacks and attack patterns. This system examines data to check for malicious content, which could include fragmented IP packets, streams of SYN packets (DoS), or malformed ICMP packets. Anytime data is found that matches one of these known signatures, it can be flagged to initiate further action. This might include an alarm, an alert, or a change to the firewall configuration. Although signature-based systems work well, their shortcoming is due to the fact that they are only as effective as their most current update. Anytime there is a new or varied attack, the IDS will be unaware of it and will ignore the traffic. The two subcategories of signature-based system include these:

• Model based Looks at specific signatures. Snort is an example of this type of design.
• State based A more advanced design that has the capability of tracking the state of the traffic and data as it moves between host and target.

A behavior-based IDS observes traffic and develops a baseline of normal operations. Intrusions are detected by identifying activity outside the normal range of activities. As an example, if Mike typically tries to log on only between the hours of 8 a.m. to 5 p.m., and now he's trying to log on 5,000 times at 2 a.m., the IDS can trigger an alert that something is wrong. The big disadvantage of a behavior-based IDS system is that an activity taught over time is not seen as an attack, but merely as normal behavior. These systems also tend to have a high number of false positives. Basic IDS components include the following categories:

• Sensors Detect and send data to the system
• Central monitoring system Processes and analyzes data sent from sensors
• Report analysis Offers information about how to counteract a specific event
• Database and storage components Perform trend analysis and store the IP address and information about the attacker
• Response box Inputs information from the previously listed components and forms an appropriate response

Carefully read any questions that discuss IDS. Remember that several variables can change the outcome or potential answer. Take the time to underline such words as network, host, signature, and behavior, to help clarify the question.

 

Sensor Placement

Your organization's security policy should detail the placement of your IDS system and sensors. The placement of IDS sensors requires some consideration. IDS sensors can be placed externally, in the DMZ, or inside the network. Your decision to place a sensor in any one or more of these locations will require specific tuning. Without it, the sensor will generate alerts for all traffic that matches a given criteria, regardless of whether the traffic is indeed something that should generate an alert.

False positive alerts are bad, but false negatives are worse because someone was able to perform or attempt unacceptable activity and was not detected.