Intrusion Detection Systems (IDS)




Intrusion detection systems (IDSes) are often described as the first line of defense against attacks or abnormal behavior on networks and computer systems, although strictly speaking an IDS detects and reports rather than blocks. Think of a centurion watching from the perimeter wall. When an attack takes place, such as a hacker trying to gain unauthorized access to a network or a probe program searching for open network ports, the IDS 'centurion' alerts a network security guard or administrator that an attack has occurred. The most common alert channels are pager, SNMP trap messages, and e-mail.

Intrusion detection systems can also detect irregular activity inside a network. A good IDS works well against both external and internal threats, that is, against intrusions from outside and misuse from within. First, we will discuss the two main categories of intrusion analysis: signature-based and statistical-based (also called anomaly-based). Then, we will look at the two main types of intrusion detection systems: network-based IDS (NIDS) and host-based IDS (HIDS).

Signature Intrusion Analysis

Most attacks on networks and systems probe for a vulnerable spot to penetrate before doing their damage, and most of them follow recognizable patterns in the way they probe and exploit. Developers of intrusion detection products analyze these patterns and build software and hardware IDSes that detect them and report that misuse or an intrusion has occurred.

Developers encode each known pattern as a signature and ship it with the IDS. In short, signature analysis compares observed traffic or events against a signature database that describes known attacks; anything that matches is reported. The obvious limitation is that an attack with no signature yet (a brand-new exploit, or a known one altered enough to evade the pattern) goes undetected. If you are using a commercial product that implements this method, keep the signature database current with the updates the vendor publishes, just as you keep antivirus definitions current.

Statistical Intrusion Analysis

Statistical intrusion analysis first establishes a known footprint or baseline of a system's normal usage: CPU (central processing unit) utilization, disk utilization, use of user rights, user logins, and file and folder access over time. It then watches for deviations from that baseline, or 'normal' behavior, and reports them. Most commercial IDSes reference the operating system's log files to build the baseline; if you have used Windows NT or Windows 2000, the Windows Event Viewer should come to mind at this point. Two caveats: the baseline must be collected while the system is known to be clean, or an attacker's activity becomes part of 'normal', and because legitimate usage drifts over time this method produces more false positives than signature analysis and needs ongoing tuning. (If you have never used an operating system before, you probably shouldn't attempt this exam.)
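The two analysis methods side by side, as an added example written for this page rather than code from the exam guide. The syslog-style lines, the two signatures, the baseline counts and the k=3 deviation threshold are all constructed assumptions. Note what each method misses: the signature database has no entry for plain password guessing against an existing account, so only the anomaly check catches the brute-force source, while a single mistyped password from a legitimate user stays below the statistical threshold.

```python
"""Signature-based vs. statistical (anomaly) intrusion analysis.

Added example written for this page; it is not code from the exam guide.
The log lines, the two signatures, the baseline counts and the k=3 threshold
are all constructed assumptions chosen to illustrate the two methods."""
import re
import statistics
from collections import Counter

# Constructed syslog-style lines (not a real capture).  One source guesses
# passwords four times; one web request attempts directory traversal.
SAMPLE_LOG = """\
Mar 01 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar 01 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar 01 10:00:03 host sshd[101]: Failed password for admin from 203.0.113.5 port 4003 ssh2
Mar 01 10:00:04 host sshd[101]: Failed password for invalid user test from 203.0.113.5 port 4004 ssh2
Mar 01 10:00:10 host sshd[102]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Mar 01 10:00:11 host httpd[200]: GET /cgi-bin/../../etc/passwd 404
Mar 01 10:00:12 host sshd[103]: Accepted publickey for bob from 198.51.100.8 port 5001 ssh2
Mar 01 10:00:13 host sshd[104]: Failed password for bob from 198.51.100.8 port 5002 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Signature database: (name, pattern) for attacks we already know about.
# Deliberately, plain password guessing against an existing account is NOT here.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("invalid-user-login", re.compile(r"Failed password for invalid user")),
]


def signature_analysis(lines, signatures=SIGNATURES):
    """Compare every observed event against the signature database.
    Returns (signature name, matching line) for each hit."""
    alerts = []
    for line in lines:
        for name, pattern in signatures:
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


# Constructed baseline: failed logins per source per minute, observed while the
# host was known to be clean.  Mostly zeros with a few typos.
BASELINE_FAILED_PER_MINUTE = [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0]

FAILED_RE = re.compile(r"Failed password .* from (\S+)")


def failed_logins_per_source(lines):
    """Count failed logins by source address (the metric we baseline)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def statistical_analysis(lines, baseline=BASELINE_FAILED_PER_MINUTE, k=3.0):
    """Flag any source whose failed-login count exceeds the baseline mean by
    more than k standard deviations.  Returns {source: count}."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return {src: n for src, n in failed_logins_per_source(lines).items() if n > threshold}


def analyze(lines):
    """Run both methods so their blind spots can be compared side by side."""
    return {"signature": signature_analysis(lines), "statistical": statistical_analysis(lines)}


if __name__ == "__main__":
    for method, hits in analyze(SAMPLE_LINES).items():
        print(method, hits)
```

With the constructed baseline the threshold works out to roughly 2.3 failures per minute, so the four guesses from 203.0.113.5 are flagged and bob's one typo is not; the signature pass reports only the traversal attempt and the login as a non-existent user.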

Network-Based IDS (NIDS)

Network-based intrusion detection systems, or NIDS, are a combination of sensor (agent) programs placed at choke points of the network, such as just inside the firewall or on the segment holding the servers, that gather traffic through a NIC placed in promiscuous mode. On a switched network a sensor sees other hosts' traffic only if it is fed from a SPAN (mirror) port or a network tap, so placement matters. The NIDS reads the header information of every incoming and outgoing packet, and usually the payload as well, and determines whether it matches a known attack signature; encrypted payloads (SSL/TLS, SSH, VPN tunnels) cannot be inspected, so for those only the headers are available. If there is a positive match, or if misuse is detected, an alert is sent to a network specialist.
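What "reading the header information" looks like in practice, as an added example written for this page and not code from the exam guide: the block parses raw IPv4/TCP headers the way a promiscuous-mode sensor would and flags a SYN port scan purely from header fields, which works even when the payload is encrypted. The datagrams are constructed in the file (no live capture, checksums left zero) and the scan threshold of more than five distinct ports is an assumption.

```python
"""NIDS-style analysis of raw IPv4/TCP headers: parse what a promiscuous
sensor would see and flag a SYN port scan from the header fields alone.

Added example written for this page, not code from the exam guide.  The
datagrams are constructed below (no live capture; checksums are left zero),
and the scan threshold is an assumption."""
import socket
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10
IP_HDR = "!BBHHHBBH4s4s"          # 20-byte IPv4 header, no options
TCP_FIXED = "!HHIIBBHHH"          # 20-byte TCP header, no options


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct an IPv4 datagram carrying a TCP segment (test input only)."""
    tcp = struct.pack(TCP_FIXED, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(datagram):
    """Return the header fields a sensor inspects, or None for non-IPv4/non-TCP."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, datagram[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", datagram[ihl:ihl + 14])
    data_off = (off >> 4) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags,
            "payload": datagram[ihl + data_off:total_len]}


class SynScanDetector:
    """Count distinct destination ports receiving SYN-only segments per
    (source, destination) pair; alert once when the count passes the threshold.
    Normal clients open a handful of ports; scanners walk through many."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.syn_ports = defaultdict(set)

    def observe(self, datagram):
        hdr = parse_ipv4_tcp(datagram)
        if hdr is None or not (hdr["flags"] & TCP_SYN) or hdr["flags"] & TCP_ACK:
            return None                       # not a new connection attempt
        key = (hdr["src"], hdr["dst"])
        self.syn_ports[key].add(hdr["dport"])
        if len(self.syn_ports[key]) == self.threshold + 1:
            return f"port scan: {hdr['src']} probed {self.threshold + 1} ports on {hdr['dst']}"
        return None


def run_sensor(datagrams, threshold=5):
    """Feed captured datagrams through the detector and collect alerts."""
    det = SynScanDetector(threshold)
    return [a for a in (det.observe(d) for d in datagrams) if a]


# Constructed traffic: a legitimate HTTPS client's handshake fragment from
# 198.51.100.4, then a scanner at 203.0.113.9 probing six ports on one host.
SAMPLE_TRAFFIC = [
    build_ipv4_tcp("198.51.100.4", "192.0.2.10", 50000, 443, TCP_SYN),
    build_ipv4_tcp("198.51.100.4", "192.0.2.10", 50000, 443, TCP_ACK, b"\x16\x03\x01"),
] + [build_ipv4_tcp("203.0.113.9", "192.0.2.10", 40000 + i, port, TCP_SYN)
     for i, port in enumerate([21, 22, 23, 25, 80, 443])]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_TRAFFIC):
        print(alert)
```

The legitimate client produces no alert because it touches a single port; the scanner trips the detector on its sixth SYN. A production sensor would additionally age out the per-pair port sets so that a slow scan spread over hours is still caught without the tables growing without bound.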

Host-Based IDS (HIDS)

Host-based intrusion detection systems, or HIDS for short, are IDS programs installed on individual servers or client machines. A HIDS monitors only the machine it is installed on. There are two types: those that monitor all traffic arriving at the individual system, whether over a dial-up or a network connection, and those that use agents to examine the host itself (log files, file integrity, process and user activity) for threatening activity. Because it runs on the host, a HIDS sees data after it has been decrypted and can tie an event to the user account and process responsible, which a NIDS cannot. Properly configured HIDS monitor program activity and detect buffer overflow attempts and worm or virus signatures without consuming an unacceptable share of the host's CPU or disk resources.
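One of the host-side checks an agent-based HIDS performs is file integrity monitoring: hash the files that matter, record their permissions, and report anything that has changed since the baseline. The following is an added example written for this page, not code from the exam guide or from any HIDS product; demo() builds a throwaway directory tree that stands in for a real root filesystem, and the paths and the simulated intruder's changes are constructed.

```python
"""Host-based integrity monitoring: baseline the hashes and permissions of
files on the local host and report anything added, removed or modified.

Added example written for this page, not code from the exam guide or any
product.  demo() builds a throwaway directory tree standing in for a real
root filesystem; the paths and the 'attacker' changes are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> (sha256, permission bits) for every regular
    file under root.  Keep the baseline off-host or signed; an attacker with
    root on the monitored box can otherwise rewrite it to match their changes."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return baseline


def compare(baseline, current):
    """Classify differences between the baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Take a baseline, simulate an intruder's changes, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "bin/login", "#!/bin/sh\nexec real-login\n", 0o755)
        _write(root, "var/log/auth.log", "Accepted publickey for alice\n")
        baseline = snapshot(root)

        # Constructed post-compromise changes: a second uid-0 account, a
        # world-writable login binary, a cron backdoor, and the auth log wiped.
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\ntoor:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "login"), 0o777)
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", paths)
```

Recording permission bits alongside the hash is what catches the login binary: its contents are unchanged, so a hash-only check would have missed the change. Unlike the network sensor, this check costs host CPU and disk I/O on every run, which is the resource trade-off the paragraph above refers to.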

False Positives

A false positive is an IDS alert that reports something other than an attack: the IDS mistakes a normal routine or program for an attack. A legitimate internal employee running a heavy job that saturates a system or network resource, and thereby trips an anomaly threshold, is a typical example. Every false positive costs analyst time and, if they are frequent, teaches staff to ignore alerts. It is important to plan what type of IDS will be used, and what it will monitor, before implementing IDS solutions, and then to tune signatures and thresholds, in order to reduce the number of false positives.

False Negatives

A false negative occurs when an IDS completely misses a real attack or misuse of a system or resource, classifying it as normal activity. The IDS lets the attack carry on as if nothing had happened. Because nobody is told anything, this is the more dangerous of the two errors. Note that tuning which suppresses false positives too aggressively increases false negatives, so the two must be balanced.

In conclusion, you need a well-organized plan to protect your network and to prepare for, identify, and respond to intrusions. Your plan should consider the following items:

  • Establish, document, and maintain management policies for intrusion detection and response.

  • Secure network perimeters with firewalls, routers, switches, and strong antivirus programs and filters.

  • Implement identification, authentication, and authorization methods such as one-time passwords, Kerberos, RADIUS and TACACS, digital certificates, and smart cards.

  • Implement security monitoring tools in order to identify that an intrusion has occurred.

Honey Pots

Honey pots are used to attract hackers and crackers. A honey pot is basically an unprotected system, with no applied patches, operating system updates, or firmware updates, that is set up to attract, trap, and identify possible attackers. Because it holds no production data and serves no real users, any activity on it is suspicious by definition, which makes it a very low-noise detector compared with an IDS on a busy production segment.

The main goal of a honey pot (a mouse trap, if you will) is to trap, track, and record the trail of a possible attacker. These logged movements can later be used as evidence in legal proceedings if you press charges against someone who has damaged your data, provided the logs are stored where the attacker cannot alter them; forward them off the honey pot in real time rather than keeping them only on the decoy.

To set up a suitable honey pot or decoy, first build an FTP, DNS, or Web server on a segment separate from your production network and your normal DMZ (the DMZ is described later). In other words, you want to protect your production servers, data, and IP addresses while you provide a suitable decoy or target. The key is to allow inbound traffic to the honey pot's public IP address while restricting outbound traffic from it, so that an attacker who takes over the decoy cannot use it as a stepping-stone to attack your network or someone else's. A firewall rule set that permits only the decoy's service ports inbound and denies new outbound connections from the honey pot accomplishes this; log the denied outbound attempts as well, since they are a strong sign that the honey pot has been compromised.

The following are important notes to remember when setting up a useful honey pot:

  • Do not leave access to production data and servers open.

  • Do not use strong passwords on the honey pot.

  • Do not implement production user IDs and passwords on honey pots.

  • Implement a real-time monitoring solution on your honey pot.

  • Implement an alerting service on your honey pot so that you know when you are being attacked.
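A minimal decoy service that covers the last two items in the list (real-time monitoring and immediate alerting), as an added example written for this page and not taken from the exam guide. It accepts any connection, hands out a fake FTP banner, records who connected and what they sent first, and calls an alert callback at once; demo() plays a scripted attacker against it over loopback. The banner, the listen address and the attacker's input are constructed, and in a real deployment the alert callback would page or e-mail the administrator. Restricting the honey pot's outbound traffic remains the firewall's job, as the text describes, not this program's.

```python
"""A minimal FTP-banner honey pot: accept any connection, hand out a fake
service banner, record who connected and what they sent first, and raise an
alert immediately.  Outbound restriction stays on the firewall, not here.

Added example written for this page, not from the exam guide.  The banner,
the listen address and demo()'s simulated attacker are constructed; in a real
deployment the alert callback would page or e-mail the administrator."""
import socket
import threading
import time
from datetime import datetime, timezone

FAKE_BANNER = b"220 ftp.example.net FTP server ready\r\n"   # assumption: decoy FTP


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER, alert=print):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0 lets the OS pick one (for the demo)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.banner, self.alert = banner, alert
        self.records, self.lock = [], threading.Lock()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                # listening socket closed by close()
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        rec = {"time": datetime.now(timezone.utc).isoformat(),
               "src_ip": peer[0], "src_port": peer[1], "data": b""}
        try:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            rec["data"] = conn.recv(1024)  # the attacker's first move, e.g. a login attempt
        except OSError:
            pass
        finally:
            conn.close()
        with self.lock:
            self.records.append(rec)
        self.alert(f"HONEYPOT {rec['time']} {rec['src_ip']}:{rec['src_port']} sent {rec['data']!r}")

    def close(self):
        self.sock.close()


def demo():
    """Start a honey pot on loopback, play a scripted attacker against it,
    and return the banner the attacker saw plus the records and alerts."""
    alerts = []
    hp = Honeypot(alert=alerts.append)
    hp.start()
    try:
        with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as attacker:
            banner = attacker.recv(1024)
            attacker.sendall(b"USER anonymous\r\n")
        deadline = time.time() + 3.0
        while not alerts and time.time() < deadline:   # alert fires after the record is stored
            time.sleep(0.01)
    finally:
        hp.close()
    return {"banner": banner, "records": list(hp.records), "alerts": alerts}


if __name__ == "__main__":
    print(demo())
```

Every record is captured before the connection is closed and the alert fires in the same handler, so an administrator learns of the probe while the attacker is still at the keyboard. A production decoy would write the records to a remote log host, since logs left on the honey pot itself are the first thing an intruder will try to erase.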

Setting up and maintaining a honey pot takes a lot of work. However, a honey pot is considered a very useful form of intrusion detection if properly instituted.

Incident Response

Incident response (or security incident response) consists of the measures taken in reaction to a breach of network security. It is of utmost importance that any company or business providing a product or service has a structure in place to react to a security violation or a threat to the well-being of daily operations.

You should have a security response team, with its documentation and procedures, established before a critical situation arises. Unfortunately, the information world and its technology are becoming more and more complicated, and most companies direct the bulk of their resources toward implementation and direct profitability rather than toward security, backups, and response. It takes money to have enough staff to plan, implement, document, and prepare for proper response and recovery. Fair warning: do whatever it takes to implement a good, solid security response program that fits the needs of your particular network infrastructure.

A good, solid incident response procedure should be made up of the following items:

  • Written procedures.

  • Steps that will be implemented to correct, repair, or restore whatever has been damaged.

  • Determination of who will be notified.

  • Decision about how and when they will be notified.

  • Sign off (in writing) that the plan was tested.






The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
