Intrusion detection technologies address a whole range of tasks that improve the security of hosts within corporate networks:
Monitoring and analysis of user, network, and system activity
System-configuration audit and intrusion detection
Integrity control of the files and other resources of the corporate network
Detection of patterns reflecting well-known attacks
Statistical analysis of suspicious activity
Automatic installation of vendor-supplied software updates
Installation and support of trap servers that record information about intruders
However, do not consider intrusion detection systems a panacea. Such systems have their own area of application, which is quite broad but still limited. For example, they can be used to check specific network hosts for specific vulnerabilities, or to verify that firewalls are working effectively. Do not expect wonders from intrusion detection systems.
At the current level of development of information technologies, intrusion detection systems cannot do the following:
Compensate for ineffective identification and authentication mechanisms
Perform a completely automatic analysis of attacks
Eliminate the information system's reliability and integrity problems
Efficiently analyze traffic in high-bandwidth networks
Whether intrusions are detected manually or automatically, every detection method rests on the following three factors:
Indications that describe security policy violations. The types of violations are described in Chapter 2.
Sources of information in which to search for those indications.
Methods of analyzing the information obtained from those sources in order to find indications of attacks.
Knowing these three components enables us to detect attacks efficiently, both manually and automatically. They will be covered in detail in the next chapter. Universal tools, both manual and automated, will be covered in the chapters that follow. The remainder of this book is dedicated to specialized intrusion detection systems.
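To make the three factors concrete, the following added example (not code from the book) maps them onto a minimal detector: constructed log lines serve as the information source, a regular-expression signature and a failed-login threshold serve as the indications, and two analysis methods, pattern matching and a simple count, are run over the same source. All log lines, the signature and the threshold value are constructed for illustration.

```python
import re
from collections import Counter

# Source of information: constructed sample log lines (not from the book)
# covering repeated failed logins and one suspicious HTTP request.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd auth failed user=admin src=10.0.0.5
2024-01-01T10:00:02 sshd auth failed user=admin src=10.0.0.5
2024-01-01T10:00:03 sshd auth failed user=admin src=10.0.0.5
2024-01-01T10:00:04 sshd auth failed user=admin src=10.0.0.5
2024-01-01T10:00:05 sshd auth failed user=admin src=10.0.0.5
2024-01-01T10:00:09 sshd auth ok user=alice src=10.0.0.7
2024-01-01T10:01:00 httpd GET /cgi-bin/../../etc/passwd src=10.0.0.9
"""

# Indications of a policy violation: a signature for a well-known attack
# pattern (directory traversal in a request path) and a statistical threshold.
SIGNATURES = {
    "path-traversal": re.compile(r"GET \S*\.\./"),
}
FAILED_LOGIN_THRESHOLD = 5  # constructed value: failures per source that count as suspicious

def signature_matches(lines):
    """Pattern-based analysis: return (line_no, signature_name) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in SIGNATURES.items():
            if pat.search(line):
                hits.append((n, name))
    return hits

def failed_login_sources(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Statistical analysis: sources whose failed-login count reaches the threshold."""
    counts = Counter()
    for line in lines:
        m = re.search(r"auth failed .*src=(\S+)", line)
        if m:
            counts[m.group(1)] += 1
    return {src: c for src, c in counts.items() if c >= threshold}

def analyze(log_text):
    """Apply both analysis methods to one information source."""
    lines = log_text.splitlines()
    return {"signatures": signature_matches(lines),
            "brute_force": failed_login_sources(lines)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Raising the threshold or adding a signature changes only the "indications" part, leaving the source and the analysis code untouched, which is exactly the separation the three-factor model describes.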