13.8 Intrusion Detection Systems




Intrusion detection systems are real-time tools that monitor for suspicious or unauthorized activity on all major operating systems, Web servers, firewalls, routers, applications, and databases. These tools instantly take action to alert the security administrator, shut down systems, terminate offending sessions, execute commands, and take other actions to stop attacks in progress before critical systems can be damaged or sensitive information can be compromised.

Hackers use port scanning tools such as Insecure.org’s Network Mapper (see Figure 13.8) that probe for a target network’s vulnerabilities. Designed to rapidly scan large networks, Network Mapper uses raw IP packets to determine what hosts are available on the network, what services (ports) they are offering, what OS (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Figure 13.8: Network Mapper is an open-source utility developed by Insecure for network exploration or security auditing.

For example, the hacker checks a server for every possible piece of network software. If the hacker detects the presence of active software, he or she tries to find out more information about the computer. The hacker then tries to exploit that port further until he or she can enter the network at will. An intrusion detection system monitors all ports for this kind of scanning activity and raises alarms if suspicious activity is found. Some intrusion detection systems automatically shut down the vulnerable port when a scan is detected.
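The scan monitoring described above can be sketched as a sliding-window count of distinct ports per source and target. This is an added example, not code from the book or from any particular IDS product; the function name, the thresholds, and the sample records (documentation-range addresses) are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample connection records:
# (epoch seconds, source IP, destination IP, destination port).
# Addresses are from the RFC 5737 documentation ranges, not from the book.
SAMPLE_EVENTS = (
    # One source touching twelve different ports on one host in ~2 seconds.
    [(1000.0 + 0.2 * i, "198.51.100.7", "192.0.2.10", port)
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # An ordinary client that only uses the Web ports.
    + [(1000.5, "203.0.113.5", "192.0.2.10", 443),
       (1001.0, "203.0.113.5", "192.0.2.10", 443),
       (1030.0, "203.0.113.5", "192.0.2.10", 80)]
)

def detect_port_scans(events, window=10.0, max_ports=10):
    """Return one alert per (source, target) pair that touches more than
    `max_ports` distinct ports on the target within `window` seconds."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    alerted = set()               # pairs already reported, to avoid alert floods
    alerts = []
    for ts, src, dst, port in sorted(events):
        key = (src, dst)
        probes = recent[key]
        probes.append((ts, port))
        # Drop probes that have aged out of the sliding window.
        while probes and ts - probes[0][0] > window:
            probes.popleft()
        ports = {p for _, p in probes}
        if len(ports) > max_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "time": ts,
                           "ports": sorted(ports)})
    return alerts

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS):
        print(f"ALERT: {alert['src']} probed {len(alert['ports'])} "
              f"ports on {alert['dst']} within the window")
```

The window and threshold are tuning parameters: a short window misses probes spread over a long period, and a low threshold flags ordinary clients that legitimately use several services.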






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
EAN: 2147483647
Year: 2003
Pages: 184
