What You Need To Know About Intrusion Detection


How do you feel when someone intrudes in your private life? Ever asked
why people put passwords on their gadgets? Business owners these
days go the extra mile to obtain intrusion detection system tools to
avoid losing so much…
Let's share with you what an intrusion detection system (IDS) is all about…

An intrusion detection system (IDS) monitors network traffic for
suspicious activity and alerts the system or network administrator. In
some cases, the IDS may also respond to anomalous or malicious traffic
by taking action, such as blocking the user or source IP address from
accessing the network.

IDS come in a variety of “flavors” and approach the goal of detecting
suspicious traffic in different ways. There are network-based (NIDS)
and host-based (HIDS) intrusion detection systems. There are IDS that
detect by looking for specific signatures of known threats (similar to
the way antivirus software typically detects and protects against
malware), and there are IDS that detect by comparing traffic patterns
against a baseline and looking for anomalies. There are IDS that
simply monitor and alert, and there are IDS that perform one or more
actions in response to a detected threat. We’ll cover each of these
briefly.

NIDS

Network Intrusion Detection Systems are placed at a strategic point or
points within the network to monitor traffic to and from all devices
on the network. Ideally, you would inspect all inbound and outbound
traffic; however, doing so might create a bottleneck that would impair
the overall speed of the network.

HIDS

Host Intrusion Detection Systems are run on individual hosts or
devices on the network. A HIDS monitors the inbound and outbound
packets of that device only and will alert the user or administrator
if suspicious activity is detected.

Signature-Based

A signature-based IDS will monitor packets on the network and compare
them against a database of signatures or attributes of known
malicious threats. This is similar to the way most antivirus
software detects malware. The issue is that there will be a lag
between a new threat being discovered in the wild and the signature
for detecting that threat being applied to your IDS. During that lag
time, your IDS would be unable to detect the new threat.

Anomaly-Based

An anomaly-based IDS will monitor network traffic and compare it
against an established baseline. The baseline identifies what is
“normal” for that network (what sort of bandwidth is generally used,
what protocols are used, and which ports and devices generally connect
to each other), and the IDS alerts the administrator or user when
traffic is detected that is anomalous, or significantly different from
the baseline.

Passive IDS

A passive IDS simply detects and alerts. When suspicious or malicious
traffic is detected, an alert is generated and sent to the
administrator or user, and it is up to them to take action to block the
activity or respond in some other way.

Reactive IDS

A reactive IDS will not only detect suspicious or malicious traffic
and alert the administrator, but will also take pre-defined
actions to respond to the threat. Typically this means blocking any
further network traffic from the source IP address or user.
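To make the four behaviours above concrete (signature matching, baseline learning with a tunable anomaly threshold, and the passive-versus-reactive response), here is a toy IDS in Python. It is an added example, not code from the original post or from any real IDS; the traffic records, signature patterns and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed traffic records (src_ip, dst_port, payload); not real captures.
BASELINE_TRAFFIC = [  # traffic observed during a "quiet" learning period
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 443, b"\x16\x03\x01"),
    ("10.0.0.7", 80, b"GET /about HTTP/1.1"),
    ("10.0.0.7", 22, b"SSH-2.0-OpenSSH"),
]
LIVE_TRAFFIC = [  # traffic the IDS is asked to judge
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("203.0.113.9", 80, b"GET /../../config HTTP/1.1"),
    ("203.0.113.9", 21, b"USER anonymous"),
    ("198.51.100.4", 8080, b"hello"),
    ("198.51.100.4", 3306, b"hello"),
    ("198.51.100.4", 5900, b"hello"),
]

# Signature database: (rule name, destination port or None for any, byte pattern).
# Illustrative patterns only, not real Snort rules.
SIGNATURES = [
    ("HTTP directory traversal", 80, b"../../"),
    ("FTP anonymous login attempt", 21, b"USER anonymous"),
]

def signature_alerts(packets):
    """Signature-based detection: flag packets whose payload matches a known pattern."""
    alerts = []
    for src, port, payload in packets:
        for name, sig_port, pattern in SIGNATURES:
            if (sig_port is None or sig_port == port) and pattern in payload:
                alerts.append((src, name))
    return alerts

def build_baseline(packets):
    """Anomaly-based detection, step 1: learn which destination ports are 'normal'."""
    return {port for _, port, _ in packets}

def anomaly_alerts(packets, baseline, max_new_ports=2):
    """Step 2: alert when one source reaches more than max_new_ports ports outside
    the baseline. max_new_ports is the tuning knob the article refers to: lowering
    it catches more, but also raises more false alarms."""
    new_ports = defaultdict(set)
    for src, port, _ in packets:
        if port not in baseline:
            new_ports[src].add(port)
    return [(src, f"{len(ports)} ports outside baseline: {sorted(ports)}")
            for src, ports in new_ports.items() if len(ports) > max_new_ports]

def reactive_response(alerts):
    """Reactive IDS: the pre-defined action is to block every alerting source IP.
    A passive IDS would stop at handing the alert list to the administrator."""
    return sorted({src for src, _ in alerts})
```

Running `reactive_response(signature_alerts(LIVE_TRAFFIC) + anomaly_alerts(LIVE_TRAFFIC, build_baseline(BASELINE_TRAFFIC)))` blocks both external sources, while `anomaly_alerts(..., max_new_ports=0)` also flags the single unusual FTP port, which is the kind of trade-off tuning has to settle.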

One of the most well-known and widely used intrusion detection systems
is the open source, freely available Snort. It is available for a
number of platforms and operating systems, including both Linux and
Windows. Snort has a large and loyal following, and there are many
resources available on the Internet where you can acquire signatures
to deploy to detect the latest threats.

There is a fine line between a firewall and an IDS. There is also a
technology called IPS (Intrusion Prevention System). An IPS is
essentially a firewall which combines network-level and
application-level filtering with a reactive IDS to proactively protect
the network. It seems that as time goes on, firewalls, IDS and IPS take
on more attributes from each other and blur the line even more.

Essentially, your firewall is your first line of perimeter defense.
Best practices recommend that your firewall be explicitly configured
to DENY all incoming traffic, and that you then open up holes only
where necessary. You may need to open up port 80 to host websites or
port 21 to host an FTP file server. Each of these holes may be
necessary from one standpoint, but they also represent possible
vectors for malicious traffic to enter your network rather than being
blocked by the firewall.

That is where your IDS comes in. Whether you implement a NIDS
across the entire network or a HIDS on a specific device, the IDS
will monitor the inbound and outbound traffic and identify suspicious
or malicious traffic that may have somehow bypassed your firewall, or
that may be originating from inside your network.

An IDS can be a great tool for proactively monitoring and protecting
your network from malicious activity; however, IDS are also prone to
false alarms. With just about any IDS solution you implement, you will
need to “tune it” once it is first installed. You need the IDS to be
properly configured to recognize what is normal traffic on your
network vs. what might be malicious traffic, and you, or the
administrators responsible for responding to IDS alerts, need to
understand what the alerts mean and how to respond effectively.

Contact Fortranhouse.com to get the intrusion detection tools for your
company or personal use…