An intrusion detection system (IDS) is a product that automates the inspection of audit logs and real-time system events. An Intrusion Detection System is primarily used to detect intrusion attempts, but it can also be employed to detect system failures or to rate overall performance. An Intrusion Detection System watches for violations of confidentiality, integrity, and availability:
- Availability: To ensure that authorized users have access to information and its supporting processes, systems and networks when required.
- Integrity: To safeguard the accuracy and completeness of information and associated processing methods.
- Confidentiality: To ensure that information is accessible only to those authorized to have access.
The IDS market is divided into two primary groups: host-based and network-based systems.
Host-Based IDS
Host-based IDSs add a targeted layer of security to particularly vulnerable or essential systems. An agent sits on an individual system, for example a database server, and monitors audit trails and system logs for anomalous behavior, such as repeated login attempts or changes to file permissions. The agent may also compute a checksum of system files at regular intervals to look for changes to them. In some cases, an agent can halt an “attack” on a system, though a host agent’s primary function is to log events and send alerts.
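The two host-agent checks described above, a periodic checksum of system files against a trusted baseline and a count of repeated failed logins in the system log, as an added example that is not part of the original article or any vendor’s product. The threshold of three failures, the SHA-256 choice, and the syslog-style log lines are all constructed for the example.

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed threshold for this example: three failures from one source count as "repeated".
FAILED_LOGIN_THRESHOLD = 3

def baseline_checksums(paths: Iterable[Path]) -> Dict[str, str]:
    """Record a SHA-256 digest for each monitored file; this is the agent's trusted baseline."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}

def detect_file_changes(baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Re-hash every baselined file and report those that were modified or have disappeared."""
    findings = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            findings.append((path, "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != expected:
            findings.append((path, "modified"))
    return findings

# Constructed syslog-style authentication log lines (not captured from a real system).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 dbserver sshd[2201]: Failed password for invalid user admin from 10.0.0.7 port 51022 ssh2
Mar  3 10:01:15 dbserver sshd[2201]: Failed password for invalid user admin from 10.0.0.7 port 51023 ssh2
Mar  3 10:01:19 dbserver sshd[2201]: Failed password for root from 10.0.0.7 port 51024 ssh2
Mar  3 10:02:02 dbserver sshd[2210]: Accepted publickey for alice from 10.0.0.12 port 40110 ssh2
Mar  3 10:05:44 dbserver sshd[2230]: Failed password for bob from 10.0.0.12 port 40200 ssh2
"""

FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def detect_repeated_logins(log_text: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> Dict[str, int]:
    """Count failed logins per source address and return the sources at or above the threshold."""
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return {src: n for src, n in failures.items() if n >= threshold}

def demo_file_monitor() -> List[Tuple[str, str]]:
    """Baseline a scratch file, change it, and return what the checksum pass reports."""
    with tempfile.TemporaryDirectory() as workdir:
        target = Path(workdir) / "passwd"
        target.write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = baseline_checksums([target])
        untouched = detect_file_changes(baseline)          # nothing changed yet, so this is []
        target.write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        return untouched + detect_file_changes(baseline)

if __name__ == "__main__":
    for path, what in demo_file_monitor():
        print(f"ALERT file {what}: {path}")
    for src, count in detect_repeated_logins(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {count} failed logins from {src}")
```

A real agent would persist the baseline somewhere the monitored host cannot silently rewrite it and would run both passes on a schedule; the point here is that each check reduces to comparing the host’s current state against a recorded expectation.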
The primary benefit of a host-based system is that it can detect both external and internal misuse, something that network monitors and firewalls can’t do. The appeal of such a tool is obvious, as security breaches are more likely to come from an internal user than from a hacker outside the network. Host agents are powerful tools for addressing the authorization and access issues that make internal security so complex.
Agents install directly on the host to be monitored, so they must be compatible with the host’s OS. Memory requirements and CPU utilization will vary from vendor to vendor, so be sure to learn ahead of time the demands the agent will place on the system.
Network-Based IDS
A network-based IDS sits on the LAN (or a LAN segment) and monitors network traffic packet by packet in real time (or as near to real time as possible), to see if that traffic conforms to predetermined attack signatures. Attack signatures are activities that match known attack patterns. For example, the TearDrop Denial of Service (DoS) attack sends packets that are fragmented in such a way as to crash the target system. The network monitor will recognize packets that conform to the TearDrop signature and take action.
The IDS vendor provides a database of attack signatures, and administrators can also add customized signatures. If the IDS recognizes an attack, it alerts an administrator. In some cases, the IDS can also respond, for example by terminating a connection. In addition to its monitoring and alarm functions, the IDS also records attack sessions for later analysis. Network IDSs can also be linked to other security features, such as firewalls, to make sure those systems haven’t been breached.
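The signature engine described in the two paragraphs above, as an added example that is not part of the original article or any vendor’s product: a built-in signature database, an administrator-added custom signature, a stateful check for the overlapping fragments that characterize the TearDrop signature, a per-signature response action (alert or terminate), and recording of matched packets for later analysis. The packet records, signature patterns and addresses are constructed; there is no real packet capture or parsing here.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Packet:
    """Only the decoded fields these signatures need (constructed, not a real packet parser)."""
    src: str
    dst: str
    proto: str
    dport: int = 0
    payload: bytes = b""
    frag_id: int = 0            # IP identification field shared by fragments of one datagram
    frag_offset: int = 0        # offset of this fragment's data within the datagram, in bytes
    more_fragments: bool = False

@dataclass
class Signature:
    name: str
    match: Callable[[Packet], bool]   # returns True when the packet fits the pattern
    action: str = "alert"             # "alert" (notify only) or "terminate" (also end the session)

class FragmentTracker:
    """Bookkeeping for the TearDrop signature: remembers the byte ranges of fragments seen for
    each datagram and reports a fragment whose range overlaps one already recorded."""
    def __init__(self):
        self.seen = {}   # (src, dst, frag_id) -> list of (start, end) ranges already seen

    def overlaps(self, pkt: Packet) -> bool:
        if not pkt.more_fragments and pkt.frag_offset == 0:
            return False                                     # unfragmented datagram, nothing to track
        key = (pkt.src, pkt.dst, pkt.frag_id)
        start, end = pkt.frag_offset, pkt.frag_offset + len(pkt.payload)
        ranges = self.seen.setdefault(key, [])
        hit = any(start < e and s < end for s, e in ranges)  # strict overlap; abutting ranges are fine
        ranges.append((start, end))
        return hit

class NetworkSensor:
    """Runs every signature over each packet, raises alerts and records offending packets."""
    def __init__(self, signatures: List[Signature]):
        self.signatures = list(signatures)
        self.alerts: List[Tuple[str, str, str, str]] = []   # (signature, src, dst, action)
        self.recorded: List[Packet] = []                    # matched packets kept for later analysis

    def add_signature(self, sig: Signature) -> None:        # administrator-supplied custom signature
        self.signatures.append(sig)

    def inspect(self, pkt: Packet) -> List[str]:
        hits = [s for s in self.signatures if s.match(pkt)]
        for sig in hits:
            self.alerts.append((sig.name, pkt.src, pkt.dst, sig.action))
            self.recorded.append(pkt)
        return [s.name for s in hits]

# Vendor-style built-in signature database (constructed for this example).
BUILTIN_SIGNATURES = [
    Signature("HTTP directory traversal probe",
              lambda p: p.proto == "tcp" and p.dport == 80 and b"../" in p.payload),
]

def sample_traffic() -> List[Packet]:
    """Constructed packet records in the order the sensor would see them on the wire."""
    srv = "198.51.100.5"
    return [
        Packet("192.0.2.10", srv, "tcp", dport=80, payload=b"GET /index.html HTTP/1.0\r\n"),
        Packet("192.0.2.10", srv, "tcp", dport=80, payload=b"GET /../../etc/passwd HTTP/1.0\r\n"),
        # Two fragments of datagram 7 whose byte ranges overlap (TearDrop-style).
        Packet("192.0.2.66", srv, "udp", frag_id=7, frag_offset=0, payload=b"A" * 36, more_fragments=True),
        Packet("192.0.2.66", srv, "udp", frag_id=7, frag_offset=24, payload=b"B" * 20),
        # A normal two-fragment datagram: the ranges abut but do not overlap.
        Packet("192.0.2.20", srv, "udp", frag_id=8, frag_offset=0, payload=b"C" * 16, more_fragments=True),
        Packet("192.0.2.20", srv, "udp", frag_id=8, frag_offset=16, payload=b"D" * 8),
        Packet("192.0.2.31", srv, "tcp", dport=8080, payload=b"GET /console HTTP/1.0\r\n"),
    ]

def run_sensor() -> List[Tuple[str, str, str, str]]:
    sensor = NetworkSensor(BUILTIN_SIGNATURES)
    tracker = FragmentTracker()
    sensor.add_signature(Signature("TearDrop overlapping fragment", tracker.overlaps, action="terminate"))
    # An administrator-added custom signature for a locally significant pattern.
    sensor.add_signature(Signature("Custom: admin console probe",
                                   lambda p: p.dport == 8080 and b"/console" in p.payload))
    for pkt in sample_traffic():
        sensor.inspect(pkt)
    return sensor.alerts

if __name__ == "__main__":
    for name, src, dst, action in run_sensor():
        print(f"{action.upper():9} {name}: {src} -> {dst}")
```

The fragment tracker is the part worth noticing: a signature for TearDrop cannot be a plain byte pattern, because the tell is the relationship between two packets, so the sensor has to keep per-datagram state across packets. That state is also why such sensors have a throughput ceiling.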
A network monitor has two main benefits. The first is the real-time nature of the alarm, which can give administrators an opportunity to halt or contain an attack before it does significant harm. This is especially valuable for DoS attacks, which must be dealt with immediately to mitigate damages.
The second benefit is evidence collection. Not only can administrators analyze the attack to determine what damage might have been done, the attack session itself can point out security flaws that need addressing. (This is also true for host-based systems.) Because many hackers first scan a target network for known vulnerabilities, a hacker’s choice of attack may indicate that such vulnerabilities exist on your network. A simple example is an operating system that has yet to be secured with the latest vendor patch.
Network monitors are OS-independent. Basic requirements include a dedicated node that sits on the segment to be monitored and a NIC set to promiscuous mode. You may also want to set up a secure communications link between the monitor and its management console.
Establishing An IDS
The first step in establishing an IDS is to incorporate it into your security policy. In brief, a security policy defines the basic architecture of the network, describes how the network will be secured, and establishes a hierarchy of user access to data resources.
When incorporating an IDS into your security policy, you should define how the IDS will fit into the overall security architecture, outline procedures for maintaining and responding to the IDS, and assign resources (software, hardware, and humans to manage the technology).
You’ll also have to choose a network- or host-based system, or a combination of both. A combination provides the most comprehensive security; however, this decision will be colored by the level of security you require, the budget at your disposal, and the in-house resources on hand to manage the system.
Generally speaking, network monitors cost significantly more than host-based agents. However, depending on the size of your network, a single monitor can offer substantial network coverage. Conversely, host-based agents cost less, but are limited to a single host.
Other factors play into the decision to implement either or both solutions. For example, network monitors may have difficulty with encrypted traffic. A network monitor functions by reading packet headers and data payloads. If this information is encrypted, the IDS can’t detect attacks carried in it. Encryption doesn’t hinder host agents because the data is decrypted before a host agent sees it.
Network sensors can also become a bottleneck on high-speed LANs, degrading performance and frustrating users. According to an ICSA paper, a network-based IDS can handle up to 65 Mbps, and in some cases up to 200 Mbps, of traffic before the analysis engine’s performance drops.
Attacks recognized by an Intrusion Detection System can come from external connections (such as the Internet or partner networks), viruses, malicious code, trusted internal subjects attempting to perform unauthorized activities, and unauthorized access attempts from trusted locations.
Generally, an Intrusion Detection System is used to detect unauthorized or malicious activity. An Intrusion Detection System can help you:
- actively watch for suspicious activity,
- peruse audit logs,
- send alerts to administrators when specific events are discovered,
- lock down important system files or capabilities,
- track slow and fast intrusion attempts,
- highlight vulnerabilities,
- identify the intrusion’s origination point,
- track down the logical or physical location of the perpetrator,
- terminate or interrupt attacks or intrusion attempts,
- and reconfigure routers and firewalls to prevent repeats of discovered attacks.
The ability of an Intrusion Detection System to stop current attacks or prevent future attacks is limited. Therefore, an Intrusion Detection System should be considered a single component in a well-formed security endeavor to protect a network. Other security controls, such as physical restrictions and logical access controls, are necessary components.
Intrusion prevention requires adequate maintenance of overall system security, such as applying patches and setting security controls. It also involves responding to intrusions discovered via an Intrusion Detection System by erecting barriers to prevent future repeats of the same attack. This could be as simple as updating software or reconfiguring access controls, or it could be as drastic as reconfiguring a firewall, removing or replacing an application or service, or redesigning an entire network.
The Cisco IDS 4200 series appliance sensors are purpose-built, high-performance network security “appliances” that protect against unauthorized, malicious activity traversing the network, such as attacks by hackers. Cisco IDS sensors analyze traffic in real time, enabling users to quickly respond to security breaches. Cisco’s world-renowned Cisco Countermeasures Research Team (C-CRT) uses a combination of highly innovative and sophisticated detection techniques, including stateful pattern recognition, protocol parsing, heuristic detection, and anomaly detection that provide comprehensive protection from a variety of both known and unknown cyber threats.
Furthermore, Cisco’s patent-pending Signature Micro-Engine (SME) technology allows granular customization of sensor signatures, resulting in precisely tuned sensors that minimize the occurrence of “false positives.” When unauthorized activity is detected, the sensor can send alarms to the management console(s) with details of the activity. Additionally, the Cisco IDS Active Response System delivers unparalleled protection by controlling other systems, such as routers, firewalls, and switches, to terminate unauthorized sessions. The installation and management of these turnkey appliances are easy using a wide array of management solutions, including a Web user interface, a command-line interface (CLI), or Cisco’s highly scalable CiscoWorks VPN/Security Management Solution (VMS). At 200 Mbps, the Cisco IDS 4235 can be deployed to provide protection in switched environments and on multiple T3 subnets, and with its support for 10/100/1000 interfaces, it can also be deployed on partially utilized gigabit links.