In computer security, intrusion detection refers to the process of monitoring computer and network activity and analyzing those events to look for signs of intrusion into your systems. The point of looking for unauthorized intrusions is to alert the IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.
IDS: A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered a passive monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and identifies probes, attacks, exploits and other signs of vulnerability. An IDS can respond to a suspicious event in one of several ways, including displaying an alert, logging the event or even paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspected intrusion.
An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. It does this by looking for known intrusion signatures (attack signatures) that characterize different worms or viruses, and by tracking general variances from regular system activity. An IDS can only notify you of attacks it knows how to recognize.
The term IDS actually covers a large variety of products, all of which produce the same end result of detecting intrusions. An IDS solution can range from cheaper shareware or freely distributed open source programs to a much more expensive and secure vendor software solution. Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices installed at different points along your network.
Key Terms To Understanding Intrusion Detection & Prevention
intrusion signatures: When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind.
false positive: The condition in which spam-filtering software incorrectly identifies a legitimate, solicited or expected e-mail as a spam transmission.
There are several ways to categorize an IDS:
Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of intrusion signatures it compares packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol mix and typical packet size. The anomaly detector monitors network segments, compares their state to the normal baseline and looks for deviations.
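To make the two methods concrete, here is an added example (not from the original article or any IDS product) that runs both over constructed sample traffic: misuse detection matches payloads against a small hypothetical signature database, and anomaly detection learns a baseline of packet sizes and flags outliers. Signature names, patterns and addresses are all constructed for illustration.

```python
import re
import statistics
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Packet:
    src: str      # source address
    size: int     # bytes on the wire
    payload: str  # decoded application data

# Constructed signature database (hypothetical patterns, not from any real IDS product).
SIGNATURES = {
    "SIG-001 directory traversal": re.compile(r"\.\./\.\./"),
    "SIG-002 passwd file request": re.compile(r"/etc/passwd"),
}

def misuse_detect(pkt: Packet) -> List[str]:
    """Misuse detection: names of every known signature the payload matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]

class AnomalyDetector:
    """Anomaly detection: learn baseline packet sizes, flag outliers beyond sigma*stdev."""
    def __init__(self, sigma: float = 3.0) -> None:
        self.sigma, self.mean, self.stdev = sigma, 0.0, 0.0
    def train(self, baseline: List[Packet]) -> None:
        sizes = [p.size for p in baseline]
        self.mean, self.stdev = statistics.mean(sizes), statistics.pstdev(sizes)
    def is_anomalous(self, pkt: Packet) -> bool:
        return abs(pkt.size - self.mean) > self.sigma * self.stdev

def analyze(baseline: List[Packet], traffic: List[Packet]) -> List[Tuple[str, str, str]]:
    """Run both methods over `traffic`; return (source, method, detail) alerts."""
    det = AnomalyDetector()
    det.train(baseline)
    alerts = []
    for pkt in traffic:
        for sig in misuse_detect(pkt):
            alerts.append((pkt.src, "misuse", sig))
        if det.is_anomalous(pkt):
            alerts.append((pkt.src, "anomaly", f"size {pkt.size} vs mean {det.mean:.0f}"))
    return alerts

# Constructed sample traffic: a quiet learning period, then three packets to inspect.
BASELINE = [Packet("10.0.0.2", s, "GET /index.html HTTP/1.1")
            for s in (512, 540, 498, 520, 530, 505, 515, 525)]
TRAFFIC = [
    Packet("203.0.113.7", 530, "GET /../../../private/config HTTP/1.1"),  # matches SIG-001
    Packet("10.0.0.8", 9000, "POST /upload HTTP/1.1"),                    # far above baseline size
    Packet("10.0.0.9", 510, "GET /about.html HTTP/1.1"),                  # ordinary
]
```

Note that the oversized upload is caught only by the anomaly detector and the traversal request only by the signature match, which is why the two methods are usually combined.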
Passive vs. Reactive Systems
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Network-based vs. Host-based IDS
Intrusion detection systems are either network-based or host-based solutions. Network-based IDSs (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. A NIDS usually consists of hardware sensors located at various points along the network, or software installed on computers connected to your network, which analyzes data packets entering and leaving the network. Host-based IDSs (HIDS) do not offer true real-time detection, but if configured correctly they come close to it.
Host-based IDSs consist of software agents installed on individual computers within the system. A HIDS analyzes the traffic to and from the specific computer on which the intrusion detection software is installed. HIDSs often provide features you can't get with a network-based IDS. For example, a HIDS can monitor activities that only an administrator should be able to perform. It can also monitor changes to key system files and any attempt to overwrite these files. Attempts to install Trojans or backdoors can also be monitored by a HIDS and stopped. These specific intrusion events are not always seen by a NIDS.
While it depends on the size of your network and the number of individual computers that require an intrusion detection system, a NIDS is usually the cheaper solution to implement and requires less administration and training, but it is not as versatile as a HIDS. Both types require Internet access (bandwidth) to ensure the system is kept up to date with the latest virus and worm signatures.
Is IDS the Same as a Firewall?
The quick answer is no. Unfortunately, an IDS is commonly mistaken for a firewall or for a substitute for a firewall. While both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. A network-based IDS can also detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules.
An IDS is not a replacement for either a firewall or a good antivirus program. An IDS should be considered a tool to use in conjunction with your standard security products (like antivirus and a firewall) to increase your system-specific or network-wide security.
False Positives and Negatives
The term false positive refers to a security system incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS detects something it is not supposed to. Conversely, an IDS is also prone to false negatives, where the system fails to detect something it should. Both of these problems are associated with IDSs, but they are issues vendors spend a lot of time working on, and as a result IDSs are not believed to produce a high percentage of false positives or false negatives. Still, it is a topic worth considering when evaluating different IDS solutions.
IPS: An Active Security Solution
An IPS, or intrusion prevention system, is definitely the next level of security technology, with its capability to provide security at all system levels, from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to decide the action to take upon being alerted. Where an IDS informs you of a potential attack, an IPS attempts to stop it. Another huge leap over IDS is that an IPS can prevent not only known intrusion signatures but also some unknown attacks, thanks to its database of generic attack behaviors. Thought of as a combination of an IDS and an application-layer firewall, an IPS is generally considered the "next generation" of IDS.
Currently, there are two types of IPS that parallel the IDS categories: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).
Network-based vs. Host-based IPS
Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system's applications and the OS kernel. The software is preconfigured with protection rules based on intrusion and attack signatures. The HIPS catches suspicious activity on the system and then, depending on the predefined rules, either blocks the event or allows it to happen. A HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts, to name a few.
Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. A NIPS intercepts all network traffic and monitors it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a particular NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network, and more.
One interesting aspect of a NIPS is that if the system finds an offending packet it can rewrite the packet so the attack attempt fails, and the organization can then flag the event to gather evidence against the would-be intruder without the intruder's knowledge. As with all technology, a NIPS is not perfect: in some instances you may end up blocking a legitimate network request.
While host-based IPSs are considered more secure than network-based intrusion prevention systems, installing the software on each and every server and workstation within your organization may be quite costly. Additionally, the HIPS on each system must be updated frequently to ensure the attack signatures are current.
Problems associated with implementing a NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration: since all data moving through the network passes through the IPS, it could cause your network performance to drop. To combat this problem, network-based IPSs that come as appliances or hardware-and-software packages are available today (at a larger cost), and they take most of the load of running a software-based NIPS off your network.
IDS vs. IPS
While many in the security industry believe IPS is the way of the future and that IPS will take over from IDS, it is somewhat of an apples-and-oranges comparison. The two solutions differ in that one is a passive detection and monitoring system and the other is an active prevention system. The age-old question of why you would want to be passive when you could be active comes into play. You can also weigh the implementation of the more mature IDS technology against the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management and implementation, and overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of IPS and, believing that IPS is the next generation of IDS, choose the newer IPSs over IDSs. Adding to the muddle, of course, is your initial decision between host-based and network-based systems for either IDS or IPS.
Much like choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions.
Did You Know...
In 2003 research firm Gartner Inc. declared that IDS would be obsolete by 2005. Research company Infonetics, however, estimates the combined intrusion detection and intrusion prevention market will grow to $1.6 billion by 2006, with IPS accounting for the majority (but not all) of the growth.