
IDS (2003)
If a firewall is your first line of defense then an IDS should be your second. It's the burglar alarm of your vulnerability assessment tools. By Geoff Marshall
The first line of defense in protecting a network is the firewall, which is now regarded as a commodity item. However, the configuration of a firewall is still far from easy. It demands a great deal of expertise, and a single mistake in the configuration can leave a big loophole for a hacker to exploit. A badly configured firewall is worse than no firewall at all because its presence gives a false sense of security. It is now regarded as essential to provide a second line of defense, and this has led to the development of vulnerability assessment tools and intrusion detection systems (IDS).
Providing an alert
Just like a burglar alarm, IDS recognize the fact that you can never have 100 percent security. The analogy is that a firewall is like the physical security of a building - the walls, doors and locks of the premises - while an IDS is the burglar alarm, which is necessary because we want to be alerted if someone does get past the locks. And, if an intruder gets in, we want to know what he did - the analogy of a CCTV system. For example, he may not make his presence obvious - he may not remove or damage anything - but he may copy information, make copies of keys (passwords) or set up a back door to facilitate another later visit.
Network IDS (NIDS) monitor traffic on the wire in real time, examining packets to detect known patterns of misuse. This is achieved by matching packets against a database of known attack signatures, or performing protocol decodes to detect anomalies, or both. When suspicious activity is noticed, NIDS can raise an alert and, if desired, terminate the offending connection immediately. Some NIDS can also reconfigure your firewall, automatically defining new rules to stop similar attacks getting through in future.
NIDS usually work by putting a network interface card (NIC) into what is known as promiscuous mode. This means that the sensor examines every packet on the local segment, whether or not those packets are destined for the IDS machine. Most attacks are made up of several packets, sometimes sent over a period of time, so the IDS has to store packets and track sessions to see the bigger picture of an attack taking place. This is known as 'maintaining state', and it means that a 'stateful' IDS can compare new packets against its signature database in the context of what has happened previously in a particular session. NIDS require one sensor per segment, since a sensor is unable to see across switches or routers. Alternatively, a sensor can be set up to examine all traffic mirrored to a span port on a switch. NIDS cannot examine encrypted traffic, so they can have problems where VPNs are involved.
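To illustrate the 'maintaining state' point, here is a small added example (written for this page, not code from any product reviewed): a signature that happens to be split across two packets of one session is missed by per-packet matching but found once the session's payload is reassembled. The session labels, packet payloads and the signature string are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed placeholder signature; a real sensor loads thousands of these.
SIGNATURES = {
    "example-sig-1": re.compile(rb"EVIL_PATTERN_ABC"),
}

# Constructed sample packets as (session label, payload). A real sensor keys
# state on the full 5-tuple and TCP sequence numbers; a label suffices here.
PACKETS = [
    ("10.0.0.5:4444->10.0.0.1:80", b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.5:4444->10.0.0.1:80", b"X-Test: EVIL_PAT"),      # signature split ...
    ("10.0.0.5:4444->10.0.0.1:80", b"TERN_ABC\r\n\r\n"),      # ... across two packets
    ("10.0.0.7:5555->10.0.0.1:80", b"GET /about.html HTTP/1.0\r\n\r\n"),
]


def stateless_matches(packets):
    """Inspect each packet on its own, like a sensor with no session tracking."""
    hits = []
    for session, payload in packets:
        for name, sig in SIGNATURES.items():
            if sig.search(payload):
                hits.append((session, name))
    return hits


def stateful_matches(packets, window=4096):
    """Reassemble each session's payload (bounded to `window` bytes) before matching.

    The window must be larger than the longest signature, otherwise a pattern
    could be cut by the window itself and the sensor would lose the detection.
    """
    state = defaultdict(bytes)
    hits = []
    for session, payload in packets:
        state[session] = (state[session] + payload)[-window:]
        for name, sig in SIGNATURES.items():
            if sig.search(state[session]) and (session, name) not in hits:
                hits.append((session, name))
    return hits


if __name__ == "__main__":
    print("stateless:", stateless_matches(PACKETS))   # expected: []
    print("stateful: ", stateful_matches(PACKETS))    # expected: one hit on session 10.0.0.5
```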
Overcoming every scenario
Network Node IDS (NNIDS) are a variant that overcome some of the problems of processing the large amounts of data required by NIDS, but have the disadvantage that they have to be deployed on every network node that needs to be monitored. NNIDS are also better suited to VPN implementations where traffic is encrypted on the wire.
Host IDS (HIDS) products install an agent on each host that needs to be monitored. The agent monitors system logs, kernel logs and critical system files, and looks for unauthorized changes or suspicious patterns of activity. HIDS are very good at detecting insider threats, which does not necessarily mean just those from your own employees.
Taking the next step
Intrusion prevention systems (IPS) take IDS one step further and actually intercept suspicious activity and drop offending connections actively to prevent intrusions, rather than just reporting and alerting. Most, but not all, IPS are based on HIDS and may also provide some server lock-down features. The disadvantage is that incorrect configuration could cause a denial-of-service situation.
Both HIDS and NIDS have a place in your network, since they each have their own advantages. NIDS will monitor the wire for suspect packets and are good at identifying denial-of-service attacks. HIDS, on the other hand, are watching the valuable data and services on your file servers, monitoring for suspicious logins or changes to critical files. Even NIDS and NNIDS may be used to complement each other - NNIDS on individual servers in switched server farms, and NIDS on less heavily used segments, where a single IDS can protect a large number of hosts.
In testing the products and researching IDS, we found the following resources useful, and you may too. IDS Informer from Blade Software generates and replays attacks across the wire, which makes it a good tool for testing both IDS products and IDS deployments. The NSS Group (www.nss.co.uk) has also conducted independent tests, featured in SC Magazine's January 2003 edition, into the efficacy and performance of IDS at gigabit traffic levels.