What is a Intrusion Detection System (IDS) ?
Hey everybody, now that we discussed online security its time to identify how your network could be threatened. In order to do so i'm going to start with the Intrusion Detection System or IDS. After this article you should be able to understand what an IDS is, how it works and which types are available.
What is a Intrusion Detection System (IDS)::
A system that tries to identify attempts to hack or break into a computer system or to misuse it. IDSs may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems that attempt to trap hackers.
Computer systems have become more vulnerable to intrusions than ever. Intrusion Detection is a security technology that allows not only the detection of attacks, but also attempts to provide notification of new attacks unforeseen by other components. Intrusion detection is an important component of a security system, and it complements other security technologies.
How does an IDS work::
While there are several types of IDSs, the most common types work the same. They analyze network traffic and log files for certain patterns. While a firewall will continually block a hacker from connecting to a network, most firewalls never alert an admin.
The admin may notice if s/he checks the access log of the firewall, but that could be weeks or even months after the attack. This is where an IDS comes into play. The attempts to pass through the firewall are logged, and IDS will analyze its log. At some point in the log there will be a large number of request-reject entries. An IDS will flag the events and alert an administrator. The admin can then see what is happening right after or even while the attacks are still taking place. This gives an admin the advantage of being able to analyze the techniques being used, source of attacks, and methods used by the attacker.
Types of intrusion detection systems::
* Host-Based Intrusion Detection System (HIDS): Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity.
* Network-Based Intrusion Detection System (NIDS): These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.
Things to consider (important!!)
* Signatures: Signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate an intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.
* Alerts: Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it has to inform security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.
* Logs: The log messages are usually saved in file.Log messages can be saved either in text or binary format.
* False Alarms: False alarms are alerts generated due to an indication that is not an intruder activity. E.g. misconfigured internal hosts may sometimes broadcast messages that trigger a rule resulting in generation of a false alert.
Some routers, like Linksys home routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some of the rules to avoid false alarms.
* Sensor: The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to “sense” the network.
What is a Intrusion Detection System (IDS)::
A system that tries to identify attempts to hack or break into a computer system or to misuse it. IDSs may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems that attempt to trap hackers.
Computer systems have become more vulnerable to intrusions than ever. Intrusion Detection is a security technology that allows not only the detection of attacks, but also attempts to provide notification of new attacks unforeseen by other components. Intrusion detection is an important component of a security system, and it complements other security technologies.
How does an IDS work::
While there are several types of IDSs, the most common types work the same. They analyze network traffic and log files for certain patterns. While a firewall will continually block a hacker from connecting to a network, most firewalls never alert an admin.
The admin may notice if s/he checks the access log of the firewall, but that could be weeks or even months after the attack. This is where an IDS comes into play. The attempts to pass through the firewall are logged, and IDS will analyze its log. At some point in the log there will be a large number of request-reject entries. An IDS will flag the events and alert an administrator. The admin can then see what is happening right after or even while the attacks are still taking place. This gives an admin the advantage of being able to analyze the techniques being used, source of attacks, and methods used by the attacker.
Types of intrusion detection systems::
* Host-Based Intrusion Detection System (HIDS): Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity.
* Network-Based Intrusion Detection System (NIDS): These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.
Things to consider (important!!)
* Signatures: Signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate an intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.
* Alerts: Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it has to inform security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.
* Logs: The log messages are usually saved in file.Log messages can be saved either in text or binary format.
* False Alarms: False alarms are alerts generated due to an indication that is not an intruder activity. E.g. misconfigured internal hosts may sometimes broadcast messages that trigger a rule resulting in generation of a false alert.
Some routers, like Linksys home routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some of the rules to avoid false alarms.
* Sensor: The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to “sense” the network.