06.05.03
By Trinity Security Services
Everyone has an opinion as to the longevity of this type of technology, its validity
and its capabilities as a security tool. Most security professionals will agree
that an IDS cannot be used as your only form of defence. But if an IDS is deployed
in the correct manner, that is, as part of an overall security programme with the
correct processes and procedures in place governing operation, maintenance and
incident handling, can an organisation afford to be without one?
When analysing the purchase of any security device, especially one that
professes to help protect the network perimeter and to provide a
Return On Investment (ROI), a requirement analysis should be carried out. Part
of this analysis will lead to some or all of the following questions being asked:
- What is the requirement?
- What are the benefits?
- What is the cost of maintenance?
- What are the measures required to support this system?
- What is the ROI?
What is an IDS?
An IDS monitors network/system activity in real time and analyses the
data for potential vulnerabilities and attacks in progress.
There are two primary types of IDS:
- Network Based Intrusion Detection Systems (NIDS)
- Host Based Intrusion Detection Systems (HIDS)
Network Based Intrusion Detection Systems
A Network Intrusion Detection System (NIDS) transparently monitors network traffic,
looking for patterns indicative of an attack on a computer or network device.
By examining the network traffic, a network based intrusion detection system can
detect suspicious activity such as a port scan or Denial of Service (DoS) attacks.
A NIDS monitors the network traffic it has access to by comparing the data in
each TCP/IP packet to a database of attack signatures. On a shared (non-switched) network segment,
it can see packets to and from the system(s) that it monitors. In a switched environment,
it can see packets to and from the system(s) that it monitors only if
it has visibility of all traffic on the switch ports that connect to those systems.
Once a NIDS detects an attack, the following actions may be taken:
- Send email notification
- Send an SNMP trap to a network management system
- Send a page (to a pager)
- Block a TCP connection
- Kill a TCP connection
- Run a user defined script
In general terms a NIDS will be deployed on a DMZ. This assumes that you have a
firewall in place and that you have a DMZ configured. When deployed behind the
firewall, the NIDS will detect attacks using protocols and sources allowed through
the firewall, as well as attacks from internal users. By taking an action, such as sending an
SNMP trap or a page, it can alert network staff that an attack is in progress
and enable them to make decisions based on the nature of the attack.
It is recommended that the IDS is used for detection and alerting only and not
for proactive defence (i.e. killing or blocking TCP connections), as this can often
cause more problems than it solves.
Host Based Intrusion Detection Systems
In most cases, a Host Intrusion Detection System (HIDS) is made up of
two parts: a centralised manager and a server agent. The manager is used to administer
and store policies, download policies to agents and store information received
from agents. The agent is installed on each server and registered with the manager.
Agents use policies to detect and respond to specific events and attacks. An example
of a policy would be an agent that sends an SNMP trap when three concurrent logins
as root have failed on a UNIX server. System logs and processes are also monitored
to see if any actions that violate the policy have occurred. If a policy has been
violated, the agent will take a predefined action such as sending an email or
sending an SNMP trap to a network management system.
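As an added illustration (not code from the original article or from any particular IDS product), here is a small Python check in the spirit of the HIDS policy just described: it scans constructed syslog-style lines for failed root logins and raises an alert when three occur on one host within a sliding window. The one-minute window, the log line format and the alert structure are assumptions; a real agent would send its SNMP trap or email at the point where the alert is recorded.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not from any real system).
SAMPLE_LOG = """\
2003-06-05T10:00:01 host1 sshd[311]: Failed password for root from 192.0.2.10 port 4001 ssh2
2003-06-05T10:00:03 host1 sshd[312]: Failed password for root from 192.0.2.10 port 4002 ssh2
2003-06-05T10:00:04 host1 sshd[313]: Accepted password for alice from 192.0.2.11 port 4003 ssh2
2003-06-05T10:00:06 host1 sshd[314]: Failed password for root from 192.0.2.10 port 4004 ssh2
2003-06-05T10:05:00 host1 sshd[315]: Failed password for root from 192.0.2.12 port 4005 ssh2
"""

# Assumed line layout: ISO timestamp, host name, sshd process, then the failure message.
FAILED_ROOT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for root from (?P<src>\S+)"
)


def check_failed_root_logins(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert record each time `threshold` failed root logins are seen
    on the same host within `window`. The sliding window is our assumption about
    what the article's "three concurrent failed logins" policy means."""
    recent = {}   # host -> deque of (timestamp, source) failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_ROOT.match(line)
        if not m:
            continue  # successful logins and unrelated events do not count
        ts = datetime.fromisoformat(m.group("ts"))
        q = recent.setdefault(m.group("host"), deque())
        q.append((ts, m.group("src")))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts.append({
                "host": m.group("host"),
                "at": ts.isoformat(),
                "sources": sorted({src for _, src in q}),
            })
            q.clear()  # one burst yields one alert; the agent's action (trap/email) hooks here
    return alerts


if __name__ == "__main__":
    for alert in check_failed_root_logins(SAMPLE_LOG):
        print("ALERT: repeated failed root logins", alert)
```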
The decision on which IDS to purchase, HIDS or NIDS, is dependent on your organisational
requirements, the structure of your network, and the security policies in place.
The safest implementation would be to deploy a HIDS on systems that are on the
DMZ (i.e. mail servers, Web servers, etc.). The majority of Internet attacks will
be targeting these systems, so it makes sense to install a HIDS on them.
In a situation where there is only one NIDS, it is advisable to place
the sensor on the DMZ. In a large organisation additional sensors can be added
to monitor internal traffic if required.
It is important to understand that an IDS is not a preventive device; it will inform
you of malicious activity occurring on your network or system, but your administrator/analyst
is responsible for the containment and eradication of the incident.
About the Author:
Romelo Jimenez Itong, Web Designer/Developer, is a Philippine-based web designer/developer with years of experience designing and developing websites for various applications and uses. http://www.romelo.com