
The importance of intrusion detection systems in solving problems in computer networking

By Vangie Beal

Used in computer security, intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion in your system. The point of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.

IDS — A Passive Security Solution

An intrusion detection system (IDS) is designed to monitor inbound and outbound network activity and identify suspicious patterns that may indicate an attempt to break into or compromise a system.

An IDS essentially reviews your network traffic and data and identifies probes, attacks, exploits and other suspicious activity. An IDS can respond to a suspicious event in one of several ways, including displaying an alert, logging the event or paging an administrator. In some cases the IDS may be configured to reconfigure the network to reduce the effects of the suspected intrusion.

An IDS specifically looks for suspicious activity and events that might be the work of a virus, a worm or a human attacker. This is done by looking for known intrusion or attack signatures that characterize different worms, viruses and exploits, and by tracking deviations from regular system activity. Signature matching can only notify you of attacks that are already known; detecting anything else depends on the deviation-based approach described below. The term IDS covers a large variety of products, all of which produce the same end result of detecting intrusions.

Intrusion Detection (IDS) and Prevention (IPS) Systems

An IDS can come in the form of cheaper shareware or freely distributed open source programs, or a much more expensive commercial vendor product. Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices installed at different points along your network. There are several ways to categorize an IDS.

Misuse Detection vs. Anomaly Detection

In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. In anomaly detection, the system administrator defines the baseline, or normal, state of the network: its traffic load, protocol breakdown and typical packet size. The anomaly detector then monitors network segments, compares their state to the baseline and looks for deviations. Misuse detection can only report attacks whose signatures it already holds; anomaly detection can flag novel activity, at the cost of also alerting on legitimate changes in usage that the baseline did not anticipate.

Passive vs. Reactive Systems

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity itself, for example by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source. A reactive system turns every false positive into a blocked user or host, which is why automated responses are usually limited to high-confidence signatures.

Network-based vs. Host-based IDS

Intrusion detection systems are network based or host based solutions. Host-based IDS (HIDS) consist of software agents installed on individual computers within the system.

A HIDS analyzes the traffic to and from the specific computer on which it is installed, and it also has visibility that a network sensor cannot provide: it can monitor activities that only an administrator should be able to perform, and it can watch for changes to key system files and any attempt to overwrite them.

These host-level events are not always visible to a NIDS. Both types of system require update bandwidth so that their attack signatures stay current.

IDS vs. Firewall

Is an IDS the same as a firewall? The quick answer is no. Unfortunately, an IDS is commonly mistaken for a firewall, or for a substitute for one. While both relate to network security, an IDS differs from a firewall in that a firewall works to stop intrusions before they happen.

The firewall limits access between networks in order to prevent intrusion, and it does not signal an attack that originates inside the network. An IDS evaluates a suspected intrusion once it has taken place and raises an alarm, and it also watches for attacks that originate from within the network.

A network-based IDS can also detect malicious packets designed to slip past a firewall's simpler filtering rules, for example an attack carried inside a connection the firewall allows. An IDS is not a replacement for either a firewall or a good antivirus program. An IDS should be considered a tool to use in conjunction with your standard security products, such as antivirus and a firewall, to increase your system-specific or network-wide security.

False Positives and Negatives

The term false positive refers to a security system incorrectly classifying legitimate requests as spam or security breaches.


Basically, the IDS alerts on something it should not have. Conversely, an IDS is prone to false negatives, where the system fails to detect something it should. Both problems are inherent to IDS; vendors spend a lot of time reducing them, but neither can be eliminated, and the rate of each on a given network depends heavily on how well the signatures and the baseline are tuned.
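The following added example (not code from the article or from any product it mentions) puts the two detection approaches from the misuse versus anomaly section next to the false positive and false negative problem. A tiny signature database and a statistical baseline are run over constructed connection records, and the alerts are scored against ground-truth labels that a real IDS would never have. The records, signatures and the 3-sigma threshold are all assumptions chosen for the example.

```python
import re
import statistics
from collections import namedtuple

# Constructed connection records: source, destination port, bytes transferred,
# a payload excerpt, and a ground-truth label used only to score the detectors.
Record = namedtuple("Record", "src dst_port nbytes payload is_attack")

# Traffic the administrator has vetted as normal; the anomaly baseline comes from it.
BENIGN_BASELINE = [
    Record("10.0.0.5", 80, 512, "GET /index.html HTTP/1.1", False),
    Record("10.0.0.6", 80, 640, "GET /about HTTP/1.1", False),
    Record("10.0.0.7", 443, 580, "TLS ClientHello", False),
    Record("10.0.0.8", 80, 530, "POST /login HTTP/1.1", False),
    Record("10.0.0.9", 80, 600, "GET /search?q=shoes HTTP/1.1", False),
]

# Later traffic: three attacks and one unusual but legitimate upload.
EVENTS = [
    Record("203.0.113.4", 80, 700, "GET /cgi-bin/test.cgi?f=../../etc/passwd HTTP/1.1", True),
    Record("203.0.113.5", 80, 45000, "POST /upload HTTP/1.1", True),
    Record("10.0.0.10", 80, 42000, "POST /backup.tar HTTP/1.1", False),
    Record("203.0.113.6", 80, 520, "GET /admin?id=1 OR 1=1 HTTP/1.1", True),
]

# Misuse detection: a deliberately small signature database.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "passwd-probe": re.compile(r"/etc/passwd"),
}


def misuse_detect(rec):
    """Return the names of every signature whose pattern matches the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(rec.payload)]


def build_baseline(records):
    """Profile 'normal': mean and spread of bytes per connection, ports in use."""
    sizes = [r.nbytes for r in records]
    return {
        "mean": statistics.mean(sizes),
        "stdev": statistics.pstdev(sizes),
        "ports": {r.dst_port for r in records},
    }


def anomaly_detect(rec, baseline, z_threshold=3.0):
    """Flag a record whose size is more than z_threshold standard deviations
    from the baseline mean, or whose destination port the baseline never saw."""
    reasons = []
    if baseline["stdev"] > 0:
        z = abs(rec.nbytes - baseline["mean"]) / baseline["stdev"]
        if z > z_threshold:
            reasons.append("size-outlier")
    if rec.dst_port not in baseline["ports"]:
        reasons.append("unseen-port")
    return reasons


def evaluate(records, baseline):
    """Run both detectors and score the alerts against the labels.
    Returns ({src: [reasons]}, {"tp": n, "fp": n, "fn": n, "tn": n})."""
    verdicts, counts = {}, {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for r in records:
        reasons = misuse_detect(r) + anomaly_detect(r, baseline)
        verdicts[r.src] = reasons
        alerted = bool(reasons)
        key = ("tp" if r.is_attack else "fp") if alerted else ("fn" if r.is_attack else "tn")
        counts[key] += 1
    return verdicts, counts


if __name__ == "__main__":
    base = build_baseline(BENIGN_BASELINE)
    verdicts, counts = evaluate(BENIGN_BASELINE + EVENTS, base)
    for src, reasons in verdicts.items():
        print(f"{src:12} {'ALERT ' + ','.join(reasons) if reasons else 'ok'}")
    print(counts)
```

The traversal probe is caught by signatures, the oversized upload from 203.0.113.5 is caught only by the anomaly detector (no signature exists for it), the legitimate 42 KB backup upload from 10.0.0.10 is a false positive of that same size rule, and the SQL injection from 203.0.113.6 is a false negative because it is neither in the signature set nor unusual in size or port. Tightening the threshold removes the false positive and the true positive together; adding a signature removes the false negative only for that one pattern.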

Still, it is a topic worth considering when comparing IDS solutions.

IPS — An Active Security Solution

An intrusion prevention system (IPS) is the next level of security technology, with the capability to provide protection at all system levels, from the operating system kernel to network data packets. It provides policies and rules for network traffic along with IDS-style alerting of system or network administrators to suspicious traffic, but it lets the administrator define the action to be taken when an alert fires.

Another large step beyond an IDS is that an IPS can block not only known intrusion signatures but also some unknown attacks, thanks to its database of generic attack behaviors.

Host-based IPS

Host-based intrusion prevention systems (HIPS) protect both servers and workstations through software that sits between your system's applications and the OS kernel. The software is preconfigured with protection rules based on intrusion and attack signatures.

The HIPS catches suspicious activity on the system and then, depending on the predefined rules, either blocks the event or allows it to happen.

HIPS monitor activities such as application or data requests, network connection attempts, and read or write attempts, to name a few.

Network-based IPS

Network-based intrusion prevention systems (NIPS), often called inline prevention systems, are a solution for network-based security. A NIPS intercepts all network traffic and monitors it for suspicious activity and events, either blocking the requests or passing them along if they are deemed legitimate.

Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network, and more. One interesting aspect of a NIPS is that if it finds an offending packet it can rewrite the packet so that the attack attempt fails; the organization can then record the event to gather evidence against the would-be intruder without the intruder's knowledge.

As with all technology, a NIPS is not perfect. In some instances you may end up blocking a legitimate network request, and because the device is inline, that block shows up immediately as an outage for the user rather than as a log entry someone reviews later.
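The inline behaviour of the last three paragraphs, as an added example that is not code from the article or from any product it mentions: each request is normalised, checked for protocol anomalies and signatures, and then either passed, blocked, or rewritten so that a directory traversal fails upstream while the original request is kept as evidence. A real NIPS works on packets and reassembled streams rather than on pre-parsed HTTP dictionaries; that simplification, the rule set and the sample traffic are all assumptions. One rule is deliberately too broad, to reproduce the legitimate-request-blocked failure mode.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed rule set. "naive-sql-keywords" is deliberately over-broad: it is
# here to show how an inline device ends up blocking legitimate requests.
BLOCK_SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)\bor\s+1\s*=\s*1\b"),
    "naive-sql-keywords": re.compile(r"(?i)\b(select|union|drop)\b"),
}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_PATH_LEN = 2048


def inspect(req):
    """Inline decision for one HTTP request (dict with src, method, path).
    Returns (action, reason, forwarded_request); action is "pass", "block"
    or "rewrite". Only "pass" and "rewrite" forward anything upstream."""
    method = req["method"]
    # Normalise first: matching the raw path lets %2e%2e%2f or %20OR%20 walk past the rules.
    path = unquote(req["path"])

    # Protocol anomalies: things a well-behaved client never sends.
    if method not in ALLOWED_METHODS:
        return "block", "unexpected-method:" + method, None
    if len(path) > MAX_PATH_LEN:
        return "block", "oversized-path", None

    # Signature checks on the decoded path and query.
    for name, pat in BLOCK_SIGNATURES.items():
        if pat.search(path):
            return "block", "signature:" + name, None

    # Directory traversal: rather than drop the request, strip the ".." segments
    # so the attempt fails upstream while the sender sees an ordinary response.
    parts = urlsplit(path)
    if "../" in parts.path:
        segments = [s for s in parts.path.split("/") if s not in ("", "..")]
        clean = urlunsplit(("", "", "/" + "/".join(segments), parts.query, ""))
        return "rewrite", "traversal-neutralised", dict(req, path=clean)

    return "pass", "", req


def run(requests):
    """Process a batch; returns one verdict per request, with the original
    request path kept as evidence for anything that was not simply passed."""
    verdicts = []
    for req in requests:
        action, reason, _forwarded = inspect(req)
        verdict = {"src": req["src"], "action": action, "reason": reason}
        if action != "pass":
            verdict["evidence"] = req["path"]  # what was actually sent, not the cleaned form
        verdicts.append(verdict)
    return verdicts


# Constructed traffic: a clean request, a traversal probe, a URL-encoded SQL
# injection, a TRACE probe, and a legitimate search the broad rule will kill.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/index.html"},
    {"src": "203.0.113.4", "method": "GET", "path": "/cgi-bin/../../etc/passwd"},
    {"src": "203.0.113.6", "method": "GET", "path": "/admin?id=1%20OR%201=1"},
    {"src": "203.0.113.7", "method": "TRACE", "path": "/"},
    {"src": "10.0.0.9", "method": "GET", "path": "/search?q=select+a+language"},
]

if __name__ == "__main__":
    for v in run(SAMPLE_REQUESTS):
        print(v)
```

The traversal probe is forwarded as /cgi-bin/etc/passwd, which does not exist, so the attacker gets a plausible 404 rather than a dropped connection. The search for "select a language" from 10.0.0.9 is blocked by the keyword rule, and the user simply sees the request fail; an IDS with the same rule would only have written a log line.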

Host-based vs. Network-based IPS

While host-based IPSs are considered more thorough than network-based IPSs, because they see process, file and kernel activity that no network device can, the cost of installing and maintaining the software on every server and workstation within your organization can be considerable. Additionally, the HIPS on each system must be frequently updated to keep its attack signatures current.

Problems associated with implementing NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration.

Since all data moving through the network passes through the IPS, it can become a bottleneck and degrade network performance.

To combat this problem, network-based IPSs that consist of appliances or combined hardware and software packages are available at a larger cost, but they take most of the load of a software-based NIPS off your network.

IDS or IPS?

The two solutions differ in that one is a passive detection and monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also weigh the more mature IDS technology against the younger, less established IPS solutions of the time.

The drawbacks mentioned regarding IDS can largely be overcome with proper training, management and implementation. Plus, overall, an IDS will be cheaper to implement. Adding to the muddle, of course, is your initial decision between host-based and network-based systems for either IDS or IPS. Much like choosing between standard security devices such as routers and firewalls, it is important to remember that no single security device will stop all attacks all the time.

In 2003, research firm Gartner Inc.