Vital intrusion detection
Michael Mullins
Published: 15 May 2002 14:49 BST
Appliances
Appliances are complete and fully loaded systems that require no additional hardware or software to monitor the network segments. An example of an IDS appliance is Cisco IDS (formerly known as NetRanger). This system consists of two major elements:
- The Secure IDS Sensor is the appliance that you place at a specific connection to be monitored on your network, or you can install several appliances to monitor multiple locations. It detects unauthorised activity navigating the network by analysing traffic against rules-based signature files. When unauthorised activity is detected, the sensor can send alarms to a management console with details of the activity and can control other systems, such as routers, to terminate the unauthorised session(s).
- The Secure IDS Director is a software-based management system that centrally monitors the activity of single or multiple Cisco Secure IDS sensors located on local or remote network segments. The Cisco Secure IDS Director allows network and security technicians to quickly pinpoint the location and type of an attack, qualify its severity, and instantly respond.
Software-based IDS
>A software-based IDS is a solution that you load on a compatible operating system to monitor and respond to network activity. An example of a software IDS is Internet Security Systems' RealSecure. Its system also consists of two major elements:
- The RealSecure Sensor is software that you load and configure on a platform to provide broad-based detection, prevention, and response for attacks and misuse that originate from across a network. It sends automatic responses to improper activity and logs events to a database, and it can block/terminate a connection, send an e-mail, suspend or disable an account, and create a user-defined alert.
- The RealSecure SiteProtector is the software-based management platform. SiteProtector unifies the management of RealSecure IDS sensors and allows grouping of these sensors to provide real-time internal and external correlation of threats. The RealSecure SiteProtector also enables you to operate and monitor remote sensors and respond to identified intrusions.
Cisco's IDS and Internet Security Systems' RealSecure are just two of the many examples of the types of intrusion detection systems that can provide an excellent solution for enterprises. The next step is the actual deployment.
Where do I deploy the technology?
>Depending on your security practices and topology, you'll typically consider four areas for monitoring. These are as follows:
- Network perimeter -- This includes any entry/exit point, such as on both sides of the firewall, dial-up servers, and on links to any collaborative networks. These links tend to be low-bandwidth (T1 speeds) and are usually the entry point of an external attack.
- WAN backbone -- This is a frequent area of unauthorised activity.
- Server farms -- Servers are generally placed on their own network segments and connected to switches. The problem with placing a sensor in this location is that IDS systems cannot keep up with high-volume traffic. If traffic is too high to monitor all of your servers, choose the targets of highest value and install sensors to monitor those specific targets.
- LAN backbones -- IDSes are usually impractical for LAN backbones because of their high amount of traffic.
When deciding where to deploy your sensor(s), consider what is most valuable and the attacker's most logical avenue of approach. You also need to make sure that your IDS doesn't degrade the performance of the network segment that you're monitoring.
How do I manage the information an IDS will provide?
First and foremost, remember to protect yourself. Some people tend to view IDS as a form of wiretap. If you're going to deploy any sensors to monitor your internal network (which is your legal right), verify that you have a published policy explicitly stating "use of the network is consent to monitoring."
Develop policies and procedures for events that occur during different hours of your business day. Some of the more robust intrusion detection systems will take actions for you to terminate access and change rules on other security devices to prevent future intrusions. If you have people physically monitoring your network 24 hours a day, you may not want automatic denial of services to potential customers or users based on a false intrusion event. As with any network security device, you will have to evaluate its effectiveness and level of responsibility for your network defense.
Summary
An IDS is an essential part of a good network security architecture. IDS solutions have their strengths and weaknesses, which must be measured and evaluated before you decide to deploy one on your network. When viewed and implemented as part of a network security fallback mechanism, an IDS is usually well worth the investment.
Have your say instantly in the Tech Update forum.
Find out what's where in the new Tech Update with our Guided Tour.
Let the editors know what you think in the Mailroom.
Previous
Did you find this article useful?
110 out of 228 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
