ZDNet UK


Surveillance or dead lock?

Laura Taylor

Published: 20 Aug 2002 20:19 BST


Intrusion prevention is an outgrowth of intrusion detection, and intrusion prevention products offer different functionality from intrusion detection products. IT decision makers need to understand the differences so that they can determine which type of product will provide the best safeguards for their systems.

Understand the IDS challenge
Intrusion detection systems (IDSs) are surveillance products. Using an IDS is somewhat like putting an x-ray machine on your network so that you can examine your packets to see what's inside. IDSs are really more similar to protocol analysers or smart sniffers than they are to intrusion prevention systems (IPSs). IDSs look at the patterns of the traffic going through your networks and try to make intelligent decisions regarding their findings.

IDSs can be set up to log information continuously or to log information and then effect a response from the information they collect. In most cases, IDSs are installed on network segments in strategic locations (say, between your border router and your internal mission-critical application servers).

There are a few fundamental problems with how some IDSs work today. First, as more and more network traffic becomes encrypted, IDSs become useless because they can't parse encrypted traffic. Second, as networks become more heavily switched, IDS sensors typically see only a small amount of the traffic on your network. On a switched network, you need to greatly increase the number of intrusion detection sensors to monitor traffic on all the network segments. On large networks, this means that the total cost of ownership of IDSs can be very high. Third, IDSs generate a huge number of false positives, telling you that your network is being attacked when it's not. These three problems are leading many companies to switch to IPSs.

Leading vendors in the intrusion detection market include Cisco, ISS, and NFR. Some IDSs are sold as software packages you install on top of a leading operating system. Others are sold as turnkey appliances, commonly called "sensors" by the companies that make them. Typically, these devices work by monitoring the traffic on the network, noting which devices they are communicating with and categorising the types of traffic interacting with the devices. Traffic patterns are compared against known attack signatures, and alarms are typically set to go off according to certain thresholds and severity levels. For example, a syn-flood attack might be set to a severity level of high, and an ICMP flood might be set to medium.
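The threshold-and-severity alarm model described above can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the rule names, thresholds, window length, packet-record fields and addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed rules following the article's example: a signature (match
# predicate), an alarm threshold per time window, and a severity level.
RULES = [
    {"name": "syn-flood", "severity": "high", "threshold": 100, "window": 1.0,
     "match": lambda p: p["proto"] == "tcp" and p["flags"] == "S"},
    {"name": "icmp-flood", "severity": "medium", "threshold": 50, "window": 1.0,
     "match": lambda p: p["proto"] == "icmp" and p["flags"] == "echo-request"},
]

def detect(packets, rules=RULES):
    """Alert once per (rule, destination) when matching packets inside the
    rule's sliding window exceed its threshold."""
    recent = defaultdict(deque)  # (rule, dst) -> timestamps still in window
    alerted, alerts = set(), []
    for p in sorted(packets, key=lambda p: p["ts"]):
        for r in rules:
            if not r["match"](p):
                continue
            key = (r["name"], p["dst"])
            q = recent[key]
            q.append(p["ts"])
            while p["ts"] - q[0] > r["window"]:
                q.popleft()  # drop timestamps that fell out of the window
            if len(q) > r["threshold"] and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": r["name"], "severity": r["severity"],
                               "dst": p["dst"], "ts": p["ts"]})
    return alerts

def sample_traffic():
    """Constructed packet summaries (documentation address ranges)."""
    def pkt(ts, src, dst, proto, flags):
        return {"ts": ts, "src": src, "dst": dst, "proto": proto, "flags": flags}
    pkts = []
    for i in range(150):  # 150 SYNs in 0.75 s from many sources
        pkts.append(pkt(i * 0.005, f"198.51.100.{i % 250 + 1}", "192.0.2.10", "tcp", "S"))
    for i in range(60):   # 60 echo requests in 0.6 s
        pkts.append(pkt(2 + i * 0.01, "203.0.113.5", "192.0.2.20", "icmp", "echo-request"))
    for i in range(20):   # one SYN per second: ordinary connection setup
        pkts.append(pkt(5 + i, "203.0.113.9", "192.0.2.30", "tcp", "S"))
    return pkts

if __name__ == "__main__":
    for a in detect(sample_traffic()):
        print(a)
```

Lowering the SYN threshold far enough makes the one-per-second connection setups to 192.0.2.30 raise an alarm as well, which is the false-positive behaviour the article attributes to poorly tuned sensors.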

IDSs typically use known signatures to recognise traffic patterns, similar to the way antivirus products use known signatures to recognise viruses. As with an antivirus system, it's important to keep the signatures up to date. The signatures are often based on malicious TCP/IP packets, since cybercriminals commonly try to manipulate those packets to perform a malicious action. Therefore, the types of information that IDSs usually record are source address, destination address, port numbers, encryption keys, MAC addresses, and whether packets are formatted correctly.

Some IDSs monitor what services are being used, which can be compared against what services are currently not allowed by the organisation's security policy. However, if your firewall rules are properly configured, no services should be passing through to your internal network unless they are expressly allowed (although it would be naive to assume that all firewalls have properly configured rule-sets). It is truly important to tune an IDS to report only the minimum data needed to detect an attack. Storing information on every packet header and payload is not useful, and in the long run, it will just create more work and overhead by taking up valuable disk space, requiring additional backups, and increasing storage requirements.
