IDSs are hardware or software systems used to detect
intruders on your network. IDSs differ according to where they’re installed
(on the host or on the network) and according to how they detect intruders
(misuse detection or anomaly detection). While different types of IDSs
exist, each type has its own benefits and drawbacks.
A host-based IDS consists of software installed on each host. The
IDS software monitors the host and its log files looking for intrusive activity.
If an attack is performed on the host, alarms are generated and sent to the
management platform. The advantage to host-based IDS is its capability to record
whether an attack was successful. The disadvantage to a host-based IDS is its
inability to detect common reconnaissance attacks against the host or a range of
hosts.
Network-based IDS relies on the use of network sensors
strategically placed throughout the network. These probes monitor and analyze
all network traffic traversing the local network. Network traffic is compared to
a signature database or a defined profile to detect intrusive activity. If the
monitored traffic matches a profile or signature, an alarm is generated.
Additionally, sensors can be configured to take corrective action to stop an
attack once it’s been detected. The advantage to a network-based IDS is its
macro view of the network. A network-based IDS has the advantage of viewing the
entire network and, therefore, isn’t limited to viewing only the traffic to a
single host. The drawback to a network-based IDS is its cost. A network-based
IDS relies on additional hardware in the form of network probes. Additional
drawbacks to network-based IDS are the following:
Although different types of IDS systems exist, each type must
support at least one triggering mechanism. Triggering mechanisms are simply how
an alarm is generated. There are two types of triggering mechanisms:
- Anomaly based
- Misuse based
Anomaly-based systems use profiles created by the IDS or the
security administrator. These profiles are then used to detect an attack and
generate an alarm. Traffic patterns or computer activity that doesn’t match a
defined profile generates an alert. The advantage of anomaly detection is it has
the capability to detect previously unknown attacks or new types of attacks. The
drawback to anomaly detection is an alarm is generated any time traffic or
activity deviates from the defined “normal” traffic patterns or activity. This
means it’s up to the security administrator to discover why an alarm was
generated. Anomaly-based systems have a higher rate of false positives because
alarms are generated any time a deviation from normal occurs. Defining normal
traffic and activity can be a difficult and time-consuming task.
Profile- or misuse-based IDSs rely on the use of a signature
database to discover attacks and generate alarms. Signature files contained
within the database are used exactly as virus-detection software uses signatures
to discover computer viruses. These signature files are created by highly
skilled engineers and are based on rules that match exploits and patterns of
known intrusive activity. Once a signature is matched, an alarm is generated
listing the type and severity of the attack, as well as the specific signature
that was matched. Signature-based IDSs have a lower occurrence of the false
positives that are common with anomaly detection. Unlike anomaly detection systems,
signature-based systems contain a preconfigured signature database and,
therefore, can begin protecting the network immediately. The drawback to
signature-based systems is their inability to detect new or previously unknown
attacks. If no signature exists to match an attack type, the new attack will go
undetected. Therefore, keeping your signature database current is important.
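The two triggering mechanisms described above, as an added example that is not part of the original text: a misuse engine that alarms only on a constructed signature database, and an anomaly engine that alarms on any destination port absent from a constructed "normal" profile. The sample events, signatures and baseline counts are all made up for illustration; the output shows a known attack caught only by the signature engine, an unknown activity caught only by the anomaly engine, and one anomaly alarm that is a false positive the administrator must triage.

```python
import re
from collections import Counter

# Misuse (signature) rules, constructed for this example; they stand in for a
# vendor signature database. Each is a regex over the request/payload text.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# Constructed "normal" profile: destination-port counts from a learning period.
# An anomaly-based IDS builds this itself or the administrator defines it.
BASELINE_PORTS = Counter({80: 500, 443: 300, 53: 120})

# Constructed sample events: (source host, destination port, payload excerpt).
EVENTS = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.9", 80, "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1"),  # known attack
    ("10.0.0.11", 6667, "opaque binary payload"),     # unknown activity, no signature
    ("10.0.0.3", 3389, "RDP session from help desk"),  # legitimate but never profiled
    ("10.0.0.5", 443, "TLS ClientHello"),
]

def signature_alerts(events, signatures=SIGNATURES):
    """Misuse detection: alarm only when a known signature matches the payload."""
    alerts = []
    for src, _port, payload in events:
        for name, rx in signatures.items():
            if rx.search(payload):
                alerts.append((src, name))
    return alerts

def anomaly_alerts(events, baseline=BASELINE_PORTS, min_share=0.01):
    """Anomaly detection: alarm when the destination port is (nearly) absent
    from the learned profile, regardless of what the payload contains."""
    total = sum(baseline.values())
    alerts = []
    for src, port, _payload in events:
        if baseline[port] / total < min_share:   # Counter returns 0 for unseen ports
            alerts.append((src, f"unusual-port-{port}"))
    return alerts

if __name__ == "__main__":
    # The traversal attempt fires only the signature engine (port 80 is normal);
    # the two new ports fire only the anomaly engine, and the RDP one is a
    # false positive that someone must investigate by hand.
    print("signature:", signature_alerts(EVENTS))
    print("anomaly:  ", anomaly_alerts(EVENTS))
```

A hybrid IDS would take the union of both alert lists, which is exactly why correlating them into one manageable view is the administrative burden the next paragraph describes.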
Some vendors attempt to combine both host-based and network-based
intrusion detection systems, while also combining anomaly and misuse triggering
mechanisms into one overall IDS. While these types of hybrid IDS provide
the most benefits with the least drawbacks, they can be difficult to administer.
Combining alarms and data from many different sources and types of sources into
one manageable interface is a difficult task.