Firewalls are the modern-day equivalent to dead bolts and
security bars. The purpose of a firewall is to prevent unauthorized access. Just
as locks can be manipulated, firewalls can also be compromised. Enterprises long
ago learned not to rely on locks alone. Someone or something must be present to
protect the company’s assets once someone or something has breached the first
line of defense. IDSs are the modern-day equivalent to the burglar alarm. IDSs
constantly monitor the network to look for suspicious activity and, once
discovered, can be configured to notify security personnel of the suspected
intrusion. Unlike burglar alarms, which can only send an alert that a breach has
been made, an IDS can also be configured to take action to prevent further
access, while sending alarms and recording information about the
intruder(s).
While the basic function of all IDSs is to detect
intruders, two different types of intrusion-detection system exist—host-based
IDSs and network-based IDSs—and each of them can use one of two methods to
detect intruders. Host-based IDSs are typically software installed on host
computers and are used to analyze all traffic received by the host computer.
Network-based intrusion detection uses probes to analyze and monitor all
traffic on the target network.
IDSs can use one of two possible methods to detect
intruders. The first method—profile-based IDS—uses profiles created by the
security administrator to define normal traffic and activity. Traffic that
doesn’t match a configured profile is called an anomaly. Because profile-based
detection alarms once a set threshold of anomalies is exceeded, profile-based
detection is also referred to as anomaly detection. The second method of
detection is called signature-based detection. Signature-based detection
systems have a preconfigured set of signatures that are compared with network
traffic to detect an attack or intrusion. Just as virus scanners use
signatures to recognize viruses, IDSs use signatures to recognize common
attacks or exploits used by hackers.
While numerous IDS vendors and methods exist, all IDSs can be
described and evaluated by examining the type of IDS (host or network) plus
the method used to trigger an alarm (profile or signature). IDSs that use a
combination of host and network, or that trigger on both signatures and
profiles, are called hybrid systems. Hybrid systems attempt to combine the
strengths of each type and detection method while eliminating the weaknesses.
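The following is an added example, not text or code from the book, that
illustrates the two detection methods described above and how a hybrid system
combines them. It is a toy network IDS written in Python: a signature engine
compares each packet payload against a preconfigured pattern list, and a
profile engine counts connections to ports that fall outside the
administrator-defined profile of normal traffic, alarming only once that count
exceeds a set threshold. The packet records, the addresses, the two sample
signatures and the profile (ports 80 and 443 normal, threshold of 3 anomalies)
are all constructed for the example; the class and function names are
assumptions, not any vendor's API.

```python
"""Toy hybrid IDS: signature-based plus profile-based (anomaly) detection.

Added example, not from the book. All traffic, signatures and profile values
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: str    # application-layer content seen by the probe


# Signature-based detection: a preconfigured set of patterns that are compared
# with each packet, the same way a virus scanner matches known virus strings.
# Constructed textbook-style signatures; real signature sets are far larger.
SIGNATURES: Dict[str, str] = {
    "SIG-001 directory traversal in URL": "/../../",
    "SIG-002 tautology in query string": "' OR 1=1",
}


@dataclass(frozen=True)
class Profile:
    """Administrator-defined picture of normal traffic for the protected host."""
    normal_ports: frozenset            # destination ports considered normal
    anomaly_threshold: int             # alarm once a source exceeds this count


# Constructed profile: only web traffic is normal; tolerate up to 3 anomalies.
DEFAULT_PROFILE = Profile(normal_ports=frozenset({80, 443}), anomaly_threshold=3)


def signature_check(pkt: Packet, signatures: Dict[str, str]) -> List[str]:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in signatures.items() if pattern in pkt.payload]


class AnomalyDetector:
    """Profile-based detector: counts off-profile events per source address and
    alarms exactly once, on the packet that pushes a source past the threshold."""

    def __init__(self, profile: Profile) -> None:
        self.profile = profile
        self.counts: Dict[str, int] = {}

    def observe(self, pkt: Packet) -> bool:
        if pkt.dport in self.profile.normal_ports:
            return False                       # matches the profile: not an anomaly
        self.counts[pkt.src] = self.counts.get(pkt.src, 0) + 1
        # Alarm only on the crossing, so a noisy source yields one alert, not many.
        return self.counts[pkt.src] == self.profile.anomaly_threshold + 1


def run_hybrid_ids(packets: List[Packet], signatures: Dict[str, str],
                   profile: Profile) -> List[Tuple[str, str, str]]:
    """Feed packets through both engines; return (method, source, detail) alerts."""
    detector = AnomalyDetector(profile)
    alerts: List[Tuple[str, str, str]] = []
    for pkt in packets:
        for sig in signature_check(pkt, signatures):
            alerts.append(("signature", pkt.src, sig))
        if detector.observe(pkt):
            alerts.append(("anomaly", pkt.src,
                           f"{detector.counts[pkt.src]} connections outside profile"))
    return alerts


# Constructed sample traffic. 10.0.0.5 behaves normally. 10.0.0.9 sends one
# packet that matches a signature, then probes four ports the profile does not
# list; the fourth off-profile packet exceeds the threshold of 3.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 443, "TLS ClientHello"),
    Packet("10.0.0.9", "10.0.0.80", 80, "GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.80", 21, "USER anonymous"),
    Packet("10.0.0.9", "10.0.0.80", 23, ""),
    Packet("10.0.0.9", "10.0.0.80", 25, "EHLO example"),
    Packet("10.0.0.9", "10.0.0.80", 135, ""),
]


if __name__ == "__main__":
    for method, src, detail in run_hybrid_ids(SAMPLE_TRAFFIC, SIGNATURES, DEFAULT_PROFILE):
        print(f"[{method}] source={src}: {detail}")
```

Running the block prints one signature alert for the third packet and one
anomaly alert for the seventh. The two engines fail differently: the port
probes trip no signature because no single packet carries a known pattern, and
the traversal request is not an anomaly because port 80 is in the profile. A
hybrid system raises both, which is the strength the text attributes to it; its
weaknesses (signature sets that lag new exploits, profiles that need careful
tuning to avoid false alarms) are inherited from the engines it combines.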