Overview of IDS
Intrusion detection systems come in many shapes and sizes. Some are small, one-rack-unit appliances that tuck neatly into your server rack, while others are modules, such as the Cisco IDSM, that insert directly into active network components. Some IDS are simply software applications that run on servers or workstations. Their general purpose is to monitor events on systems and networks and to notify security administrators of any event that the sensor determines is worthy of an alert. An IDS weighs these situations using a variety of means. Some IDS compare the network conversations they "hear" against a list of known attack sequences, or signatures; when the traffic matches a known exploit signature, they trigger an alert. These are known as signature-based IDS. Other IDS collect a baseline of "normal" network operations over time and then continue to monitor the network for situations that don't match what they have determined to be normal; if this happens, they trigger an alert. These are called anomaly-based IDS.
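The following Python sketch is an added example, not code from the original text, showing the two detection styles just described side by side: a signature-based check that matches payloads against a list of known patterns, and an anomaly-based check that first learns a baseline from a training window and then flags sources that deviate from it. The signature names, hosts, ports, payloads and flow records are all constructed for illustration, and the baseline metric (distinct destination ports contacted per source) is one hypothetical choice among many a real sensor might use.

```python
"""Toy signature-based and anomaly-based IDS logic over constructed flow records."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed network flow (constructed record, not a real capture format)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature list: hypothetical byte patterns, not real IDS rules.
SIGNATURES = {
    "sig-001 shell probe": b"/bin/sh",
    "sig-002 path traversal": b"../../",
}


def signature_alerts(flows):
    """Signature mode: alert whenever a known pattern appears in a payload."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                alerts.append((f.src, name))
    return alerts


def _distinct_ports_per_source(flows):
    """Helper: map each source address to the set of destination ports it touched."""
    ports = {}
    for f in flows:
        ports.setdefault(f.src, set()).add(f.dport)
    return ports


def build_baseline(training_flows):
    """Anomaly mode, learning phase: mean and population stdev of distinct
    destination ports per source during a window assumed to be 'normal'."""
    counts = [len(p) for p in _distinct_ports_per_source(training_flows).values()]
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(flows, baseline, k=3.0):
    """Anomaly mode, monitoring phase: alert on sources whose distinct-port count
    exceeds mean + k * stdev. The stdev is floored at 1.0 so a perfectly flat
    baseline still leaves some slack instead of alerting on every tiny change."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    return [(src, len(p))
            for src, p in _distinct_ports_per_source(flows).items()
            if len(p) > threshold]


# Constructed training window: each host talks to one or two services.
TRAINING = [
    Flow("10.0.0.5", "10.0.1.10", 443, b"GET / HTTP/1.1"),
    Flow("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1"),
    Flow("10.0.0.6", "10.0.1.11", 443, b"GET / HTTP/1.1"),
    Flow("10.0.0.7", "10.0.1.12", 22, b"SSH-2.0-client"),
]

# Constructed monitoring window: one normal host, one host carrying a
# signature-matching payload, and one host contacting eight distinct ports.
MONITOR = [
    Flow("10.0.0.5", "10.0.1.10", 443, b"GET / HTTP/1.1"),
    Flow("10.0.0.5", "10.0.1.10", 80, b"GET /about HTTP/1.1"),
    Flow("10.0.0.8", "10.0.1.10", 80, b"GET /../../secret.txt HTTP/1.1"),
] + [Flow("10.0.0.9", "10.0.1.12", port, b"") for port in range(20, 28)]


def run_demo():
    """Return both alert lists for the constructed windows."""
    return signature_alerts(MONITOR), anomaly_alerts(MONITOR, build_baseline(TRAINING))


if __name__ == "__main__":
    sig, anom = run_demo()
    print("signature alerts:", sig)
    print("anomaly alerts:", anom)
```

Note the trade-off the two functions make visible: `signature_alerts` can only fire on patterns already in `SIGNATURES`, while `anomaly_alerts` fires on the port-sweeping host that matches no signature at all, but only because its training window happened to be clean. A baseline learned while unwanted traffic was already present would silently treat that traffic as normal.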
Some IDS can perform automated actions beyond simply sending
alerts, such as resetting malicious connections by using a technique called TCP
Reset, blocking offending source addresses, or shunning the IP address. Some of
the more advanced IDS sensors can even reconfigure ACLs on routers and firewalls
dynamically.
On today's busy networks, a great deal of data is transferred between clients and servers. While most of this communication is legitimate and beneficial, some of it might not be. But how could you possibly determine which is which? How are you to know whether a reconnaissance attack or a data retrieval attack is under way, hidden among the normal, legitimate network traffic? Such knowledge is simply not possible without an IDS. In this section, we'll discuss the various types of IDS and some of the ways in which these devices function.