
Intrusion Detection Systems

3,881 bytes added, 20:47, 26 February 2008
== Network-based Intrusion Detection Systems (NIDS) ==
 
Network-based intrusion detection systems (NIDS) monitor traffic passing through a network and compare that traffic with a database of so-called ''signatures'', patterns known to be associated with malicious activity. A number of different signature types are used by the typical NIDS:
 
* ''Header Signatures'' - Inspect the header fields of network packets (for example, TCP flag combinations that no conforming stack ever sends, or length fields that do not add up) to identify suspicious or inappropriate values.
 
* ''Port Signatures'' - Monitor the destination port of network packets to identify packets destined for ports not serviced by the servers on the network, or targeting ports known to be used by common attacks.
 
* ''String Signatures'' - Search the payload of network packets for byte strings known to be present in malicious code or exploit traffic.
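To make the three signature types concrete, here is a small matcher written for this page as an added example; it is not code from the original article or from any IDS product. It constructs a handful of IPv4/TCP packets inline (checksums left at zero, which is fine for offline parsing), decodes their headers, and applies one signature of each type. The served-port set, the signature names and the sample payloads are assumptions made for illustration; the last sample is a TLS application-data record, included to show that a string signature has nothing to match once the payload is encrypted.

```python
"""Toy NIDS signature matcher: header, port and string signatures over
constructed IPv4/TCP packets. Added example, not from the original page."""
import struct
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the flag combination nmap's -sX "Xmas" scan sends

# Assumption: the only services the monitored segment is supposed to expose.
SERVED_PORTS = {80, 443}


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode an IPv4 header, the TCP header that follows it, and the payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("this example only handles IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4  # TCP header length including options
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)), ttl,
                  sport, dport, off_flags & 0x1FF, tcp[data_off:])


# Each signature is (name, predicate); the name prefix says which type it is.
SIGNATURES = [
    # Header signatures: flag combinations that are never legitimate.
    ("header:xmas-scan", lambda p: (p.flags & XMAS) == XMAS),
    ("header:syn-fin", lambda p: (p.flags & (SYN | FIN)) == (SYN | FIN)),
    # Port signature: traffic to a port nothing on this segment should serve.
    ("port:unserved-dst", lambda p: p.dport not in SERVED_PORTS),
    # String signature: a byte pattern from a known-bad payload (illustrative).
    ("string:unix-shell", lambda p: b"/bin/sh" in p.payload),
]


def match(raw: bytes) -> list:
    """Return the names of every signature the packet triggers."""
    p = parse_ipv4_tcp(raw)
    return [name for name, hit in SIGNATURES if hit(p)]


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ttl=64):
    """Construct a raw IPv4/TCP packet for the samples below (checksums zeroed)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic (not captured data).
SAMPLES = {
    "normal-http": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, PSH | ACK,
                                  b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "xmas-scan": build_ipv4_tcp("198.51.100.7", "10.0.0.10", 40001, 80, XMAS),
    "syn-fin-probe": build_ipv4_tcp("198.51.100.7", "10.0.0.10", 40002, 443, SYN | FIN),
    "telnet-attempt": build_ipv4_tcp("198.51.100.7", "10.0.0.10", 40003, 23, SYN),
    "shell-in-post": build_ipv4_tcp("198.51.100.7", "10.0.0.10", 40004, 80, PSH | ACK,
                                    b"POST /cgi-bin/x HTTP/1.1\r\n\r\ncmd=/bin/sh -c id"),
    # A TLS application-data record: the payload is opaque to the sensor, so
    # only header and port signatures can ever fire on it.
    "tls-record": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40005, 443, PSH | ACK,
                                 bytes.fromhex("1703030020")
                                 + bytes.fromhex("9f3a7c0e5b1d2a6c8e4f0b7d3c9a1e5f"
                                                 "2b6d4a8c0e3f7b1d5a9c2e6f4b8d0a3c")),
}


def scan_samples() -> dict:
    """Run every sample through the matcher; keys are the sample names."""
    return {name: match(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:16s} {hits or '-'}")
```

A real sensor differs from this toy in two ways worth knowing: it reassembles TCP streams before string matching, because an attacker can split a pattern such as <code>/bin/sh</code> across two segments to slip past a per-packet matcher, and it rate-limits or aggregates alerts, since a port scan alone would otherwise produce one alert per packet.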
 
A network-based IDS will typically only pick up packets traveling on the network segment to which it is attached. NIDS are generally placed between the internal network and the firewall, ensuring that all inbound and outbound traffic is monitored. In addition, if the network-based IDS software is installed on a computer, it is vital that the computer be equipped with a network interface card (NIC) which supports promiscuous mode so that it can capture all packets on the segment, not just those destined for its own IP address. On a switched network even a promiscuous NIC only sees what the switch forwards to its port, so the sensor is normally fed from a mirror (SPAN) port or a network tap.
 
As with host-based intrusion detection systems, network-based systems have inherent strengths and weaknesses.
 
== Network-based Intrusion Detection Systems - Strengths ==
 
* '''Pre-host Detection''' - There is a view in the IT security community that if an attack has reached the point that it has been detected by a host-based defense layer then the outer layers of security have failed to do their job. The advantage of the network-based IDS is that it sees an attack ''before'' it reaches any systems on the internal network and, when deployed inline as an intrusion prevention system, can block it there.
 
* '''Reduced Cost of Ownership''' - Unlike host-based intrusion detection systems, which have to be installed on every host to be protected, a single network-based IDS can monitor an entire network segment, resulting in reduced deployment and maintenance overheads.
 
* '''Real-time Detection''' - Network-based systems track and analyze traffic in real time, enabling attacks to be detected while they are still in progress and, where the sensor is inline or configured for an active response such as sending a TCP reset, stopped.
 
* '''Cross-platform Protection''' - Because network-based intrusion detection systems focus solely on network traffic they are completely operating-system agnostic. The typical NIDS neither knows nor cares what operating systems the computers on a network are running. All it cares about is the network traffic passing between them.
 
* '''Big Picture View''' - The typical NIDS (assuming it has been carefully placed in a network) has a "big picture" view of what is happening on a network and can therefore see patterns across hosts, for example how widespread an attack is or which hosts a scanner has touched.
 
== Network-based Intrusion Detection Systems - Weaknesses ==
 
* '''Unable to Monitor Encrypted Traffic''' - Unfortunately much traffic these days is encrypted and, as such, its payload is impervious to analysis by a network-based IDS. Header and port signatures still apply to an encrypted connection, but string signatures cannot match inside a TLS or SSH session unless the sensor is given the session keys or placed behind a decrypting proxy.
 
* '''Potential Blind Spots''' - A NIDS can only detect attacks that pass through the network segment to which it is attached. If the suspicious traffic is traveling on a different segment of the network it will not be detected by the NIDS.
 
* '''Unaware of Host-Based Activity''' - Because network-based detection focuses solely on network traffic, such systems have no knowledge of malicious activities that may be taking place on a host on the network (unless that host generates suspicious network traffic that is visible to the IDS).
 
* '''Matching the Bandwidth Curve''' - With the increasing deployment of fiber and Gigabit Ethernet it is becoming increasingly challenging for network-based intrusion detection systems to keep up with the speed of data traveling across networks. A sensor that cannot keep up silently drops packets, and with them any attack they carried, so packet-drop counters should be monitored alongside the alerts.