January 30th, 2002 02:40 PM
Need for Network Intrusion Detection Systems (IDS)?
I've been reading a lot about IDS lately, and the concept is pretty clear. But I don't see if there's any real need for IDS. For instance, what should happen when a possible intrusion is detected? A mail can be sent to the sys admin, but what if it's after hours and he doesn't read his mail till next morning? Perhaps the IDS could page him or something? Or the IDS could start logging the attack. But it can't prevent the attack. If it did, it would also break the connection to all the real users, and that is not a good thing.
Another thing, don't the firewalls provide enough protection? Say you have an e-commerce site with external users inserting orders into a database and employees fetching orders from the db. The requests to the db are coming from two app/web servers, one server for the external users and one for internal users. The firewall with the db server behind it can be configured only to accept requests from the app/web servers, am I right? So it will be close to impossible to break into the database. And if the web/app servers are placed behind a firewall that only accepts requests over HTTP and HTTPS (ports 80 & 443), it's even harder to break in. I'm not saying it's totally impossible, but it's pretty damn difficult.
So the IDS is only gonna give the system admin more hassle and less spare time. And it is also gonna create extra overhead for the total network, making it slower (at least with certain types of IDS).
January 30th, 2002 03:07 PM
I've been reading a lot about IDS also.. the concept is pretty clear. I can't see why you would think that there's no real need for an IDS though. If a possible intrusion is detected the IDS will log everything that goes on so you can go back later and see the source of the attack and more information on the attacker(s). Some IDS do have an alert function to let the admin know that the system is under attack. The purpose of an IDS is to stop, prevent, and log intrusions. It may not be able to stop the attack alone but any admin with enough sense to use an IDS most likely uses a firewall also. There are ways to stop the attack without breaking the connection to all the real users.. Firewalls don't provide the necessary protection of critical information. That's a common security misconception. Many people assume that because they have a firewall their system is secure enough and that they don't require additional security.. well you're wrong.
Yes, you're right. The firewall in front of the db server is configured to allow legitimate connections and requests from certain addresses so necessary tasks can be performed. Even though it is CLOSE to impossible, it's not. The web/app servers most likely use SQL to send requests for information and other things from the database. SQL is the universal language for communicating with databases.. and yes, it is pretty damn difficult but still a possibility. The IDS will help the admin and isn't any more hassle, in most cases it's probably less. I doubt an IDS will slow the total network down that much. It may with some types of IDS but if the admin knows anything he/she will know what IDS to use and what procedures to use.
January 30th, 2002 03:41 PM
Actually the IDS should not slow the network down at all. If it is configured correctly, the only interface that is connected to your LAN should be in promiscuous mode, and it does not even need to have TCP/IP bound to it. Think of it as a similar concept to a radar gun in traffic. Nobody knows that it is there because it has no effect on driving, but it is there providing useful information to the people using it.
A perfect example of why a firewall is not enough:
Let's say you have an IIS web server running in your environment. Obviously for it to be useful, you would have to allow at least port 80 through the firewall to the web server, correct? Now... someone tell me what port it is for a Unicode exploit, not to mention many other exploits. Exactly... the goal of the IDS is to monitor traffic that is NOT filtered by your firewall; after all, why monitor what is being blocked? IDS systems do log traffic, they can give you valuable information about connection attempts, and can even send a RST to the attacking host to kill the connection.
Now, if you do not have any inbound access to your network, you probably do not need an IDS unless you want to keep track of internal users.
Remote_Access_ did have some very valid points also.
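The point above is that port 80 is open by design, so only content inspection can separate an ordinary request from a Unicode-encoded directory traversal. The following is an added illustration, not code from anyone in this thread: it runs a small normalizing check over constructed web-server log lines (the IPs, timestamps and paths are made up) and flags requests that climb out of the document root, even when the `../` is double-encoded or written as overlong UTF-8 that a strict decoder would reject.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from the thread); all arrive on port 80, which the firewall permits.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2002:14:40:01 +0100] "GET /index.html HTTP/1.0" 200 1843
10.0.0.9 - - [30/Jan/2002:14:40:07 +0100] "GET /scripts/..%c0%af../winnt/win.ini HTTP/1.0" 200 512
10.0.0.9 - - [30/Jan/2002:14:40:09 +0100] "GET /scripts/..%255c../winnt/win.ini HTTP/1.0" 404 0
10.0.0.7 - - [30/Jan/2002:14:41:00 +0100] "GET /orders/../orders/list.asp?id=42 HTTP/1.1" 200 2210
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def fold_overlong(raw: bytes) -> bytes:
    # Collapse 2-byte overlong UTF-8 (lead 0xC0/0xC1) to the ASCII byte it encodes;
    # a plain "../" signature never sees these, which is why normalization comes first.
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def normalize_path(uri: str) -> str:
    # Drop the query, then decode until stable so double encoding (%255c -> %5c -> \)
    # and overlong forms both reduce to plain characters before any matching.
    path = uri.split("?", 1)[0]
    for _ in range(3):  # bounded so a pathological URI cannot loop forever
        decoded = fold_overlong(unquote_to_bytes(path)).decode("latin-1")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_webroot(path: str) -> bool:
    # Walk the segments; climbing above depth 0 means the request leaves the document root.
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan_log(text: str) -> list:
    # (client_ip, normalized_path) for every logged request that escapes the root.
    reqs = ((ln.split()[0], REQUEST_RE.search(ln)) for ln in text.splitlines())
    return [(ip, normalize_path(m.group(1))) for ip, m in reqs
            if m and escapes_webroot(normalize_path(m.group(1)))]
```

The fourth sample line contains a `..` but stays inside the root, so it is not reported; only the two encoded traversals from 10.0.0.9 produce alerts.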
January 30th, 2002 05:30 PM
Good posts RA and iNViCTuS. proactive, you may not need one, but if you are protecting server data of value you may wish to opt for one as it will increase your ability to know what is happening to your network.
January 30th, 2002 05:57 PM
Previously posted by micael
There was already a thread on IDS, but I think there are about 4 now. Here's part of what micael posted in a different thread on IDS. BTW, good post micael.
Why We Need IDS
Of the security incidents that occur on a network, the vast majority (up to 85 percent by many estimates) come from inside the network. These attacks may consist of otherwise authorized users who are disgruntled employees. The remainder come from the outside, in the form of denial of service attacks or attempts to penetrate a network infrastructure. Intrusion detection systems remain the only proactive means of detecting and responding to threats that stem from both inside and outside a corporate network.
Intrusion detection systems are an integral and necessary element of a complete information security infrastructure performing as "the logical complement to network firewalls." [BAC99] Simply put, IDS tools allow for complete supervision of networks, regardless of the action being taken, such that information will always exist to determine the nature of the security incident and its source.
Clearly, corporate America understands this message. Studies show that nearly all large corporations and most medium-sized organizations have installed some form of intrusion detection tool [SANS01]. The February 2000 denial of service attacks against Amazon.com and E-Bay (amongst others) illustrated the need for effective intrusion detection, especially within on-line retail and e-commerce. However, it is clear that given the increasing frequency of security incidents, any entity with a presence on the Internet should have some form of IDS running as a line of defense. Network attacks and intrusions can be motivated by financial, political, military, or personal reasons, so no company should feel immune. Realistically, if you have a network, you are a potential target, and should have some form of IDS installed.
January 30th, 2002 08:18 PM
I agree with you proactive to a certain point and with all the others 100 percent.
Intrusion detection systems are not fully developed yet and there is still more to come. They do sometimes raise false alarms; it's here the valuable technician will do their work and supervise the IDS and make the right decisions.
A well planned IDS is a good life insurance, and combined with other tools, for example tripwire and other detection systems for critical system files, makes the day much safer.
But to another point. No system is safe enough without good supervising tools, log watchers, log servers, log rotation routines etc. I'm sure that everyone here at AO knows the importance of a well planned system.
A confession: I'm currently working at a bank and everything there is about safety, from keys to servers; everything that makes the system a bit safer is worth implementing, because there are no unbreakable systems. And when something happens the response has to be fast and well performed.
January 31st, 2002 03:46 AM
Well said guys. I do agree with the need for IDS, and the rules/filters have to be constantly reviewed. Knowledge of attempts and scanning done to penetrate your network is very valuable. Alerts may sometimes be false alarms, but it's better than no indication at all!! Being notified early in an attack allows you to minimise the damage.
February 3rd, 2002 01:20 PM
One good thing about an IDS that I like: the fingerprinting, so to speak, of the perpetrator. If the firewall just logged the attack, well, you may have an IP. So what, we all know that's useless sometimes, depending on the size of the attack. The company may not want to pursue it. Or it came from outer Mongolia somewhere. However, the way they are going with the IDS, you can see what they are up to, what protocols and such. Where they traversed the servers and blah, blah, blah. Point being, with more detailed info inside "the frame", you may be able to shut a hole that some "boob" in, say, accounting left open when he left his power user account logged in to the SQL server while updating the price list or something. I find this to be the most beneficial offering that the IDS is headed for. May save a company many $ before something big hits.
My itty bitty $.02 worth...
The COOKIE TUX lives!!!!
Windows NT crashed,I am the Blue Screen of Death.
No one hears your screams.