Why do you Need IDS?

[wacky_sung]

I just curious to ask or know why people like to have IDS?I personally find it not very necessary cos your firewall will tell you all those hack attempts in it log files.Even though people may have already break through your firewall,what can you actually do with the IDS?It just only can alert you about the intrusion.What can you do to stop the intrusion is more important rather than alert you of the intrusion.If people hack into your system and what the use of of IDS which cannot stop it either. ^n^

[MrLinus]

You need to know that they've actually broke in. The IDS and the logs from it could be used for evidence against the attacker if he/she is caught. It can be the only evidence of their activities you have to take to the law authority.

I personally just use my IDS to see what activity is common on the network of my ISP and what I should expect. Part of this is in prep to me finally putting together a honeypot.

[slarty]

wacky_sung (not Mittens): Sounds like a lame argument.

Firstly, if your firewall logs packets which violate the policy, then it is a form of IDS in itself

Secondly, IDS generally detect attacks which are much more subtle than firewall policy violations. For example, HTTP-based attacks on legitimate web applications, dodgy mail arriving via SMTP.

Also, IDS will correlate multiple packets to see scanning attempts, which a packet log will not give you (unless you look at it manually for hours)

IDS do not just log *actual* intrusions, also attempted ones. In fact, attempted intrusions are far more common than successful ones.

IDS are also very important for forensics, for example, if one of your users is running programs they shouldn't, and the programs make outgoing attacks, your IDS will catch those so that you can inform the network admins on the receiving end.

[Networker]

for ur info wacky_sung IDS can active (taking real time conter measure)...
but i will not recommand the use of such IDS, espcially for HIDS, because there is a great risk of deny of service by someone sending forged packet.

The IDS is the perfect tool
- to see by ourselves the great danger of not secured system
- to audit ur network by knowing which attack can mess ur net
- to be acknowledge that some people are making repeated effort to scan you & will further on maybe dammage your system.

[wacky_sung]

wacky_sung (not Mittens): Sounds like a lame argument.

I don't think this is a lame question except i need more detail to know about intrusion detection system.Thank you guys and gals for your efforts in answering my question.

[Tiger Shark]

Wacky: There are two phases to an attack on a publicly accessible system:-

1. The Footprinting Phase: This is the act of determining the structure and available access to a network and what the OS, version, patch level of the server are and then what services are running, the software, version and patch level of that software. This phase is the phase that takes the most time and, in practical terms, makes the most "noise".

2. The Exploit Phase: Once properly footprinted the attacker knows about as much about your systems as you do, (ok, I'm exaggerating...<s>), and can select his tool of choice against the service he feels he can exploit. This phase is usually quite quick and is accomplished in relatively few packets. Once compromised, the "noise" it made can be quickly cleaned from the logs and the logging systems can be changed so as to not log events from the attackers machine(s).

Once hacked by a good hacker/cracker his/her activities may simply melt away into the day to day running of your system and you may never know you are owned.

That's where IDS's come in handy. If he's going to make a mistake it will probably be in the early stages of the footprinting phase when he may unleash a scan that is just noisy enough to alert the IDS. Now you can track the activity from that subnet to see what is happening. The benefit here is the pre-warning that something is about to occur. Even if he blasts away in a few seconds, finds an exploitable service, exploits it and cleans the system of evidence when you come in in the morning the warning that something occured should still be on your IDS. Even if you can't find any other evidence you can watch the box to see what happens when they come back next time and then you will have a clue as to what to do to re-protect the box.

FYI, these are the two adages I live by with regard to the security of my networks:-

1. It's not a matter of _if_ I get hacked, it's _when_!
2. It is my job as a security type to be able to recognized a future, current or prior hack and mitigate the damage.

Thus we have IDS's...... Any questions......

[wacky_sung]

That's where IDS's come in handy. If he's going to make a mistake it will probably be in the early stages of the footprinting phase when he may unleash a scan that is just noisy enough to alert the IDS. Now you can track the activity from that subnet to see what is happening. The benefit here is the pre-warning that something is about to occur. Even if he blasts away in a few seconds, finds an exploitable service, exploits it and cleans the system of evidence when you come in in the morning the warning that something occured should still be on your IDS. Even if you can't find any other evidence you can watch the box to see what happens when they come back next time and then you will have a clue as to what to do to re-protect the box.

Since the hackers once break into your system,he can still clean up his log files in the access log and why can't he clean up his access log for the IDS?Since he can able to clean up his access log and i do not see the point that he cannot clean up his log for IDS too.

[spurious_inode]

This topic has been well discussed, so I will just add this if I may....

In addition to a firewall, an IDS (properly configured, as well as capable) can also alert you to some common conditions of attack. One such example is inspecting packets for fields that are not normally used, this typically indicates a forged packet that has been 'injected' with some data, and usually signals an exploit attempt in progress (although other explanations are possible).

In short, if you want to be even marginally secure, you need a packet filtering firewall, an IDS, logging utilities (and actually reading the generated emails/pages helps ), and a policy/tool for keeping your system up to date with all the latest patches for your OS as they become available. All of which you most likely have if you are running Linux, *BSD, or Solaris 9 and it is simply a matter of using and paying attention to them.

About your 'Why bother' question: A skilled hacker will make it incredibly difficult for you to find evidence of their presence on the system, and this does include carefully (but not suspiciously) erasing their presence from logs. IDS's still play a role here though, as they can greatly aid your efforts to recover the system *after the break-in*. I would suggest reading up on some of these and seeing what they can do, if used properly they may even give you a heads up while under attack so that you can prevent the break-in in the first place.

[s0nIc]

well ill make it short. IDS, compared to firewalls, gives you MORE info on the attack. now if you are one of those "Backtrackers" kind of computer security person (which i think everyone should be), an IDS is really handy. because even if a hacker already left the premisis, the IDS can still give you more foot prints and finger prints to follow. so you can repair or even track down your intruder (providing the intruder doesnt use proxies). SOME firewalls do provide sufficient and even more info than an IDS can give. BUT those kind of firewalls are not easy to find. Usually, those functions are found in Corporate firewalls which DOES cost money. so a decent IDS is good from time to time, not a requirement but it is recomended.

[ged]

Originally posted here by wacky_sung


Since the hackers once break into your system,he can still clean up his log files in the access log and why can't he clean up his access log for the IDS?Since he can able to clean up his access log and i do not see the point that he cannot clean up his log for IDS too.

IDS systems are typically set up very differently from network servers. A properly configured IDS doesn't even have a visible IP address on the network it is monitoring. Also, it usually does not run any network services whatsoever, it is just an "IDS box". Really paranoid admins also make the syslog server work in a similar manner, i.e. the log server just sniffs syslog packets off the [separate] administration network.

Thus an attacker would have to specifically target the IDS to be able to erase its logs. This is not quite as hard as it may sound, many IDSes have had remote code exploits against them. For instance, Snort has had a few that have allowed an attacker to execute code on the IDS just by sending a carefully crafted attack vector over the network the IDS is monitoring.

However, as noted, it's possible to do logging on an other system, or using write-once media. I've seen a good implementation using one of those good old dot matrix printers. Of course you need a lot of paper if you're attacked. The benefit is that a secretary can change paper in a printer.