December 13th, 2003, 07:34 AM
IDS why you need it : part 1.1 of IDS/Snort
This should be part of a huge paper that I am writing for research. Please leave comments.
1.1 What is an IDS?
An intrusion detection system (IDS) can be defined as a system that gathers information (through logs or sniffing) and analyzes that information for possible intrusion attempts. Throughout this paper, "intrusion" will refer to both misuse and intrusions unless otherwise specified. Intrusions are attacks originating from outside your network, while misuse refers to attacks that originate from inside your network.
To further clarify this definition, think of a burglar alarm or a surveillance system that watches your house while you are on vacation. If your house is robbed, you can use the logs from the burglar alarm and the video tape from the surveillance camera to identify the robber. An IDS functions in much the same way on your network: it constantly looks through the network packets trying to detect an intrusion. Once an intrusion is detected it takes whatever action you specified (sending an email to the security person on the network, or just logging the alert). It is important to understand that, just like a surveillance camera, an IDS is used for detection, not prevention.
Numerous IDS types are on the market today; although this paper will discuss HIDS, DIDS and hybrid IDS, our main focus will be NIDS. Note that an IDS is not effective if you lack essential security. For example, do not expect an IDS to be effective on a network that uses telnet or FTP for authentication and does not have a firewall in place. An IDS is just an added layer of protection that supplies what firewalls lack, which includes:
1. Reliable logs
Most attackers (or at least the smart ones) will clean up after they are done compromising a system. Implemented effectively, an IDS can block attackers from editing the IDS log files, or at least present a more difficult challenge for the attacker.
These logs are also important if you later want to prosecute the attacker; remember that the logs may be your only evidence that the attack even took place and that the attacker was the one who cracked your system.
2. Detailed logs
A good IDS will provide you with a detailed log and a capture of the attack packet. This can help you fix the problem with your security.
3. Real-time alert
Real-time alerting notifies you while an attack is underway. This is definitely important against attacks that depend on speed and on how much your system can handle before it crashes; an example of such an attack is a Denial of Service (DoS) attack.
4. Detecting the prelude (beginning) of an attack
Most attackers need to follow a process before attacking a network, beginning mostly with footprinting and network probing (port scanning, vulnerability scanning, etc.). It is therefore quite possible for a smart admin (or a lucky one) to catch an attack before it even happens.
5. Insider threat
While firewalls do a great job of detecting attacks originating from outside the network, they can do little to stop or even detect attacks originating from the inside. A 2003 CSI/FBI study showed that 45% of reported attacks originated from inside the network, mainly because insiders know too much about the systems around them and the daily routine.
6. Possible policy violation
For example, some networks prohibit the use of P2P programs such as Kazaa and Gnutella because they expose your network to many security threats. A good IDS can be configured to detect these kinds of programs on your network and report their use to the network or system administrator.
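To make items 1, 3, 4 and 6 above concrete, here is a small added example (my own illustration, not code from the original post and not Snort's code) of a toy detector that works on a constructed list of packet summaries instead of sniffing a live interface. It raises a real-time alert when one source sends SYNs to several distinct ports in a short window (the port-scan prelude), flags traffic to the ports the named P2P programs use (Kazaa/FastTrack on 1214, Gnutella on 6346-6347), records the captured packet summary with each alert, and writes the alert log as a hash chain so that edited or deleted lines can be detected. The sample packets, thresholds and IP addresses are all made up for the example.

```python
"""Toy NIDS illustrating reliable logs, real-time alerts, scan prelude and policy detection.

Added example: the packets below are constructed, not captured traffic.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet summaries: (time in seconds, src IP, dst IP, dst port, TCP flags).
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 21, "S"),
    (0.1, "10.0.0.5", "10.0.0.20", 22, "S"),
    (0.2, "10.0.0.5", "10.0.0.20", 23, "S"),
    (0.3, "10.0.0.5", "10.0.0.20", 25, "S"),
    (0.5, "10.0.0.7", "10.0.0.20", 80, "S"),      # ordinary web client, no alert
    (0.6, "10.0.0.5", "10.0.0.20", 80, "S"),      # fifth distinct port from 10.0.0.5
    (0.7, "10.0.0.5", "10.0.0.20", 443, "S"),     # same scanner, no duplicate alert
    (1.0, "10.0.0.9", "192.0.2.44", 1214, "S"),   # Kazaa/FastTrack port -> policy alert
    (1.2, "10.0.0.9", "192.0.2.44", 1214, "A"),   # same flow, reported only once
]

SCAN_PORT_THRESHOLD = 5   # distinct ports from one source ...
SCAN_WINDOW = 2.0         # ... within this many seconds counts as a scan (assumed values)
# Ports used by the P2P programs named in the text.
P2P_PORTS = {1214: "Kazaa", 6346: "Gnutella", 6347: "Gnutella"}


@dataclass
class Alert:
    time: float
    rule: str
    src: str
    detail: str   # the captured packet summary that triggered the rule


def detect(packets):
    """Run both rules over the packet list and return alerts in time order."""
    alerts = []
    syns = defaultdict(list)   # src -> [(time, dport)] for SYN packets
    reported = set()           # (src, rule) pairs already alerted on
    for t, src, dst, dport, flags in packets:
        # Rule 6 (policy violation): traffic to a known P2P port.
        if dport in P2P_PORTS and (src, "policy") not in reported:
            reported.add((src, "policy"))
            alerts.append(Alert(t, f"POLICY {P2P_PORTS[dport]} traffic", src,
                                f"{src}->{dst}:{dport} [{flags}]"))
        # Rule 4 (attack prelude): many distinct ports probed within the window.
        if "S" in flags:
            syns[src].append((t, dport))
            recent = {p for (tt, p) in syns[src] if t - tt <= SCAN_WINDOW}
            if len(recent) >= SCAN_PORT_THRESHOLD and (src, "scan") not in reported:
                reported.add((src, "scan"))
                alerts.append(Alert(t, "SCAN port-scan prelude", src,
                                    f"{len(recent)} ports in {SCAN_WINDOW}s: {sorted(recent)}"))
    return alerts


def chain_log(alerts):
    """Render alerts as log lines where each line includes the hash of the previous one.

    Editing, reordering or deleting a line breaks the chain (the 'reliable logs' property).
    """
    lines, prev = [], "0" * 64
    for a in alerts:
        body = f"{a.time:.1f}|{a.rule}|{a.src}|{a.detail}|prev={prev}"
        prev = hashlib.sha256(body.encode()).hexdigest()
        lines.append(f"{body}|h={prev}")
    return lines


def verify_log(lines):
    """Return True only if every line's hash and back-reference are intact."""
    prev = "0" * 64
    for line in lines:
        body, sep, h = line.rpartition("|h=")
        if not sep or not body.endswith(f"prev={prev}"):
            return False
        if hashlib.sha256(body.encode()).hexdigest() != h:
            return False
        prev = h
    return True


if __name__ == "__main__":
    found = detect(SAMPLE_PACKETS)
    log = chain_log(found)
    print("\n".join(log))
    print("log intact:", verify_log(log))
```

Running it prints one SCAN alert for 10.0.0.5 (raised at the fifth distinct port, with the port list as the captured detail) and one POLICY alert for 10.0.0.9, then confirms the chain verifies. The hash chain only makes tampering detectable if the latest hash is also kept somewhere the attacker cannot reach (for example, shipped to a separate log host), since someone with write access to the file could otherwise rebuild the whole chain; that off-host copy is what a real deployment adds on top of this sketch.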
As you have seen, there are many benefits to an IDS. One thing to keep in mind, though: just as you would not leave money on the street, monitor it, and expect it to still be there the following morning, you should not leave your network wide open and vulnerable and expect your IDS to help you. An IDS does not substitute for security; it just helps make it better. A firewall is essential to your network; if you do not have one implemented correctly, then an IDS should be saved for later. As a recap, an IDS is basically a system that collects information (through logs or sniffing) and then logs or alerts the proper persons when an intrusion is detected.
Any comments on how to improve it, and on whether I missed some important information, are welcome.