Using IDS as a hack detection tool


Michael Gregg
05.22.2006


The intrusion detection system (IDS) has come a long way since James Anderson helped develop some of the early concepts in a 1980s white paper, Computer Security Threat Monitoring and Surveillance. We can be thankful that IDS technology has continued to advance, because attack patterns are changing. Virus writers and hacker groups are continuing to coalesce and develop more virulent code. The IDS plays a critical role in protecting the IT infrastructure.

An IDS is a great tool for monitoring network activity, detecting unauthorized access, and alerting the appropriate individuals to an intrusion so that counteractions can be taken. An IDS is typically network-based or host-based, and it has a difficult job -- it must quickly process a vast amount of traffic and classify the results. There are many brands of IDS, but they can be grouped into two broad categories:

  • Anomaly detection: functions by learning what's normal and then alerting to abnormal activity.
  • Signature detection: functions by matching traffic to a database of known attacks. These attacks have been loaded into the system as signatures.

No matter which method of detection you use, one of the most critical choices you will have to make is where to place the sensors. Sensor placement determines what types of traffic you will detect. This requires some consideration because, after all, a sensor in the demilitarized zone (DMZ) will work well at detecting misuse there but will prove useless against attackers who are already inside the network. Final placement will require that you determine what type of activity you are monitoring for and what policies and guidelines management has put forward.

Once sensor placement has been determined, you will still need to perform system tuning and configuration. Without specific tuning, the sensor will generate alerts for all traffic that matches a given criterion, regardless of whether the traffic is indeed something that should produce an alert. An IDS must be trained or programmed to look for suspicious activity. There are four basic responses an IDS can produce:

  • True positive: An alarm was generated, and an event did occur.
  • True negative: An alarm was not generated, and an event did not occur.
  • False positive: An alarm was generated, and an event did not occur.
  • False negative: An alarm was not generated, and an event did occur.

The worst of these responses is a false negative. A false negative means that an event did occur but no alert was generated. Spending the appropriate amount of time on tuning can help prevent this. If you would like to get more hands-on IDS experience without sinking a ton of cash, a good place to start is Snort.
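The following is an added illustration, not code from the original tip, of the anomaly-detection category and of the four responses above. It learns a per-host baseline of outbound connections per minute from a constructed, all-benign training window, alerts when a host in a constructed evaluation window exceeds the baseline by a tunable number of standard deviations (the hypothetical tuning knob `k`), and then counts true/false positives and negatives against the labels. Sweeping `k` shows the trade-off the text describes: a stricter sensor produces fewer false positives but lets a subtle intrusion through as a false negative.

```python
"""Anomaly-based detection with a tunable threshold, scored as TP/TN/FP/FN.

Added example (not from the original article). All traffic records below are
constructed; the hosts, counts and labels are illustrative only.
"""
from statistics import mean, pstdev

# Constructed training window: (host, outbound connections per minute), all benign.
TRAINING = [
    ("10.0.0.5", 12), ("10.0.0.5", 15), ("10.0.0.5", 11), ("10.0.0.5", 14),
    ("10.0.0.7", 40), ("10.0.0.7", 45), ("10.0.0.7", 38), ("10.0.0.7", 42),
]

# Constructed evaluation window: (host, connections per minute, is_intrusion).
EVALUATION = [
    ("10.0.0.5", 13, False),
    ("10.0.0.5", 30, True),    # obvious burst far above the host's baseline
    ("10.0.0.5", 17, True),    # subtle intrusion, only slightly above normal
    ("10.0.0.7", 41, False),
    ("10.0.0.7", 48, False),   # busy but legitimate period on a server
    ("10.0.0.7", 120, True),
]


def learn_baseline(training):
    """Per-host (mean, population stddev) of the benign metric."""
    per_host = {}
    for host, value in training:
        per_host.setdefault(host, []).append(value)
    return {host: (mean(vals), pstdev(vals)) for host, vals in per_host.items()}


def is_anomalous(baseline, host, value, k):
    """Alert when value exceeds mean + k * stddev; k is the tuning knob."""
    mu, sigma = baseline[host]
    return value > mu + k * sigma


def evaluate(baseline, evaluation, k):
    """Count the four IDS responses for a given sensitivity k."""
    counts = {"true_positive": 0, "true_negative": 0,
              "false_positive": 0, "false_negative": 0}
    for host, value, intrusion in evaluation:
        alarm = is_anomalous(baseline, host, value, k)
        if alarm and intrusion:
            counts["true_positive"] += 1
        elif alarm and not intrusion:
            counts["false_positive"] += 1
        elif not alarm and intrusion:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


def tuning_sweep(ks=(1, 2, 3, 4)):
    """Return [(k, counts)] so the FP/FN trade-off can be read off directly."""
    baseline = learn_baseline(TRAINING)
    return [(k, evaluate(baseline, EVALUATION, k)) for k in ks]


if __name__ == "__main__":
    for k, counts in tuning_sweep():
        print(f"k={k}: {counts}")
```

With `k=2` every intrusion is caught but the busy server is flagged once (one false positive); with `k=3` there are no false positives, but the subtle intrusion on 10.0.0.5 becomes the false negative the text warns about. Tuning is choosing where on that curve the sensor should sit for a given network segment.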

Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. Snort is a network-based IDS that can be set up on a Linux or Windows host. Although the core program has a command-line interface, many individuals have developed GUIs and add-ons, including SnortSnarf and IDS Center. Snort operates as a network sniffer and logs activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).
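To make the signature-detection category concrete, here is an added example (not Snort's own code, and not from the original tip) of a minimal matcher for a small subset of Snort's rule syntax: the `action proto src sport -> dst dport (options)` header, the `$HOME_NET`/`$EXTERNAL_NET` variables (assumed values), and the `msg`, `content`, `sid` and `itype` options. It runs four constructed rules, one each for IP, TCP, UDP and ICMP, over constructed packet records. Real Snort handles far more (hex `content`, modifiers, flow state), so treat this as a teaching model of how a signature sensor classifies traffic.

```python
"""Minimal Snort-style signature matcher (added example, not Snort's code).

Rules, variable values and packets are all constructed for illustration.
Limitation: options are split on ';', so msg/content must not contain one.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed variable table; real Snort reads these from its configuration.
VARS = {"$HOME_NET": "10.0.0.0/24", "$EXTERNAL_NET": "any"}

HEADER = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)


def parse_rule(text):
    """Parse one rule line into a Rule; raises ValueError on unknown syntax."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    opts = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dst"], m["dport"], opts)


def addr_matches(spec, ip):
    """'any', a variable name, a single address or a CIDR block."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any', a single port, or a Snort-style low:high range."""
    if spec == "any":
        return True
    if ":" in spec:
        low, _, high = spec.partition(":")
        return int(low or 0) <= port <= int(high or 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header fields first (cheap), then payload and ICMP-type options."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])):
        return False
    # ICMP records carry no ports; treat them as port 0 so only 'any' matches.
    if not (port_matches(rule.sport, pkt.get("sport", 0))
            and port_matches(rule.dport, pkt.get("dport", 0))):
        return False
    if "content" in rule.opts and rule.opts["content"].encode() not in pkt.get("payload", b""):
        return False
    if "itype" in rule.opts and pkt.get("itype") != int(rule.opts["itype"]):
        return False
    return True


def run_sensor(rules, packets):
    """Return (sid, msg) alerts in the order the packets were seen."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((int(rule.opts["sid"]), rule.opts.get("msg", "")))
    return alerts


# Constructed rules covering the four protocols named in the text.
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB traversal attempt"; content:"../.."; sid:1000001;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS query for example.test"; content:"example"; sid:1000002;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP echo request to internal host"; itype:8; sid:1000003;)',
    'alert ip any any -> 10.0.0.250 any (msg:"Any traffic to honeypot address"; sid:1000004;)',
]]

# Constructed packet records (documentation-range addresses).
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "10.0.0.10", "dport": 80,
     "payload": b"GET /images/../../secret.txt HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51001, "dst": "10.0.0.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "udp", "src": "10.0.0.10", "sport": 40000, "dst": "10.0.0.2", "dport": 53,
     "payload": b"\x00\x01\x07example\x04test\x00"},
    {"proto": "icmp", "src": "198.51.100.4", "dst": "10.0.0.250", "itype": 8, "payload": b""},
    {"proto": "icmp", "src": "198.51.100.4", "dst": "10.0.0.10", "itype": 0, "payload": b""},
]

if __name__ == "__main__":
    for sid, msg in run_sensor(RULES, PACKETS):
        print(f"[1:{sid}] {msg}")
```

Note the ordering of checks in `rule_matches`: protocol, addresses and ports are compared before any payload search, which is how a sensor keeps up with traffic volume, and it is also why a rule with a loose header and no `content` (the honeypot rule) fires on everything sent to that address. That is the signature-side analogue of tuning: overly broad rules are where false positives come from.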

Now that you have been introduced to intrusion detection, I hope you are motivated to start exploring how it could be a useful tool for your organization. A good defense requires detection and response. Intrusion detection can make the difference between a minor security blip and a full-fledged disaster.

About the author:
Michael Gregg is the president of Superior Solutions Inc., a Houston-based training and consulting firm. He has more than 15 years of experience in IT and is an expert on networking, security and Internet technologies. Michael holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.
