News Stay informed about the latest enterprise technology news and product updates.

Intrusion detection systems grow up

Security is a key consideration for network design. Here network security engineer Michael Martin talks about what intrusion detection systems (IDS) will and won't do for networks. Martin says that for an IDS to be useful in real world conditions, it must strike a balance between network security and network usability.

What is IDS and how does it does it differ from traditional firewall technology?
Intrusion is different from traditional firewalls because it involves the detecting of a security breach. In most cases it translates into defending against a security breach, in my opinion it's sort of part system administration. If you look at the way IDS evolved originally the idea was that if I set up a particular probe or a particular application, I'll be able to detect unauthorized access.

Live Web cast on intrusion detection systems
Michael Martin will discuss intrusion detection systems and answer questions during a SearchNetworking Web cast Thursday at 3 p.m., EDT.

To register click here
Most of those things prior to the creation of the security industry were things that network engineers already implemented. So a lot of the earlier tools such as Transmission Control Protocol (TCP) wrappers and the original ISS applications, and several others were original developed and released as open-source tools. IDS today is very different than what it was seven or eight years ago. How does IDS technology work?
There are three approaches. The first is a blind a barricade, which is similar to a firewall. You implement a wrapper or some sort of a scanner that looks for specific events. When it sees the event it correlates it and decides whether or not it's an acceptable event or an unacceptable event. So if I try and log into a system and it tells me that I don't have the right credentials, when that failure occurs an application will then alarm some other console to say that there is an unauthorized access. What is the last approach?
Profile or anomaly detection, the most recent. As an administrator you create profiles of your system and you determine what their normal operational parameters are, and you look for events that are out of profile. So for instance I have a Web server and as a Web server it only runs SSH. Then one day all of a sudden it starts running HTTP clients that should set up a major flag. It would be an indication, if I was running a Microsoft server for example, that I've got Code Red virus or something like that. Please give an example.
If I am running is a firewall environment, and the firewall administrator doesn't want me to run AOL Instant Messenger (AIM), he doesn't permit the service to happen. If I turn on Secure Socket Layer (SSL) now all of a sudden I can run AIM and the firewall administrator can't do anything about it. So the idea is that this sort of working around will be incorporated into the tools that hackers make and they will be able to completely evade IDS because they will be interpreted as normal traffic. Can you explain the concept of deep packet inspection and how it relates to IDS?
The problem with most signature-based events is basically that they are looking at just the (packet) header to be able to determine the potential attack. The idea of deep packet inspection now is that you can actually look inside the data-stream to determine whether or not an attack is really being perpetrated. This is a very relevant form of IDS that is just starting to be developed. Developers are getting smart enough now so that they can write around firewalls so that they can keep their applications in use. What is the second way?
Signature based. Signature based works on a host or a network basis where a particular type of packet or data stream is looked for. When the scanner sees it, it generates an alarm. The issue with signature based applications is that they're really only as good as the signatures are. So they leave a large area to be desired in terms of total effectiveness. What factors should be considered when tuning an Intrusion Detection System to your network?
It is all based on success and cost. Success means that IDSes need to be tuned, and they need an enormous amount of tuning. That is probably the biggest problem with them. Secondly, they cost an excessive amount of money.
More about Michael Martin
Michael Martin, author of "Understanding The Network: A Practical Guide to Computer Networking, has been building and managing the internal network and its systems at ANS Communications Inc. since 1994. His book stems from a series of talks and materials distributed to clients and employees while at ANS. Martin has also worked as a consultant, trainer and lecturer and is known in the networking community for his practical expertise. Martin has built networks for small to large organizations and Internet service providers.
So typically what happens is that some one will buy an IDS and implement it, and it will alarm for everything, because it needs to be tuned. Of course when it goes through the tuning process they then have to make assumptions about what to permit and what not to permit. Then you have to make these decisions about what am I going to permit as part of my security policy. What is the result?
So what typically happens is a company will decide that they need to implement IDS. So they will go out and buy a product and they will put the product in and the product will sit dormant, because nobody wants to take the time to actually fix it. Or they'll implement it without dealing with all the underlying issues which is not running a secure environment to begin with, and they'll have just spent a lot of money. What has the IDS market been doing?
There has been a lot of fluctuation. Enterasys has been severely impacted in the market overall, so they are making a desperate attempt to try and grow their product out. It has a very big following so I tend to believe the product will survive and continue to grow. ISS has been very aggressively developing a globalized system, integrating technologies from other companies that they've acquired to build out their original product base. Cisco is radically redesigning its IDS package. The Cisco Security Policy Manager is growing out and they are beginning to integrate IDS functionality in both their switches and routers. There is a potential growth market here. Describe a typical IDS architecture in terms of its components and their functions.
That's driven by cost, but the ideal architecture would be multi-faceted. It would start with a standard border filter where you're just filtering out all the noise, stuff that just happens randomly, people looking for holes in your network that shouldn't be there if you're running any type of security at all. The second component would typically be some sort of network probe for looking at network-based events. The third level might be some sort of host or signature-based system. Then depending on what you are looking at and what you are defending, an anomaly-based system is also a big value. What are some emerging trends in IDS technology?
People are going to be looking for are centralized collection, analysis and reporting. Also people will be looking at things like profiler trending. That is looking at how the network is behaving in the context of a multi-faceted system, and using that profiling to detect events that you wouldn't see with a signature based system. With profiling you can detect anomalies ahead of time before they have significant impact on your network.


Best Web Links on security

Dig Deeper on Network Security Best Practices and Products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.