The intrusion detection system (IDS) has come a long way since James Anderson helped develop some of the early concepts in a 1980s white paper, Computer Security Threat Monitoring and Surveillance. We can be thankful that IDS technology has continued to advance, because attack patterns are changing. Virus writers and hacker groups are continuing to coalesce and develop more virulent code. The IDS plays a critical role in protecting the IT infrastructure.
An IDS is a great tool for monitoring network activity, detecting unauthorized access, and alerting the appropriate individuals to an intrusion so that counteractions can be taken. An IDS is typically network or host based, and it has a difficult job -- it must quickly process a vast amount of traffic and classify the results. There are many brands of IDS, but they can be grouped into two broad categories:
- Anomaly detection: functions by learning what's normal and then alerting to abnormal activity.
- Signature detection: functions by matching traffic to a database of known attacks. These attacks have been loaded into the system as signatures.
No matter which method of detection you use, one of the most critical choices you will have to make is where to place the sensors. Sensor placement will determine what types of traffic you will detect. This requires some consideration because, after all, a sensor in the demilitarized zone (DMZ) will work well at detecting misuse there but will prove useless against attackers that are inside the network. Final placement will require that you determine what type of activity you are monitoring for and what policies and guidelines management has put forward.
Once sensor placement has been determined, you will still need to perform system tuning and configuration. Without specific tuning, the sensor will generate alerts for all traffic that matches a given criterion, regardless of whether the traffic is indeed something that should produce an alert. An IDS must be trained or programmed to look for suspicious activity. There are four basic responses an IDS can produce:
- True positive: An alarm was generated, and an event did occur.
- True negative: An alarm was not generated, and an event did not occur.
- False positive: An alarm was generated, and an event did not occur.
- False negative: An alarm was not generated, and an event did occur.
The worst of these responses is a false negative. A false negative means that an event did occur but no alert was generated. Spending the appropriate amount of time on tuning can help prevent this. If you would like to get more hands-on IDS experience without sinking a ton of cash, a good place to start is Snort.
Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. Snort is a network-based IDS that can be set up on a Linux or Windows host. Although the core program has a command-line interface, many individuals have developed GUIs and add-ons, including SnortSnarf and IDS Center. Snort operates as a network sniffer and logs activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).
Now that you have been introduced to intrusion detection, I hope you are motivated to start exploring how it could be a useful tool for your organization. A good defense requires detection and response. Intrusion detection can make the difference between a minor security blip and a full-fledged disaster.
About the author:
Michael Gregg is the president of Superior Solutions Inc., a Houston-based training and consulting firm. He has more than 15 years of experience in IT and is an expert on networking, security and Internet technologies. Michael holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.