Wednesday, May 7, 2008

Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)

Types of Intrusion Detection Systems
An Intrusion Detection System (IDS) is a program that analyzes what is happening, or has happened, on a system and tries to find indications that the computer has been misused. An IDS detects and records evidence of intrusion activity that passes through the firewall, whether ultimately successful or not. When an attack occurs, IDS software helps you determine what happened and how to prevent the breach from recurring. Some IDSs can instruct other parts of the network infrastructure to shut down attacks in progress. However, IDSs are reactive--they report what has happened--and can only detect activity on the links they monitor. An IDS is not a "set it and forget it" technology, either. Firewalls and intrusion detection systems are essential parts of a small or medium-sized business's (SMB) network and its security. With the number of attacks on SMBs on the rise, a robust system is as important for an SMB as it is for a large enterprise. And despite the challenges of recent Web and application-level attacks, a strong perimeter defense of firewalls--as old-fashioned as it may sound--is still necessary to protect your SMB.

Distributed IDS
A Distributed IDS (DIDS) consists of several IDSs spread over one or more large networks, all of which communicate with each other, or with a central server that facilitates advanced network monitoring. In a distributed environment, a DIDS is implemented using co-operative intelligent agents distributed across the network(s).

Setting Up an IDS
Setting up firewalls is part of a day's work for networking types, and they should already have the appropriate skills without having to look for dedicated security professionals. So where do you set up an IDS? That depends on where (from which network or network segment) you expect threats to originate. The most obvious location is at the network perimeter, just inside the firewall. That position is the sweet spot because traffic the firewall drops is of no interest, and any logging system that captures unfiltered Internet activity is likely to fill up quickly. Positioning an IDS inside the firewall helps you understand attacks that originate outside your network. It may not, however, cover exploits that originate from inside your network targeting your hosts, depending on your network's topology.

Managing an IDS
Intrusion detection is not for the faint of heart. But if you are a network administrator, chances are you're under increasing pressure to ensure that mission-critical systems are safe--in fact impenetrable--from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is a vital but daunting challenge. Because of this, a plethora of complex, sophisticated, and pricey software solutions are now available. In terms of raw power and features, Snort, the most commonly used open source IDS, has begun to eclipse many expensive proprietary IDSes. In terms of documentation or ease of use, however, Snort can seem overwhelming. Which output plugin to use? How do you email alerts to yourself? Most importantly, how do you sort through the immense amount of information Snort makes available to you? Many intrusion detection books are long on theory but short on specifics and practical examples. Not Managing Security with Snort and IDS Tools. This new book is a thorough, exceptionally practical guide to managing network security using Snort 2.1 (the latest release) and dozens of other high-quality open source intrusion detection programs. Managing Security with Snort and IDS Tools covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS applications and the GUI interfaces for managing them. A comprehensive but concise guide for monitoring illegal entry attempts, this invaluable new book explains how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices. Step-by-step instructions are provided to quickly get up and running with Snort.
Each chapter includes links for the programs discussed, and additional links at the end of the book give administrators access to numerous web sites for additional information and instructional material that will satisfy even the most serious security enthusiasts. Managing Security with Snort and IDS Tools maps out a proactive--and effective--approach to keeping your systems safe from attack.

Case study & Tips for administering a firewall
1. Keep all databases, or other systems with confidential customer information, tucked away inside your internal network and not in your DMZ. The same goes for any encryption keys or other mission-critical internal systems you wouldn't want exposed to the outside world.

2. Use your networking staff to administer your firewalls and IDS if you don't have a dedicated information security team. Setting up firewalls is part of a day's work for networking types, and they should already have the appropriate skills without having to look for dedicated security professionals. Set up paging on your IDS to alert networking staff members of intrusion attempts and possible incidents.

3. Establish firewall rules as a joint effort between the business and IT (or networking) staff. Make sure they work for everyone and aren't too restrictive or too open. Policies must include what types of applications and traffic are allowed into and out of your network through your firewalls.

4. Have regular audits and log reviews to tune up your perimeter defenses and see if there are patterns in the types of attempted intrusions.
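Tip 4's log review and the Snort question raised earlier (how to sort through everything Snort reports) both come down to parsing the alert log and aggregating it. The following Python is an added example, not code from this post or from the Snort project: it parses lines in Snort's alert_fast output format (the sample lines, signature ids and addresses below are constructed), summarizes them by signature, source and priority for a periodic review, and applies two simple paging rules for tip 2: any priority-1 alert, or one source touching three or more distinct host:port pairs.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (made up for this example).
SAMPLE_ALERTS = """\
05/07-09:12:01.000001  [**] [1:1000001:1] CONSTRUCTED SCAN Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
05/07-09:12:02.000002  [**] [1:1000001:1] CONSTRUCTED SCAN Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.10:23
05/07-09:12:03.000003  [**] [1:1000001:1] CONSTRUCTED SCAN Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51236 -> 192.0.2.10:80
05/07-09:15:44.000004  [**] [1:1000002:1] CONSTRUCTED WEB-CGI Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:40000 -> 192.0.2.20:80
05/07-09:16:10.000005  [**] [1:1000003:1] CONSTRUCTED ICMP Ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
"""

# One alert_fast line: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    # Returns a dict of fields, or None for blank/unrecognised lines (Snort writes other text too).
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec

def parse_alerts(text):
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]

def summarize(alerts):
    # The three views a periodic log review (tip 4) needs: what fired, who sent it, how severe.
    return {
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
    }

def page_worthy(alerts, max_prio=1, scan_threshold=3):
    # Reasons to page staff (tip 2): any alert at or above max_prio severity, or one source
    # hitting scan_threshold or more distinct host:port pairs, the pattern of a probe/scan.
    reasons = [f"priority {a['prio']}: {a['msg']} from {a['src']} -> {a['dst']}:{a['dport']}"
               for a in alerts if a["prio"] <= max_prio]
    targets = {}
    for a in alerts:
        targets.setdefault(a["src"], set()).add((a["dst"], a["dport"]))
    reasons += [f"{src} touched {len(t)} distinct host:port pairs (possible scan)"
                for src, t in targets.items() if len(t) >= scan_threshold]
    return reasons
```

Feed it the contents of Snort's alert file instead of SAMPLE_ALERTS and tune max_prio and scan_threshold to the noise level of your own perimeter.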

Vendors that offer affordable firewalls for small or medium-sized businesses include Juniper Networks Inc., SonicWALL Inc., NetScreen and Check Point Software Technologies Ltd. They're all nimble enough for small players and can be set up as part of a dual firewall system. Cisco also offers the PIX line of firewalls for the smaller enterprise. On the IDS side, Nessus and Snort are two popular products that are lightweight enough for small networks but strong enough to have stood the test of time.