Intruder alert: Intrusion Detection Systems (RMIT Test Labs)
Part 2: Intruders, responses and how well do they work?
What sort of intruders are we looking for?
In theory, once a vulnerability or attack is known, every affected system should be patched or a workaround applied, and the need for a signature-based IDS would be nil. In practice, many systems are not patched or upgraded as vulnerabilities are disclosed. This is clearly shown by the number of system compromises that occur every day, most of which exploit old, well-known problems for which fixes are already available.
Problem response
Most IDS consoles are configured to log everything to a database and e-mail the Security Officer (SO) when a problem occurs. The drawback is that a worm such as Nimda or Code Red can flood the administrator with e-mail, leaving a system that produces more information than anyone can process. One arrangement we have seen in use sets the threshold for e-mailing or paging fairly high, but also has the console beep whenever it detects a problem. The SO can keep an eye on the odd problem as it crops up, and if the alerts come faster and faster they know there is a real problem.
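The escalation scheme just described, written out as an added example in Python (it is not code from the article or from any IDS product): every alert is logged and produces a console beep, but the SO is paged only when the number of alerts in a sliding window crosses a threshold, and at most once per cooldown period. The alert stream, the addresses (RFC 5737 documentation ranges) and the signature names are constructed sample data.

```python
"""Alert escalation for an IDS console (added example, not a product's code).

Log everything, beep per alert, page the Security Officer only when the
alert rate crosses a threshold, so a worm outbreak yields one page rather
than one e-mail per probe.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Alert:
    timestamp: float   # seconds since epoch
    source: str        # source address reported by the sensor
    signature: str     # name of the rule that fired


@dataclass
class AlertConsole:
    page_threshold: int = 20        # alerts inside the window before we page
    window_seconds: float = 60.0    # sliding window for the rate calculation
    page_cooldown: float = 300.0    # do not page again within this many seconds
    log: list = field(default_factory=list)       # the "database" of every alert
    beeps: int = 0                                 # console beeps emitted
    pages: list = field(default_factory=list)     # messages sent to the SO's pager
    _recent: deque = field(default_factory=deque) # timestamps inside the window
    _last_page: float = float("-inf")

    def handle(self, alert: Alert) -> str:
        # 1. Everything is logged, regardless of volume.
        self.log.append(alert)
        # 2. One beep per alert lets the SO notice the odd event as it crops up.
        self.beeps += 1
        # 3. Slide the window forward and drop timestamps that fell out of it.
        self._recent.append(alert.timestamp)
        while self._recent and alert.timestamp - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        # 4. Page only when the rate is high and we have not paged recently.
        if (len(self._recent) >= self.page_threshold
                and alert.timestamp - self._last_page >= self.page_cooldown):
            self._last_page = alert.timestamp
            self.pages.append(
                f"{len(self._recent)} alerts in {self.window_seconds:.0f}s, "
                f"latest {alert.signature} from {alert.source}")
            return "paged"
        return "beeped"


def simulate_worm_burst(probe_count: int = 500, interval: float = 0.1) -> AlertConsole:
    """Constructed traffic (sample data, not a real capture): one quiet alert,
    then a burst of identical probes such as a worm scanning the network."""
    console = AlertConsole()
    console.handle(Alert(0.0, "203.0.113.7", "WEB-MISC cmd.exe access"))
    for i in range(probe_count):
        console.handle(Alert(1000.0 + i * interval, f"198.51.100.{i % 254 + 1}",
                             "WEB-IIS unicode directory traversal"))
    return console


if __name__ == "__main__":
    c = simulate_worm_burst()
    print(f"logged {len(c.log)}, beeped {c.beeps}, paged {len(c.pages)} time(s)")
    for p in c.pages:
        print("PAGE:", p)
```

With the defaults, the 500-probe burst is logged in full and beeps 500 times, but the pager fires once, on the twentieth probe, and the cooldown suppresses further pages for the rest of the burst. Tune `page_threshold` and `window_seconds` to the normal alert rate of the network being monitored.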
If the SO is not always around, or there is a reason for heightened security, some IDSes can be configured to respond to attacks automatically. This may be a simple e-mail or page as above, or a more active response that stops the attack in progress and then blocks that entry point.
Direct intervention to disrupt communications between an attacker and a victim is often called session sniping or knockdown: the IDS injects packets that tear down the connection which triggered the response. The most effective way to knock down a TCP connection is to forge packets with the TCP RST (reset) flag set and send them to one or both endpoints. For an endpoint to honour the reset, the forged packet must carry the connection's addresses and ports and an in-window sequence number, so the IDS has to be tracking the state of the connection it is cutting.
Other responses include reconfiguring the perimeter routers and firewalls to block the attacker's IP address, or to block the protocols being used. In severe cases it may be better to cut all communication to the targeted system than to let it be compromised. Further responses may include attempts to actively gather information about the attacker's host or site, or even to attack it in return. Again, we stress that you should seek legal advice before turning these functions on.
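An added example (in Python, not code from the article or from any IDS or firewall product) of the address-blocking response above, with the safeguards an operator wants before switching it on: a source is blocked only after repeated alerts, blocks expire rather than accumulating forever, and a never-block list protects addresses such as the organisation's own DNS servers or a partner's VPN endpoint. That last point matters because an IDS that blocks whatever source address appears in an alert can be turned against you: an attacker who spoofs the source address of a host you depend on can have the IDS cut that host off. The firewall itself is represented by a dictionary of rules; the alert stream and the addresses (RFC 5737 and RFC 1918 ranges) are constructed sample data.

```python
"""Automated active response with safeguards (added example, not a product's code).

Alerts from the IDS become firewall block decisions, subject to a strike
count, a time-to-live on every block, and a list of addresses that must
never be blocked automatically.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockRule:
    address: str
    reason: str        # signature that earned the block
    expires_at: float  # seconds since epoch


@dataclass
class ActiveResponder:
    never_block: list = field(default_factory=list)  # CIDR strings of protected hosts
    block_after: int = 3            # alerts from one source before it is blocked
    block_seconds: float = 3600.0   # blocks expire; permanent rules pile up forever
    rules: dict = field(default_factory=dict)      # address -> BlockRule (the "firewall")
    rejected: list = field(default_factory=list)   # (address, why) we declined to block
    _strikes: dict = field(default_factory=dict)   # address -> alerts seen so far

    def _protected(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        return any(ip in ipaddress.ip_network(n) for n in self.never_block)

    def on_alert(self, source: str, signature: str, now: float) -> str:
        """Decide what to do about one alert; returns the decision taken."""
        self.expire(now)
        if self._protected(source):
            # A spoofed alert naming a critical host must not knock it offline.
            self.rejected.append((source, "protected address"))
            return "ignored"
        if source in self.rules:
            # Still alerting while blocked: the rule is in place, nothing more to do.
            return "already_blocked"
        self._strikes[source] = self._strikes.get(source, 0) + 1
        if self._strikes[source] < self.block_after:
            return "counted"
        self.rules[source] = BlockRule(source, signature, now + self.block_seconds)
        self._strikes.pop(source, None)
        return "blocked"

    def expire(self, now: float) -> list:
        """Remove blocks whose time-to-live has passed; returns the addresses freed."""
        expired = [a for a, r in self.rules.items() if r.expires_at <= now]
        for a in expired:
            del self.rules[a]
        return expired


def run_scenario():
    """Constructed alert stream (sample data): a scanner that earns a block,
    an alert naming the corporate DNS server, and the block later expiring."""
    r = ActiveResponder(never_block=["192.0.2.0/24", "10.0.0.0/8"])
    results = []
    for t in (0.0, 1.0, 2.0, 3.0):
        results.append(r.on_alert("203.0.113.9", "SCAN nmap TCP", t))
    # Same signature, but the source is our own DNS server: refuse to block it.
    results.append(r.on_alert("192.0.2.53", "SCAN nmap TCP", 4.0))
    freed = r.expire(4000.0)   # more than block_seconds later
    return r, results, freed


if __name__ == "__main__":
    responder, decisions, freed = run_scenario()
    print("decisions:", decisions)
    print("rejected:", responder.rejected)
    print("freed on expiry:", freed)
```

Running the scenario gives the decisions `counted, counted, blocked, already_blocked, ignored`: the scanner is blocked on its third alert, the alert naming the DNS server is recorded but not acted on, and the block is released once its hour is up. In a real deployment the `rules` dictionary would be replaced by calls to the router or firewall's management interface, and the never-block list should cover every address whose loss would itself be an outage.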
How well do they work?
IDSes are used by many organisations, large and small, to protect their networks and systems. Any business that takes its security seriously should have an intrusion detection system as part of its security suite.
On their own, IDSes work fairly well, but they are often too late in detecting the problem and shut the gate just as the horse slips out. Implemented as one layer in a multi-layer security architecture (firewalls, access control and authentication mechanisms, monitoring tools, vulnerability scanners, IDSes and security training), they make penetration by external intruders more difficult while making intrusion prevention and detection somewhat easier.
Intrusion detection is needed because, in practice, firewalls cannot provide complete protection against intrusion. Experience teaches us never to rely on a single defensive line or technique. A firewall generally serves as an effective filter, stopping many attacks before they can enter an organisation's networks, but it is vulnerable to configuration errors and to ambiguous or undefined security policies. Firewalls are generally unable to protect against malicious mobile code, insider attacks, and unsecured internal networks and interfaces. They also rely on a central point through which all traffic flows, while the trend is towards geographically distributed networks in which inside and outside users traverse the same subnets, leaving no central point at which a firewall can monitor traffic.
The principle of Defence in Depth is well established in physical security, and it should apply equally in IT security.

You have misspelled organisation, authorised, unauthorised, analysing & analyse, which should be organization, authorized, unauthorized, analyzing & analyze. Just thought you should know; it doesn't look very good or very professional.