Intrusion Detection Systems

March 30, 2008

As a first line of defense, an intrusion detection system greatly enhances the security of your network. It monitors your network and host systems for suspicious behavior that can indicate that someone is trying to break in or damage a system. Because it monitors proactively, the detection system can immediately notify an administrator of the intrusion via paging or e-mail. Some detection systems can also respond on their own, either disconnecting suspicious network connections or turning off network services that are being attacked.

Two main types of intrusion detection systems exist:

Network-Based: A network-based system analyzes network traffic going in and out of your network. It can detect suspicious behavior that can indicate unauthorized access or network attacks against network hosts.

Host-Based: A host-based system protects one specific host or device. By analyzing incoming and outgoing network activity, and logging user logins and access, it can detect any possible attempts to compromise security.

Intrusion Detection Systems can be either active or passive. In an active detection system, intrusion attempts are dealt with immediately, by shutting down network connections or services that are being attacked. A passive detection system relies on notification to alert administrators of an intrusion.

A Network Intrusion Detection System (NIDS) typically consists of the following components:

Detector Agent: The detection agents of an intrusion detection system are usually physically installed in the network, attached to core network devices such as routers, firewalls, and switches. Detection agents can also be software agents that use network management protocols, such as Simple Network Management Protocol (SNMP). They simply collect the data passing through the network and send it on to the network monitor for analysis.

Monitor: The network monitor is fed information from the detection agents and analyzes the network activity for suspicious behavior. This is the heart of the intrusion detection system: it collects information from the network, analyzes it, and then uses the notification system to warn of any problems.

Notification System: The notification system delivers alerts and alarms to the administrator. Once the network monitor recognizes a threat, it writes to a log file and uses the notification system to send an alert, such as an e-mail or a page, to the administrator. The notification system is usually configurable, allowing for a variety of communication methods.
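As an added example (not code from the original post), the following toy Python model wires the three components together with one simplified detection rule and shows the difference between passive and active handling. The connection records, IP addresses and the port threshold are constructed for illustration; a real NIDS would read packets from a tap or mirror port rather than from a list.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, source IP, destination IP, destination port).
# 10.0.0.5 probes six ports in five seconds; 10.0.0.7 makes ordinary HTTPS requests.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "10.0.0.10", 21), (1, "10.0.0.5", "10.0.0.10", 22),
    (1, "10.0.0.7", "10.0.0.10", 443), (2, "10.0.0.5", "10.0.0.10", 23),
    (2, "10.0.0.5", "10.0.0.10", 25), (3, "10.0.0.7", "10.0.0.10", 443),
    (3, "10.0.0.5", "10.0.0.10", 80), (4, "10.0.0.5", "10.0.0.10", 443),
]

class NotificationSystem:
    """Writes each detection to a log and fans it out to the configured channels."""
    def __init__(self, channels=("log",)):
        self.channels, self.log = channels, []
    def notify(self, message):
        self.log.append(message)
        return [f"{ch}: {message}" for ch in self.channels]  # e.g. e-mail, pager

class Monitor:
    """Heart of the IDS: keeps per-source state and applies the detection rule.
    Simplified rule: one source touching more than max_ports distinct ports on
    one destination within `window` seconds is flagged as a possible port scan."""
    def __init__(self, notifier, max_ports=4, window=10, active=False):
        self.notifier, self.max_ports = notifier, max_ports
        self.window, self.active = window, active
        self.seen = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
        self.blocked, self.alerts = set(), []
    def analyze(self, ts, src, dst, port):
        if src in self.blocked:          # active mode already cut this source off
            return
        hist = self.seen[(src, dst)]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > self.window:   # expire old records
            hist.popleft()
        ports = {p for _, p in hist}
        if len(ports) > self.max_ports:
            msg = f"possible port scan from {src} against {dst}: {sorted(ports)}"
            self.alerts.append(msg)
            self.notifier.notify(msg)    # passive: alert and log only
            if self.active:              # active: also drop the offending source
                self.blocked.add(src)
            hist.clear()                 # do not re-alert on the same burst

class DetectorAgent:
    """Sits at the chokepoint, collects records and hands them to the monitor."""
    def __init__(self, monitor):
        self.monitor = monitor
    def observe(self, records):
        for rec in records:
            self.monitor.analyze(*rec)

def run_ids(events, active=False):
    """Wire the components together; returns (alert messages, blocked sources)."""
    monitor = Monitor(NotificationSystem(("log", "email")), active=active)
    DetectorAgent(monitor).observe(events)
    return monitor.alerts, sorted(monitor.blocked)
```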

To protect the entire network, an intrusion detection system is usually located at a central point, such as a main router, switch or firewall system. A detection system can only monitor what it sees, so placing it further down in the system lessens the chance of finding intrusions, especially because your firewall and routers are the entry points to the network.
