Jobs & Careers | Warranty & Testing | Privacy Policy | Asset Recovery Services

Buy Juniper & Cisco Equipment Online

Used Cisco | Used Extreme | Used Foundry | Used Nortel | New Force10 | New F5 Networks | New Juniper | Used HP

Search Telecom and Network EquipmentProduct SpecialsAwardsForumsCompany InformationPress ReleasesComputer & Technology ArticlescertificationsWe Sell to GovernmentContact Us

Bookmark and Share |

Jump to Telecom Equipment

Request a Free Quote

Sell to us or Recycle your Equipment

Watch Company Virtual Tour

Top Networking Brands
Networking Products

Understanding Intrusion Detection Systems

You can request a quote for Cisco Intrusion Detection Systems or Juniper Intrusion Detection Systems from Network Liquidators.

Page:  1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 or Go To our Certification Articles Section

In Information Security, intrusion detection is the process of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When Intrusion detection takes a preventive measure without direct human intervention, then it becomes an Intrusion-prevention system.

Intrusion detection can be performed manually or automatically. Manual intrusion detection might take place by examining log files or other evidence for signs of intrusions, especially with network traffic. A system that performs automated intrusion detection is called an Intrusion Detection System (IDS). An IDS can be either host-based, if it monitors system calls or logs, or network-based if it monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches. Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems), and systems that compare activities against a 'normal' baseline (anomaly detection systems).

An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.[1] In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment When a likely intrusion is discovered by an intrusion detection system, typical actions to perform would be logging relevant information to a text file or database, generating an email alert or generating a message to mobile phone or blackberry. Juniper SRX Firewalls have an extended package that allows intrusion detection. However, this feature is at an additional cost and is not built in the core package.

Determining what the probable intrusion actually is and taking some form of action to stop it or prevent it from happening again are usually outside the scope of intrusion detection. However, some forms of automatic reaction can be implemented through the interaction of Intrusion Detection Systems and access control systems such as firewalls.

Some authors classify the identification of attack attempts at the source system as extrusion detection (also known as outbound intrusion detection) techniques.

Small networks to large networks need some form of intrusion detection system. The cost of having your network compromised could allow a malicious attacker to steal financial data, download company secrets or cause all sorts of chaos. Your network administrator should research all the features of an IDS system to ensure he is up to speed in how that device works. Different manufacturers will have different features, usage and setup.

Types of Intrusion Detection Systems

Network intrusion detection system (NIDS) - It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors captures all network traffic and analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort.

Host-based intrusion detection system (HIDS) - It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.

How do Intrusion Detection Systems compare to Firewalls?

We know they both create network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

Common IDS Definitions

  • Alert/Alarm: A signal suggesting that a system has been or is being attacked.
  • True Positive: A legitimate attack which triggers an IDS to produce an alarm.
  • False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
  • False Negative: A failure of an IDS to detect an actual attack.
  • True Negative: When no attack has taken place and no alarm is raised.
  • Noise: Data or interference that can trigger a false positive.
  • Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
  • Site policy awareness: The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.
  • Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
  • Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
  • Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
  • Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
  • Misfeasor: They are commonly internal users and can be of two types: An authorized user with limited permissions or a user with full permissions and who misuses their powers.
  • Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.


About the Author - Admin: The Admin is a true IDS operative. That is all you need to know.

Page:  1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 or Go To our Certification Articles Section

You are Viewing article understanding intrusion detection systems

Site Navigation

Home
Cisco
Extreme
Foundry
Force10
HP
Nortel

Used Compaq
F5 Networks
Juniper
Search
Contact
Forums

Definitions

Copyright © 2012 Network Liquidators ®. All rights reserved.

Contact Information

Office: 813.852.6400
Email: sales@nweq.com
Oldsmar, FL 34677