Guide to Network Defense and Countermeasures, Second Edition
Chapter 7: Intrusion Detection System Concepts
Transcript of slide deck, posted 19-Dec-2015
Guide to Network Defense and Countermeasures, Second Edition 2
Objectives
• Identify the components of an intrusion detection system
• Explain the steps of intrusion detection
• Describe options for implementing intrusion detection systems
• Evaluate different types of IDS products
Examining Intrusion Detection System Components
• Network intrusion
  – Attempt to gain unauthorized access to network resources
• Intrusion Detection System (IDS)
  – Consists of more than one application or hardware device
  – Incorporates more than just detection
• Intrusion detection
  – Involves prevention, detection, and response
Examining Intrusion Detection System Components (continued)
• Components
  – Network sensors
  – Alert systems
  – Command console
  – Response system
  – Database of attack signatures or behaviors
Network Sensors
• Sensor
  – Electronic “eyes” of an IDS
  – Hardware or software that monitors traffic in your network and triggers alarms
  – Attacks detected by an IDS sensor
    • Single-session attacks
    • Multiple-session attacks
• IDS types
  – Host-based IDS
  – Network-based IDS
Network Sensors (continued)
• Sensors should be placed at common entry points
  – Internet gateways
  – Connections between one LAN and another
  – Remote access server that receives dial-up connections from remote users
  – Virtual private network (VPN) devices
• Management program controls sensors
• Sensors can be positioned on either side of the firewall
  – Behind the firewall is a more secure location
Alert Systems
• Trigger
  – Circumstances that cause an alert message to be sent
• Types of triggers
  – Detection of an anomaly
  – Detection of misuse
Alert Systems (continued)
• Anomaly detection
  – Requires you to make use of profiles
    • For each authorized user or group of users
    • Describe services and resources normally accessed by users
  – Some IDSs can create user profiles
    • During a “training period”
  – Accuracy problems
    • False negatives
    • False positives
Alert Systems (continued)
• Misuse detection
  – Triggers alarms based on characteristic signatures of known attacks
  – IDS comes equipped with a set of signatures
    • Can start protecting the network immediately
  – Needs to maintain state information
• Other detection mechanisms
  – Traffic rate monitoring
  – Protocol state tracking
  – IP packet reassembly
Command Console
• Provides a graphical front-end interface to an IDS
  – Enables administrators to receive and analyze alert messages and manage log files
• IDS can collect information from security devices throughout a network
• Command console should run on a computer dedicated solely to the IDS
  – To maximize the speed of response
Response System
• IDS can be set up to take some countermeasures
• Response systems do not substitute for network administrators
  – Administrators can use their judgment to distinguish a false positive
  – Administrators can determine whether a response should be escalated
    • Increased to a higher level
Database of Attack Signatures or Behaviors
• IDSs don’t have the capability to use judgment
  – Can make use of a source of information for comparing the traffic they monitor
• Misuse detection
  – References a database of known attack signatures
  – If traffic matches a signature, it sends an alert
  – Keep database updated
  – Passive detection mode
• Anomaly-based IDS
  – Stores information about users in a database
Examining Intrusion Detection Step by Step
• Steps
  – Installing the IDS database
  – Gathering data
  – Sending alert messages
  – The IDS responds
  – The administrator assesses damage
  – Following escalation procedures
  – Logging and reviewing the event
Step 1: Installing the IDS Database
• IDS uses the database to compare traffic detected by sensors
• Anomaly-based systems
  – Require a training period (over a week)
  – IDS observes traffic and compiles a network baseline
• Misuse-based IDS
  – Can use database immediately
  – You can provide it with your own database
Step 2: Gathering Data
• Network sensors gather data by reading packets
• Sensors need to be positioned where they can capture all packets
  – Sensors on individual hosts capture information that enters and leaves the host
  – Sensors on network segments read packets as they pass through the segment
• Sensors on network segments cannot capture all packets
  – If traffic levels become too heavy
Step 3: Sending Alert Messages
• Sensors capture packets
• IDS software compares captured packets with information in its database
• IDS sends alert messages
  – If captured packets match an attack signature, or
  – Deviate from normal network behavior
Step 4: The IDS Responds
• Command console receives alert messages
  – Notifies the administrator
• IDS can be configured to take actions when a suspicious packet is received
  – Send an alarm message
  – Drop the packet
  – Stop and restart network traffic
Step 5: The Administrator Assesses Damage
• Administrator monitors alerts
  – And determines whether countermeasures are needed
• Administrator needs to fine-tune the database
  – The goal is avoiding false negatives
• Line between acceptable and unacceptable network use is not always clear
Step 6: Following Escalation Procedures
• Escalation procedures
  – Set of actions to be followed if the IDS detects a true positive
• Should be spelled out in the company’s security policy
• Incident levels
  – Level One
    • Might be managed quickly
  – Level Two
    • Represents a more serious threat
  – Level Three
    • Represents the highest degree of threat
Step 7: Logging and Reviewing the Event
• IDS events are stored in log files
  – Or databases
• Administrator should review logs
  – To determine patterns of misuse
  – Administrator can spot a gradual attack
• IDS should also provide accountability
  – Capability to track an attempted attack or intrusion back to the responsible party
  – Some systems have built-in tracing features
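The seven steps above, together with the anomaly and misuse triggers from the Alert Systems slides, carried through as a small detector: a signature database, a per-user profile compiled in a training period, alerts tagged with an incident level, and a log reviewed per source. This is an added example, not code from the textbook; the Flow record format, the signatures, the user profiles, the addresses and the level mapping are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """One captured connection as a sensor summarises it (constructed record format)."""
    user: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""

# Misuse database of constructed signatures (not real Snort rules): (rule, port, pattern, level).
SIGNATURES = [
    ("backdoor-port-connect", 31337, b"", 3),  # Level Three: highest degree of threat
    ("web-dir-traversal", 80, b"../", 2),      # Level Two: more serious threat
]

class AnomalyProfile:
    """Per-user profile of services normally accessed, compiled in a training period."""
    def __init__(self):
        self.ports = defaultdict(set)
        self.trained = False

    def train(self, flows):
        # Step 1: observe traffic and build the baseline; no alerts are raised here.
        for f in flows:
            self.ports[f.user].add(f.dport)
        self.trained = True

    def is_anomalous(self, f):
        # A deviation is a profiled user reaching a service never seen in training;
        # users absent from the profile are not judged by this path at all.
        return self.trained and f.user in self.ports and f.dport not in self.ports[f.user]

def match_signatures(f):
    """Misuse detection: every (rule, level) pair in the database the flow matches."""
    hits = []
    for name, port, pattern, level in SIGNATURES:
        if f.dport != port:
            continue
        if pattern and pattern not in f.payload:
            continue
        hits.append((name, level))
    return hits

def analyze(flows, profile, log):
    """Steps 3 and 4: compare each flow with the database, alert, and record the alert."""
    alerts = []
    for f in flows:
        for name, level in match_signatures(f):
            alerts.append({"kind": "misuse", "rule": name, "level": level, "src": f.src})
        if profile.is_anomalous(f):
            # Anomalies start at Level One: a new service may be legitimate use, so the
            # administrator's judgment decides whether this is a false positive.
            alerts.append({"kind": "anomaly", "rule": f"{f.user} new port {f.dport}",
                           "level": 1, "src": f.src})
    log.extend(alerts)  # Step 7: every alarmed event is kept for later review
    return alerts

def escalation_level(alerts):
    """Step 6: the incident level the escalation procedure should follow (0 = none)."""
    return max((a["level"] for a in alerts), default=0)

def review_log(log):
    """Step 7: alerts per source address, the view that exposes a gradual attack."""
    counts = defaultdict(int)
    for a in log:
        counts[a["src"]] += 1
    return dict(counts)

def run_example():
    # Constructed training traffic: what alice and bob normally do.
    profile = AnomalyProfile()
    profile.train([Flow("alice", "10.0.0.5", "10.0.1.10", 80), Flow("alice", "10.0.0.5", "10.0.1.10", 443),
                   Flow("bob", "10.0.0.6", "10.0.1.20", 445)])
    # Constructed live traffic after the training period.
    live = [
        Flow("alice", "10.0.0.5", "10.0.1.10", 80, b"GET /index.html"),        # normal use
        Flow("alice", "10.0.0.5", "10.0.1.10", 80, b"GET /../../etc/passwd"),  # signature match
        Flow("bob", "10.0.0.6", "10.0.1.20", 22, b"SSH-2.0-client"),            # deviation from profile
        Flow("mallory", "203.0.113.9", "10.0.1.20", 31337),                    # signature match
    ]
    log = []
    alerts = analyze(live, profile, log)
    return alerts, escalation_level(alerts), review_log(log)
```

Note that mallory never appears in the profile, so only the signature path catches that flow: an anomaly-based system alone would have stayed silent, which is the gap the hybrid approach later in the chapter closes.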
Options for Implementing Intrusion Detection Systems
• Network-based IDS
• Host-based IDS
• Hybrid implementations
Network-Based Intrusion Detection Systems
• Locating an NIDS on the network
  – Network-based IDS (NIDS)
    • Monitors network traffic
  – Common locations for NIDS sensors
    • Behind the firewall and before the LAN
    • Between the firewall and the DMZ
    • Any network segment
  – Management and analysis software must be installed on a dedicated computer
  – Positioning sensors at the network perimeter
    • Enables IDS to sniff traffic
Network-Based Intrusion Detection Systems (continued)
• Advantages and disadvantages of NIDS
  – NIDS handles a high volume of traffic
  – Requires dedicated hardware appliance
Host-Based Intrusion Detection Systems
• Host-based IDS (HIDS)
  – Deployed on a host in the LAN
    • Protected by the firewall
  – Evaluates traffic generated by the host
  – Gathers system variables such as
    • System processes
    • CPU use
    • File accesses
  – Does not sniff packets as they enter the LAN
Host-Based Intrusion Detection Systems (continued)
• Configuring an HIDS
  – Centralized configuration
    • HIDS sends all data to a central location
    • Host’s level of performance is unaffected by the IDS
    • Alert messages that are generated do not occur in real time
  – Distributed configuration
    • Processing of events is distributed between host and console
    • Host generates and analyzes data in real time
    • Performance reduction on host
Host-Based Intrusion Detection Systems (continued)
• Choosing the host computer
  – Centralized configuration
    • RAM, hard disk space, and processor speed requirements are minimal
  – Distributed configuration
    • Host should be equipped with maximum memory and processor speed
Host-Based Intrusion Detection Systems (continued)
• Advantages and disadvantages of HIDSs
  – Advantages
    • Detect events on host systems
    • Can process encrypted traffic
    • Not affected by use of switched network protocols
    • Can compare records stored in audit logs
Host-Based Intrusion Detection Systems (continued)
  – Disadvantages
    • More management issues
    • Vulnerable to direct attacks and attacks against host
    • Susceptible to some denial-of-service attacks
    • Can use large amounts of disk space
    • Could cause increased performance overhead on host
Hybrid IDS Implementations
• Hybrid IDS
  – Combines the features of HIDSs and NIDSs
    • Gains flexibility and increases security
• Combining IDS sensor locations
  – Put sensors on network segments and network hosts
  – Can report attacks aimed at particular segments or the entire network
Hybrid IDS Implementations (continued)
• Combining IDS detection methods
  – IDS combines anomaly and misuse detection
  – Database enables IDS to run immediately
  – Anomaly-based systems keep the alert system flexible
  – Can respond to the latest, previously unreported attacks
    • Both external and internal attacks
  – Administrators have more configuration and coordination work to do
Hybrid IDS Implementations (continued)
• Shim IDS
  – Acts like a type of NIDS
  – Involves sensors being distributed around a network
    • Data collected by sensors is sent to a central location
  – Sensors are installed in selected hosts and network segments
    • Those that require special protection
Hybrid IDS Implementations (continued)
• Distributed IDS (DIDS)
  – Multiple IDS devices are deployed on a network
  – Reduces response time
  – Two popular DIDSs
    • myNetWatchman
    • DShield
Hybrid IDS Implementations (continued)
• Advantages
  – Combine aspects of NIDS and HIDS configurations
  – Can monitor network as a whole
  – Can monitor attacks that reach individual hosts
• Disadvantages
  – Need to get disparate systems to work in a coordinated fashion
  – Data gathered by multiple systems can be difficult to absorb and analyze
Evaluating Intrusion Detection Systems
• Survey various options and match them to your needs
• Review the topology of your network, identifying
  – Number of entry points
  – Use of firewalls
  – Number of network segments
• Evaluating IDSs can be time consuming
Freeware NIDS: Snort
• Ideal for monitoring traffic on a small network or individual host
  – Does not consume extensive system resources
• Intended for installation on a computer at the network perimeter
• Comes with a collection of rule files
• Separate rules exist for
  – Port scans
  – Back door attacks
  – Web attacks
Commercial HIDS: Norton Internet Security
• Firewall designed to protect a home-based standalone computer
  – Or a computer on a small network
• Contains a limited number of intrusion detection features
  – Blocks port scans
  – Blocks attack attempts on ports used by known Trojan programs
• Can be trained to identify normal network use
• Alert messages appear as pop-up windows
IDS Hardware Appliances
• Can handle more network traffic
  – Have better scalability than software IDSs
• Plug-and-play capabilities
  – One of their major advantages
  – Do not need to be configured to work with a particular OS
• Examples
  – iForce
  – Intrusion SecureNet
  – StealthWatch G1
IDS Hardware Appliances (continued)
• You should create a custom configuration
  – To reduce the number of false positives and false negatives
• Upgrade appliances periodically
  – Can be complicated and expensive
Summary
• Intrusion Detection System (IDS)
  – Supplementary line of defense behind firewalls and antivirus software
• IDS components
  – Network sensors
  – Alert messages
  – Command console
  – Response system
  – Database of signatures
Summary (continued)
• IDS steps
  – Install set of attack signatures
  – Sensors monitor packets
  – IDS responds
• False positives are highly likely
  – Require administrators to fine-tune the system
  – If the attack is genuine, escalation procedures should be followed
• IDS logs alarmed events
  – They can be reviewed later
Summary (continued)
• IDS implementation
  – Network-based IDS (NIDS)
  – Host-based IDS (HIDS)
  – Hybrid IDS
  – Shim IDS
  – Distributed IDS (DIDS)
• Types of IDS products
  – Open-source IDSs such as Snort
  – Commercial firewalls such as Norton Internet Security
  – IDS hardware appliances