My TechnoBlogs

For those who can create wonders with Technology……

Intrusion Detection System

Posted by Ravi shankar on March 2, 2009

Intrusion Detection System:

An IDS is software or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling a computer system, mainly through the network. It is used to detect several types of malicious behaviour that can compromise the security and trust of the system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorised logins and access to sensitive files, and malware (viruses, trojan horses and worms).

An IDS is composed of several components:
-Sensor:    generates the security events
-Console:    monitors events and alerts, and controls the sensor
-Central Engine:    records the events logged by the sensor in a database and uses a system of rules to generate alerts from the security events received.

There are several ways to categorise an IDS, depending on the type and location of the sensor and the methodology the engine uses to generate alerts. In many simple IDS implementations the three components are combined in a single device or appliance.

Types of IDS:

Network IDS (NIDS): It identifies intrusions by examining network traffic and monitors multiple hosts. A NIDS gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. Ex: Snort

Protocol-based IDS (PIDS): The system is placed at the front end of a server, monitoring and analysing the communication protocol between a connected device and the server.
For a web server this would typically monitor the HTTPS stream and understand the HTTP protocol relative to the web server/system. When HTTPS is in use, the system resides in the "shim" or interface where HTTPS is decrypted, immediately before the traffic enters the web presentation layer; it cannot inspect the still-encrypted stream on the wire.

Application Protocol-based IDS (APIDS): It consists of a system or agent that would typically sit within a group of servers, monitoring and analysing the communication on an application-specific protocol. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

Host-based IDS (HIDS): It consists of an agent on a host which identifies intrusions by analysing system calls, application logs, file system modifications (binaries, password files, capability/ACL databases) and other host-related activities and state. An example of a HIDS is OSSEC.
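The file-system-modification check mentioned above is the core of what a HIDS such as OSSEC or Osiris does for binaries and password files. The following is an added example, not code from OSSEC, Osiris or the original post: it builds a baseline of SHA-256 digests for a directory tree, then reports files that were modified, added or removed since the baseline. The directory contents (a constructed passwd file and fake ELF binaries) are created in a temporary folder so the example runs offline.

```python
"""Toy HIDS file-integrity check (added example, not OSSEC code).

Builds a baseline of SHA-256 digests for every regular file under a
directory, then compares a later scan against it.  The sample tree is
constructed in a temporary directory purely for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: an attacker edits the password file, drops a
    backdoor binary and deletes a system tool.  Returns the compare() result."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        bin_ = Path(tmp, "bin")
        etc.mkdir()
        bin_.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (bin_ / "ls").write_bytes(b"\x7fELF-constructed-sample")
        baseline = build_baseline(tmp)  # taken while the host is known-good

        # Tampering: add a UID-0 user, drop a new binary, remove a tool.
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n"
        )
        (bin_ / "backdoor").write_bytes(b"\x7fELF-constructed-sample-2")
        (bin_ / "ls").unlink()

        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

Two practical caveats: the baseline itself must be stored where a root-level intruder cannot rewrite it (off-host, or signed), or the check proves nothing; and a digest-only check misses changes to ownership, mode and extended attributes, which real agents also record.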

Hybrid IDS: It combines two or more approaches. Host agent data is combined with the network information to form a comprehensive view of the network. An example of a hybrid IDS is Prelude.

Passive system vs Reactive system:

In a passive system the IDS sensor detects a potential breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an IPS (Intrusion Prevention System), the IDS responds to suspicious activity by resetting the connection or reprogramming the firewall to block network traffic from the malicious source. This can happen automatically or on the command of the operator.

A system which terminates connections is called an IPS and, when deployed inline, is another form of application-layer firewall. The term IDPS is commonly used to refer to a hybrid security system that both detects and prevents.

An IDS uses one or both of two detection techniques: statistical anomaly-based and/or signature-based.

Statistical anomaly-based IDS: A statistical anomaly-based IDS establishes a performance baseline from an evaluation of normal network traffic. It then compares sampled traffic activity against this baseline to determine whether or not it is within the baseline parameters. If the sampled traffic is not within the baseline parameters, an alarm is triggered. The trade-off is that the baseline must be learned on clean traffic, and legitimate changes in behaviour produce false positives.

Signature-based IDS: Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, the collection of these signatures must be constantly updated to mitigate emerging threats; an attack with no signature yet goes undetected.
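To make the two detection techniques above, and the passive/reactive distinction, concrete, here is an added example that is not part of the original post and is not Snort code. It runs a signature pass (a name plus a regular expression, the same idea as a Snort content or pcre match) and a statistical anomaly pass (per-source request counts compared against a learned baseline by z-score) over a constructed set of HTTP events, then either just returns the alerts (passive) or additionally returns the firewall commands it would issue (reactive). The event list, baseline counts, signatures and threshold are all assumptions for illustration; the firewall commands are returned as strings rather than executed so the example is safe to run anywhere.

```python
"""Toy NIDS engine: signature matching plus statistical anomaly detection.

Added example, not from the original post and not Snort's own code.  All
events, rules and baseline numbers are constructed for illustration.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed sample events: (source IP, destination port, payload).
# 10.0.0.9 sends one traversal attempt and then floods the server.
SAMPLE_EVENTS = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "GET /about.html HTTP/1.1"),
    ("10.0.0.7", 80, "GET /login.php?user=admin' OR '1'='1 HTTP/1.1"),
    ("10.0.0.9", 80, "GET /cgi-bin/../../../../etc/passwd HTTP/1.1"),
    ("10.0.0.7", 80, "GET /index.html HTTP/1.1"),
] + [("10.0.0.9", 80, f"GET /page{i} HTTP/1.1") for i in range(40)]

# Signature rules (assumed, deliberately simple): a name and a regex,
# analogous to a Snort "content"/"pcre" match.
SIGNATURES = [
    ("SQL injection attempt", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I)),
    ("Directory traversal", re.compile(r"\.\./\.\./")),
]


@dataclass
class Alert:
    source: str
    reason: str


def signature_scan(events):
    """One Alert per event whose payload matches a known signature."""
    alerts = []
    for src, _port, payload in events:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append(Alert(src, f"signature: {name}"))
    return alerts


def anomaly_scan(events, baseline_counts, threshold=3.0):
    """Flag sources whose request count lies more than `threshold` standard
    deviations above the mean of the baseline.  `baseline_counts` is the
    list of per-source request counts observed during normal operation."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # avoid divide-by-zero
    observed = Counter(src for src, _port, _payload in events)
    return [
        Alert(src, f"anomaly: {count} requests vs baseline mean {mean:.1f}")
        for src, count in observed.items()
        if (count - mean) / stdev > threshold
    ]


def respond(alerts, reactive=False):
    """Passive mode returns only the alerts.  Reactive (IPS-style) mode also
    returns the firewall commands it would issue; they are returned as
    strings, not executed."""
    actions = []
    if reactive:
        for src in sorted({a.source for a in alerts}):
            actions.append(f"iptables -A INPUT -s {src} -j DROP")
    return alerts, actions


def run_ids(events=SAMPLE_EVENTS, baseline=(2, 3, 2, 4, 3, 2), reactive=False):
    """Run both detection passes and hand the result to the response stage."""
    alerts = signature_scan(events) + anomaly_scan(events, list(baseline))
    return respond(alerts, reactive)


if __name__ == "__main__":
    found, actions = run_ids(reactive=True)
    for a in found:
        print(f"[ALERT]  {a.source}: {a.reason}")
    for cmd in actions:
        print(f"[ACTION] {cmd}")
```

Note how the two passes complement each other: the flood from 10.0.0.9 matches no signature and is only caught by the anomaly pass, while the single SQL injection request from 10.0.0.7 is statistically unremarkable and is only caught by the signature pass. Note also the risk the reactive mode carries: if an attacker spoofs a source address, the automatic block can be turned into a denial of service against a legitimate host, which is why many deployments keep an operator in the loop for blocking decisions.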

Free IDS:
Snort, Endian Firewall, Untangle, Bro NIDS, Prelude Hybrid IDS, Osiris HIDS, OSSEC HIDS, Flowmatrix

Professional IDS:
Sourcefire


One Response to “Intrusion Detection System”

  1. Phishing For Your Identity Who hasn’t received an email directing them to visit a familiar website where they are being asked to update their personal information? The website needs you to verify or update your passwords, credit card numbers, social security number, or even your bank account number. You recognize the business name as one that you’ve conducted business with in the past. So, you click on the convenient “take me there” link and proceed to provide all the information they have requested. Unfortunately, you find out much later that the website is bogus. It was created with the sole intent to steal your personal information. You, my friend, have just been “phished”. Phishing (pronounced as “fishing”) is defined as the act of sending an email to a recipient falsely claiming to have an established, legitimate business. The intent of the phisher is to scam the recipient into surrendering their private information, and ultimately steal your identity. It is not as easy as you think to spot an email phishing for information. At first glance, the email may look like it is from a legitimate company. The “From” field of the e-mail may have the .com address of the company mentioned in the e-mail. The clickable link even appears to take you to the company’s website, when in fact, it is a fake website built to replicate the legitimate site. Many of these people are professional criminals. They have spent a lot of time in creating emails that look authentic. Users need to review all emails requesting personal information carefully. When reviewing your email remember that the “From” field can be easily changed by the sender. While it may look like it is coming from a .com you do business with, looks can be deceiving. Also keep in mind that the phisher will go all out in trying to make their email look as legitimate as possible. They will even copy logos or images from the official site to use in their emails.
Finally, they like to include a clickable link that the recipient can follow to conveniently update their information. A great way to check the legitimacy of the link is to point at the link with your mouse. Then, look in the bottom left hand screen of your computer. The actual website address to which you are being directed will show up for you to view. It is a very quick and easy way to check if you are being directed to a legitimate site. Finally, follow the golden rule. Never, ever, click the links within the text of the e-mail, and always delete the e-mail immediately. Once you have deleted the e-mail, empty the trash box in your e-mail accounts as well. If you are truly concerned that you are missing an important notice regarding one of your accounts, then type the full URL address of the website into your browser. At least then you can be confident that you are, in fact, being directed to the true and legitimate website. Pachuca Press
