My TechnoBlogs

For those who can create wonders with Technology……

Location of IDS in the network

Posted by Ravi shankar on March 2, 2009

In Intrusion detection, the components are general purpose components and may vary in terms of the processing of data that they collect. There are events correlation mechanism and attack signature database in the heart of each IDS. These components are used to distinguish IDSes from network monitor. The event correlation mechanism are either arranged as a filter that works by the matching packets contents with the known attack pattern, or operate in a somewhat more sophisticated intelligent manner, detecting network abnormalities and abuse.
This is nearly always a utility or sensor that operates in promiscuous mode. This mode name implies that the network card “listens” to all packets being sent in so called collision domain. This means that this group of packets does not include the audit file processing system that are associated with their work, that resides on the server.
When deploying either distributed or centralized IDS attention should be paid to follow the same guidelines as those used by experts who are responsible for installing the sensor being guided by the common sense and well thought out and balanced security policy.

To attempt to consider a suitable location for the distributed IDS engine, the first decision that must be made is to configure the computer to accomodate the IDS application. The workstation to install an IDS on, should be hidden to make it difficult for intruder to trace. The trick is that one should configure the system so that it should not respond to any incoming packets. In addition one should protect the system by adding  firewall to the computer. An IDS should reside in a collision domain, which means all the device within such a domain should have same address called the broadcast address and must not be isolated by switches. The IDS will perform perform well if it is within the same domain as the firewall. This is particulary important where large private network are concernes.

Designers started to develop system with arrayed sensor. Such sensor can be installed throughout a private network on the server and client workstation to collect and redirect information to the selected central location where the information is processed in accordance with the preestablished rules. The potential intruders who either manages to get inside a private network or who will attack from inside may deduct on seeing large number of checking packets directed towars a single address, that this network host an IDS. It may also detect the IDS and freeze its acitivty. It is therefore considerably important to provide security criticical points with a traditional solution ie. to tie a seperate undetectable workstation having a local IDS into the network.

An IDS-Firewall Interaction:

A IDS excels at detecting break in events, so it is complimentary to firewall to possibly reconfigure the firewall rules. The advantage is obvious- a successful intruder who had used a system flaw to penetrate the network may be automatically blocked at the firewall. Different opinion exist on where an IDS has to sit-ie. upstream or downstream from the firewall. But it is a secondary matter, as even if the firewall is placed behind the firewall and will not audit all incoming packets, the firewall itself may be taken over its activity by registering suspicious packets. The only problem may appear with the event correlation, since a certain portion of the unwanted packets may get inside the network whilst another portion may be blocked by the firewall. Frequently the IDS and Firewall is installed on the same machine.

A simple trap to catch the intruder:
There are two IDS devices: one sits between a perimeter router and firewall and another inside the network trap. The first firewall’s task is to detect an attack and reconfigure the firewall rules so that each packet being sent by a potential intruder will be securely traped. Here another IDS watches intuder activities and collects the proof for further analysis or possible criminal prosecution. Naturally registering the intruder attempts is possible when a server residing on the network trap is attacked . A well configured IDS will remain invisible for him and will quickly and silently be able to identify what is going on.

Advertisements

One Response to “Location of IDS in the network”

  1. Phishing For Your Identity Who hasn’t received an email directing them to visit a familiar website where they are being asked to update their personal information? The website needs you to verify or update your passwords, credit card numbers, social security number, or even your bank account number. You recognize the business name as one that you’ve conducted business with in the past. So, you click on the convenient “take me there” link and proceed to provide all the information they have requested. Unfortunately, you find out much later that the website is bogus. It was created with the sole intent to steal your personal information. You, my friend, have just been “phished”. Phishing (pronounced as “fishing”) is defined as the act of sending an email to a recipient falsely claiming to have an established, legitimate business. The intent of the phisher is to scam the recipient into surrendering their private information, and ultimately steal your identity. It is not at easy as you think to spot an email phishing for information. At first glance, the email may look like it is from a legitimate company. The “From” field of the e-mail may have the .com address of the company mentioned in the e-mail. The clickable link even appears to take you to the company’s website, when in fact, it is a fake website built to replicate the legitimate site. Many of these people are professional criminals. They have spent a lot of time in creating emails that look authentic. Users need to review all emails requesting personal information carefully. When reviewing your email remember that the “From Field” can be easily changed by the sender. While it may look like it is coming from a .com you do business with, looks can be deceiving. Also keep in mind that the phisher will go all out in trying to make their email look as legitimate as possible. They will even copy logos or images from the official site to use in their emails. Finally, they like to include a clickable link that the recipient can follow to conveniently update their information. A great way to check the legitimacy of the link is to point at the link with your mouse. Then, look in the bottom left hand screen of your computer. The actual website address to which you are being directed will show up for you to view. It is a very quick and easy way to check if you are being directed to a legitimate site. Finally, follow the golden rule. Never, ever, click the links within the text of the e-mail, and always delete the e-mail immediately. Once you have deleted the e-mail, empty the trash box in your e-mail accounts as well. If you are truly concerned that you are missing an important notice regarding one of your accounts, then type the full URL address of the website into your browser. At least then you can be confident that you are, in fact, being directed to the true and legitimate website. Pachuca Press

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: