Location of IDS in the network

In Intrusion detection, the components are general purpose components and may vary in terms of the processing of data that they collect. There are events correlation mechanism and attack signature database in the heart of each IDS. These components are used to distinguish IDSes from network monitor. The event correlation mechanism are either arranged as a filter that works by the matching packets contents with the known attack pattern, or operate in a somewhat more sophisticated intelligent manner, detecting network abnormalities and abuse.
This is nearly always a utility or sensor that operates in promiscuous mode. This mode name implies that the network card “listens” to all packets being sent in so called collision domain. This means that this group of packets does not include the audit file processing system that are associated with their work, that resides on the server.
When deploying either distributed or centralized IDS attention should be paid to follow the same guidelines as those used by experts who are responsible for installing the sensor being guided by the common sense and well thought out and balanced security policy.

To attempt to consider a suitable location for the distributed IDS engine, the first decision that must be made is to configure the computer to accomodate the IDS application. The workstation to install an IDS on, should be hidden to make it difficult for intruder to trace. The trick is that one should configure the system so that it should not respond to any incoming packets. In addition one should protect the system by adding  firewall to the computer. An IDS should reside in a collision domain, which means all the device within such a domain should have same address called the broadcast address and must not be isolated by switches. The IDS will perform perform well if it is within the same domain as the firewall. This is particulary important where large private network are concernes.

Designers started to develop system with arrayed sensor. Such sensor can be installed throughout a private network on the server and client workstation to collect and redirect information to the selected central location where the information is processed in accordance with the preestablished rules. The potential intruders who either manages to get inside a private network or who will attack from inside may deduct on seeing large number of checking packets directed towars a single address, that this network host an IDS. It may also detect the IDS and freeze its acitivty. It is therefore considerably important to provide security criticical points with a traditional solution ie. to tie a seperate undetectable workstation having a local IDS into the network.

An IDS-Firewall Interaction:

A IDS excels at detecting break in events, so it is complimentary to firewall to possibly reconfigure the firewall rules. The advantage is obvious- a successful intruder who had used a system flaw to penetrate the network may be automatically blocked at the firewall. Different opinion exist on where an IDS has to sit-ie. upstream or downstream from the firewall. But it is a secondary matter, as even if the firewall is placed behind the firewall and will not audit all incoming packets, the firewall itself may be taken over its activity by registering suspicious packets. The only problem may appear with the event correlation, since a certain portion of the unwanted packets may get inside the network whilst another portion may be blocked by the firewall. Frequently the IDS and Firewall is installed on the same machine.

A simple trap to catch the intruder:
There are two IDS devices: one sits between a perimeter router and firewall and another inside the network trap. The first firewall’s task is to detect an attack and reconfigure the firewall rules so that each packet being sent by a potential intruder will be securely traped. Here another IDS watches intuder activities and collects the proof for further analysis or possible criminal prosecution. Naturally registering the intruder attempts is possible when a server residing on the network trap is attacked . A well configured IDS will remain invisible for him and will quickly and silently be able to identify what is going on.

Intrusion Detection System

Intrusion Detection System:

IDS is a software or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling of computer system, mainly through the network.  It is used to detect several types of malicious behaviour that can compromise the security and trust of the computer system. This includes the network attacks againts vulnerable services, data driven  attacked on the application, host based attacks such as privelege escalation, unauthorised login, access to sensitive files, and malware (viruses, trojan horses and worms).

An IDS is composed of several components:
-Sensor:    Which generates the security events
-Console:    To monitor events and alerts an control the sensor
-Central Engine:That records events logged by the sensor in a database and uses a system of rules to generate alerts from security events received.

There are several ways to categories an IDS depending on the type and location of the sensor and the methodology used by the engine to generate alerts. In many simple IDS implementation the three components are combined in a single device or appliances.

Types of IDS:

Network IDS (NIDS): It identifies the intrusion by examining network traffic and monitors multiple hosts. NIDS gain access to network traffic by connecting to a hub, network switch configured for port mirroring or network trap. Ex: SNORT

Protocol Based IDS (PIDS): The system is kept at the front end of the server, monitoring and analyzing the communication protocol between a connected device and server.
For Web Server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the Web Server/system. When HTTPS is in use then this system would reside in the “shim” or interface between where HTTPS is un-encrypted and immediately prior to its entering the Web presentation layer.

Application Protocol baased IDS (APIDS): It consist of system or agent that would typically sit within a group of server, monitoring and analysing the communication on application specific protocol. For example: In a Web Server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with  the database.

Host based IDS (HIDS): It consisit of an agent on a host which identifies intrusion by analysing system calls, application logs, file system modification (binaries, passowrd files, capability /acl databases) and other host related activities and state. An example of a HIDS is OSSEC.

Hybrid IDS: It combined two or more approaches. Host agend data is combined with the network information to form a comprehensive view of the network. An example of Hybrid IDS is Prelude.

Passive system vs Reactive system:

In Passive system the IDS sensor detects a potential breach, logs information and signals an alerts on the console and or owner. In Reactive system also know as IPS (Intrusion Prevention System) , the IDS responds to suspicious activity by resetting the connection or reprogramming the firewall to block network traffic from the malacious sources. This can happen automatically or by the command of the operator.

A system which terminates connection is called an IPS and is another form of application layer firewall. The term IDPS is commonly used to refer to hybrid security system that both detect and prevent.

IDS uses one the two detection techniques: Statistical anomaly based and/or Signature based

Statistical anomaly based IDS: A statistical anomaly based IDS establishes a performance baseline based on normal network traffic evaluation. It will then sample traffic activity to this baseline in order to detect whether or not it is within baseline parameter. If the sampled traffic is not within the baseline parameter an alarm will be triggered.

Signature based IDS: Network traffic is examined for preconfigured and predetermined attacks pattern know as signature. Many attacks today have distinct signature. In good security practice, a collection of these signature must be constantly updated to mitigate emerging threats.

Free IDS:
Snort, Endian Firewall, Untangle, Bro NIDS, Prelude Hybrid IDS, Osiris HIDS, OSSEC HIDS, Flowmatrix

Professional IDS:
Sourcefire