The components of an intrusion detection system (IDS) are general-purpose building blocks and vary in how they process the data they collect. At the heart of every IDS are an event correlation mechanism and an attack signature database; these two components are what distinguish an IDS from a plain network monitor. The event correlation mechanism is arranged either as a filter that matches packet contents against known attack patterns, or in a more sophisticated, intelligent manner that detects network anomalies and abuse.
This is nearly always a utility or sensor that operates in promiscuous mode, meaning the network card "listens" to all packets sent within its so-called collision domain. This category does not include the audit-file processing systems that reside on the server and work from its logs (that is, host-based detection).
When deploying either a distributed or a centralized IDS, follow the same guidelines that experts responsible for sensor installation use: common sense and a well-thought-out, balanced security policy.
When choosing a suitable location for a distributed IDS engine, the first decision is how to configure the computer that will host the IDS application. The workstation should be hidden so that an intruder finds it difficult to trace: configure the system so that it does not respond to any incoming packets, and protect it further with a host firewall. The IDS should reside within a single collision domain, meaning that all devices in that domain share the same broadcast address and are not separated from the sensor by switches. The IDS performs best when it sits in the same domain as the firewall, which is particularly important in large private networks.
Designers then began developing systems with arrays of sensors. Such sensors can be installed throughout a private network, on servers and client workstations, to collect information and forward it to a chosen central location, where it is processed according to pre-established rules. A potential intruder who either manages to get inside the private network or attacks from within may, on seeing a large number of monitoring packets directed toward a single address, deduce that the network hosts an IDS; the intruder may then locate the IDS and freeze its activity. It is therefore important to protect security-critical points with the traditional solution as well, i.e. to tie a separate, undetectable workstation running a local IDS into the network.
IDS-Firewall Interaction:
An IDS excels at detecting break-in events, so it complements a firewall and may reconfigure the firewall rules in response. The advantage is obvious: an intruder who has used a system flaw to penetrate the network may be automatically blocked at the firewall. Opinions differ on where an IDS should sit, i.e. upstream or downstream of the firewall. This is a secondary matter: even if the IDS is placed behind the firewall and therefore does not audit all incoming packets, the firewall itself can take over that part of the work by logging the suspicious packets it blocks. The only difficulty arises in event correlation, since one portion of the unwanted packets gets inside the network while another portion is blocked by the firewall. Frequently the IDS and the firewall are installed on the same machine.
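As an added example (not from the original article), the following Python sketch shows the two IDS components from the introduction, a signature filter and an event correlation step, feeding a block decision to the firewall as described above. The signature names, packet records, threshold and time window are all constructed for illustration, and the firewall rule is only rendered as a string rather than pushed to a real firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical attack-signature database: name -> pattern over packet payload.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "sql-tautology": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

# Constructed packet records (source, timestamp, payload); not real captures.
PACKETS = [
    ("10.0.0.5", "2024-01-01T10:00:00", b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", "2024-01-01T10:00:01", b"GET /../../etc/passwd HTTP/1.1"),
    ("10.0.0.5", "2024-01-01T10:00:02", b"GET /login?u=a' OR 1=1-- HTTP/1.1"),
    ("10.0.0.5", "2024-01-01T10:00:03", b"GET /../../boot.ini HTTP/1.1"),
    ("10.0.0.9", "2024-01-01T10:00:05", b"GET /../../etc/shadow HTTP/1.1"),
]


def match_signatures(payload):
    """Filter stage: names of every signature the payload matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def correlate(packets, threshold=3, window=timedelta(seconds=10)):
    """Correlation stage: a source that accumulates `threshold` signature
    hits within `window` is reported as an intruder to be blocked."""
    hits = defaultdict(list)   # source -> timestamps of recent hits
    intruders = []
    for src, ts, payload in packets:
        names = match_signatures(payload)
        if not names:
            continue
        t = datetime.fromisoformat(ts)
        # Keep only hits inside the sliding window, then add this packet's hits.
        hits[src] = [h for h in hits[src] if t - h <= window] + [t] * len(names)
        if len(hits[src]) >= threshold and src not in intruders:
            intruders.append(src)
    return intruders


def firewall_rule(src):
    """Render the block rule the IDS would hand to a netfilter-based firewall."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    for src in correlate(PACKETS):
        print(firewall_rule(src))
```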
A simple trap to catch the intruder:
There are two IDS devices: one sits between the perimeter router and the firewall, the other inside the network trap. The first IDS's task is to detect an attack and reconfigure the firewall rules so that every packet sent by the potential intruder is securely routed into the trap. There, the second IDS watches the intruder's activities and collects evidence for further analysis or possible criminal prosecution. Naturally, the intruder's attempts can only be recorded once a server residing on the network trap is attacked. A well-configured IDS remains invisible to the intruder and is able to identify quickly and silently what is going on.