Lock IT Down: Implementing an intrusion detection system on your network

How to implement a network intrusion detection system

An intrusion detection system (IDS) is a key tool within a network security architecture, yet 60 percent of respondents to a recent NetAdmin poll (Figure A) said they have yet to implement one.

Intrusion detection is vital because it is impossible to keep pace with every current and potential threat and vulnerability in a network. These threats and vulnerabilities advance at lightening speed, and it takes time for vendors to catch up with patches and updates (and for admins to apply the updates). Therefore, IDSes have become indispensable in helping to manage these threats and vulnerabilities.

Once you decide you need an IDS, you must answer these four questions:
  • How can I use an IDS to benefit my security strategy?
  • What technologies are available to me?
  • Where do I deploy the technology?
  • How do I manage the information an IDS will provide?

Figure A

How can I use an IDS to benefit my security strategy?
An IDS is used to detect intruders to your network. I define intruders as individuals or groups that attempt to access or deny access to data. This would include both internal and external threats. When properly deployed, this tool will identify intruders' methods and provide an intelligent alert to the threat. Some IDS programs will even respond to stop the intrusion. A good IDS should support analysis to find out how the intruder got in and deny any similar exploitation in the future.

What technologies are available to me?
IDS sensors can be categorized into three main groups:
  • Host based—These are deployed on a single host and monitor packets directed at that system or processes inside the host.
  • Network based—These use network cards in promiscuous mode and analyze all packets on the network segment. Depending on the area of deployment and the topology of your network, this sensor will monitor multiple systems or the entire network.
  • Hybrid—This is a mixture of network- and host-based sensors.

Let's take a closer look at the network-based IDS and break it down further into two subcategories: appliances and software-based IDS.

Appliances are complete and fully loaded systems that require no additional hardware or software to monitor the network segments. An example of an IDS appliance is Cisco IDS (formerly known as NetRanger). This system consists of two major elements:
  • The Secure IDS Sensor is the appliance that you place at a specific connection to be monitored on your network, or you can install several appliances to monitor multiple locations. It detects unauthorized activity navigating the network by analyzing traffic against rules-based signature files. When unauthorized activity is detected, the sensor can send alarms to a management console with details of the activity and can control other systems, such as routers, to terminate the unauthorized session(s).
  • The Secure IDS Director is a software-based management system that centrally monitors the activity of single or multiple Cisco Secure IDS sensors located on local or remote network segments. The Cisco Secure IDS Director allows network and security technicians to quickly pinpoint the location and type of an attack, qualify its severity, and instantly respond.

Software-based IDS
A software-based IDS is a solution that you load on a compatible operating system to monitor and respond to network activity. An example of a software IDS is Internet Security Systems' RealSecure. Its system also consists of two major elements:
  • The RealSecure Sensor is software that you load and configure on a platform to provide broad-based detection, prevention, and response for attacks and misuse that originate from across a network. It sends automatic responses to improper activity and logs events to a database, and it can block/terminate a connection, send an e-mail, suspend or disable an account, and create a user-defined alert.
  • TheRealSecure SiteProtector is the software-based management platform. SiteProtector unifies the management of RealSecure IDS sensors and allows grouping of these sensors to provide real-time internal and external correlation of threats. The RealSecure SiteProtector also enables you to operate and monitor remote sensors and respond to identified intrusions.

Cisco's IDS and Internet Security Systems' RealSecure are just two of the many examples of the types of intrusion detection systems that can provide an excellent solution for enterprises. The next step is the actual deployment.

Where do I deploy the technology?
Depending on your security practices and topology, you'll typically consider four areas for monitoring. These are as follows:
  • Network perimeter—This includes any entry/exit point, such as on both sides of the firewall, dial-up servers, and on links to any collaborative networks. These links tend to be low-bandwidth (T1 speeds) and are usually the entry point of an external attack.
  • WAN backbone—This is a frequent area of unauthorized activity.
  • Server farms—Servers are generally placed on their own network segments and connected to switches. The problem with placing a sensor in this location is that IDS systems cannot keep up with high-volume traffic. If traffic is too high to monitor all of your servers, choose the targets of highest value and install sensors to monitor those specific targets.
  • LAN backbones—IDSes are usually impractical for LAN backbones because of their high amount of traffic.

When deciding where to deploy your sensor(s), consider what is most valuable and the attacker's most logical avenue of approach. You also need to make sure that your IDS doesn’t degrade the performance of the network segment that you’re monitoring.

How do I manage the information an IDS will provide?
First and foremost, remember to protect yourself. Some people tend to view IDS as a form of wiretap. If you’re going to deploy any sensors to monitor your internal network (which is your legal right), verify that you have a published policy explicitly stating "use of the network is consent to monitoring.”

Develop policies and procedures for events that occur during different hours of your business day. Some of the more robust intrusion detection systems will take actions for you to terminate access and change rules on other security devices to prevent future intrusions. If you have people physically monitoring your network 24 hours a day, you may not want automatic denial of services to potential customers or users based on a false intrusion event. As with any network security device, you will have to evaluate its effectiveness and level of responsibility for your network defense.

An IDS is an essential part of a good network security architecture. IDS solutions have their strengths and weaknesses, which must be measured and evaluated before you decide to deploy one on your network. When viewed and implemented as part of a network security fallback mechanism, an IDS is usually well worth the investment.

Editor's Picks