Intrusion detection plays an important part in building a secure network. If you have no way of inspecting the traffic flowing through your network, how do you know whether your systems are safe? There is little a firewall can do to protect you from some kinds of attack. For example, you may be running a Web server: the firewall will block attempts to reach the operating system directly, but it passes all traffic on port 80 straight through. If a script kiddie, or perhaps a seriously skilled black hat working for a corporate competitor, is probing for vulnerabilities in your Web server, you would have little warning until the system had been breached and your Web site defaced. That is the best case; in the worst case you would never know the system had been compromised, and it could be used as a staging area for further attacks or to relay private data out of the network.

Unless your firewall has an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) built in, it cannot really be blamed. A firewall is simply a device that controls the flow of data between zones with differing levels of trust, for example between your corporate LAN and the Internet. Pre-defined rules tell it which network connections may pass through the gateway and which must be blocked. Once a connection has been allowed (or denied), a traditional packet-filtering firewall has done its job; it does not inspect the payload of the data flowing through a connection it has allowed.

A Network IDS's job is to inspect all of the traffic flowing through a monitored network segment and match any suspicious activity against pre-defined rules and signatures. Most IDSs are made up of three core components: the sensor, which generates events when traffic matches a rule; the engine, which handles those events by recording them in logs or a database and sending out alert notifications; and a console or graphical user interface that lets administrators see what is happening and control the sensor and engine.

Active or passive?

There are two models to consider when looking at intrusion detection: passive and active systems.

First, let's consider passive systems. A passive IDS detects a potential security issue or breach and logs an event, optionally sending an alert to an administrator. The administrator can then analyse the alert in more detail and take the appropriate action.

An active system detects suspicious activity and then takes defensive action, such as terminating the network session in question or dynamically adding a rule to the firewall. Strictly speaking, an active system as a whole should be referred to as an IPS. The price of automatic response is that a false positive becomes a self-inflicted outage (or, if an attacker spoofs a trusted address, a way to get your own users blocked), so the rules that trigger a response need to be far more conservative than those that merely alert.

Network or host?

IDSs can be broken down into many types, although two would be considered under typical circumstances: host- and network-based systems.

A host-based IDS watches a single host for signs of compromise. It monitors all areas of the system, such as system logs, kernel activity, filesystem access, memory operations, and so on. Host-based network intrusion detection systems also exist; these are NIDS resident on a host that monitor only the traffic to and from that system's IP address.
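The filesystem-monitoring side of a host-based IDS is essentially a baseline-and-compare job. The following is an added example (not code from the original article or from any particular HIDS product) that takes a snapshot of a directory tree, then reports files that were added, removed, modified or had their permission bits changed. The directory contents and the simulated tampering are constructed inside a temporary directory so the script runs offline; only the Python standard library is assumed.

```python
"""Minimal host-based integrity monitor: baseline a directory tree, then report
files that were added, removed, modified or had their mode bits changed.
Added example using only the standard library; all paths below are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each regular file (path relative to root, '/' separated) to
    (sha256 digest, permission bits). Symlinks are skipped, not followed."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            snap[rel] = (sha256_of(full), st.st_mode & 0o7777)
    return snap


def compare(old, new):
    """Diff two snapshots; returns a dict of event type -> sorted relative paths."""
    events = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in new.keys() - old.keys():
        events["added"].append(rel)
    for rel in old.keys() - new.keys():
        events["removed"].append(rel)
    for rel in old.keys() & new.keys():
        if old[rel][0] != new[rel][0]:
            events["modified"].append(rel)
        elif old[rel][1] != new[rel][1]:
            events["mode_changed"].append(rel)
    return {k: sorted(v) for k, v in events.items()}


def demo():
    """Constructed scenario: a trusted tree, then four kinds of tampering."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        conf = os.path.join(root, "httpd.conf")
        with open(conf, "w") as f:
            f.write("Listen 80\n")
        os.chmod(conf, 0o644)
        trusted = baseline(root)

        # Simulated compromise: a uid-0 account appended, a config made
        # world-writable, a file deleted and an unknown binary dropped.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(conf, 0o666)
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(root, "nc"), "wb") as f:
            f.write(b"\x7fELF")
        return compare(trusted, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In a real deployment the baseline would be stored (and ideally signed) somewhere the monitored host cannot silently rewrite it, since an attacker with root can otherwise re-baseline after tampering; the comparison logic stays the same.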

A network-based IDS sits on a network segment and analyses raw packets in real time. Filters allow the system to ignore irrelevant traffic and so make more efficient use of the monitoring station, which checks the remaining traffic against signatures and performs other types of analysis. If suspicious content is detected, an alert is generated; if the IDS is part of a larger IPS, action is taken to terminate the session. Two practical limits apply: on a switched network the sensor only sees traffic if it is placed inline or fed from a mirror port or tap, and it cannot inspect the contents of encrypted sessions.
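The three components described earlier (sensor, engine, console) and the passive-versus-active distinction can be shown together in one small program. The following is an added example, not code from the original article or from any real IDS: a pre-filter drops traffic that is not for the monitored services, a sensor matches the remaining packets against a constructed rule set, and an engine logs every event, raises alerts for the more serious ones, and in active (IPS) mode records the response it would take, either a TCP reset for the session or a dynamic firewall block for the source. The packets, addresses, rules and content strings are all constructed for illustration; none of them is a real attack signature.

```python
"""Toy signature-based network IDS: sensor + engine, passive or active.
Added example; packets, rules and addresses are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]        # None matches any destination port
    content: bytes              # byte string that must appear in the payload
    severity: int               # 1 = high ... 3 = low
    response: str = "alert"     # "alert", "reset" (kill session) or "block" (firewall rule)


# Constructed rule set; the content strings are illustrative only.
RULES = [
    Rule(1000001, "WEB directory traversal attempt", "tcp", 80, b"../../", 2, "reset"),
    Rule(1000002, "WEB shell command in URI", "tcp", 80, b"/bin/sh", 1, "block"),
    Rule(1000003, "SSH client banner seen", "tcp", 22, b"SSH-2.0", 3),
]


def bpf_like_filter(pkt: Packet, monitored_ports=(22, 80)) -> bool:
    """Pre-filter: only hand packets for the monitored services to the rule matcher."""
    return pkt.proto == "tcp" and pkt.dport in monitored_ports


def sensor(packets, rules=RULES, prefilter=bpf_like_filter):
    """Yield (rule, packet) events for every packet that matches a rule."""
    for pkt in packets:
        if not prefilter(pkt):
            continue
        for rule in rules:
            if rule.proto != pkt.proto:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.content in pkt.payload:
                yield rule, pkt


@dataclass
class Engine:
    active: bool = False        # False = passive IDS, True = IPS behaviour
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    actions: list = field(default_factory=list)

    def handle(self, rule: Rule, pkt: Packet):
        entry = f"sid={rule.sid} {pkt.src}->{pkt.dst}:{pkt.dport} {rule.msg}"
        self.log.append(entry)                  # every event is recorded
        if rule.severity <= 2:
            self.alerts.append(entry)           # only serious ones page someone
        if self.active and rule.response == "reset":
            self.actions.append(("tcp-reset", pkt.src, pkt.dst, pkt.dport))
        elif self.active and rule.response == "block":
            # Stands in for pushing a dynamic deny rule to the firewall.
            self.actions.append(("firewall-drop", pkt.src))


def run(packets, active=False):
    """Feed packets through sensor and engine; return the engine for inspection."""
    engine = Engine(active=active)
    for rule, pkt in sensor(packets):
        engine.handle(rule, pkt)
    return engine


# Constructed traffic sample (documentation-range addresses).
TRAFFIC = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    Packet("203.0.113.9", "192.0.2.10", "tcp", 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n"),
    Packet("198.51.100.4", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet("198.51.100.4", "192.0.2.10", "udp", 53, b"../../"),   # dropped by the pre-filter
]

if __name__ == "__main__":
    passive = run(TRAFFIC)
    for line in passive.log:
        print("LOG  ", line)
    for line in passive.alerts:
        print("ALERT", line)
    print("IPS actions:", run(TRAFFIC, active=True).actions)
```

Note that the last packet carries the traversal string but is never examined because the pre-filter discards UDP/53; that is the efficiency gain the paragraph describes, and also the reason filters must be written with care, since anything they exclude is invisible to the signatures.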

Most people will wonder which type of system offers better protection. The answer is that it depends on your goal and the environment you are working in. Where security is paramount, both would be used, along with application- and protocol-level monitoring. In a small office (say five PCs, one server, and a router) a host-based NIDS would most likely be more than adequate.

But do I really need it?

So are Intrusion Detection Systems an essential part of any security setup, or a luxury for sysadmins with too much time on their hands? I personally think anyone responsible for the security of systems holding private and confidential data (customer records, corporate information, e-mail, etc.) needs to be paranoid by default. Although there is no way of knowing beyond doubt that systems are secure and remain uncompromised (even NASA has breaches from time to time), it is necessary to take all reasonable measures to keep them secure and, if a breach does occur, to know about it!