Lectures_SSD2_Yermakova / Lectures_SSD2 Yermakova.doc
Added: 25.02.2016

6.3.2 Intrusion Detection Tools

  • Intrusion Detection Systems

  • Network Monitoring Tools

  • Anti-Virus Software

Intrusion Detection Systems

An intrusion detection system (IDS) for a computer is like a security system for a home. When an intrusion is detected, the IDS alerts the network administrators, just as the alarm of a home security system goes off to alert the homeowners. An IDS gathers and analyzes information within a computer or a network to identify possible security breaches. In the event of a breach, an IDS can provide traces of events to help track down the intruder. However, an IDS does not block potentially malicious traffic. When used together with a firewall, an IDS can verify the firewall configuration and serve as an added layer of security that alerts network administrators to suspicious data that has passed through the firewall. Compared to a firewall, an IDS provides more in-depth traffic monitoring.

An IDS works by matching incoming traffic against an intrusion detection (ID) signature database of known attacks or suspicious activity, and alerts administrators when a match occurs. An ID signature can be a particular TCP state, particular bytes in the IP header, or a particular byte stream in a packet. Some intrusion signatures and incident databases are publicly available. An IDS can also send automatic notifications to alert system administrators of potential security breaches via a variety of channels, including email and mobile phones. These notifications help network administrators identify the subsequent steps for resolving the security breach, and they can help strengthen security policies.
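To make the signature-matching idea concrete, here is a toy signature-based IDS written as an added example for this section (it is not code from the lecture and not the logic of any real product). It builds a few constructed IPv4/TCP packets, decodes the fields a signature might look at, and matches them against three signature kinds named in the paragraph: a TCP flag state (SYN and FIN set together), a value in the IP header (a very low TTL), and a byte stream in the payload. The signature IDs, messages, thresholds and addresses are all invented for the demo.

```python
"""Added example: a toy signature-based IDS over constructed packets."""
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, payload=b"", ttl=64):
    """Build a minimal IPv4 + TCP packet (no options, checksums left at 0)."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # data offset 5 (a 20-byte TCP header) lives in the high nibble of its byte
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode only the fields the signatures inspect; returns None for non-TCP."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    data_off = ihl + (off >> 4) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "sport": sport, "dport": dport, "flags": flags,
            "payload": raw[data_off:]}


# Constructed signature database: every condition present in a signature must hold.
SIGNATURES = [
    {"sid": 1, "msg": "TCP SYN and FIN set together (illegal TCP state)",
     "flags_all": TCP_SYN | TCP_FIN},
    {"sid": 2, "msg": "IP TTL of 1 or less (unusual value in the IP header)",
     "ttl_max": 1},
    {"sid": 3, "msg": "Reference to /etc/passwd in an HTTP request payload",
     "dport": 80, "content": b"/etc/passwd"},
]


def matches(sig, pkt):
    """Return True when every condition the signature carries holds for pkt."""
    if "flags_all" in sig and (pkt["flags"] & sig["flags_all"]) != sig["flags_all"]:
        return False
    if "ttl_max" in sig and pkt["ttl"] > sig["ttl_max"]:
        return False
    if "dport" in sig and pkt["dport"] != sig["dport"]:
        return False
    if "content" in sig and sig["content"] not in pkt["payload"]:
        return False
    return True


def inspect(packets):
    """Run each packet against every signature; return (sid, src, dst, msg) alerts."""
    alerts = []
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        for sig in SIGNATURES:
            if matches(sig, pkt):
                alerts.append((sig["sid"], pkt["src"], pkt["dst"], sig["msg"]))
    return alerts


# Constructed traffic: two benign packets followed by one hit per signature.
SAMPLE_TRAFFIC = [
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, TCP_SYN),
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, TCP_PSH | TCP_ACK,
                 b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    build_packet("198.51.100.9", "10.0.0.80", 5555, 22, TCP_SYN | TCP_FIN),
    build_packet("198.51.100.9", "10.0.0.80", 5556, 80, TCP_SYN, ttl=1),
    build_packet("198.51.100.9", "10.0.0.80", 5557, 80, TCP_PSH | TCP_ACK,
                 b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for sid, src, dst, msg in inspect(SAMPLE_TRAFFIC):
        print(f"[sid {sid}] {src} -> {dst}: {msg}")
```

Note that the matcher is only as good as its database, which is exactly the weakness listed below: the benign packets produce no alert, but a request that reaches the same file through a different encoding would also pass silently unless a signature for it exists.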

Strengths of IDS:

  • Can trace each step of an attack

  • Cannot be easily circumvented

Weaknesses of IDS:

  • Cannot block intruding traffic

  • Only as strong as its signature database

  • Possibility of false alarms

  • Setup may require some level of configuration and security knowledge

An example of an open source network IDS is Snort. It keeps an active log file to detect possible intrusions or access violations as they occur in real time. It can also monitor and inspect network traffic and failed connection attempts, connections to or from unusual locations, unauthorized network probes, systematic port scans, traffic contrary to the firewall setup, and unusual file transfer activity.
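The paragraph lists systematic port scans and failed connection attempts among the things a network IDS watches for. The following is an added example of a simple threshold-based scan detector over a handful of constructed firewall log lines; it is not Snort's own code, rule syntax or log format, and the window size, threshold and addresses are made-up values for the demo. A source that touches at least SCAN_PORTS distinct ports on one host within WINDOW raises a single alert for that pair; the same logic also shows the known weakness of such a detector, a scan spread slowly over time stays below the threshold.

```python
"""Added example: sliding-window port-scan detection over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso timestamp> <src> -> <dst>:<port> <verdict>"
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (ACCEPT|REJECT)$")

WINDOW = timedelta(seconds=10)   # how far back a burst of connections is correlated
SCAN_PORTS = 5                   # distinct ports per (src, dst) inside WINDOW that alert


def parse_line(line):
    """Return (timestamp, src, dst, port, verdict) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None              # skip junk rather than crash the monitor
    ts, src, dst, port, verdict = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), verdict


def detect_scans(lines):
    """Return one (src, dst, first_seen, sorted_ports) alert per scanning pair."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port) inside WINDOW
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, _ = rec
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while q and ts - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= SCAN_PORTS and key not in alerted:
            alerted.add(key)                 # report each scanning pair only once
            alerts.append((src, dst, q[0][0], sorted(ports)))
    return alerts


# Constructed log: a normal client, a fast scanner, a junk line and a slow scanner.
SAMPLE_LOG = [
    "2016-02-25T10:00:00 10.0.0.5 -> 10.0.0.80:80 ACCEPT",
    "2016-02-25T10:00:01 10.0.0.5 -> 10.0.0.80:443 ACCEPT",
    "2016-02-25T10:00:02 203.0.113.7 -> 10.0.0.80:21 REJECT",
    "2016-02-25T10:00:03 203.0.113.7 -> 10.0.0.80:22 ACCEPT",
    "2016-02-25T10:00:03 203.0.113.7 -> 10.0.0.80:23 REJECT",
    "2016-02-25T10:00:04 10.0.0.5 -> 10.0.0.80:80 ACCEPT",
    "2016-02-25T10:00:05 203.0.113.7 -> 10.0.0.80:25 REJECT",
    "2016-02-25T10:00:06 203.0.113.7 -> 10.0.0.80:110 REJECT",   # fifth distinct port
    "2016-02-25T10:00:07 203.0.113.7 -> 10.0.0.80:143 REJECT",   # pair already alerted
    "this line is not in the expected format",
    "2016-02-25T10:00:20 192.0.2.44 -> 10.0.0.80:22 REJECT",
    "2016-02-25T10:00:40 192.0.2.44 -> 10.0.0.80:23 REJECT",
    "2016-02-25T10:01:00 192.0.2.44 -> 10.0.0.80:25 REJECT",     # slow, stays below threshold
]

if __name__ == "__main__":
    for src, dst, first_seen, ports in detect_scans(SAMPLE_LOG):
        print(f"possible port scan from {src} against {dst} since {first_seen}: ports {ports}")
```

The normal client touches only two ports, so it never trips the threshold even though it reconnects repeatedly, while the slow scanner shows why a detector like this should be paired with longer-term aggregation.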

Setting up an IDS

Typically, an IDS is set up behind the firewall so that it can examine more thoroughly the packets that have already passed through the firewall. The figure below illustrates how an IDS could be placed in a network.

Figure 1 Setting up an IDS

Network Monitoring Tools

Network monitoring should be conducted continuously to maintain confidence in the security of a protected network and data resources. Network monitors may be installed at strategic locations to collect and examine information continuously that may indicate suspicious activity. Some systems can react to suspicious network activity by blocking suspect connections, limiting or disabling affected services, isolating affected systems, and collecting evidence for subsequent analysis. Additionally, monitoring can help determine whether security countermeasures are effective.

Below is a list of network monitoring tools with brief descriptions to provide you with a sense of what type of network monitoring tools are being used today.

  • Tripwire® - enables you to detect unexpected changes to the contents of files and directories.

  • Analyzer/Sniffer - captures and analyzes network packets. It gathers information about data passing through your network and decodes the captured data.

  • Big Brother - tests system conditions and the availability of network services, and notifies administrators about system problems.

  • Ethereal - enables you to examine data from a live network or from a capture file on disk. It is a free network protocol analyzer for UNIX and Windows (including Win2K).