Network intrusion detection is a method for discovering, and sometimes preventing, unauthorized intrusions into a computer network. To implement this kind of protection, organizations deploy a Network Intrusion Detection System (NIDS), a type of intrusion detection system that monitors the traffic on a network segment and looks for malicious activity such as denial of service (DoS), port scans, or attempts to compromise hosts. A NIDS detects attacks by capturing all of the packets it can see, incoming and outgoing, and matching them against intrusion patterns. Because it inspects every packet and keeps a record of what it saw, a NIDS typically needs substantial processing power and disk space for logs.

Placement matters: a sensor only sees the traffic on the segment it is attached to, so packets on the far side of a router, bridge, or switch are invisible to it unless the traffic is mirrored to the sensor (for example via a switch mirror port or a network tap). An intrusion detection system (IDS) usually consists of a detection engine that analyzes traffic and takes automated actions, and a control console from which administrators change the engine's behavior.

IDSs use two main detection techniques. The first is signature-based: the engine searches network traffic for known attack patterns, such as the markers of cross-site scripting payloads or the traffic produced by known DoS tools. A signature engine can only detect attacks it has a pattern for, so its signatures must be updated regularly to keep up with emerging threats. The second technique is anomaly-based: the system first establishes a baseline of normal network activity and then raises an alarm whenever the sampled traffic falls outside the baseline parameters. This can catch attacks no signature exists for yet, but anything unusual looks like an attack, so the baseline needs careful tuning.

An IDS can be either passive or reactive. A passive IDS constantly monitors the network and, when it detects a potential security breach, logs the details and raises an alert on the console.
A reactive system automatically responds to suspicious activity, either by resetting the offending connection or by reprogramming the firewall to block traffic from the source it suspects is malicious. Reactive systems are also called intrusion prevention systems (IPS). The main difference is that passive systems alert while reactive systems try to prevent; some systems can be configured to do both.

Finally, there are limitations that users of any IDS should know about. The first is noise: malformed packets, misconfigured devices, and benign traffic that happens to resemble an attack pattern all trigger false alarms, which make it hard to tell which alerts are real security breaches. In many environments real attacks are rare compared to false alarms, so the fraction of alerts that are genuine is small, analysts start to ignore alerts, and the likelihood that a real attack is missed goes up. Outdated signatures are another major issue, because attack techniques and the software they target change constantly, and the pattern signatures have to track those changes to catch new attack strategies.

Other kinds of intrusion detection systems include host-based intrusion detection systems (HIDS), protocol-based intrusion detection systems (PIDS), and application protocol-based intrusion detection systems (APIDS). [Bro](http://en.wikipedia.org/wiki/Bro_(software)) (now called Zeek) and [Snort](http://en.wikipedia.org/wiki/Snort_(software)) are two NIDS solutions that are free and open source.
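The following toy detector is an added example, not code from the original page or from Bro or Snort. It ties together the two detection techniques and the passive/reactive distinction described above, and the false-alarm problem from the limitations paragraph. The flow records, the `BASELINE` port counts, the two signatures and the `run_ids` / `alert_precision` helpers are all constructed for illustration; a real NIDS would read packets from a capture interface and push block rules to an actual firewall.

```python
"""Toy NIDS: signature matching, a statistical anomaly check, and
passive vs. reactive response over constructed flow records.
Added example, not code from the original page or from Bro/Snort."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed flow: source, destination, destination port, payload."""
    src: str
    dst: str
    dport: int
    payload: str


# Constructed sample traffic (not a real capture): normal web requests,
# one request carrying an XSS payload, and one host sweeping ports 20-59.
TRAFFIC = [
    Flow("10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1"),
    Flow("10.0.0.5", "10.0.0.80", 80, "GET /search?q=<script>alert(1)</script> HTTP/1.1"),
    Flow("10.0.0.9", "10.0.0.80", 443, "TLS handshake"),
    *[Flow("10.0.0.7", "10.0.0.80", p, "") for p in range(20, 60)],
]

# Constructed learning-period baseline: distinct destination ports contacted
# by each source per observation window, while no attack was taking place.
BASELINE = [1, 2, 1, 3, 2, 1, 2, 2, 1, 3]

# Signature rules (assumed plaintext payloads): name -> pattern.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<script[^>]*>", re.IGNORECASE),
    "sqli-union-select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}


def signature_alerts(flows):
    """Signature-based detection: (rule name, source) for every payload that
    matches a known attack pattern."""
    return [(name, f.src)
            for f in flows
            for name, rx in SIGNATURES.items()
            if rx.search(f.payload)]


def anomaly_alerts(flows, baseline_ports_per_src, sigmas=3.0):
    """Anomaly-based detection: flag sources that contact far more distinct
    destination ports than the learned baseline (a port scan pattern).
    Threshold is mean + `sigmas` standard deviations of the baseline."""
    mean = statistics.mean(baseline_ports_per_src)
    stdev = statistics.pstdev(baseline_ports_per_src)
    threshold = mean + sigmas * stdev
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return [(src, len(p)) for src, p in ports.items() if len(p) > threshold]


def run_ids(flows, baseline_ports_per_src, mode="passive"):
    """Run both engines and return the actions taken, in order.
    mode="passive":  log/alert only.
    mode="reactive": additionally "block" the source, standing in for
                     pushing a rule to the firewall (an IPS)."""
    suspects = [src for _, src in signature_alerts(flows)]
    suspects += [src for src, _ in anomaly_alerts(flows, baseline_ports_per_src)]
    unique = list(dict.fromkeys(suspects))  # de-duplicate, keep order
    actions = [("alert", src) for src in unique]
    if mode == "reactive":
        actions += [("block", src) for src in unique]
    return actions


def alert_precision(true_positive_rate, false_positive_rate, attack_prevalence):
    """Probability that a given alert is a real attack (Bayes' rule).
    Shows why false alarms dominate when real attacks are rare, even for
    a sensor with a low false-positive rate."""
    tp = true_positive_rate * attack_prevalence
    fp = false_positive_rate * (1 - attack_prevalence)
    return tp / (tp + fp)


if __name__ == "__main__":
    for action in run_ids(TRAFFIC, BASELINE, mode="reactive"):
        print(action)
    # 99% detection, 1% false alarms, one attack per 10,000 flows:
    print(f"P(alert is real) = {alert_precision(0.99, 0.01, 0.0001):.3f}")
```

In the sample traffic the XSS payload from 10.0.0.5 is caught by the signature engine and the 40-port sweep from 10.0.0.7 by the anomaly engine; in passive mode both only produce alerts, in reactive mode both sources are also blocked. The `alert_precision` call illustrates the base-rate problem from the limitations paragraph: with a 1% false-positive rate and one attack per ten thousand flows, fewer than 1% of alerts correspond to a real attack.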