How Does IDS Work?
All IDS are monitoring tools that serve an essential service—they detect potential security events and alert administrators. Some IDS can even help perform automated actions such as issuing Access Control List (ACL) updates to firewalls. IDS, however, should not be confused with perimeter security devices such as firewalls since they do not directly prevent security events through blocking and authentication mechanisms themselves.
As we've previously discussed, an NIDS should be intelligently distributed in the network and an HIDS installed on critical systems. Detailed deployment strategies and best practices for IDS in the enterprise are covered in the next chapter; here, let's briefly cover basic NIDS configurations and functionality.
NIDS are deployed where services or important traffic traverses network devices. A typical IDS deployment, attack, and response sequence is shown in Figure 1.4.
In this NIDS deployment, all network traffic that traverses the DMZ switch is inspected by the IDS via its Monitoring Interface. The NIDS could obtain data from the DMZ switch via a Cisco RSPAN port or a network tap. Alternatively, the NIDS could be an internal component of the switch such as a Cisco IDS Switch Module. We'll discuss these possibilities further later in the book. Regardless, should an attacker initiate a series of malicious actions against servers on the DMZ network, it might unfold this way:
- A hacker working from a remote workstation on the Internet begins an attack on the DMZ-located target host. Perhaps the hacker is using freely available software to scan for open Windows file shares. Since the connection between the attacker and the target host traverses the DMZ switch, the NIDS "hears" the attacker's attempts to scan and mount unprotected Windows file shares via its Monitoring Interface.
- Since the NIDS is listening on the network and actively comparing all traffic against predefined attack signatures, it detects the attacker's scanning attempts. Depending upon how the NIDS is configured, several outcomes could result at this point. The IDS could simply send an alert to administrators via its Control and Reporting Interface. Alternatively, the NIDS could automatically reset the attacker's connection or add rule sets to the firewall or router to deny the attacker further access.
- After the NIDS sends an alert via its Control and Reporting Interface, administrators can take action based on security policy. This may mean manually placing deny statements in the firewall rule set to deny the attacker, or reporting the attack to management and the proper authorities depending upon its severity.
We have discussed several varieties of IDS, all with different ways of accomplishing the same goal. The means by which these systems actually function can also be different. Typically, IDS are either signature-based detection devices or anomaly-based detection devices. We'll discuss each in this section.
Signature-Based IDS
The most prevalent form of intrusion detection is through signature matching. Referred to as signature-based IDS, these systems monitor the network or server and match packet traffic attributes against a set of predetermined attack lists or signatures. Should a particular network conversation match a signature configured on the IDS, the system alerts administrators or takes other pre-configured action.
Signature-based IDS can be quite effective in security monitoring, yet they have several drawbacks. To detect most potential attacks, the signature database on the IDS must be large. As the speed of networks increases, it is difficult for signature-based IDS to keep pace with network traffic. Typically, signature-based IDS must be de-tuned by removing some of the signatures from the active database before use. While this permits the IDS to function properly, it does so at the risk of missing potential attacks. Similarly, because these IDS only alert administrators to potential attacks for which they have a signature, new vulnerabilities and exploits will not be detected until the vendors or administrators develop new signatures.
Note: Intrusion detection systems must be properly tuned once they're in the network environment. Because each signature within an IDS consumes system resources, it may not be advisable to load all signatures based on your network requirements and services. For instance, if you don't run a specific service or block access to the service at perimeter security devices, it might not be necessary to monitor for potential attacks against that service.
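The following is an added example, not code from the book or from any IDS product, that ties together the NIDS sequence above (scan detected on the Monitoring Interface, alert or block decided per configuration, deny rule handed to the firewall) and the signature-matching and de-tuning discussion in this section. Packets, signatures, addresses and the ACL line format are all constructed for illustration; a real NIDS rule language (Snort's, for instance) is far richer, but the match-every-packet-against-every-active-signature loop and the cost of carrying unneeded signatures are the same.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    """Constructed stand-in for what the NIDS sees on its Monitoring Interface."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]      # None matches any destination port
    content: Optional[bytes]  # byte sequence that must appear in the payload
    action: str = "alert"     # "alert" or "block" (block also yields a firewall deny rule)


# Constructed signatures. The SMB one keys on the 0xFF 'S' 'M' 'B' header that SMB1
# messages carry; the NetBIOS one keys on the session-request message type 0x81.
SIGNATURES = [
    Signature(1001, "SMB request to file-share port", "tcp", 445, b"\xffSMB", "alert"),
    Signature(1002, "NetBIOS session request", "tcp", 139, b"\x81", "block"),
]


def matches(pkt: Packet, sig: Signature) -> bool:
    """A signature fires only when every attribute it constrains is present."""
    if sig.proto != pkt.proto:
        return False
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    if sig.content is not None and sig.content not in pkt.payload:
        return False
    return True


def inspect(packets: List[Packet], signatures: List[Signature] = SIGNATURES):
    """Compare every packet against every active signature. Returns the alerts the
    Control and Reporting Interface would emit and the set of sources to block."""
    alerts: List[Tuple[int, str, str, str]] = []
    blocked: Set[str] = set()
    for pkt in packets:
        for sig in signatures:
            if matches(pkt, sig):
                alerts.append((sig.sid, pkt.src, pkt.dst, sig.msg))
                if sig.action == "block":
                    blocked.add(pkt.src)
    return alerts, blocked


def deny_rules(blocked: Set[str]) -> List[str]:
    """Render blocked sources as extended-ACL style deny lines (illustrative syntax)."""
    return [f"deny ip host {src} any" for src in sorted(blocked)]


def tune(signatures: List[Signature], exposed_ports: Set[int]) -> List[Signature]:
    """De-tune: keep only signatures for services actually exposed at the perimeter,
    so the sensor spends no cycles on attacks that cannot reach a listener."""
    return [s for s in signatures if s.dport is None or s.dport in exposed_ports]


# Constructed traffic: one remote host probing two DMZ servers on 445 and one on 139,
# plus an unrelated, benign HTTP request that should match nothing.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 445, b"\x00\x00\x00\x2f\xffSMBr\x00"),
    Packet("203.0.113.7", "192.0.2.11", "tcp", 445, b"\x00\x00\x00\x2f\xffSMBr\x00"),
    Packet("203.0.113.7", "192.0.2.12", "tcp", 139, b"\x81\x00\x00\x44"),
    Packet("198.51.100.5", "192.0.2.20", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    alerts, blocked = inspect(SAMPLE)
    for a in alerts:
        print("ALERT", a)
    for r in deny_rules(blocked):
        print("FIREWALL", r)
    print("signatures left for a web-only DMZ:", tune(SIGNATURES, {80}))
```

Running it shows the trade-off the text describes: with both signatures active, the three probe packets raise three alerts and the NetBIOS rule produces one deny line, but a DMZ that only exposes port 80 can drop both signatures, and the same probes then pass unnoticed.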
Anomaly-Based IDS
Anomaly-based IDS do not use static signatures to detect potential security events. Rather, these IDS use network traffic baselines to determine a "normal" state for the network and compare current traffic to that baseline. If network anomalies occur, the IDS alerts security administrators.
Two types of anomaly-based systems exist: behavior anomaly and protocol anomaly IDS. Both use the same type of statistical calculations to determine whether current traffic deviates from "normal" traffic, yet they track different attributes. Behavior anomaly systems tend to monitor network resources using timing, volume, and similar resource characteristics, while protocol anomaly IDS typically monitor application-level traits such as RFC compliance and other operational protocol content attributes.
As compared to a signature-based IDS, an anomaly-based IDS has the potential to detect new attack vectors as they occur. Anomaly IDS, however, can suffer from numerous false positives as security administrators attempt to determine the dynamic definition of "normal" network operations.
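An added example, not from the book, of the two anomaly-detection styles just described. The behavior check learns a baseline (mean and standard deviation of connections per minute) from a constructed training window and flags minutes that deviate by more than a chosen number of standard deviations; the protocol check flags an HTTP request line that does not follow the expected "METHOD target HTTP/x.y" shape regardless of any signature. The baseline and observed counts are constructed, and the 3-sigma and 10-sigma thresholds are arbitrary choices made to show why a noisy baseline produces false positives.

```python
import statistics
from typing import List, Tuple

# Constructed baseline: TCP connections per minute on the DMZ segment during a
# training window when the network was believed to be operating normally.
BASELINE = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46]

# Constructed observations for a later window. 09:01 is a legitimately busy minute
# (say, a scheduled backup); 09:02 is the kind of burst a file-share scan produces.
OBSERVED = [("09:00", 41), ("09:01", 58), ("09:02", 120), ("09:03", 44)]


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """Summarise 'normal' as the mean and sample standard deviation of the window."""
    return statistics.fmean(samples), statistics.stdev(samples)


def z_score(value: float, baseline: Tuple[float, float]) -> float:
    mean, stdev = baseline
    return (value - mean) / stdev


def behavior_anomalies(observed, baseline: Tuple[float, float], threshold: float):
    """Flag every minute whose volume deviates from the baseline by more than
    `threshold` standard deviations. Returns (minute, count, z) triples."""
    return [(minute, count, round(z_score(count, baseline), 2))
            for minute, count in observed
            if abs(z_score(count, baseline)) > threshold]


def refresh_baseline(samples: List[int], new_value: int, window: int = 12) -> List[int]:
    """Sliding-window baseline: 'normal' drifts as the network changes, which is
    why the threshold has to be revisited whenever the network does."""
    return (samples + [new_value])[-window:]


ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def protocol_anomaly(request_line: str) -> bool:
    """Protocol-anomaly check: an HTTP request line must be three tokens,
    'METHOD target HTTP/x.y', with a known method. Anything else is flagged."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3:
        return True
    method, _target, version = parts
    return method not in ALLOWED_METHODS or not version.startswith("HTTP/")


if __name__ == "__main__":
    baseline = build_baseline(BASELINE)
    print("baseline mean/stdev:", baseline)
    print("strict (3 sigma):", behavior_anomalies(OBSERVED, baseline, 3.0))
    print("relaxed (10 sigma):", behavior_anomalies(OBSERVED, baseline, 10.0))
    print("compliant:", protocol_anomaly("GET /index.html HTTP/1.1"))
    print("malformed:", protocol_anomaly("GET /index.html HTTP/1.1 extra"))
```

With the tight training window, the backup minute sits about six standard deviations out, so the strict threshold reports it alongside the scan: a false positive in exactly the sense the paragraph above describes. Raising the threshold keeps only the scan, at the cost of missing smaller deviations, and feeding the busy minute back through refresh_baseline widens "normal" so the next backup passes; both knobs are the administrator's ongoing judgement call, not a one-time setting.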