Overview of IDS

Intrusion detection systems come in many shapes and sizes. Some are small, one-rack-unit appliances that tuck neatly into your server rack, while others are modules, such as the Cisco IDSM, that insert directly into active network components. Some IDS are simply software applications that run on servers or workstations. Their general purpose is to monitor events on systems and networks and notify security administrators of an event that the sensor determines is worthy of alert. An IDS weighs these situations using a variety of means. Some IDS compare network conversations they "hear" to a list of known attack sequences or signatures. When the network traffic matches a known exploit signature, they trigger an alert. These IDS are known as signature-based IDS. Other IDS collect a baseline of "normal" network operations over time. They then continue to monitor the network for situations that don't match what they've determined as normal. If this happens, they trigger an alert. These IDS are called anomaly-based IDS.

Some IDS can perform automated actions beyond simply sending alerts, such as resetting malicious connections by using a technique called TCP Reset, blocking offending source addresses, or shunning the IP address. Some of the more advanced IDS sensors can even reconfigure ACLs on routers and firewalls dynamically.

On today's busy networks, a lot of information and data is transferred between clients and servers. While most of this communication is legitimate and beneficial, some of it might not be. But how could you possibly determine which is which? How are you to know if a reconnaissance attack or data retrieval attack is underway, while hidden among the normal, good network traffic? Such knowledge is simply not possible without an IDS. In this section, we'll discuss the various types of IDS and some of the ways in which these devices function.

Types of IDS

There are several types of IDS that can be deployed to aid security administrators in their endeavors. Two types, network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS) are most prevalent in modern security deployments. There are other types of IDS, however, which include file integrity and log file checkers, and decoy devices known as honeypots. Additionally, there exist hybrid systems that combine some of the different functionalities mentioned earlier. We'll discuss each of these IDS in this section.

Network IDS

Network-based intrusion detection systems (NIDS) are devices intelligently distributed within networks that passively inspect traffic traversing the devices on which they sit. NIDS can be hardware or software-based systems and, depending on the manufacturer of the system, can attach to various network mediums such as Ethernet, FDDI, and others. Oftentimes, NIDS have two network interfaces. One is used for listening to network conversations in promiscuous mode and the other is used for control and reporting.

With the advent of switching, which isolates unicast conversations to ingress and egress switch ports, network infrastructure vendors have devised port-mirroring techniques to replicate all network traffic to the NIDS. There are other means of supplying traffic to the IDS such as network taps. Cisco uses Switched Port Analyzer (SPAN) functionality to facilitate this capability on their network devices and, in some network equipment, includes NIDS components directly within the switch. We'll discuss Cisco's IDS products in the next chapter.

While there are many NIDS vendors, all systems tend to function in one of two ways: NIDS are either signature-based or anomaly-based systems. Both are mechanisms that separate benign traffic from its malicious brethren. Potential issues with NIDS include high-speed network data overload, tuning difficulties, encryption, and signature development lag time. We'll cover how IDS work and the difficulties involved with them later in this section.
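The two detection approaches described in the overview and again here (signature matching against known exploit patterns versus comparison against a learned baseline) are easiest to understand side by side. The following Python example is added here for illustration and is not code from the book or from any IDS vendor; the connection records, the host addresses, and the two signature patterns are all constructed for the demonstration. It trains a simple per-host baseline (how many distinct destination ports each source normally touches), then runs both detectors over a second batch of records so you can see that each approach catches something the other misses.

```python
import re
import statistics

# Constructed "normal" traffic used to train the anomaly detector.
# Each record is one observed connection with a small decoded payload snippet.
BASELINE_EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "payload": ""},
    {"src": "10.0.0.6", "dst": "10.0.0.80", "dport": 80, "payload": "GET /about.html HTTP/1.1"},
    {"src": "10.0.0.7", "dst": "10.0.0.25", "dport": 25, "payload": "EHLO mail.example"},
    {"src": "10.0.0.7", "dst": "10.0.0.53", "dport": 53, "payload": ""},
    {"src": "10.0.0.8", "dst": "10.0.0.80", "dport": 80, "payload": "GET /news.html HTTP/1.1"},
]

# Constructed "live" traffic: ordinary browsing, one request carrying a known
# exploit pattern, and one host touching many ports with no payload at all.
LIVE_EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "payload": ""},
    {"src": "10.0.0.9", "dst": "10.0.0.80", "dport": 80,
     "payload": "GET /login.php?user=admin' or 1=1-- HTTP/1.1"},
] + [
    {"src": "192.168.1.50", "dst": "10.0.0.80", "dport": p, "payload": ""}
    for p in (21, 22, 23, 25, 80, 110, 143, 443)
]

# Illustrative signatures: hypothetical patterns, not any vendor's signature set.
SIGNATURES = [
    ("http-dir-traversal", re.compile(r"\.\./")),
    ("sql-injection-probe", re.compile(r"(?i)' or 1=1")),
]


def signature_alerts(events):
    """Signature-based detection: alert when a payload matches a known pattern."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES:
            if pattern.search(e["payload"]):
                alerts.append((e["src"], name))
    return alerts


def _ports_per_source(events):
    ports = {}
    for e in events:
        ports.setdefault(e["src"], set()).add(e["dport"])
    return ports


def build_baseline(events):
    """Learn what 'normal' looks like: mean and spread of distinct ports per source."""
    counts = [len(s) for s in _ports_per_source(events).values()]
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly-based detection: alert on sources far above the learned baseline.

    The standard deviation is floored at 1.0 so a perfectly flat baseline still
    leaves some headroom instead of flagging every tiny deviation.
    """
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    return [(src, len(ports)) for src, ports in _ports_per_source(events).items()
            if len(ports) > threshold]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    print("baseline (mean, stdev):", baseline)
    print("signature alerts:", signature_alerts(LIVE_EVENTS))
    print("anomaly alerts:", anomaly_alerts(LIVE_EVENTS, baseline))
```

The injected-looking request from 10.0.0.9 is only ever seen by the signature detector, because that host's connection pattern is perfectly ordinary; the port sweep from 192.168.1.50 is only ever seen by the anomaly detector, because an empty payload matches no signature. That complementarity, and the tuning knob `k` that trades false positives against missed events, is the practical reason the two approaches are so often deployed together.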

Host IDS

Host-based intrusion detection systems (HIDS) are systems that sit at service endpoints rather than at network transit points like NIDS. The first type of IDS to be widely implemented, host IDS is installed on servers and is more focused on analyzing the specific operating system and application functionality residing on the HIDS host. HIDS are often critical in detecting internal attacks directed towards an organization's servers such as DNS, mail, and web servers. HIDS can detect a variety of potential attack situations such as file permission changes and improperly formed client-server requests.