IDS Groundwork

In a nutshell, IDSs detect attacks against a given set of computer assets, from a single desktop PC to a major corporate enterprise network. IPSs are essentially the same thing (often, an IPS is simply an IDS configured differently), with the key difference that, whenever it detects an attack in progress, an IPS blocks the activity identified as malicious. In both cases, attacks are detected by looking for a predetermined set of criteria that is not present during normal daily use. IDS solutions maintain their flexibility against ongoing security threats by having a framework that enables these criteria to be updated over time without modifying the core underlying software package. This is similar to the way that an antivirus product downloads new definitions to detect new threats without touching the scanning engine.

At their highest level, IDSs break into two primary categories: host-based and network-based. As their names imply, these categories are delineated based on the IDS’ location, with host-based IDS solutions being installed directly on the hosts they are designed to protect, and network-based IDSs running as independent systems at critical network junctures (typically points of ingress/egress, such as immediately behind a firewall). Because the relative merits of the two system types have been exhaustively discussed elsewhere, this book does not revive that debate; it simply focuses on network IDSs.

Historically, IDSs were labeled either signature-based or anomaly-based, both of which are detailed later in this chapter. However, the natural evolution of this defensive strategy has produced other niche IDSs, among them behavioral IDS and statistical IDS. Behavioral deployments generate a baseline of known network traffic from data flows and alert when deviations occur; they are specifically addressed in Chapter 6, “Network Flows and Anomaly Detection.” Statistical deployments are a specialized case that uses IP- and port-level header information to correlate malicious intentions. Chapter 10, “Geospatial Intrusion Detection,” addresses a particular methodology of statistical IDS.

Among network IDS systems, the distinction between IDS and IPS is one of the more crucial ones, even if many existing products can be run in either mode by simply tweaking configuration options. As recently as four years ago, the debate still raged among the network security community about whether an IPS should ever be deployed on a production network, because of its potential to cause major disruptions to end users. Any time that legitimate activity is incorrectly flagged as malicious (commonly referred to as false positives), it is blocked. Unfortunately, that activity is effectively shut down until a network administrator identifies the problem and updates the IPS’ configuration. In some environments, this process can take days or weeks. Conversely, many people in the industry—particularly security-sensitive end users, such as defense contractors and law enforcement—felt that detecting an attack after the damage was done had little value, and that it was worth dealing with occasional service interruptions to ensure that no malicious traffic made its way into the networks. Although that debate has been resolved in favor of giving individual security engineers/architects the choice of which methodology to use, the question of whether to block suspicious network traffic or simply flag it for analysis is one that network security analysts still face today.
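The following is an added example, not code from the book, that ties together two points made above: detection criteria held as data separate from the matching engine (so they can be swapped like antivirus definitions), and the same engine run in IDS or IPS mode, where a legitimate request that trips an over-broad rule is merely alerted on in IDS mode but blocked in IPS mode until the ruleset is tuned. Rule identifiers, patterns, and the sample requests are all constructed for the example.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    sid: int
    msg: str
    pattern: re.Pattern

class Verdict(NamedTuple):
    allowed: bool
    alerts: list

# Detection criteria live in data, not in the engine, so they can be updated
# the way antivirus definitions are, without touching the matching code.
RULESET_V1 = [
    Rule(1001, "SQL injection attempt", re.compile(r"(?i)union\s+select")),
    Rule(1002, "Windows shell reference", re.compile(r"(?i)cmd\.exe")),
]
# Tuned ruleset: 1002 now fires only on cmd.exe inside a query-string value.
RULESET_V2 = [
    RULESET_V1[0],
    Rule(1002, "Windows shell in query string",
         re.compile(r"(?i)[?&]\w+=[^&\s]*cmd\.exe")),
]

class SensorEngine:
    """Same detection logic in both modes; only the action on a match differs."""
    def __init__(self, rules, mode="ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.rules, self.mode = list(rules), mode

    def inspect(self, payload: str) -> Verdict:
        alerts = [f"[{r.sid}] {r.msg}" for r in self.rules if r.pattern.search(payload)]
        blocked = self.mode == "ips" and bool(alerts)   # IDS alerts, IPS also drops
        return Verdict(allowed=not blocked, alerts=alerts)

# Constructed sample requests (not captured traffic). The third is legitimate
# but matches rule 1002 in RULESET_V1: a false positive.
SAMPLE_TRAFFIC = [
    "GET /search?q=shoes HTTP/1.1",
    "GET /item?id=1 UNION SELECT password FROM users HTTP/1.1",
    "GET /kb/why-cmd.exe-is-not-malware HTTP/1.1",
]

def run(mode, rules=RULESET_V1):
    """Inspect every sample request with the given ruleset and mode."""
    engine = SensorEngine(rules, mode)
    return [engine.inspect(p) for p in SAMPLE_TRAFFIC]
```

Comparing `run("ips")` with `run("ips", RULESET_V2)` shows the knowledge-base article being blocked until the rule is tightened, while the injection attempt is blocked under both rulesets.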
