Intrusion-detection apps boost security

By Throop Wilder, Network World
January 13, 2003 12:03 AM ET
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
In their earliest versions, intrusion-detection systems focused extensively on post-event audit-trail analysis. Today, IDS applications monitor, detect and respond to unauthorized activities within networks in real time. IDS applications have emerged to strengthen security on the perimeter and to maximize the capabilities of already deployed network firewalls.

Most intrusion attacks fall into one of three major categories - reconnaissance (ping sweeps, port scans and indexing public Web servers to find Common Gateway Interface holes), exploits (using hidden features or bugs to gain network access) or denial-of-service attacks, through which an intruder tries to crash a system or overload a network.

IDSs attempt to stop these attacks by scanning network traffic for signatures (any pattern or sequence of patterns that constitutes a known security violation); for policy anomalies, such as variations in traffic or network protocol that can signal impending illegal activity; and for signs of unwarranted activity that could point to attacks from inside or outside the network.

Every user or device has a pattern of usage, one that is potentially unique. Any anomalies that cannot be resolved are considered potential attacks and are investigated. Once an attack signature is detected, several actions can be taken to stop or trace the attacker, as well as record the event and notify an administrator.

Network IDSs have three primary components: sensors, managers and consoles. Sensors are applications that are deployed throughout networks to monitor for suspicious behavior. Managers store signature data and alert data from the sensors and activity logs. Consoles are graphical user interfaces for managing individual sensors throughout networks.

Typically, sensors are deployed inside and outside firewalls. A sensor outside a firewall can watch for unsuccessful reconnaissance missions from unauthorized users, and if a hacker gets past the firewall, provide a complete audit trail of how the intrusion occurred, to prevent future unauthorized entries. Behind the firewall, sensors collect data that is fed from switched network segments.

As traffic flows through an IDS sensor, the sensor analyzes TCP packets to determine if the destination address (or other criteria) falls within the range for which it is responsible; if not, it ignores the packet and the corresponding sensor eventually picks it up. If it does fall within the range of responsibility, the sensor compares the packet against the manager's database of attack signatures. Many IDS applications now allow for stateful signature inspection, wherein a sensor can detect, identify and prevent more sophisticated attacks that take place over a series of packets, which individually seem innocuous. IDS managers also can store and dynamically develop baseline metrics for a network's typical operating profile throughout the day, week, month and year. Traffic patterns that don't adhere to the baselines represent potential intrusions.
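The sensor pipeline just described (range-of-responsibility filter, signature comparison, stateful inspection across a series of packets, and comparison against a traffic baseline) can be sketched in a few dozen lines. The following is an added illustration written for this primer, not code from the author or from any IDS product; the addresses, the signature patterns, the packet capture and the thresholds are all constructed, and a real sensor would read packets from a capture interface rather than from a list.

```python
"""Toy network IDS sensor illustrating the analysis steps described above:
filter packets by the sensor's range of responsibility, compare payloads
against a manager-supplied signature database, track stateful patterns that
span many packets (a port scan), and compare observed traffic volume against
a baseline. All addresses, signatures and packets are constructed examples."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Alert:
    kind: str        # "signature", "port-scan" or "volume"
    src: str
    detail: str


# Stands in for the manager's signature database (constructed patterns).
SIGNATURES = {
    "cgi-probe": b"/cgi-bin/phf",   # classic CGI reconnaissance request
    "nop-sled": b"\x90" * 8,        # fragment typical of exploit payloads
}


class Sensor:
    def __init__(self, responsible_net, baseline_pps, scan_threshold=10,
                 scan_window=5.0, volume_factor=3.0):
        self.net = ipaddress.ip_network(responsible_net)
        self.baseline_pps = baseline_pps      # learned "normal" packets/second
        self.scan_threshold = scan_threshold  # distinct ports before alerting
        self.scan_window = scan_window        # seconds of history kept per source
        self.volume_factor = volume_factor    # multiple of baseline that is anomalous
        self.port_history = defaultdict(list) # src -> [(ts, dport), ...]
        self.scan_alerted = set()
        self.alerts = []

    def in_range(self, pkt):
        """Responsibility check: only packets bound for our segment are inspected."""
        return ipaddress.ip_address(pkt.dst) in self.net

    def _signature_check(self, pkt):
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                self.alerts.append(Alert("signature", pkt.src, name))

    def _stateful_check(self, pkt):
        """Port-scan detection: each packet looks innocuous, the series does not."""
        hist = self.port_history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= self.scan_window]
        distinct = {p for _, p in hist}
        if len(distinct) >= self.scan_threshold and pkt.src not in self.scan_alerted:
            self.scan_alerted.add(pkt.src)
            self.alerts.append(Alert("port-scan", pkt.src,
                                     f"{len(distinct)} ports in {self.scan_window}s"))

    def _volume_check(self, handled):
        """Baseline comparison: packet rate far above the learned profile."""
        if len(handled) < 2:
            return
        span = handled[-1].ts - handled[0].ts or 1.0
        pps = len(handled) / span
        if pps > self.volume_factor * self.baseline_pps:
            self.alerts.append(Alert("volume", "*",
                                     f"{pps:.1f} pps vs baseline {self.baseline_pps}"))

    def process(self, packets):
        handled = []
        for pkt in packets:
            if not self.in_range(pkt):
                continue              # another sensor is responsible for this one
            handled.append(pkt)
            self._signature_check(pkt)
            self._stateful_check(pkt)
        self._volume_check(handled)
        return {"inspected": len(handled), "ignored": len(packets) - len(handled),
                "alerts": Counter(a.kind for a in self.alerts)}


def sample_traffic():
    """Constructed capture: a 12-port scan, one CGI probe, one out-of-range packet."""
    pkts = [Packet(i / 10, "203.0.113.5", "192.0.2.10", 20 + i) for i in range(12)]
    pkts.append(Packet(2.0, "203.0.113.7", "192.0.2.20", 80,
                       b"GET /cgi-bin/phf HTTP/1.0\r\n"))
    pkts.append(Packet(2.5, "203.0.113.9", "198.51.100.1", 22))
    return pkts


def run_demo():
    sensor = Sensor("192.0.2.0/24", baseline_pps=1.0)
    return sensor.process(sample_traffic())


if __name__ == "__main__":
    print(run_demo())
```

Running the demo inspects the 13 packets addressed to 192.0.2.0/24, ignores the one bound for another segment, and raises one alert of each kind: the signature match on the CGI probe, the port-scan alert once ten distinct ports are seen from one source within the window, and the volume alert because the burst runs well above the assumed one-packet-per-second baseline. The thresholds are where false positives are tuned in practice; the scan window and the volume factor should be set from the baseline the manager has learned for that segment, not hard-coded.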