By Michael Cooney, Senior Editor

Detecting intruders

Opinion
Jan 15, 2003, 2 mins
Intrusion Detection Software, Network Security, Security

* The three primary components of network intrusion detection systems

Intrusion detection systems have come a long way from just reacting to network anomalies after they happen. More sophisticated systems now report problems as they happen and can in some cases predict occurrences.

This week’s Technology Update author (throop@crossbeamsystems.com) takes a look at how IDSes work to monitor, detect and respond to unauthorized network activity.

Our author says network IDSes have three primary components: sensors, managers and consoles. Sensors are applications that are deployed throughout networks and monitor specific network segments for suspicious behavior. Managers store signature data and alert data from the sensors and activity logs. Consoles are graphical user interfaces for managing individual sensors throughout networks.

Typically, sensors are deployed inside and outside firewalls: a sensor outside a firewall can watch for unsuccessful “reconnaissance missions” from unauthorized users and then, if a hacker gets past the firewall, provide a complete audit trail of how the intrusion occurred, to prevent future unauthorized entries. At the network interior, sensors collect data that is fed directly from switched network segments, the author states.

Finally, as traffic flows through an IDS sensor, the sensor first analyzes TCP packets to determine whether the destination address (or other criteria) falls within the range for which it is responsible; if not, it ignores the packet, and the sensor responsible for that range eventually picks it up. If the packet does fall within its range of responsibility, the sensor compares it against the manager’s database of attack signatures.
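The sensor-to-manager flow described above, as an added example that is not part of the original column: a toy sensor first checks whether a packet's destination falls in its range of responsibility, ignores it otherwise, and only then compares the payload against the signature database held by the manager, which also records the resulting alerts. The address ranges, signatures and packets are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass
class Manager:
    """Holds the attack-signature database and the alerts sensors report."""
    signatures: dict = field(default_factory=dict)   # name -> byte pattern
    alerts: list = field(default_factory=list)       # (sensor, signature, src, dst)
    def record_alert(self, sensor_id, sig_name, pkt):
        self.alerts.append((sensor_id, sig_name, pkt.src, pkt.dst))

class Sensor:
    def __init__(self, sensor_id, responsible_for, manager):
        self.sensor_id = sensor_id
        self.range = ipaddress.ip_network(responsible_for)  # segment this sensor owns
        self.manager = manager

    def in_range(self, pkt):
        return ipaddress.ip_address(pkt.dst) in self.range

    def inspect(self, pkt):
        """Return the matched signature name, or None if ignored or clean."""
        if not self.in_range(pkt):
            return None                      # another sensor owns this segment
        for name, pattern in self.manager.signatures.items():
            if pattern in pkt.payload:       # signature match -> report to manager
                self.manager.record_alert(self.sensor_id, name, pkt)
                return name
        return None

def run_demo():
    """Constructed deployment: one sensor outside the firewall, one inside."""
    mgr = Manager(signatures={"dir-traversal": b"../../", "cgi-probe": b"/cgi-bin/test-cgi"})
    sensors = [Sensor("outside", "203.0.113.0/24", mgr), Sensor("inside", "10.0.0.0/8", mgr)]
    traffic = [  # constructed sample packets, not captured data
        Packet("198.51.100.7", "203.0.113.5", b"GET /../../secret HTTP/1.0"),
        Packet("10.1.1.1", "10.1.2.3", b"GET /index.html HTTP/1.0"),
        Packet("10.1.1.9", "10.1.2.3", b"GET /cgi-bin/test-cgi HTTP/1.0"),
    ]
    for pkt in traffic:          # every sensor sees every packet, but each only
        for s in sensors:        # inspects the ones destined for its own range
            s.inspect(pkt)
    return mgr.alerts
```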

It’s important to keep attack signature databases and any other tracking applications up to date.