May 4, 2008

Network Intrusion Detection

Your network should have some network intrusion detection system. With that said, the method of detecting intrusions, how to monitor, and how to interpret the data is a complex subject.

Intrusion Detection Types

  • Network - Used to protect the network or a large part of it. It listens to all available network packets and tries to find any intrusion pattern based on the information in the packets. Where this type of IDS is placed on the network is important, since it cannot analyze packets on the far side of routers, bridges, or switches.
  • System - Used to protect a specific host such as a webserver. This kind of intrusion detection system can be especially effective when a server is in an area off the firewall such that it is neither on the internet nor on the internal network (known as a demilitarized zone, or DMZ). These kinds of intrusion detection systems can usually only protect one service well.

Intrusion Detection Requirements

The intrusion detection requirements mentioned in this section are generally for network intrusion detection systems rather than system intrusion detection systems. The requirements mentioned here are general and will depend on the size of your network, the traffic load on your network, and the type of intrusion detection software you install. Read the manufacturer's instructions for specific recommendations.

Intrusion detection systems typically consist of two parts: an engine and a control console. These two parts are usually on separate computers. The console is used to control and change the behavior of the intrusion detection engine. The engine analyzes the network traffic and takes appropriate action if an intrusion is detected.

Since network intrusion detection systems must process a lot of network data in a short time, these systems require a good deal of processing power. They also require a lot of RAM for high performance, and may require a lot of hard drive space to store log information.

Intrusion Detection Features

  • Attack patterns are saved in a database.
  • Data packet reassembly - Some IDSs reassemble fragmented IP packets the same way the receiving system would; most do not. Without reassembling the packets as the receiver does, some attacks may go unnoticed.
  • Checksum verification - A good IDS will verify packet checksums to be sure the packet has not been corrupted or tampered with.
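The two features above are easy to see in code. The following is an added example written for this page, not code from the original post or from any IDS product: it verifies the IPv4 header checksum the way an engine must before trusting a header, and reassembles fragments the way a receiving host does (ordered by fragment offset, contiguous, ending with a fragment whose More Fragments flag is clear). All packets are constructed inline with made-up addresses; the function names and the strict "drop on any gap" reassembly policy are this example's own choices.

```python
"""Added example: IPv4 header checksum verification and fragment reassembly
as an IDS engine would need them. Packets below are constructed, not captured."""
import struct

# Constructed, non-routable-looking sample addresses (assumption for the demo).
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of the
    16-bit words of the header, with the checksum field (bytes 10-11) zeroed."""
    header = header[:10] + b"\x00\x00" + header[12:]
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ident, frag_off, more_frags, payload, proto=17):
    """Build a minimal 20-byte IPv4 header plus payload with a valid checksum.
    frag_off is in bytes and must be a multiple of 8, as on the wire."""
    total_len = 20 + len(payload)
    flags_frag = ((1 if more_frags else 0) << 13) | (frag_off // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                         flags_frag, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def verify_checksum(packet: bytes) -> bool:
    """True if the stored header checksum matches the header bytes."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    return ipv4_checksum(header) == stored


def reassemble(fragments):
    """Reassemble fragments as a receiving host does: drop fragments with a
    bad header checksum, order the rest by offset, require the data to be
    contiguous with no gaps or overlaps, and require a final fragment (MF=0).
    Returns the reassembled payload, or None if the datagram is incomplete."""
    pieces = []
    for pkt in fragments:
        if not verify_checksum(pkt):
            continue                        # corrupted header: host drops it
        ihl = (pkt[0] & 0x0F) * 4
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        more = bool(flags_frag & 0x2000)    # More Fragments flag
        offset = (flags_frag & 0x1FFF) * 8  # offset is in 8-byte units
        pieces.append((offset, more, pkt[ihl:]))
    pieces.sort(key=lambda p: p[0])
    data, expected, saw_last = b"", 0, False
    for offset, more, chunk in pieces:
        if offset != expected:              # gap or overlap: refuse to guess
            return None
        data += chunk
        expected += len(chunk)
        if not more:
            saw_last = True
    return data if saw_last else None


def demo():
    """Run the two checks on constructed packets and return the results."""
    good = build_ipv4(SRC, DST, 1, 0, False, b"hello")
    tampered = good[:8] + bytes([1]) + good[9:]   # TTL changed, checksum not
    frag1 = build_ipv4(SRC, DST, 2, 0, True, b"A" * 16)
    frag2 = build_ipv4(SRC, DST, 2, 16, False, b"B" * 5)
    return {
        "good_ok": verify_checksum(good),
        "tampered_ok": verify_checksum(tampered),
        "reassembled": reassemble([frag2, frag1]),
        "incomplete": reassemble([frag1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A real engine would keep per-(source, destination, id, protocol) reassembly state with a timeout, but the point the list makes is visible here: a packet whose header was altered after the checksum was computed fails `verify_checksum`, and a fragment set is only judged as a whole once it has been put back together in the order the receiver will use.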

Intrusion Detection Actions

  • Log intrusion information or save raw packets.
  • Send an alert to an administrator using email or another method.
  • Interfere with the attack. There are several actions that may be taken:
    • Session disruption - The IDS can send ACK-FIN packets to both ends of a connection (by IP spoofing each computer) to close a session. This may be done if a hacker appears to be gaining unauthorized access.
    • Modify the firewall or router behavior during an attack.
