The Intrusion Detection Systems available for network
administrators today are some amazing pieces of equipment able to
detect everything from a single pin-pointed attack to a well masked
distributed attack on your network. These vital parts of your
network provide the administrator with immediate notification of
issues or potential threats and if integrated with an Intrusion
Prevention System are able to repel attacks. The first part of the
process is making a positive identification of a potential threat.
Historically this is done based on signature files similar to
traditional virus scanners. As of this writing they are able to
analyze traffic patterns, sources of data, combined logs from outside
nodes, and other resources to detect threats. In general, they are
trying to check for any compromise of confidentiality, integrity, or
availability of resources.
There are a lot of different alerts that could act as triggers for
the Intrusion Detection System such as an excess of ping or traffic
patterns that are extremely abnormal. There is also the data source
of the requests to take into consideration. An easily detectable
source would be from a single node while a distributed attack may
take the intrusion detection system longer to detect.
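To make the two detection approaches above concrete (signature matching from the first paragraph, and the single-source versus distributed rate triggers from the second), here is an added toy detector. It is example code written for this page, not software from the original post; the flow records, the 10-second window, the thresholds, and the "CONSTRUCTED-BOT" user-agent signature are all constructed assumptions.

```python
"""Toy network IDS: signature matching plus windowed rate anomalies.

Added example, not part of the original post. All thresholds and the
sample traffic below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed signature list: (name, compiled byte pattern). A real IDS
# would load thousands of these from a rule file, much like AV definitions.
SIGNATURES = [
    ("constructed-bot-user-agent", re.compile(rb"User-Agent: CONSTRUCTED-BOT/")),
]


def build_sample_flows():
    """Return constructed records: (time_s, src_ip, dst_ip, proto, payload)."""
    flows = []
    # Normal background: one host pings the gateway once a second for 10 s.
    for t in range(10):
        flows.append((t, "10.0.0.20", "10.0.0.1", "icmp", b""))
    # Single-source flood: one host sends 120 ICMP packets within 10 s.
    for i in range(120):
        flows.append((i * 10 // 120, "10.0.0.5", "10.0.0.1", "icmp", b""))
    # Distributed flood: 30 hosts each send only 5 ICMP packets in the
    # 20-30 s window. No single source looks abnormal on its own.
    for h in range(30):
        for i in range(5):
            flows.append((20 + i, f"192.0.2.{h + 1}", "10.0.0.1", "icmp", b""))
    # One HTTP request carrying the constructed beacon string.
    flows.append((25, "10.0.0.7", "198.51.100.9", "tcp",
                  b"GET /chk HTTP/1.1\r\nUser-Agent: CONSTRUCTED-BOT/1.0\r\n"))
    return flows


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature detection: flag any flow whose payload matches a rule."""
    alerts = []
    for t, src, dst, proto, payload in flows:
        for name, pattern in signatures:
            if pattern.search(payload):
                alerts.append({"kind": "signature", "name": name,
                               "time": t, "src": src, "dst": dst})
    return alerts


def rate_alerts(flows, window_s=10, per_src_limit=50,
                per_dst_limit=100, min_sources=10):
    """Anomaly detection on ICMP volume per (time window, destination).

    A single source above per_src_limit is an easy catch. A distributed
    flood only shows up once packets from many sources are aggregated per
    destination, which is why it takes the IDS longer to notice.
    """
    counts = defaultdict(lambda: defaultdict(int))  # (win, dst) -> src -> n
    for t, src, dst, proto, _ in flows:
        if proto == "icmp":
            counts[(t // window_s, dst)][src] += 1

    alerts = []
    for (win, dst), per_src in sorted(counts.items()):
        for src, n in per_src.items():
            if n > per_src_limit:
                alerts.append({"kind": "single-source-flood", "window": win,
                               "dst": dst, "src": src, "count": n})
        total = sum(per_src.values())
        if total > per_dst_limit and len(per_src) >= min_sources:
            alerts.append({"kind": "distributed-flood", "window": win,
                           "dst": dst, "sources": len(per_src), "count": total})
    return alerts


def run_ids(flows):
    """Combine both detectors; a real system would route these to the admin."""
    return signature_alerts(flows) + rate_alerts(flows)


if __name__ == "__main__":
    for alert in run_ids(build_sample_flows()):
        print(alert)
```

Running it prints three alerts: the signature hit, the single-source flood in window 0, and the distributed flood in window 2. Note that the distributed case is invisible to the per-source check (5 packets each) and only appears in the per-destination aggregate, which is the lag the paragraph above describes.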
How can you use an Intrusion Detection System in your network?
It all boils down to available resources and money. Seriously,
money. Who has the money to put down on something that is just going
to sit there? Well now you do. Now is the time to let your boss
know the threats that are out there and business impact of those
threats. Ask someone in finance if they are able to give you a
ballpark figure of how much money would be lost if the company was
unable to perform their work for one hour. If you work for a medium
to large size business then the number they give you may surprise
you. Historically companies have been down for many hours at a time
waiting for an attacker to finish getting their kicks or for
anti-virus companies to update definitions to get rid of a botnet.
To me, the few thousand dollars for an Intrusion Detection System is
cheap insurance for keeping the company running.
Up until now I have not been specific on a network intrusion
detection system or a host intrusion detection system. Well, that is
because what I talked about was kind of generic. To close out here I
would like to bring up the network side of things. Granted, there is
a lot of encrypted traffic on the network, but a network IDS is still
able to analyze traffic patterns that may be problematic for your network.
There is a huge amount of data that needs to be processed on a
network and so the system requirements for such a device cannot be
something like an old school 486. Don't know what that is? Ok, not
even a Pentium (ya the original) would work out for you unless you
had very little traffic to check. An interesting part about network
detection is that it doesn't have to sit inline with any of your
network, so an attacker would have no clue that it even exists. It
can be on a mirrored port of your switch.
-- Joe McShinsky
Monday, March 12, 2012