Monday, March 12, 2012

Security+ Topic - IDS

The Intrusion Detection Systems available for network administrators today are some amazing pieces of equipment able to detect everything from a single pin-pointed attack to a well masked distributed attack on your network. These vital parts of your network provide the administrator with immediate notification of issues or potential threats and if integrated with an Intrusion Prevention System are able to repel attacks. The first part of the process is making a positive identification of a potential threat. Historically this is done based off of signature files similar to traditional virus scanners. As of this writing they are able to analyze traffic patters, sources of data, combined logs from outside nodes, and other resources to detect threats. In general, they are trying to check for any compromise of confidentiality, integrity, or availability of resources.


There are a lot of different alerts that could act as triggers for the Intrusion Detection System such as an excess of ping or traffic patterns that are extremely abnormal. There is also the data source of the requests to take into consideration. An easily detectable source would be from a single node while a distributed attack may take the intrusion detection system longer to detect.


How can you use an Intrusion Detection System in your network?


It all boils down to available resources and money. Seriously, money. Who has the money to put down on something that is just going to sit there? Well now you do. Now is the time to let your boss know the threats that are out there and business impact of those threats. Ask someone in finance if they are able to give you a ballpark figure of how much money would be lost if the company was unable to perform their work for one hour. If you work for a medium to large size business then the number they give you may surprise you. Historically companies have been down for many hours at a time waiting for an attacker to finish getting their kicks or for anti-virus companies to update definitions to get rid of a botnet. To me, the few thousand dollars for an Intrusion Detection System is cheap insurance for keeping the company running.


Up until now I have not been specific on a network intrusion detection system or a host intrusion detection system. Well, that is because what I talked about was kind of generic. To close out here I would like to bring up the network side of things. Granted there is a lot of encrypted traffic on the network, they are still able to analyze traffic patterns that may be problematic for your network. There is a huge amount of data that needs to be processed on a network and so the system requirements for such a device cannot be something like an old school 486. Don't know what that is? Ok, not even a Pentium (ya the original) would work out for you unless you had very little traffic to check. An interesting part about the network detection is that it doesn't have to be in line with any of your network and so an attacker would have no clue that it even exists. It can be on a mirrored port of your switch.

-- Joe McShinsky