Having an intrusion detection system (IDS) on your computer or network is like having surveillance cameras or a motion sensor alarm in your home. You hope that the locks on your doors and windows will keep unauthorized intruders out, but should that fail, you want some means of monitoring the intrusion or alerting you that it has occurred. Similarly, you expect that your firewall will keep malicious traffic out of your network, but should something slip past the firewall, your IDS can monitor and alert you.
And that really is all an IDS does: monitor and alert. If your home also had some sort of automated lockdown mechanism to trap the intruder inside until the authorities could arrive, or if you had armed guards who responded immediately to stop the intrusion, it would be more like an IPS.
An IDS can be network based (NIDS, or network-based intrusion detection system) or installed on individual computers (HIDS, or host-based intrusion detection system), much as a firewall can be a network device or a personal firewall on one machine. A NIDS examines the actual packets traveling the network in real time and looks for suspicious activity. A HIDS examines log files such as the Windows Event Logs (System, Application, and Security) and looks for entries that suggest suspicious activity.
A NIDS has the advantage of detecting attacks in real time. It can also detect an attack even when it is unsuccessful, so that you are aware the attempt occurred, and it can detect some types of attacks that a HIDS would miss because they can be identified only by inspecting packet headers.
Because a HIDS relies on checking the logs on the host system to identify attacks, it validates that an attack was actually successful. It can also detect attacks that never travel the network, such as an attacker sitting at the keyboard of the host itself. A HIDS can also detect attempts to access files or change file permissions, or changes to key system files, that a NIDS would not detect.
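The last point in the paragraph above, detecting changes to key system files and their permissions, is the classic file-integrity job of a HIDS. The following is an added example, not code from the book or from any HIDS product: it hashes every file under a directory, keeps that snapshot as a baseline, and reports what changed on the next scan. The "system" directory, its files and the tampering are all constructed inside a temporary folder so the script runs anywhere.

```python
# Added example (not from the original text): a small file-integrity check of
# the kind a HIDS runs over key system files. The directory tree, file
# contents and the changes made to them are constructed for illustration.
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for every file under root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(full).st_mode)
            state[os.path.relpath(full, root)] = (digest, mode)
    return state


def compare(baseline, current):
    """Classify the differences between two snapshots: added, removed, modified, permissions."""
    report = {"added": [], "removed": [], "modified": [], "permissions": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                report["modified"].append(path)
            if old_mode != new_mode:
                report["permissions"].append(path)
    return report


def demo():
    """Build a constructed 'system' tree, baseline it, change it, and rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        # Constructed file contents standing in for real system files.
        files = {
            "etc/hosts": b"127.0.0.1 localhost\n",
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "bin/tool": b"#!/bin/sh\necho ok\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, 0o644)
        baseline = snapshot(root)

        # Four constructed changes, one per category the report tracks.
        with open(os.path.join(root, "etc", "hosts"), "ab") as fh:
            fh.write(b"203.0.113.9 update-server\n")          # content modified
        os.chmod(os.path.join(root, "bin", "tool"), 0o666)     # now world-writable
        with open(os.path.join(root, "etc", "startup.local"), "wb") as fh:
            fh.write(b"# constructed new file\n")              # file added
        os.remove(os.path.join(root, "etc", "passwd"))         # file removed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A real deployment would store the baseline somewhere the monitored host cannot silently rewrite it, and would run the scan on a schedule; the comparison logic itself does not change.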
Neither is necessarily better than the other, and the two can be used together so that attacks one type would miss are caught by the other. Regardless of which you choose, intrusion detection techniques generally fall into one of two categories, or a hybrid of both.
Signature-based detection works much the way most antivirus software does. It attempts to identify suspicious activity by comparing packet headers and other information with a database of known signatures of exploits, attacks, and malicious code.
The downfall of this method is the same as with antivirus software: it is reactive. Until a new attack exists, there is no way to develop a signature for it. In essence, someone must get attacked first before the IDS vendors or support groups can develop a signature. Moreover, the time lag between the release of an attack or exploit and your receiving a signature you can deploy on your IDS is a window during which you have no protection against that threat.
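To make the mechanism and its limitation concrete, here is an added example that is not code from the book and not Snort's rule engine: a minimal signature matcher that checks each packet's protocol, destination port and payload against a small rule list. The packets and the two signatures are constructed for illustration (the signature IDs and pattern names are made up), and the last sample packet stands in for an attack that has no signature yet, which is exactly the gap the paragraph describes.

```python
# Added example (not from the original text): a minimal signature-based
# detector over constructed packet records. The signatures are hypothetical
# and are not Snort rules.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int              # signature id (constructed numbering)
    name: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    pattern: bytes        # regular expression applied to the payload


# Constructed signature database: a long-known traversal pattern and a
# made-up scanner User-Agent string.
SIGNATURES = [
    Signature(1000001, "HTTP directory traversal attempt", "tcp", 80, rb"\.\./\.\./"),
    Signature(1000002, "Known scanner User-Agent", "tcp", None, rb"User-Agent: ExampleScanner/"),
]


def match_signatures(pkt: Packet, signatures=SIGNATURES) -> List[Signature]:
    """Return every signature whose protocol, port and payload pattern all match."""
    hits = []
    for sig in signatures:
        if sig.proto != pkt.proto:
            continue
        if sig.dport is not None and sig.dport != pkt.dport:
            continue
        if re.search(sig.pattern, pkt.payload):
            hits.append(sig)
    return hits


def scan(packets, signatures=SIGNATURES):
    """Turn matching packets into alert records; packets with no match produce nothing."""
    alerts = []
    for pkt in packets:
        for sig in match_signatures(pkt, signatures):
            alerts.append({"sid": sig.sid, "name": sig.name,
                           "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
    return alerts


# Constructed traffic sample. The last packet represents an attack the
# signature database does not know yet: the detector is blind to it.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 80,
           b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 8080,
           b"GET / HTTP/1.1\r\nUser-Agent: ExampleScanner/2.1\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 80,
           b"GET /not-yet-signatured HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(f"[sid {alert['sid']}] {alert['name']}: "
              f"{alert['src']} -> {alert['dst']}:{alert['dport']}")
```

Running it produces two alerts and silently passes the fourth packet; adding a third signature is the only way to catch it, which is why signature updates are an operational chore rather than a one-time setup.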
Anomaly-based detection compares network packets and behavior with a known baseline and looks for patterns or actions that are abnormal. For example, if a certain computer typically does not use FTP but suddenly tries to initiate an FTP connection with a server, the IDS would detect this as an anomaly and alert you. The downside to anomaly detection is that it can require a lot of intensive "handholding" to define what normal traffic is for your network and to establish the baseline. During this initial learning period, you might get a lot of false-positive alerts or potentially miss malicious activity.
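The FTP example and the baseline problem above can both be shown with a few lines of code. This is an added example, not from the book or from any IDS product: a per-host baseline of destination ports is learned from a constructed connection log, then new connections are checked against it. The host names, services and days are all constructed. The `scope` switch goes a little beyond the text to show one of the "handholding" decisions: whether each host is compared with its own history or with what the whole network does.

```python
# Added example (not from the original text): learn a per-host baseline of
# destination ports from a constructed connection log and flag departures
# from it. Hosts, services and ports are constructed for illustration.
from collections import defaultdict

# Constructed records: (day, source_host, destination, destination_port)
TRAINING_LOG = [
    (1, "ws-01", "web", 80), (1, "ws-01", "mail", 25), (1, "ws-02", "web", 80),
    (2, "ws-01", "web", 443), (2, "ws-02", "files", 445), (2, "ws-01", "mail", 25),
    (3, "ws-01", "web", 80), (3, "ws-02", "web", 80), (3, "ws-02", "files", 445),
]

LIVE_LOG = [
    (4, "ws-01", "web", 80),
    (4, "ws-01", "ftp-srv", 21),   # ws-01 has never initiated FTP: the anomaly from the text
    (4, "ws-02", "files", 445),
    (4, "ws-02", "web", 443),      # new for ws-02, although ws-01 uses HTTPS routinely
]


def learn_baseline(records, through_day):
    """Map each source host to the destination ports it used up to and including through_day."""
    per_host = defaultdict(set)
    for day, src, _, dport in records:
        if day <= through_day:
            per_host[src].add(dport)
    return dict(per_host)


def detect_anomalies(records, baseline, scope="host"):
    """Flag connections to ports outside the baseline.

    scope="host" compares each host with its own history (more sensitive,
    more false positives); scope="network" compares with every port any
    host has used (fewer alerts, but a host doing something new for it is missed).
    """
    network_wide = set().union(*baseline.values()) if baseline else set()
    alerts = []
    for day, src, dst, dport in records:
        known = baseline.get(src, set()) if scope == "host" else network_wide
        if dport not in known:
            alerts.append({"day": day, "src": src, "dst": dst, "dport": dport,
                           "reason": f"port {dport} not in {scope} baseline for {src}"})
    return alerts


if __name__ == "__main__":
    mature = learn_baseline(TRAINING_LOG, through_day=3)
    premature = learn_baseline(TRAINING_LOG, through_day=1)
    print("mature baseline, host scope:", detect_anomalies(LIVE_LOG, mature))
    print("mature baseline, network scope:", detect_anomalies(LIVE_LOG, mature, scope="network"))
    # A baseline cut off after one day also flags ws-02's routine file-server
    # traffic on port 445: the false positive the text warns about.
    print("one-day baseline, host scope:", detect_anomalies(LIVE_LOG, premature))
```

With three days of history the host-scoped check raises two alerts (the FTP attempt and ws-02's first HTTPS use), the network-scoped check raises only the FTP one, and a baseline cut off after a single day raises three, one of them for traffic that is perfectly normal.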
Both detection techniques have their pros and cons, but regardless of how suspicious or malicious activity is detected, the job of the IDS is to alert you. This might be done by a console message that pops up on your screen via the Windows Messenger Service, or the IDS might send an e-mail or, in some cases, even an alert to a pager. It is up to you to configure how you will be alerted. More important, however, it is up to you to respond to the alert. Having an IDS that detects and alerts you to suspected malicious activity is worthless if you don't have a well-defined incident response plan to address the issue.
One of the best and most popular IDS programs is Snort. Snort is an open-source network intrusion detection system (NIDS) that is available for free. Because of its popularity and the fact that it is an open-source program, there are a number of support forums and mailing lists you can reference to learn about the program or to acquire updated signatures for new threats. Snort analyzes network packets and can detect a wide range of known attacks and malicious activity.
A newer technology exists that will handle that initial response for you. An IPS is somewhat like a hybrid between an IDS and a firewall, or it may work in conjunction with your existing firewall. The primary difference between an IDS and an IPS is that an IPS will do something to respond and attempt to stop the intrusion, whereas the IDS will simply let you know it's going on.
An IPS monitors the network the same way an IDS does and still uses the same signature and/or anomaly pattern-matching techniques to identify potentially malicious activity. However, when an IPS detects suspected malicious traffic, it can alter or create firewall rules to block all traffic on the target port, block all incoming traffic from the source IP address, or take any number of custom responses you configure.
Typically, the IPS will be configured not only to take some immediate action to prevent any further malicious activity but also to alert you like an IDS. Even if your IPS has managed to block the offending traffic, you still need to be made aware of the attack or attempted attack and you might need to respond with a more thorough or long-term solution than the quick-fix measures put in place by the IPS.
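The two paragraphs above describe the response loop: detect, block, and still alert. Here is an added example of that loop, not code from the book or from any IPS product. A small responder takes detector alerts, records every one of them, and adds a temporary firewall block unless the source is on a never-block list (to avoid blocking your own monitoring host). Rules expire so that the block is the quick fix the text describes rather than a permanent decision. The alerts, addresses, signature IDs and block duration are constructed, and the `iptables` lines are rendered as text for review rather than executed.

```python
# Added example (not from the original text): an IPS-style responder that
# turns alerts into expiring firewall blocks while keeping an alert trail.
# Addresses, signature ids and the never-block list are constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    dport: int


@dataclass
class BlockRule:
    src: str
    dport: Optional[int]   # None: drop all traffic from src; otherwise only that port
    expires_at: float


@dataclass
class Responder:
    block_seconds: float = 600.0
    never_block: frozenset = frozenset()     # e.g. the monitoring host: alert only, never block
    port_only_sids: frozenset = frozenset()  # alerts answered by blocking just the target port
    rules: List[BlockRule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def active_rules(self, now):
        """Drop expired rules and return the ones still in force."""
        self.rules = [r for r in self.rules if r.expires_at > now]
        return list(self.rules)

    def handle(self, alert, now):
        """Always record the alert; add or refresh a block rule unless the source is exempt."""
        self.log.append(f"t={now:.0f} sid={alert.sid} {alert.name} "
                        f"from {alert.src} to port {alert.dport}")
        if alert.src in self.never_block:
            self.log.append(f"t={now:.0f} not blocking {alert.src}: on the never-block list")
            return None
        dport = alert.dport if alert.sid in self.port_only_sids else None
        for rule in self.active_rules(now):
            if rule.src == alert.src and rule.dport in (None, dport):
                rule.expires_at = now + self.block_seconds   # refresh instead of duplicating
                return rule
        rule = BlockRule(alert.src, dport, now + self.block_seconds)
        self.rules.append(rule)
        return rule

    def render_iptables(self, now):
        """Render the active rules as iptables commands for review (not executed here)."""
        lines = []
        for r in self.active_rules(now):
            port = f" -p tcp --dport {r.dport}" if r.dport is not None else ""
            lines.append(f"iptables -I INPUT -s {r.src}{port} -j DROP")
        return lines


if __name__ == "__main__":
    ips = Responder(block_seconds=60, never_block=frozenset({"10.0.0.2"}),
                    port_only_sids=frozenset({1000002}))
    ips.handle(Alert(1000001, "HTTP directory traversal attempt", "203.0.113.9", 80), now=0)
    ips.handle(Alert(1000002, "Known scanner User-Agent", "10.0.0.2", 8080), now=20)
    print("\n".join(ips.log))
    print("\n".join(ips.render_iptables(now=20)))
```

The never-block list and the expiry are the two knobs that keep an automated response from becoming an outage: an attacker who can trigger alerts with a spoofed or shared source address would otherwise be able to make the IPS block whatever it is told to.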
Sometimes the line between firewall, intrusion detection, and intrusion prevention gets blurred as applications and devices come out that try to provide all-in-one protection. Small business networks might benefit from implementing intrusion detection or prevention, but for a home network, intrusion detection and prevention are probably more security than you need. However, a router-based firewall and personal firewall application are highly recommended to protect the perimeter of your network and ensure the maximum security for your computer.