Network Intrusion Detection

Your network should have some form of network intrusion detection system. That said, how intrusions are detected, how the network is monitored, and how the resulting data is interpreted are complex subjects.

Intrusion Detection Types

  • Network - Used to protect the network or a large part of it. It listens to all available network packets and tries to find any intrusion pattern based on the information in the packets. Where this type of IDS is placed on the network is important, since it cannot analyze packets on the far side of routers, bridges, or switches.
  • System - Used to protect a specific host such as a web server. This kind of intrusion detection system can be especially effective when a server sits in an area off the firewall that is neither on the internet nor on the internal network (known as a demilitarized zone, or DMZ). These kinds of intrusion detection systems can usually only protect one service well.

Intrusion Detection Requirements

The intrusion detection requirements in this section are generally for network intrusion detection systems rather than system intrusion detection systems. They are general and will depend on the size of your network, the traffic load on it, and the type of intrusion detection software you install. Read the manufacturer's instructions for specific recommendations.

Intrusion detection systems typically consist of two parts: an engine and a control console, usually on separate computers. The console is used to control and change the behavior of the intrusion detection engine; the engine analyzes the network traffic and takes appropriate action if an intrusion is detected.

Since network intrusion detection systems must process a lot of network data in a short time, they require a good deal of processing power. They also need plenty of RAM for high performance and may need substantial hard drive space to store log information.

Intrusion Detection Features

  • Attack patterns are saved in a database.
  • Data packet reassembly - Some IDSs reassemble IP packets the same way the receiving system would; most do not. Without reassembling packets as the receiver does, some attacks may go unnoticed.
  • Checksum verification - A good IDS will verify packet checksums to be sure the packet has not been tampered with.
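As an added example (not code from the original page), the following Python sketch shows why the reassembly and checksum features above matter: a receiver-faithful matcher reassembles fragments and skips packets whose IP header checksum is invalid, while a naive per-packet matcher both misses a signature split across fragments and alerts on a packet the destination host would have discarded. The packet builder, the signature, and the traffic are all constructed for the demo and are not real captures.

```python
import struct
from collections import defaultdict
SIGNATURES = {"shell-probe": b"/bin/sh"}   # constructed stand-in for the IDS attack-pattern database

def ip_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(ident, offset, more, payload, corrupt=False):
    """Minimal 20-byte IPv4 header + payload (constructed traffic 10.0.0.1 -> 10.0.0.2, not a capture)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)          # MF flag, offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, 6, 0, b"\x0a\0\0\x01", b"\x0a\0\0\x02")
    csum = (ip_checksum(hdr) + (1 if corrupt else 0)) & 0xFFFF    # corrupt=True yields an invalid checksum
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Return (ident, fragment offset in bytes, more-fragments flag, payload, checksum_ok)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    ok = ip_checksum(pkt[:ihl]) == 0                              # a header with a valid checksum sums to zero
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:], ok

def detect_per_packet(packets):
    """Naive matcher: inspects each packet alone, so a signature split across fragments is missed."""
    return [(name, parse_ipv4(p)[0]) for p in packets for name, sig in SIGNATURES.items() if sig in parse_ipv4(p)[3]]

def detect(packets):
    """Receiver-faithful matcher: drop bad-checksum packets, reassemble fragments in offset order, then match."""
    pending, alerts = defaultdict(dict), []
    for pkt in packets:
        ident, offset, more, payload, ok = parse_ipv4(pkt)
        if not ok:                        # the destination host discards it; matching it would only add noise
            alerts.append(("bad-checksum", ident))
            continue
        frags = pending[ident]
        frags[offset] = (payload, more)
        # Complete once the MF=0 fragment is in and the pieces add up to its end (assumes no overlapping fragments).
        last = [o + len(p) for o, (p, m) in frags.items() if not m]
        if last and sum(len(p) for p, _ in frags.values()) == last[0]:
            data = b"".join(frags[o][0] for o in sorted(frags))
            alerts += [(name, ident) for name, sig in SIGNATURES.items() if sig in data]
            del pending[ident]
    return alerts

# Constructed sample: datagram 7 carries "/bin/sh" split across two out-of-order fragments; packet 9 carries it whole but with a bad checksum.
PACKETS = [build_ipv4(7, 16, False, b"sh now\n"), build_ipv4(7, 0, True, b"exec data: /bin/"),
           build_ipv4(9, 0, False, b"/bin/sh", corrupt=True)]
```

Running `detect(PACKETS)` reports the reassembled datagram 7 and logs packet 9 as bad-checksum, whereas `detect_per_packet(PACKETS)` reports only packet 9 and never sees the split signature.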

Intrusion Detection Actions

  • Log intrusion information or save raw packets.
  • Send an alert to an administrator using email or another method.
  • Interfere with the attack. There are several actions that may be taken:
    • Session disruption - The IDS can send ACK-FIN packets to both ends of a connection (spoofing each computer's IP address) to close the session. This may be done if a hacker appears to be gaining unauthorized access.
    • Modify the firewall or router behavior during an attack.