
Intrusion Detection FAQ: The Importance of Intrusion Protection

(last updated 8/1/00)

Evolution
When we talk about Intrusion Detection Systems (IDS), management automatically assumes it is THE solution to every network, organizational and social problem. Most people treat this technology as a monolithic solution. That is not a good way to think about any security technology; none of them work like that. Most also fail to recognize that the initial design and function of an IDS was to protect the organization's vital information from an outsider.

However, this is now slowly changing, as more organizations want to monitor their "networks" because studies show that the majority of all losses in the commercial sector involve insiders. They now want to use the IDS for any combination of the following: to track down insiders, catch them in the act, gather the evidence needed for prosecution, dismiss them, or take them to court for indictment.

Another factor to consider is that the technology is still in its infancy, and intrusions get missed because of its immaturity. RAID'99 identified that, in order to reach its full potential as a forensic tool, the role of the IDS must evolve to include better logging and a collection of forensic tools so that the information can be used as evidence (http://www.raid-symposium.org/).

New attack techniques appear every month and IDS technology must adapt to these rapid changes. The list of known attacks changes constantly, which makes codifying the statistical "signature" of each new attack a daunting task for R&D labs.

Current Network Intrusion Detection System (NIDS) products (first generation) use a predominantly passive approach: they collect data through protocol analysis by watching traffic on the network. Most IDS are built on signature-based and anomaly detection, which provides the capability to look for set "patterns" in packets, but they can also be tuned to look for things you should never see on the wire. The addition of specific string-search signatures (e.g. look for the string "confidential"), logging and TCP reset features has greatly enhanced the capability of the IDS as a detection and protection tool.
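As an added illustration of the string-search and port signatures described above (example code written for this FAQ entry, not code from any IDS product), the following Python matcher runs a few hand-built signatures over constructed packets. The nocase flag shows how a case-sensitive "confidential" signature silently misses a "CONFIDENTIAL" payload, one of the false negatives noted in the Limits list.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample "packets" as (source address, destination port, payload).
# These are hand-written for the example, not captured traffic.
PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("10.0.0.9", 25, b"Subject: Q3 plan\r\nThis document is CONFIDENTIAL.\r\n"),
    ("10.0.0.7", 21, b"USER anonymous\r\nPASS guest@\r\n"),
    ("10.0.0.5", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
]

@dataclass
class Signature:
    name: str
    content: bytes                 # string to search for in the payload
    port: Optional[int] = None     # restrict to a destination port, or None for any port
    nocase: bool = False           # case-insensitive match (a tuning knob)
    action: str = "alert"          # "alert" = log only, "reset" = log and send a TCP reset

# Hypothetical signatures for the example; names and patterns are constructed.
SIGNATURES = [
    Signature("confidential-data-leaving", b"confidential", nocase=True),
    Signature("phf-cgi-probe", b"/cgi-bin/phf", port=80, action="reset"),
    Signature("anon-ftp-login", b"USER anonymous", port=21),
]

def matches(sig: Signature, port: int, payload: bytes) -> bool:
    """True when the packet satisfies the signature's port and content tests."""
    if sig.port is not None and sig.port != port:
        return False
    if sig.nocase:
        return sig.content.lower() in payload.lower()
    return sig.content in payload

def scan(packets, signatures) -> List[Tuple[str, str, int, str]]:
    """Return one (signature, source, port, action) alert per matching packet."""
    alerts = []
    for src, port, payload in packets:
        for sig in signatures:
            if matches(sig, port, payload):
                alerts.append((sig.name, src, port, sig.action))
    return alerts

if __name__ == "__main__":
    for name, src, port, action in scan(PACKETS, SIGNATURES):
        print(f"ALERT {name} src={src} dport={port} action={action}")
```

Swapping the first signature for a case-sensitive one (nocase=False) drops the "CONFIDENTIAL" e-mail from the alerts entirely, which is exactly the kind of tuning gap a lab test against your own baseline traffic is meant to expose.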

The work of the Common Vulnerabilities and Exposures (CVE) Editorial Board is the result of a collaborative effort that will advance and standardize attack names and definitions across vendors. Since its introduction in 1999, a large number of organizations have declared that they are working to make their product or database CVE-compatible. The list can be viewed at http://cve.mitre.org.

Tomorrow's IDS
Because a NIDS cannot see all the traffic on switched Ethernet, many companies are now turning to host-based IDS (second generation). These products can use far more effective intrusion detection techniques, such as heuristic rules and analysis. Depending on the sophistication of the sensor, it may also learn and establish user profiles as part of its behavioral database; charting what is normal behavior on the network is accomplished over a period of time.

Strengths and Limits facing IDS
Today, we recognize that IDS have evolved, yet the technology is still very much in the research stage of being refined and moved forward (RAID 2000 at http://www.raid-symposium.org/raid2000/). Here is a list of advantages and limitations to consider before deploying one:
Strength
  • A strong IDS Security Policy is the HEART of commercial IDS
  • Provides worthwhile information about malicious network traffic
  • Can be programmed to minimise damage
  • A useful tool for one's network security armory
  • Help identify the source of the incoming probes or attacks
  • Can collect forensic evidence, which could be used to identify intruders
  • Similar to a security "camera" or a "burglar alarm"
  • Alert security personnel that someone is picking the "lock"
  • Alerts security personnel that a network invasion may be in progress
  • When well configured, provides a certain "peace" of mind
  • Part of a Total Defense Strategy infrastructure
Limits
  • Not a cure-all for most security ills
  • Produces false positives (false alarms)
  • Produces false negatives (failure to alarm)
  • Large-scale attacks could overwhelm a sensor
  • NIDS cannot properly protect high-speed networks
  • All products have weaknesses
  • Not a replacement for:
    • a well-managed firewall
    • regular security audits
    • a strong security policy
As part of the Total Defense Strategy of an organization, they offer additional protection and deterrence against:
  • Script kiddies
  • Hackers
  • Would-be hackers
  • Crackers
  • Industrial espionage
  • Elite Blackhat
Total Defense Strategy
An IDS is just one tool within a good security architecture and multi-layered defense strategy. It has strengths and weaknesses that must be assessed and weighed before deciding to deploy one on your network. That decision is best made after you test two or three products against your baseline in a lab environment; this way you measure, as accurately as possible, their effects on your network (workload, detection accuracy, etc.). You may also want to check some IDS lab studies. In November 1999, one was published by Network Computing at http://www.nwc.com/1023/1023f1.html

The power of an IDS is that it demonstrates a positive degree of readiness, which may be critical for long-term success. If your business depends on networking, an IDS is good business and well worth the investment.

Guy Bruneau
DND CIRT