The "No Network is 100% Secure" series
- Intrusion Prevention Systems (IPS) -
- Intrusion Detection Systems (IDS) -
A White Paper

All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants

Contact Us


What is an intrusion detection system?: An intrusion detection system is used to detect malicious behaviors that can compromise the security of a computer enterprise. This includes network attacks against vulnerable services, attacks on applications, host based attacks such as privilege escalation, unauthorized logins, denials of service (DDoS) and access to sensitive files as well as malware (viruses, trojans, worms and so on).

An IDS can be composed of several components: Sensors which generate security events, a Console to monitor these events and a central Engine that records events logged by the sensors. IDS systems are categorized by the type and location of the sensors and by the methodology used by the engine to generate alerts. In some IDS implementations all three components are combined in a single device or appliance.

Network-based IDS: In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic.

Host-based IDS: In a host-based system (HIDS), the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed.

Protocol-based IDS: A protocol-based intrusion detection system (PIDS) consists of a system or agent at the front end of a server. The PIDS monitors and analyzes a specific communication protocol between a connected device and the server. For a web server this would typically monitor the HTTP/HTTPS protocol stream.

Application protocol-based IDS: An application protocol-based intrusion detection system (APIDS) consists of a system or agent that is typically installed within a group of servers, monitoring and analyzing the communication on application specific protocols. For example, in a web server with a database APIDS would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

Hybrids: A hybrid intrusion detection system combines two or more of the above approaches. Host agent data is combined with network information to form a more comprehensive view of the network.

Passive IDS: In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console or passes it along to the NOC, a syslog server or some place else for further action.

Reactive IDS: In a reactive system, also known as an intrusion prevention system (IPS), the IDS responds to the suspicious activity by terminating the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.

Security capability overview: Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.

An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system which terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent".

Statistical anomaly based IDS: All Intrusion Detection Systems use one of two detection techniques: statistical anomaly based and/or signature based.

A statistical anomaly based IDS establishes a performance baseline based on normal network traffic evaluations. It then samples network traffic activity relative to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters an alarm will be triggered.

Signature based IDS: Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.

IDS limitations:

Noise can severely limit an IDS's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false alarm rate.

Too few attacks. It is not uncommon for the number of real attacks to be far below the false alarm rate. If a real attack mass or duration is below the false alarm rate, it will be missed and ignored.

Signature updates. Outdated signature databases can leave the IDS vulnerable to new attack strategies.

Next in the security white paper series:

How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting

Last modified May 7, 2009
Copyright 1990-2009 Easyrider LAN Pro