Sunday, December 15, 2024

Intrusion Detection Foundations

Share

The number of internet attacks is dramatically increasing. Vulnerabilities, configuration problems and different type of attacks are discovered daily.

Managing and identifying network attacks are critical operations. Intrusion detection systems are designed to analyze and respond to computer attacks. These systems provide the necessary tools to make sure connected networks are safe and ready to respond to hacker and other intruders.

History of Intrusion Detection

The concept of intrusion detection for computer systems was invented in the late 80’s. Several models were designed by the US Department of Defense (DOD) to track and analyze different types of attacks. The concept initially created was Distributed Intrusion Detection Systems (DIDS). This systems used popular methods to detect intruders -analysis web logs, router audit trails and unusual activity.

Two models were prototyped to select the type of analysis performed by these systems: misuse detection models and anomaly detection models. Misuse detection is based on identifying improper usage or modification of the system security. Most commercial intrusion detection systems use this type of model.

The anomaly-based model tries to understand and learn the patterns of the protected systems’ usage. For example, a user who normally logs in every weekday but now is logging in a at 1am on Saturday would be interpreted as a possible attacker. Anomaly based intrusion detection systems try to find deviations in user and network traffic operations.

Current Intrusion Detection Alternatives

Intrusion detection means many things to many people. Some people think it is just log analysis, others think it is systems inspection. The concept of intrusion detection is defined as the act of trying to gain unauthorized access to a protected system. Commercial applications of this systems include network based and host based intrusion detection systems.

As sniffers, network-Based IDS (NIDS) are engines that parse network traffic. In addition to capturing all network traffic, NIDS compare the traffic with a set of pre-classified attack signatures. Once a signature is found in a network packet, a protective action is launched and the attack is stopped and logged. NIDS engines can be easily deployed without suffering major network modifications.

Host based IDS (HIDS) are more centric. They analyze specific actions and operations on a specific computer or device. HIDS are more complex to deploy. They require intervention of the administrator in order to be installed. A program called agent needs to be installed on each protected server. Most HIDS implement a combination of binary integrity operations, user log analysis or network log analysis.

Planning the Implementation of an Intrusion Detection System

The criteria of choosing an IDS depends on several factors: vendor reputation, product features and operation of the product. When choosing an IDS solution, vendor update reliability and support are critical success factors. Secondly, product features and extension are necessary to successfully deploy the system. Depth of coverage and accuracy are very important components of an IDS. Finally, an individual needs to be responsible of the operation of the system. This includes managing the day-to-day tasks to make sure the system is updated and tuned.

Accuracy. False positives are a big problem of IDS. In large networks, misinterpretations fire alerts that jeopardize the effort to detect an intruder. This is a hard factor to detect on newly released products.

Architecture. Several factors form an IDS solution. A robust product architecture should permit security officers to easily maintain and manage updates. In addition, a complete management console and real time access to attack and alerts data is very important.

Integration. Integration with current IT architectures and systems is a big issue. It is very important to have the ability to write custom signatures and extend the functionality of the IDS to interoperate with current and future architectures and environments.

Discovering Intruders with Microsoft Internet Security and Acceleration Server

Microsoft Intrusion Detection strategy is based on a license patented by Internet Security Systems. ISA Server provides basic intrusion detection functionality to detect simple attacks. Internet Security Systems was one of the first vendors to provide a commercial intrusion detection system and has one of the easiest products to implement and administer in an Intrusion Detection Framework.

To select the type of attacks to be detected:

1. Click on Start, point to Programs, then Microsoft ISA Server. Click on ISA Management.

2. Click on Name, where Name is your server Name to expand the configuration tree.

3. Right click on IP Packet Filters, and then Properties.

4. Click on Intrusion Detection.

5. Select the list of attacks to be detected including: WinNuke, Land, Ping of Death, IP half-scan, UDP bomb and port scan.

ISA Server writes and an event log and generates an action if an intrusion is detected or attempted. These features can be customized for different types of port scans.

To customize the port-scan intrusion detection engine:

1. Click on Start, point to Programs, then Microsoft ISA Server. Click on ISA Management.

2. Click on Name, where Name is your server Name to expand the configuration tree.

3. Right click on IP Packet Filters, and then Properties.

4. Click on Intrusion Detection.

5. Select the number of ports on the Detect after attacks well-known ports and Detect after attacks on ports options.

6. In this case, 5 and 10 are the selected values.

Although ISA Server provides an integrated set of protection features, high-security networks should inspect and evaluate security products that will integrate and add security layers to Microsoft ISA Server. When dealing with confidential data stores or any type of sensitive date, a complete intrusion detection system should be considered to be protected from advanced attacks such as distributed denial of service, arp spoofing, etc.

*Originally Published at : 2000Trainers.com

To sign up for FREE B2B / Technology newsletters from murdok, click here!

Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist. His experience includes engaging, managing and implementing large consulting projects for government agencies and companies like Microsoft, Nissan as well as other Fortune 500’s. Leonard can be reached at Leonardo.loro@enresource.com.

Table of contents

Read more

Local News