NetworkSentry
 

Intrusion Detection



An intrusion is the attempt or threat of deliberate and unauthorized access to information on a system, manipulating such information or rendering a system unreliable or unusable. The goal of intrusion detection is to identify these threats.

Intrusion detection is accomplished by strategically placing sensors throughout a given network. There should be enough to see as much of the traffic as possible without becoming a network bottleneck. Once in place, they go through a tuning process in preparation to be monitored by engineers trained in analyzing the data generated by the intrusion detection systems.

These sensors detect malicious traffic using several methods and can be network based or host based and be passive or reactive. A brief description and examples of such systems are given below:

Network Based (IDS)

A network based IDS detects malicious traffic using several methods, the most common of which is by use of a signature. Detection can also be based on anomalous traffic or a statistical deviation from a baseline. To complicate things further, IDSes can be passive or reactive.

A passive IDS simply alerts when an intrusion is detected. A reactive IDS can take action when an intrusion is detected. These actions include the attempt at resetting a connection or modifying a firewall or router rule. The thing to note, however, is that the IDS alone cannot block traffic. An IPS can do this and is discussed further below.

Common network-based IDS solutions include:

Host Based (HIDS)

A host based IDS is intrusion detection software running locally on a machine rather than a dedicated machine monitoring a network segment. It has the distinct advantage of being able to observe the endpoint directly, resulting in far fewer false positives. We'll explain why in the next couple of paragraphs.

Because the detection is done on the endpoint itself, it has a better understanding of how the host responds to an exploit and whether or not it was successful. Often a host based IDS will detect changes to the system well before a signature is written to detect a specific vulnerability. The key to early detection in this case is having trained analysts watching the systems closely.

Another advantage a host IDS has over a network IDS is that, if the policies are properly constructed, false positives are drastically reduced. For instance, if the policy is designed correctly, a Windows host should not fire an alert when it sees an exploit for a Solaris machine.

Common host based IDS solutions include:

Intrusion Prevention (IPS)

Network IPSes are nearly identical to Network IDSes. The main difference is they go beyond detecting an attack; they prevent an attack from taking place. An IPS sits inline between two network segments, for example between a firewall and a switch. This gives the IPS the ability to drop malicious traffic so that it never reaches the target.

If the IPS is not properly tuned, you run the risk of blocking legitimate traffic and inflicting a Denial of Service (DoS) against your own network. For this reason, IPSes have the ability to run in a non-blocking state. This essentially turns an IPS into an IDS to provide the intrusion analyst with the opportunity to tune the system before placing it into a blocking (IPS) mode.

One last feature of note is the behavior during power loss. If power to the IPS is interrupted or a power supply fails, you don't want to DoS yourself. To remedy the situation, IPSes come in two flavors. The first flavor is the ability to fail open. This way, in the event of a power issue, traffic still will flow unimpeded. The downside is attacks will go undetected and unprevented. The other flavor is the ability to fail closed. This severs the network connection if the IPS loses power. Obviously this is the safest way although the opportunity cost due to the loss of business usually warrants a fail open configuration.
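To make the behaviours described in the IDS and IPS sections concrete (signature and baseline-deviation detection, alert-only versus blocking mode, and fail-open versus fail-closed), here is a toy inline sensor written in Python. It is an added illustration, not NetworkSentry's code or any product's; the signatures, addresses and rates are constructed.

```python
import re
import statistics
from dataclasses import dataclass, field

# Constructed sample signatures: (name, pattern matched against the request payload).
SIGNATURES = [
    ("sqli-union-probe", re.compile(r"(?i)union\s+select")),
    ("path-traversal", re.compile(r"\.\./\.\./")),
]

@dataclass
class Sensor:
    blocking: bool = False     # False: IDS / non-blocking mode, True: IPS drops offenders
    fail_open: bool = True     # what the inline device does when it is itself down
    healthy: bool = True       # False simulates a power or hardware failure
    z_threshold: float = 3.0   # std devs above baseline that count as anomalous
    baseline: list = field(default_factory=list)   # normal rates recorded while tuning
    alerts: list = field(default_factory=list)

    def _zscore(self, rate: float) -> float:
        if len(self.baseline) < 2:
            return 0.0
        sd = statistics.pstdev(self.baseline) or 1.0
        return (rate - statistics.mean(self.baseline)) / sd

    def inspect(self, src: str, payload: str, rate: float) -> str:
        """Return 'pass' or 'drop' for one request; alerts are recorded either way."""
        if not self.healthy:                 # fail-open vs fail-closed behaviour
            return "pass" if self.fail_open else "drop"
        reasons = [name for name, pat in SIGNATURES if pat.search(payload)]
        z = self._zscore(rate)
        if z > self.z_threshold:             # statistical deviation from baseline
            reasons.append(f"rate-anomaly(z={z:.1f})")
        if not reasons:
            return "pass"
        verdict = "drop" if self.blocking else "pass"   # passive: alert only
        self.alerts.append((src, verdict, reasons))
        return verdict

def demo() -> dict:
    """Same constructed traffic through a non-blocking, then a blocking, sensor."""
    out = {}
    for mode in (False, True):
        # baseline = per-source request rates seen during the tuning window
        s = Sensor(blocking=mode, baseline=[10, 12, 11, 9, 10, 11])
        out[mode] = [s.inspect("10.0.0.5", "GET /index.html", 11),
                     s.inspect("10.0.0.9", "GET /?q=1 UNION SELECT pw", 10),
                     s.inspect("10.0.0.7", "GET /a", 60)]   # flood far above baseline
    return out
```

In non-blocking mode every request is passed through and only alerts are produced, which is the tuning phase the text describes; flipping `blocking` makes the same two offending requests get dropped.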

How We Can Help

Intrusion Detection devices are very complicated and require trained and dedicated personnel to install, manage and, most importantly, monitor them. Most companies operate on a limited budget and therefore cannot buy an endless supply of IDSes. Nor can they hire dedicated employees to monitor these systems. That's where we come in.

We will ensure you are getting the most coverage with the IDS deployment you do have. Furthermore, we are trained by SANS - the best when it comes to security. It only makes sense to have the most highly trained individuals watching your IDSes. Not only that, but outsourcing your management and monitoring gives you more flexibility in your budget.
