Intrusion Detection Systems Explained

Intrusion Detection Systems (IDS) are software- and hardware-based systems used to detect intrusions into computer systems or networks. When strategically placed within a LAN/WAN environment, these systems can detect possible intrusion attempts, alert on them, and collect forensic data for analysis of the possible or completed intrusion. They use “signatures” or “rules” and software processes to determine whether a possible intrusion exists. When implemented correctly and with a thorough understanding of the environment, IDS alerts will be relevant and the effects of “false positives” will be reduced.

Intrusion detection systems are, for the most part, only reactive, not proactive, measures that an organization can use to protect its valued assets. However, some IDSs, when used in conjunction with firewalls or routers, can be implemented to proactively block or “session disconnect” an attempt or intrusion. As with all additional security layers, a business has to decide on and develop a business strategy for the implementation, cost effectiveness and practicality of IDS within its environment.

  Steps for Implementation of IDS:

  • Develop an ROI for the IDS which meets or exceeds the business model requirements for data security
  • Perform a detailed assessment of the overall environment in which the IDS needs to be placed
  • Perform a Vulnerability Assessment of the environment to assess the risk, develop mitigation strategies for the vulnerabilities and reduce the “False Alerts” which are inherent to IDS
  • Implement the IDS
  • “Tune” the rules or signatures and processes to meet the needs of the business environment
  • Monitor, alert and act upon attempted or completed intrusions
  • Implement possible changes to the environment to reduce or stop the effects of the intrusions

Types of Intrusion Detection Systems:

  • Network-Based
    • These types of IDSs primarily “sniff” IP network packets to detect actions, anomalies and scans of a network
  • Host-Based
    • These types of IDSs are primarily placed on a “Host” computer system and detect changes to the Host, its Operating System or its file systems
  • Application-Based
    • These types of IDSs are primarily developed specifically for a type of application, or are embedded within the application, for detection of changes or corruptions
  • Honey Pots
    • These types of IDSs are primarily used as a decoy and point of deception for attracting and tracking intruders
  • Padded Cell systems
    • These types of systems run in parallel to a traditional IDS; when an attacker is noted by the IDS, they are redirected to the “Padded Cell” where they can do little or no damage
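
As an added illustration (not code from this page or from any IDS product), the sketch below shows a network-based rule of the kind described above: it flags a source that touches many distinct host/port targets in a short time, and shows how the threshold and an allow-list for an authorized vulnerability scanner change the number of false alerts. The addresses, threshold, window and the `detect_scans` name are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed connection records: (seconds, source IP, destination IP, destination port).
# Every address and role below is made up for this example.
EVENTS = (
    # Outside host probing six services on one server within six seconds.
    [(t, "192.0.2.10", "10.0.0.5", p) for t, p in enumerate([21, 22, 23, 25, 80, 110])]
    # Internal vulnerability-assessment scanner doing the same, but authorized.
    + [(t, "10.0.0.50", "10.0.0.5", p) for t, p in enumerate([21, 22, 23, 25, 80, 443])]
    # Ordinary workstation browsing a web server over HTTP and HTTPS.
    + [(0, "10.0.0.20", "10.0.0.5", 80), (2, "10.0.0.20", "10.0.0.5", 443),
       (4, "10.0.0.20", "10.0.0.5", 443)]
    # Monitoring host that checks one service per minute.
    + [(t * 60, "10.0.0.30", "10.0.0.5", p) for t, p in enumerate([21, 22, 23, 25, 80])]
)

def detect_scans(events, threshold=5, window=10, allowlist=frozenset()):
    """Return the sources that contacted at least `threshold` distinct
    (host, port) targets within any `window`-second span, sorted as strings."""
    by_source = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        if src not in allowlist:          # tuning: skip known, authorized scanners
            by_source[src].append((ts, dst, port))
    alerts = []
    for src, recs in by_source.items():
        start = 0
        for end in range(len(recs)):
            # Slide the window forward so it never spans more than `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            targets = {(dst, port) for _, dst, port in recs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append(src)
                break
    return sorted(alerts)

if __name__ == "__main__":
    print("threshold too low:", detect_scans(EVENTS, threshold=2))
    print("default rule:     ", detect_scans(EVENTS))
    print("tuned for site:   ", detect_scans(EVENTS, allowlist={"10.0.0.50"}))
```

With the threshold set too low the ordinary workstation is reported; with the default rule only the two real sweeps are reported, and the allow-list removes the authorized scanner so that the remaining alert is the one worth acting on.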

  Pros and Cons of IDS:

  • Pros
    • Cost effective to implement compared to the cost of replacement or redevelopment of data within a network or host
    • Host-Based IDSs can see traffic that Network IDSs cannot
    • Well implemented IDSs do not cause ANY reduction in network throughput
    • They can sustain a great deal of traffic when tuned correctly
    • The data collected by an IDS can be utilized for prosecution of an attacker after an attempted or completed attack
    • Easy to maintain and update
    • Most have Graphical and Statistical analysis of data collected and can perform “trending” for future risk analysis
  • Cons
    • In most cases they require a trained person to analyze the data
    • In large gigabyte environments, Network-Based IDSs have problems processing all the packets effectively
    • Network-Based IDSs do not analyze encrypted traffic
    • Without detailed analysis, a completed or successful attack cannot be confirmed
    • Host-Based IDSs can add slightly to the load required for processing within the Host

       

      Please contact us for more information about Intrusion Detection

      IDS@SecurityGauntlet.com
