Friday, February 4, 2011

What is an Intrusion Detection System?

Definition from Wikipedia:

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

My own words:

Basically an IDS is a dedicated box tapped into a computer network which sniffs the traffic (raw packets) to check for anomalies, intrusions, viruses or attacks.

Fundamentally, this is very different from a firewall. A firewall regulates traffic using the 5-tuple: it either allows or denies traffic based on source IP, destination IP, source port, destination port and protocol (TCP/UDP). An IDS, on the other hand, goes much deeper into the traffic by inspecting the actual payload along with the protocol headers.
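To make the difference concrete, here is a small added example (my own illustration, not code from the original post or from any IDS product) that evaluates the same constructed packets against a 5-tuple firewall policy and against a couple of Snort-style content signatures. The rule fields, signature IDs and sample HTTP payloads are all made up for the demonstration; note that the firewall code never reads `payload`, while the IDS code's real test is on the payload bytes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """One captured packet: the 5-tuple plus the application payload."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "TCP" or "UDP"
    payload: bytes = b""


@dataclass
class FirewallRule:
    """A 5-tuple rule; None means 'any' for that field (hypothetical format)."""
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # A packet filter only compares headers; p.payload is never consulted.
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port)
                and self.proto in (None, p.proto))


def firewall_decision(rules: List[FirewallRule], p: Packet, default: str = "deny") -> str:
    """First-match evaluation, the way most packet filters process a rule list."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


@dataclass
class Signature:
    """A minimal content-matching IDS signature (Snort-like, but not Snort syntax)."""
    sid: int
    msg: str
    content: bytes
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Header fields narrow the candidate set; the decisive test is on the payload.
        return (self.dst_port in (None, p.dst_port)
                and self.proto in (None, p.proto)
                and self.content in p.payload)


def ids_alerts(signatures: List[Signature], p: Packet) -> List[int]:
    """Every signature that fires on this packet; IDS rules are not first-match."""
    return [s.sid for s in signatures if s.matches(p)]


def inspect(rules: List[FirewallRule], signatures: List[Signature], p: Packet) -> Tuple[str, List[int]]:
    """Firewall verdict and IDS alerts side by side for one packet."""
    return firewall_decision(rules, p), ids_alerts(signatures, p)


# Constructed policy: web traffic to one server is allowed, everything else denied.
FIREWALL = [
    FirewallRule("allow", dst="192.0.2.10/32", dst_port=80, proto="TCP"),
    FirewallRule("deny"),
]

# Constructed signatures: the sids and messages are made up for this example.
SIGNATURES = [
    Signature(1000001, "WEB-MISC directory traversal attempt", b"../../", dst_port=80, proto="TCP"),
    Signature(1000002, "WEB-MISC /etc/passwd access", b"/etc/passwd", dst_port=80, proto="TCP"),
]

# Constructed sample packets: the first two share the same 5-tuple shape and differ only in payload.
BENIGN = Packet("198.51.100.7", "192.0.2.10", 51234, 80, "TCP",
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TRAVERSAL = Packet("198.51.100.7", "192.0.2.10", 51235, 80, "TCP",
                   b"GET /images/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TELNET = Packet("198.51.100.7", "192.0.2.10", 51236, 23, "TCP", b"")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("traversal", TRAVERSAL), ("telnet", TELNET)):
        print(name, inspect(FIREWALL, SIGNATURES, pkt))
```

The firewall returns `allow` for both HTTP packets because their 5-tuples are identical in every field it cares about; only the payload inspection tells them apart, which is exactly the gap an IDS is deployed to cover.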

If any kind of suspicious traffic is detected, those events are reported, blocked or logged, depending on the business requirement. Implementing an IDS infrastructure is tricky and there is no such thing as a perfectly configured IDS. Intrusion detection is a continuously evolving technology and has been in the mainstream for the last decade and a half.

The reliability of an IDS relies entirely on generating true positive alarms with high accuracy. The other challenging requirement is detecting zero-day attacks (ZDAs): since most IDS systems work from preconfigured signatures, detecting ZDAs does not succeed every time. Though it is difficult, we can indirectly trigger alarms when there are anomalies in the traffic patterns; this method is called flow-based analysis, and it doesn't require a rule set or a database of signatures. Another challenging factor is the ratio of data processed to data dropped without processing.
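As an added illustration of the flow-based idea (my own example, not from the original post or any particular product), the block below works purely on NetFlow-style records with no payload and no signature database. It learns a baseline of how many distinct destination host/port pairs a normal source touches, flags any source that exceeds the baseline by three standard deviations, and then scores the alarms against constructed ground truth to show the true positive accuracy the paragraph is talking about. All flow records, addresses and the `k = 3.0` threshold factor are assumptions made up for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: headers and counters only, no payload."""
    src: str
    dst: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def fan_out(flows: Iterable[Flow]) -> Dict[str, int]:
    """Distinct (dst, dst_port) pairs contacted by each source address."""
    seen: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dst_port))
    return {src: len(pairs) for src, pairs in seen.items()}


def build_threshold(training: Iterable[Flow], k: float = 3.0) -> float:
    """Baseline from traffic assumed normal: mean fan-out plus k population std devs."""
    counts = list(fan_out(training).values())
    return mean(counts) + k * pstdev(counts)


def flag_anomalies(flows: Iterable[Flow], threshold: float) -> Set[str]:
    """Sources whose fan-out in this window exceeds the learned threshold."""
    return {src for src, n in fan_out(flows).items() if n > threshold}


def precision_recall(flagged: Set[str], truly_bad: Set[str]) -> Tuple[float, float]:
    """Precision = TP/(TP+FP) measures alarm accuracy; recall = TP/(TP+FN) measures coverage."""
    tp = len(flagged & truly_bad)
    fp = len(flagged - truly_bad)
    fn = len(truly_bad - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def _flows_from(src: str, pairs: List[Tuple[str, int]]) -> List[Flow]:
    """Helper to build constructed records; packet/byte counts are arbitrary."""
    return [Flow(src, dst, port, "TCP", 5, 1200) for dst, port in pairs]


_WEB = ("192.0.2.10", 80)
_TLS = ("192.0.2.11", 443)
_SMTP = ("192.0.2.12", 25)
_DNS = ("192.0.2.13", 53)

# Constructed baseline window: five ordinary hosts with fan-outs 2, 3, 4, 3, 2.
# The repeated _WEB entry for 10.0.0.1 shows that duplicate flows do not inflate fan-out.
TRAINING = (
    _flows_from("10.0.0.1", [_WEB, _TLS, _WEB])
    + _flows_from("10.0.0.2", [_WEB, _TLS, _SMTP])
    + _flows_from("10.0.0.3", [_WEB, _TLS, _SMTP, _DNS])
    + _flows_from("10.0.0.4", [_WEB, _TLS, _DNS])
    + _flows_from("10.0.0.5", [_WEB, _DNS])
)

# Constructed detection window: one normal host plus one host sweeping twenty ports on a server.
TEST = (
    _flows_from("10.0.0.6", [_WEB, _TLS, _SMTP])
    + _flows_from("198.51.100.66", [("192.0.2.10", port) for port in range(20, 40)])
)
KNOWN_BAD = {"198.51.100.66"}

if __name__ == "__main__":
    threshold = build_threshold(TRAINING)
    flagged = flag_anomalies(TEST, threshold)
    print(f"threshold={threshold:.2f} flagged={sorted(flagged)}")
    print("precision, recall =", precision_recall(flagged, KNOWN_BAD))
```

With the constructed baseline the threshold works out to roughly 5.0, so the sweeping host (fan-out 20) is flagged and the normal one (fan-out 3) is not. The same code would flag a previously unseen scanner just as readily, which is the point: the detector has no signature for it, only a model of what normal looks like. The caveat is that the baseline is only as good as the training window; if scanning traffic is present while the baseline is learned, the threshold rises and recall drops.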

IDS play a vital role in financial, e-commerce and government IT infrastructures. It is no surprise that IDS systems were developed with military funding, primarily to protect military bases; it was DARPA (Defense Advanced Research Projects Agency, USA) that funded several projects, including BSD. As time went on, several of its projects were privatized and commercialized, and now there are a lot of IDS platforms available. Whatever the system or the method of detection, the underlying principles are the same.

Snort is one of the successful, free and powerful IDS platforms available: it is simple to deploy and comes with open-source community support, its signatures are released every day (we can also create our own rules), and it has a rich set of preprocessors, which means it can be implemented in almost any kind of environment and on any kind of OS platform, fortunately on Windows too, though that is not recommended. Well, that's all I can tell for now; I may write another post covering a few more topics on IDS. Thanks for reading!
