Network Security incidents are becoming a bigger and bigger problem for businesses of all sizes. Recent attacks on large entities such as NASA, Lockheed Martin, RSA, and Google have shown us that no company is completely safe. Managers need to figure out ways to mitigate risks and develop contingency plans for the inevitable break in. There are a variety of tools and systems available, but the one we want to talk about today is the Intrusion Detection System, otherwise known as IDS. The intrusion detection system focuses on detecting malicious activity. By using these tools to recognize when an incident has occurred, administrators are able to respond quickly to take corrective measures.
Malicious users or hackers can get access to an organization's internal systems in various ways, includingSoftware bugs called vulnerabilitiesLapses in administrationLeaving systems to default configuration
An Intrusion Detection System (IDS) complements firewall security. While the firewall protects an organization from malicious attacks from the Internet, the IDS detects attempts on breaking through a firewall. If someone attempts or manages to break through the firewall security, the system springs into action. It alerts a system administrator, functioning much like a burglar alarm.
There are two main types of Intrusion Detection systems: host based IDS and network based IDS. The host-based sensor is software that runs on the host being protected, monitoring system audit and event logs. When any of these files change, the IDS sensor compares the new log entry with attack signatures to see if there is a match. In case a match is found, the sensor notifies the management console. These sensors do not do any packet level analysis. Instead, they monitor system level activities. For example, the system would detect events such as an unauthorized user (not an administrator) changing registry files in a Windows NT system, changing /etc/password or /etc/shadow file in a Unix system, or a user trying to login late at night when only authorized for normal business hours. These indications are useful for detecting suspicious activities that may indicate a compromise.
The host-based sensors monitor these kinds of activities, responding with administrator alerts when anomalies occur. Host based IDS have grown over the years. Some systems checks key system files and executables via checksums at regular intervals for unexpected changes. Other products listen to port based activity and alert administrators when specific ports are accessed. Each system solution has its own advantages and disadvantages. What is important is that managers determine which solution is correct for their companies.
To learn more, please visit Host-Based IDS