Intrusion Detection Systems are hardware and/or software devices designed to monitor a network for potentially malicious activity and report it to network administrators for further investigation.
There are many intrusion detection systems available for use with a range of networks, from the smallest network to large corporate networks. An IDS can be a dedicated hardware device designed to handle high-bandwidth connections (and costing thousands of pounds), while at the lower end of the scale there is free software such as Snort.
A Network-Based IDS is designed to monitor an entire network for malicious activity. These systems are very good at detecting distributed attacks, but may miss attacks on individual hosts, such as a virus infection.
A Host-Based IDS usually takes the form of a software agent placed on the individual resource it protects, such as:
• Accounting, HR and research databases
• LAN and WAN backbones, routers and switches
• Guest host machines
• SMTP, HTTP and FTP servers
• File servers
IDS alone is not effective unless it is backed up and supported by a knowledgeable team. Security procedures should be continuously reviewed in response to security alerts and any experience of past or recent attempts to enter, infect or disrupt the network.
Concerns around IDS may include:
• IDS interferes with legitimate business traffic, with the result that rules are relaxed to reduce false positives
• System and network latency
• If too many services are installed on a network, CPU and system RAM can be over-utilised, resulting in sluggish performance. Host-based IDS should be monitored for its effect on system response
• Communicating with agents
• Bandwidth intensive: running IDS across a 56 Kb/s modem link is not a good idea
• Hackers triggering IDS
  A recent vulnerability concerns hackers deliberately triggering IDS to cause Denial of Service attacks when the response systems are overloaded
• IDS application testing
  Always test a new IDS on an isolated subnet to measure its bandwidth consumption.
Ensure host-based machines carrying IDS have a high-quality NIC for fast performance. Make sure system I/O is fast; most vendors of network-based IDS fit SCSI hardware.
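One defensive response to the false-positive and "hackers triggering IDS" concerns above, added here as an example that is not part of the original text: an alert aggregator that collapses a flood of identical alerts into per-source summaries, so that a deliberately triggered IDS cannot bury the response team under one alert per packet, and so rules need not be relaxed just to quieten the console. The alert fields, thresholds and sample values are constructed assumptions, not a real Snort output format.

```python
# Added example: defender-side IDS alert aggregation (constructed data,
# hypothetical field layout; not taken from any real IDS product).
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float      # epoch seconds when the sensor raised the alert
    sid: str       # signature id, e.g. "1:2001" (constructed)
    src: str       # source address that triggered the rule
    dst: str       # destination address


def aggregate(alerts, window=60.0, storm_threshold=100):
    """Group alerts by (signature, source) inside fixed time windows.

    Returns one summary dict per group. A group whose count reaches
    storm_threshold is flagged as an alert storm, so the response system
    handles one high-priority summary instead of thousands of tickets.
    """
    buckets = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        slot = int(a.ts // window)          # which window the alert falls in
        buckets[(a.sid, a.src, slot)].append(a)
    summaries = []
    for (sid, src, slot), group in buckets.items():
        summaries.append({
            "sid": sid,
            "src": src,
            "window_start": slot * window,
            "count": len(group),
            "targets": sorted({a.dst for a in group}),
            "storm": len(group) >= storm_threshold,
        })
    return summaries


# Constructed sample: 500 identical alerts from one host within ten seconds
# (an attempt to flood the IDS), plus two unrelated alerts from another host.
SAMPLE = [Alert(1000.0 + i * 0.02, "1:2001", "10.0.0.5", "10.0.1.%d" % (i % 3))
          for i in range(500)]
SAMPLE += [Alert(1005.0, "1:3100", "10.0.0.9", "10.0.1.20"),
           Alert(1100.0, "1:3100", "10.0.0.9", "10.0.1.20")]

if __name__ == "__main__":
    for s in aggregate(SAMPLE):
        print(s)   # 502 raw alerts become 3 summaries, one flagged as a storm
```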