Computerworld - If a firewall is like having a security guard at your office door, checking the credentials of everyone coming and going, then an intrusion-detection system (IDS) is like having a network of sensors that tells you when someone has broken in, where they are and what they're doing.
Firewalls work only at the point of entry to the network, and they work only with packets as they pass in and out of the network. Once an attacker has breached the firewall, he can roam at will through the network. That's where intrusion detection is important.
There are a number of approaches that can be used for detecting intruders. Many experts advise using a combination of methods rather than relying on any single mechanism.
Perhaps the most famous IDS is Tripwire, a program written in 1992 by Eugene Spafford and Gene Kim. Tripwire exemplifies the host-based agent approach to intrusion detection: Installed on a host, it checks to see what has changed on the system, verifying that key files haven't been modified.
The agent is initially installed against a pristine host installation and records important system file attributes, including hashes of the files. The agent software then periodically compares the current state of those files to the stored attributes and reports any suspicious changes.
Another host-based approach monitors all packets as they enter and exit the host, essentially taking a personal firewall approach. Receipt of a suspicious packet triggers an alarm. Other commercial host-based products include Cupertino, Calif.-based Symantec Corp.'s Intruder Alert and Issaquah, Wash.-based CyberSafe Corp.'s Centrax.
Network-based intrusion-detection systems scrutinize all packets on a network segment, flagging those that look suspicious. A network IDS searches for attack signatures - indicators that the packets represent an intrusion. Signatures might be based on actual packet contents and are checked by comparing bits to known patterns of attacks. For example, the system might look for patterns that match attempts to modify system files.
Other network attacks are protocol-based. Attackers often seek weaknesses in a network by probing for active but poorly administered Web, file or other servers. These port attack signatures are identified by watching for attempts to connect to network ports associated with services that are often vulnerable.
An attack with a header signature uses malformed or illogical TCP/IP packet headers. For example, an attacker might try to send a packet that simultaneously requests to close and open a TCP connection; such a packet might cause a denial-of-service event for some systems.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The High-Performance WAN Find out what are some of the top problems associated with large WANs and the technologies typically used to solve them.
- Building Your Network Management Toolset Network Management is one of things that is sometimes overlooked make sure you don't. Find out how to take advantage of it and...
- Optimizing the Network The network has become a utility that users can't do without. Mobility and bandwidth-hungry apps demand faster and more efficient networks.
- Ultra-Low-Latency Networking In a world where so much trading is systematic, millisecond delays matter. Low-latency, high-performance networking, therefore, has become a competitive imperative.
- Application Acceleration: Optimize the End-User Experience Watch this on-demand webcast and learn how you can optimize your web content, accelerate performance across any device and browser combination, and offload...
- Making Your Application Delivery Environment Cloud-Ready Join Kavitha Mariappan, Director of Product Marketing at Riverbed Technology, and Bob Laliberte, Senior Analyst at Enterprise Strategy Group, as they discuss the... All LAN/WAN White Papers | Webcasts