Intrusion-detection systems are evolving

Intrusion-detection systems (IDS) are quickly becoming an integral part of any organization's network. For most companies, implementing an IDS is the next logical step after deploying a firewall, since it provides a second layer of security by helping to identify an attack or malicious traffic that makes it through the firewall. As with any technology, several IDS variants are available. Traditionally, two main models have been used: signature systems and anomaly-based systems.

A signature system contains a database of known attack signatures and alerts administrators when it identifies traffic on the network that matches one of these signatures. Detractors are quick to point out the faults of these systems, which include the need to keep the signature database updated, the fact that attacks using packet fragmentation go unnoticed, and the sheer inability of some systems to keep up with network bandwidth, dropping packets when they're overloaded with data.

Anomaly-based systems were designed to combat the signature-database problems and to be a bit more proactive than signature systems. These systems understand protocols such as FTP, HTTP and Telnet. Exploits usually don't follow the standards, or they make an unexpected request; anomaly-based systems look for these events and alert administrators when they occur.

Although anomaly-based systems removed the signature database from the picture, they still don't address two main problems: large numbers of false positives, meaning they raise alerts against valid traffic, and the fact that they're still very reactive solutions -- by the time an administrator has received an alert, the attack has usually already occurred.

ForeScout Technologies Inc. in San Mateo, Calif., has introduced an approach to intrusion detection that aims to decrease the number of false positives and be a bit more proactive in its response. ForeScout ActiveScout recognizes network reconnaissance -- ping sweeps, port scans and user-name enumeration -- or the tools attackers use to gather information about a given network to launch a targeted attack.

For example, when ActiveScout identifies a port scan, it tags the traffic and sends back an answer to the attacker that appears to be a valid response but isn't. ActiveScout may return a value for the port scan saying that FTP is open on port 21, when it isn't actually open on the server. When the attacker tries to exploit this nonexistent FTP server, ActiveScout knows this is an exploit attempt and sends an alert. Once an alert has been sent, ActiveScout can take several actions: monitor activity, report activity or block traffic from the source.
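The core of that approach is a correlation rule: remember which sources were handed a decoy answer, and raise an alert only when one of them later acts on it. The following is an added illustration of that rule written for this article, not ForeScout's code; the decoy port set, the event records and the one-hour correlation window are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ports the sensor advertises as open in its scan replies although no real
# service listens there (constructed decoy set, not a real deployment's).
DECOY_PORTS = {21, 23, 3389}


@dataclass
class Event:
    ts: int        # seconds since an arbitrary epoch
    src: str       # source address of the probe or connection
    dst_port: int  # port probed or connected to
    kind: str      # "scan": probe answered with a decoy reply; "connect": real session attempt


def correlate(events, window=3600):
    """Return (src, port, ts) alerts for sources that acted on a decoy reply.

    A plain scan is only reconnaissance and is not alerted on. A later
    connection to the same decoy port from the same source, inside the
    window, is hostile by construction: the only way to learn that the
    port was "open" was the fake answer we sent.
    """
    baited = defaultdict(dict)          # src -> {port: ts of the decoy reply}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst_port not in DECOY_PORTS:
            continue                    # real services are handled by other sensors
        if ev.kind == "scan":
            baited[ev.src][ev.dst_port] = ev.ts
        elif ev.kind == "connect":
            t0 = baited[ev.src].get(ev.dst_port)
            if t0 is not None and ev.ts - t0 <= window:
                alerts.append((ev.src, ev.dst_port, ev.ts))
    return alerts


# Constructed sample traffic: one follow-up on a decoy reply (alert), one
# connection with no prior scan (stale client, no alert), and one follow-up
# outside the window (no alert).
SAMPLE_EVENTS = [
    Event(100, "10.0.0.5", 21, "scan"),
    Event(100, "10.0.0.5", 80, "scan"),
    Event(160, "10.0.0.5", 21, "connect"),
    Event(200, "10.0.0.9", 21, "connect"),
    Event(300, "10.0.0.7", 23, "scan"),
    Event(4300, "10.0.0.7", 23, "connect"),
    Event(400, "10.0.0.5", 80, "connect"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # [('10.0.0.5', 21, 160)]
```

Because a real decoy port carries no production traffic, a bare connection to it is already suspicious; the window keeps a long-forgotten scan from being tied to an unrelated later connection.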

IDSes provide value in any organization as long as they can handle the amount of traffic thrown at them and they limit the number of false positives reported to administrators. New developments in IDS technology are working to resolve these issues, with ForeScout's ActiveScout being the latest addition.

No single type of IDS solution can provide adequate protection. The best approach is a hybrid that combines the better aspects of signature detection, protocol analysis and network reconnaissance. Once the integration of Network ICE Corp.'s IDS technology is complete, Atlanta-based Internet Security Services Inc.'s Real Secure product will be a strong signature/protocol analysis hybrid. ForeScout is adding a small signature database to ActiveScout with the addition of some known malicious or suspicious Web addresses. Expect to see more and more hybrid solutions on the market in the future.

Andress covers security for the InfoWorldTest Center. Contact her at


This story, "Intrusion-detection systems are evolving" was originally published by InfoWorld.


Copyright © 2002 IDG Communications, Inc.
