Intrusion Detection

Corporate networks do not become safe simply because someone installs a firewall, and a firewall alone cannot ensure that security policies are enforced throughout the network. Corporations have sound business and legal reasons for setting up suitable policies and an adequate compliance plan.

An intrusion detection system (IDS) monitors and analyzes events on a network or host, looking for intrusion attempts or breaches of security policy. The increasing number and severity of attacks now make intrusion detection a necessary part of a corporate security strategy.

Types of intrusion detection systems

Network-Based

Network-based IDSs capture and analyze the packets that pass on a network segment by placing the sensor's network interface card in promiscuous mode. Each sensor sees only the packets carried on the segment it is connected to, so one sensor can protect every host on that segment. On a switched network the sensor will see only traffic addressed to it unless it is attached to a mirror (SPAN) port or a network tap that copies the segment's traffic to it. A network deployment typically consists of one or more sensors performing local analysis and reporting attack information back to a centralized console.

Host-Based

The monitoring software is loaded directly on the host to be protected. Once deployed, it watches system files, processes, and log files for suspicious activity, and some host-based IDSs also watch for changes in user privileges. Gaining higher privileges or creating new user accounts is a common step for an adversary who is already on the internal network; on critical servers this kind of abuse needs to be detected on the host itself, because it may never appear on the wire. For this reason experts recommend combining host-based and network-based detection on large networks. Understanding the high-risk areas of the network is key to a successful deployment of either kind.
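The two host-based checks described above, file integrity and privilege changes, in working form. This is an added example written for this page, not NetSecure's product code; the baseline, the "current" file contents and the syslog-style lines are constructed inline so it runs offline, and the set of permitted sudo users (ADMINS) is an assumption.

```python
"""Host-based detection over constructed data: a file-integrity baseline
and a few Linux auth-log style lines (example code, not a vendor product)."""
import hashlib
import re

# Constructed sample: file contents captured while the host was trusted.
# Contents are stubbed as bytes so the example never touches the real filesystem.
BASELINE_CONTENT = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/bin/sudo": b"ELF-sudo-bytes",
}

# Constructed sample: the same paths later, after an intruder added a
# UID-0 account to /etc/passwd and dropped a new binary.
CURRENT_CONTENT = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackup2:x:0:0::/root:/bin/bash\n",
    "/usr/bin/sudo": b"ELF-sudo-bytes",
    "/usr/bin/.hidden": b"ELF-dropper-bytes",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(contents):
    """Map each monitored path to the SHA-256 of its trusted content."""
    return {path: digest(data) for path, data in contents.items()}

def check_integrity(baseline, current):
    """Report modified or missing baseline files and files that appeared since."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif digest(current[path]) != expected:
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected new file"))
    return findings

# Constructed syslog-style lines in the formats shadow-utils and sudo actually use.
SAMPLE_LOG = [
    "Mar  4 02:13:07 web1 useradd[2210]: new user: name=backup2, UID=0, GID=0, home=/root, shell=/bin/bash",
    "Mar  4 02:13:09 web1 usermod[2215]: add 'bob' to group 'sudo'",
    "Mar  4 02:14:01 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  4 02:15:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  4 02:16:22 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  4 02:17:45 web1 su[2350]: pam_unix(su:session): session opened for user root by bob(uid=1000)",
]

# Each rule pairs an alert label with the log pattern that indicates a
# new account, a privilege-group change, sudo use, or a root shell via su.
LOG_RULES = [
    ("new account created", re.compile(r"useradd\[\d+\]: new user: name=(?P<name>\S+?), UID=(?P<uid>\d+)")),
    ("group/privilege change", re.compile(r"usermod\[\d+\]: add '(?P<name>\S+)' to group '(?P<group>sudo|wheel|root)'")),
    ("sudo by non-admin", re.compile(r"sudo:\s+(?P<name>\S+) : .*COMMAND=(?P<cmd>.+)")),
    ("root shell via su", re.compile(r"su\[\d+\]: .*session opened for user root by (?P<name>\S+)")),
]

ADMINS = {"alice"}  # assumed: the only user expected to run sudo on this host

def scan_log(lines, admins=ADMINS):
    """Return (label, line) for every line that matches a privilege rule,
    ignoring sudo use by known administrators."""
    alerts = []
    for line in lines:
        for label, rx in LOG_RULES:
            m = rx.search(line)
            if not m:
                continue
            if label == "sudo by non-admin" and m.group("name") in admins:
                continue  # expected administrator activity
            if label == "new account created" and m.group("uid") == "0":
                label = "new account with UID 0"  # a second root account
            alerts.append((label, line))
            break
    return alerts

def run_example():
    """Run both checks over the constructed data and return their results."""
    findings = check_integrity(build_baseline(BASELINE_CONTENT), CURRENT_CONTENT)
    return findings, scan_log(SAMPLE_LOG)

if __name__ == "__main__":
    findings, alerts = run_example()
    for path, what in findings:
        print("INTEGRITY:", what, path)
    for label, line in alerts:
        print("PRIVILEGE:", label, "::", line)
```

Both checks are host-only by nature: none of the sample activity would have been visible to a network sensor, which is the argument for deploying both kinds of detection on critical servers.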

Signature-Based Detection

The majority of IDS products are signature-based: they examine network traffic for specific patterns that identify a known attack. A signature must be written for each attack before the IDS can recognize it, so these systems carry large signature databases against which every packet is compared. Their greatest weakness is that they need advance knowledge of an attack in order to detect it; because new attacks appear every day, an IDS relying solely on signatures is always out of date. The other challenge is keeping up with the speed of the network. As link speeds increase, a sensor that cannot compare every packet against the database must drop some of them, and an attack carried in a dropped packet goes unnoticed. Higher speeds therefore reduce detection, and the shortcuts taken to keep up can raise the false-positive rate as well.

Protocol-Anomaly Detection

Protocol-anomaly detection focuses on the content of network communications at the protocol level. Many attacks target application protocols such as Telnet, HTTP, RPC, and SMTP. Packets are inspected statefully, in the context of the previous packets of the same conversation, and as the conversation progresses it is evaluated by a protocol state machine to determine whether the protocol has been abused. The state machines, which cover the popular protocols from layer three through layer seven, are derived from the protocol RFCs; common, harmless deviations from the standards are also built into them so that legitimate traffic which bends the rules is not flagged. Many attacks exploit programming errors such as buffer overflows, which are common, and the traffic that triggers them typically breaks the protocol's rules. When those rules are modeled directly in the sensor, it is easy to identify the violating traffic: unexpected data, overlong fields, extra characters, and invalid characters.

Protocol-Based vs. Signature-Based Systems

Protocol-anomaly detection eliminates the need for extensive attack-signature databases, which have plagued legacy IDSs with scalability and manageability problems. More importantly, watching for protocol anomalies catches attacks that signatures cannot. New attack methods and exploits are discovered constantly, whereas new protocols and extensions to existing protocols appear far more slowly, and the rules a conversation must follow are already specified in the protocol RFCs. Any deviation from those rules is a protocol anomaly, whether or not the attack behind it has been seen before.

Experience with the attacks seen to date shows that roughly 80% of them violate protocol rules. Attackers write exploits for poorly defined corners of a protocol, and that is exactly where a protocol-anomaly IDS looks. Code Red is the usual illustration: protocol-anomaly IDSs detected it without any update, while signature-based systems had to wait for a signature to be written and distributed, leaving the firm at risk in the meantime. The detection module is a precise model of HTTP based on its RFC, and the Code Red request violates that model: it is a GET for /default.ida whose query string is hundreds of bytes long, is padded with non-standard %u escapes that are not valid URI encoding, and carries the worm body in the message body of a GET request, all of it aimed at a buffer overflow in the IIS Indexing Service ISAPI extension. A protocol IDS recognizes the violation and alerts the administrator that an attack has occurred, without ever having seen Code Red before.
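The signature and protocol-anomaly approaches from the three sections above, side by side on the same traffic. This is an added example written for this page, not NetSecure's product and not the Snort or Code Red bytes themselves: the two-entry signature set (both attacks public before Code Red, nothing for Code Red), the three sample requests and the URI length threshold are constructed or assumed. The HTTP model is a reduced version of the RFC 2616 request syntax and RFC 2396 URI character rules.

```python
"""Signature matching versus a protocol model, run over constructed HTTP
requests (example code, not a vendor product; samples are not real captures)."""
import re

# --- Signature engine: each pattern must be written after the attack is known ---
# Constructed signature set; deliberately has no entry for Code Red.
SIGNATURES = {
    "IIS unicode traversal": re.compile(rb"%c0%af|%c1%9c", re.I),
    "phf CGI": re.compile(rb"^GET /cgi-bin/phf", re.M),
}

def signature_scan(request: bytes):
    """Names of every signature whose pattern occurs in the request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]

# --- Protocol model: derived from the RFC, needs no knowledge of any attack ---
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")        # RFC 2616 token
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
VERSION = re.compile(rb"^HTTP/\d+\.\d+$")
# RFC 2396: unreserved and reserved characters, or %HH escapes; nothing else.
URI_CHAR = re.compile(rb"^(?:[A-Za-z0-9\-_.!~*'()/?:@&=+$,;]|%[0-9A-Fa-f]{2})*$")
HEADER = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*.*$")
MAX_URI = 1024  # assumed site policy, not an RFC limit

def protocol_check(request: bytes):
    """Return a list of ways the request deviates from the HTTP model."""
    anomalies = []
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["request line is not 'METHOD SP URI SP VERSION'"]
    method, uri, version = parts
    if not TOKEN.match(method):
        anomalies.append("method is not a token")
    elif method not in KNOWN_METHODS:
        anomalies.append("unknown method %r" % method)
    if not VERSION.match(version):
        anomalies.append("bad HTTP version")
    if not URI_CHAR.match(uri):
        anomalies.append("URI contains characters or escapes not allowed by RFC 2396")
    if len(uri) > MAX_URI:
        anomalies.append("URI length %d exceeds %d" % (len(uri), MAX_URI))
    for h in lines[1:]:
        if not HEADER.match(h):
            anomalies.append("malformed header line %r" % h[:20])
    if method in (b"GET", b"HEAD") and body:
        anomalies.append("message body on %s request" % method.decode())
    return anomalies

# --- Constructed sample traffic ---
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Shape of the IIS unicode directory traversal (known before Code Red).
TRAVERSAL = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
             b"Host: www.example.com\r\n\r\n")
# Same shape as the Code Red request: overlong default.ida query with
# non-standard %u escapes and a payload in the body of a GET. Not the real worm bytes.
CODE_RED_LIKE = (
    b"GET /default.ida?" + b"N" * 224
    + b"%u9090%u6858%ucbd3%u7801" * 3 + b"=a HTTP/1.0\r\n"
    + b"Host: www.example.com\r\nContent-Length: 32\r\n\r\n"
    + b"\x90" * 32
)

def compare(samples):
    """Run both engines over each named request."""
    return {name: (signature_scan(req), protocol_check(req)) for name, req in samples.items()}

if __name__ == "__main__":
    results = compare({"benign": BENIGN, "traversal": TRAVERSAL, "code-red-like": CODE_RED_LIKE})
    for name, (sigs, anomalies) in results.items():
        print(name, "| signatures:", sigs, "| protocol anomalies:", anomalies)
```

The run shows both halves of the argument. The Code Red-shaped request triggers no signature, because none was written for it, yet the protocol model flags it twice (invalid URI escapes, body on a GET) with no prior knowledge of the worm. The traversal request is the reverse: it is well-formed HTTP, since %c0%af is a syntactically valid escape, so only the signature catches it. That is why the page claims 80% of attacks rather than all of them, and why a practitioner runs both.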


Phone: 501.664.8401
Email: info@netsecurenow.com
Content Copyright © 2003 - NetSecure, Inc.