Why intrusion detection?

A proactive method of protecting your data should include an intrusion detection system. The purpose of an Intrusion Detection System (IDS) is to maintain a guard over your network of computers, monitoring the traffic for unauthorized attempts to access resources from outside or from within the local network. Small and medium-sized networks typically run nearly barefoot over the Internet: they usually have only a minimal firewall or proxy server in place, with no other protection for the local network. Every system has weaknesses, even firewalls. Some firewalls have even been discovered to have vulnerabilities that allowed malicious intrusions into the very systems they were supposed to protect.

The IDS monitors the network traffic according to a pre-defined set of rules and alerts the network administrator if a rule is violated. In addition, automatic recording and reporting of the nature of the intrusion begins, allowing the administrator to take the necessary steps to thwart the intruder and block the hole. Many experts assert that an IDS should be a dedicated system running no other services that might make it vulnerable to exploitation. Such systems are configured so that the IDS cannot be accessed except through the local console or an administration port physically isolated from the network it monitors.

An IDS should be installed wherever the cost of even a single intrusion would exceed the cost of installing and maintaining the IDS. Typically an IDS is installed at the LAN/WAN interface, either in the DMZ or alongside a gateway. Additionally, an IDS can be installed within the LAN to monitor intra-network traffic as well. Internal IDS are used to ensure that otherwise undetected Trojan horses or other malicious programs are not worming from within and sending your proprietary information to the outside.

IDS rule sets are defined at installation and refined as usage dictates. Care must be exercised to keep the number of false alarms minimal while taking care not to reduce sensitivity to an actual intrusion. Intrusion detection thus becomes a detect, analyze, document, secure process. Analysis tools are used to document actual intrusions, and adjustments can then be made to member machines, firewalls and user practices to eliminate vulnerabilities as they are found.
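To make the rule-then-alert loop concrete, here is an added example (not code from WindowMeister.com or from any product it describes) of a toy rule-based detector run over constructed connection summaries: one rule for outside hosts reaching administrative ports on the LAN, one internal rule for a local host sending an unusually large volume outward, and a port-sweep rule whose threshold shows how an over-sensitive setting produces false alarms on ordinary browsing. The local-network prefix, the ports, the byte limit and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

LOCAL_PREFIX = "10.0.0."  # assumed local-net prefix; use the monitored LAN's real range

@dataclass
class Flow:
    """One summarised connection as an IDS sensor might record it (constructed format)."""
    src: str
    dst: str
    dport: int
    bytes_out: int

def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIX)

def rule_inbound_admin(flows, admin_ports=(22, 3389)):
    """Outside host connecting to an administrative port on a local machine."""
    return [{"rule": "inbound-admin", "src": f.src, "dst": f.dst, "dport": f.dport}
            for f in flows if not is_local(f.src) and is_local(f.dst) and f.dport in admin_ports]

def rule_internal_exfil(flows, byte_limit):
    """Local host pushing more than byte_limit bytes to outside addresses, summed over its flows."""
    totals = defaultdict(int)
    for f in flows:
        if is_local(f.src) and not is_local(f.dst):
            totals[f.src] += f.bytes_out
    return [{"rule": "internal-exfil", "src": s, "bytes": b} for s, b in totals.items() if b > byte_limit]

def rule_port_sweep(flows, min_ports):
    """One source touching at least min_ports distinct ports on a single destination."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.dst)].add(f.dport)
    return [{"rule": "port-sweep", "src": s, "dst": d, "ports": len(p)}
            for (s, d), p in seen.items() if len(p) >= min_ports]

def run_ids(flows, byte_limit=5_000_000, min_ports=10):
    """Apply every rule; the returned list is the alert record an administrator reviews."""
    return rule_inbound_admin(flows) + rule_internal_exfil(flows, byte_limit) + rule_port_sweep(flows, min_ports)

# Constructed sample: benign browsing, a 15-port sweep from outside (touching 22), a 9 MB upload.
SAMPLE = (
    [Flow("10.0.0.5", "203.0.113.10", p, 2_000) for p in (80, 443)]
    + [Flow("198.51.100.7", "10.0.0.5", p, 60) for p in range(21, 36)]
    + [Flow("10.0.0.9", "203.0.113.50", 443, 3_000_000) for _ in range(3)]
)

if __name__ == "__main__":
    print(*run_ids(SAMPLE), sep="\n")  # three alerts with the default thresholds
```

With the default thresholds the benign browser (two ports) stays quiet; lowering min_ports to 2 makes it a fourth, false alert while adding no new detection, which is the tuning trade-off the text describes.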
Copyright © 2001 by WindowMeister.com, All rights reserved.