5 July 2021

IDS Concept and Anomaly Detection

An IDS (Intrusion Detection System) is a security application that inspects network traffic or host activity for signs of malicious behaviour. Its purpose is to identify such activity, log it and raise an alert so that it can be investigated; detection on its own does not block anything.

Several fundamental approaches to intrusion detection and prevention exist. Some are implemented in commercial or open-source software packages, while others are strategies an organisation can adopt to reduce the likelihood of a successful attack. Two of them, preventive blocking and anomaly detection, are described below.

The history of IDS begins with the network devices called hubs. For many years hubs were widely used, and their defining weakness was that a hub repeats every frame arriving on one port out of all of its other ports. Today switches are used instead, and a switch forwards a frame only to the port on which the destination MAC address was learned. On a hub-based segment, once a packet had been routed to its final network segment, the destination was located by MAC address: every computer on that segment physically received the frame, but a network card normally discards frames whose destination MAC address is not its own, so only the intended recipient passed the frame up to its operating system.

At some point it became apparent that a network card could be told not to discard frames addressed to others (promiscuous mode), at which point the host could observe every frame on its segment. On a hub-based network that meant all incoming and outgoing packets could be observed. This is how the first packet sniffers emerged. The next step was to analyse the captured packets for signs of an attack, and from that need intrusion detection systems came into being: the idea of detecting intrusions by listening to every packet on the network had taken shape. On a switched network the same visibility has to be arranged deliberately, by mirroring traffic to the sensor's port (a SPAN or mirror port) or by inserting a network TAP.

Intrusion Detection and Prevention Systems

Preventive blocking (also called pre-emptive blocking) refers to systems that attempt to stop an intrusion before it occurs. They watch for potential threats or warning signs and block the user or IP address from which those signs originate. A simple example: if frequent port scans are arriving from a specific IP address and you notice that your systems are being scanned, that is a potential attack, and you block the IP address at the firewall.

In today's networks this kind of intrusion detection and prevention is difficult to do well. There is a real risk of blocking a legitimate user, because legitimate traffic cannot always be distinguished from an indicator of attack. When the system mistakenly classifies legitimate traffic as an attack the result is a false positive, and an automatic block then turns a detection error into a denial of service for that user.

Generally, a software system can alert you that suspicious activity is taking place, and a network administrator then decides whether to block the traffic. This is what an IDS does. If the software blocks automatically, you accept the risk of blocking legitimate users in exchange for speed of response; systems that do this are called IPS, Intrusion Prevention Systems.

Beyond these basic components, IDS can be classified by how they respond to a detected anomaly and by where they are deployed. A passive IDS only logs the activity and alerts the administrator; an active IDS, that is an IPS, also stops the offending traffic. IDS / IPS can also be classified by whether they monitor a single machine or an entire network segment. A sensor watching a single machine is a HIDS (host-based intrusion detection system) or HIPS (host-based intrusion prevention system); one watching a network segment is a NIDS or NIPS (network-based).

Anomaly Detection

Anomaly detection refers to security software that works to detect intrusion attempts and inform the administrator. The general process is straightforward: the intrusion detection application looks for behaviour that deviates from normal. It compares observed activity with profiles of expected normal usage, which are usually built for specific users, user groups or applications. Any activity that does not fit the definition of normal behaviour is treated as an anomaly and logged. Because it rests on such profiles, this is sometimes called profiling or trace-back detection.

Specific ways in which an anomaly can be detected are as follows:

Threshold Monitoring

Threshold monitoring pre-sets acceptable levels of behaviour and watches for them to be exceeded. The rule can be as simple as a limit on failed login attempts, or a more complex set such as the hours at which a user connects and the volume of data a user downloads. Thresholds give a crisp definition of acceptable behaviour, but characterising intrusive behaviour purely by threshold limits is difficult: choosing appropriate values, and the time frame within which they are counted, is often a matter of trial and error. Set the threshold too low or the window too wide and legitimate users trip the rule (false positives); set it too high and an attacker who stays just under the limit is never seen (false negatives).
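The failed-login rule above is the classic threshold monitor, and the port-scan case under preventive blocking is the same idea applied to connection attempts. The following is an added example, not code from the original article: a sliding-window threshold detector run over a handful of constructed sshd-style log lines (hypothetical host web01, users alice and bob, and RFC 5737 documentation addresses). It shows the tuning problem the paragraph describes: a 60-second window catches the rapid guessing from 198.51.100.7 and ignores bob's occasional typos, while stretching the window to an hour flags bob as well.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (hypothetical host, users and RFC 5737 test addresses).
# 192.0.2.10: a user mistypes twice, then succeeds.  198.51.100.7: six failures in six
# seconds against guessed usernames.  203.0.113.5: five failures spread over an hour.
SAMPLE_LOG = """\
Jul  5 10:00:01 web01 sshd[2201]: Failed password for alice from 192.0.2.10 port 51522 ssh2
Jul  5 10:00:04 web01 sshd[2201]: Failed password for alice from 192.0.2.10 port 51522 ssh2
Jul  5 10:00:09 web01 sshd[2201]: Accepted password for alice from 192.0.2.10 port 51522 ssh2
Jul  5 10:03:10 web01 sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul  5 10:03:11 web01 sshd[2311]: Failed password for invalid user root from 198.51.100.7 port 40002 ssh2
Jul  5 10:03:12 web01 sshd[2312]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jul  5 10:03:13 web01 sshd[2313]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Jul  5 10:03:15 web01 sshd[2314]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Jul  5 10:03:16 web01 sshd[2315]: Failed password for invalid user ubuntu from 198.51.100.7 port 40006 ssh2
Jul  5 11:30:00 web01 sshd[2400]: Failed password for bob from 203.0.113.5 port 50001 ssh2
Jul  5 11:45:00 web01 sshd[2401]: Failed password for bob from 203.0.113.5 port 50002 ssh2
Jul  5 12:00:00 web01 sshd[2402]: Failed password for bob from 203.0.113.5 port 50003 ssh2
Jul  5 12:15:00 web01 sshd[2403]: Failed password for bob from 203.0.113.5 port 50004 ssh2
Jul  5 12:30:00 web01 sshd[2404]: Failed password for bob from 203.0.113.5 port 50005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year=2021):
    """Yield (timestamp, ip, user) for each failed-login line; everything else is skipped.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def threshold_alerts(log_text, threshold=5, window_seconds=60):
    """Threshold rule: alert when one source IP accumulates `threshold` failed logins
    inside a sliding window of `window_seconds`.  Returns [(ip, time_of_trigger), ...]."""
    recent = defaultdict(deque)          # ip -> timestamps of failures still inside the window
    alerts = []
    for ts, ip, _user in sorted(parse_failures(log_text)):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()             # expire failures that fell out of the window
        if len(window) >= threshold:
            alerts.append((ip, ts))
            window.clear()               # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for ip, ts in threshold_alerts(SAMPLE_LOG, threshold=5, window_seconds=60):
        print(f"{ts:%H:%M:%S} ALERT {ip}: 5 failed logins within 60 s")
    # Widening the window to an hour also catches the slow attempts from 203.0.113.5,
    # which is exactly the kind of hit that may be a forgetful user rather than an attacker.
    for ip, ts in threshold_alerts(SAMPLE_LOG, threshold=5, window_seconds=3600):
        print(f"{ts:%H:%M:%S} ALERT (1 h window) {ip}")
```

An IPS would feed the returned (ip, time) pairs straight into a firewall block; an IDS stops at the alert. Either way the threshold and window are the whole policy, and the second run shows how cheaply a wider window buys a false positive.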

Resource Profiling

Resource profiling measures resource usage across the system and builds a usage profile from it. Knowing how a user normally consumes system resources lets the IDS recognise usage that falls outside normal parameters, and such abnormal readings can indicate malicious activity in progress. An increase in usage might equally have a benign cause, such as a heavier workload, rather than an attempt to compromise security; the reading is a prompt to investigate, not proof.

User / Group Work Profiling

In user / group work profiling, the IDS maintains individual work profiles for users and groups, and these users and groups are expected to stay within their profiles. As users change their activities, the expected profile is updated to follow them. Some systems track the interaction of short-term and long-term profiles: the short-term profile captures recently changed working patterns, while the long-term profile reflects usage over an extended period, so a sudden divergence between the two is the signal. Profiling an irregular or dynamic user base is hard. Profiles defined too broadly let almost any activity pass unreviewed, while profiles defined too narrowly generate false positives and hamper users' work.
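Both resource profiling and user / group profiling come down to the same mechanism: a long-term baseline per subject, a short-term view of recent behaviour, and a rule for how far the two may diverge. This added example, which is not part of the original article, implements that over constructed daily download volumes (in MB) for three hypothetical users. The parameter k is the profile width: at k=3 the gradual growth of bob's workload is flagged alongside alice's obvious spike, at k=4 only alice is, which is the "too narrow versus too broad" trade-off in numbers. The 5 % floor on the baseline deviation is an assumption added to handle a user whose usage has been perfectly flat.

```python
from statistics import mean, pstdev

# Constructed daily download volumes in MB per user (hypothetical), oldest day first.
# alice: steady, then two huge days.  bob: steadily climbing workload.  carol: flat.
HISTORY = {
    "alice": [120, 135, 110, 128, 140, 132, 125, 138, 130, 129, 133, 127, 131, 900, 1250],
    "bob":   [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 60, 65, 70, 75, 80],
    "carol": [50] * 12 + [52, 52, 52],
}


def profile(series, long_window=10, short_window=3):
    """Split a user's history into a long-term profile (baseline) and a short-term profile
    (recent behaviour) and express the short-term mean as a z-score against the baseline."""
    if len(series) < long_window + short_window:
        raise ValueError("not enough history to build both profiles")
    recent = series[-short_window:]
    baseline = series[-(short_window + long_window):-short_window]
    base_mean, base_std = mean(baseline), pstdev(baseline)
    # A perfectly flat baseline has std 0; floor it so a 2 MB blip does not become an
    # infinite z-score (assumed floor: 5 % of the baseline mean).
    floor = max(base_std, 0.05 * base_mean, 1e-9)
    recent_mean = mean(recent)
    return {
        "long_mean": base_mean,
        "long_std": base_std,
        "short_mean": recent_mean,
        "zscore": (recent_mean - base_mean) / floor,
    }


def flag_anomalies(histories, k=3.0, **windows):
    """Return the set of users whose recent usage sits more than k baseline deviations
    above their long-term profile.  k is the 'width' of the profile: small k is a narrow
    profile (more false positives), large k a broad one (more misses)."""
    return {user for user, series in histories.items()
            if profile(series, **windows)["zscore"] > k}


def updated(series, new_value, keep=15):
    """Append today's observation and drop the oldest so the profiles follow the user over time."""
    return (series + [new_value])[-keep:]


if __name__ == "__main__":
    for user, series in HISTORY.items():
        p = profile(series)
        print(f"{user:6} baseline {p['long_mean']:7.1f} +/- {p['long_std']:5.1f} MB, "
              f"recent {p['short_mean']:7.1f} MB, z = {p['zscore']:6.2f}")
    print("narrow profile (k=3):", sorted(flag_anomalies(HISTORY, k=3)))
    print("broad profile  (k=4):", sorted(flag_anomalies(HISTORY, k=4)))
```

Whether bob's z of roughly 3.4 is an incident or a busier quarter is precisely the judgement the paragraph says the IDS cannot make for you; the sliding windows in updated() are what makes the profile follow a user whose normal genuinely changes.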

Executable Profiling

Executable profiling seeks to measure and monitor how programmes use system resources, with particular attention to activity that cannot always be traced back to the user who originated it. System services, for example, usually cannot be attributed to a specific user who launched them. Viruses, Trojan horses, worms, trapdoors and similar software attacks are addressed by profiling how system objects such as files and printers are normally used, not only by users directly but also by the other system subjects acting on their behalf. In most conventional systems any programme, a virus included, inherits all the privileges of the user running it; the software is not confined by the principle of least privilege to only the privileges it needs to do its job, so a per-user profile alone cannot tell a malicious programme's file access from the user's own.

Executable profiling lets the IDS spot a programme behaving out of character, which may indicate an attack. When a potential threat is identified, the administrator is informed through a channel such as a network message or email.
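Executable profiling keys the profile on the programme rather than the user, which is what makes abuse of inherited privileges visible. This added example (not from the original article) builds a per-programme profile from constructed audit-style events for two hypothetical programmes, pdfviewer and backupd, both running as user alice, and then checks later events against it. The backup daemon reading alice's SSH key is normal; the PDF viewer doing the same thing, opening a network connection, or executing a shell is not, even though a user-level profile would see the same user touching the same objects in both cases. File targets are generalised to their directory so that opening a new document in a known folder is not an anomaly.

```python
import posixpath
from collections import defaultdict

# Constructed audit-style events (hypothetical programs, user "alice", and paths):
# (program, operation, target).  The learning set is what the programs normally do.
LEARNING = [
    ("pdfviewer", "open", "/home/alice/docs/report.pdf"),
    ("pdfviewer", "open", "/home/alice/docs/invoice.pdf"),
    ("pdfviewer", "open", "/usr/share/fonts/dejavu.ttf"),
    ("backupd", "open", "/home/alice/docs/report.pdf"),
    ("backupd", "open", "/home/alice/.ssh/id_ed25519"),
    ("backupd", "connect", "backup.example.internal:443"),
]

# Later activity, all running with alice's privileges.  Only the last three pdfviewer
# events are out of character, even though alice herself may touch all of these objects.
MONITORING = [
    ("pdfviewer", "open", "/home/alice/docs/budget.pdf"),
    ("backupd", "open", "/home/alice/docs/budget.pdf"),
    ("pdfviewer", "open", "/home/alice/.ssh/id_ed25519"),
    ("pdfviewer", "connect", "203.0.113.9:4444"),
    ("pdfviewer", "exec", "/bin/sh"),
]


def generalise(operation, target):
    """Reduce a target to the granularity kept in the profile: the directory for file
    operations, the host for network connections, the full path for executions."""
    if operation == "connect":
        return target.rsplit(":", 1)[0]
    if operation == "exec":
        return target
    return posixpath.dirname(target)


def build_profile(events):
    """program -> operation -> set of generalised targets seen during learning."""
    prof = defaultdict(lambda: defaultdict(set))
    for program, operation, target in events:
        prof[program][operation].add(generalise(operation, target))
    return prof


def check(prof, events):
    """Return (program, operation, target, reason) for every event outside the profile."""
    findings = []
    for program, operation, target in events:
        ops = prof.get(program)          # .get() does not create an empty profile
        if ops is None:
            findings.append((program, operation, target, "unknown program"))
        elif operation not in ops:
            findings.append((program, operation, target, "operation never seen for this program"))
        elif generalise(operation, target) not in ops[operation]:
            findings.append((program, operation, target, "target outside the program's profile"))
    return findings


if __name__ == "__main__":
    for finding in check(build_profile(LEARNING), MONITORING):
        print("ANOMALY %-10s %-8s %-32s %s" % finding)
```

The learned profile is also a statement of what each programme needs, so the same data can drive a least-privilege policy (for example a per-programme allowlist of directories and hosts) rather than only an alert after the fact.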

IDS Applications

Each IDS system on the market has its strengths and weaknesses. Deciding which system is best for a particular environment depends on many factors, including the network environment, the required level of security, budget constraints, and the skill level of the person who will work directly with the IDS.

Snort

Snort is the best-known open-source intrusion detection and prevention system. It is installed as software on a host and inspects the traffic that host can see, so on a switched network a Snort sensor is fed from a mirror port or TAP. A common small deployment is host-based, with firewall software and Snort running on the same machine. Snort is available for UNIX, Linux, FreeBSD and Windows; it is free to download, and its documentation can be found at www.snort.org. Snort operates in one of three modes: sniffer, packet logger, and network intrusion detection.

Sniffer

In packet sniffer mode, the console (shell or command prompt) displays a continuous stream of the headers and, optionally, the contents of all packets arriving at the machine. This is very useful to a network administrator: seeing what traffic actually crosses a network is the best way to find where potential problems lie, and it is a quick way to check whether a given transmission is really encrypted. Many sniffers exist, and one belongs in every network administrator's toolkit.

Packet Logger

Packet logger mode is similar to sniffer mode, except that instead of displaying packet contents on the console Snort writes them to a log directory on disk, either in decoded text form or as binary packet captures. Once the data is on disk it can be searched with text tools such as grep, or opened in a packet analyser such as Wireshark, to find specific information.

Network Intrusion Detection

In network intrusion detection mode, Snort inspects traffic against a set of rules. Each rule describes a protocol, source and destination addresses and ports, and patterns that must appear in the packet; a matching packet is logged and can raise an alert to the network administrator. Snort does not learn on its own: its accuracy depends entirely on the quality and currency of the rule set, which is why rules are updated regularly and tuned to the local network. This mode requires the most configuration, because the user specifies which rules are applied when inspecting packets.
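Snort's detection mode is rule matching, and the easiest way to see what that does and does not do is to run a few rules over a few packets. The following is an added example, not Snort code or rules from the original article: a small Python matcher for a subset of the Snort 2 rule language (a header with $HOME_NET-style variables and negation, and the msg, content including |hex| byte runs, sid and rev options; other keywords are parsed and ignored), applied to constructed packets with RFC 5737 addresses. The rules and sids are hypothetical and use the local range above 1000000. Snort itself is started in its three modes with `snort -v` (sniffer; add `-d` to dump payloads and `-e` for link-layer headers), `snort -dev -l ./log` (packet logger) and `snort -dev -l ./log -c snort.conf` (NIDS), with HOME_NET and EXTERNAL_NET defined in snort.conf.

```python
import ipaddress
import re

# Constructed rules in Snort 2 syntax (hypothetical local sids above 1000000); not a real rule set.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Inbound SSH banner"; content:"SSH-"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Path traversal in HTTP request"; content:"GET "; content:"../"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Shell command output leaving the network"; content:"|75 69 64 3d|"; sid:1000003; rev:1;)
'''
# snort.conf would set these with ipvar HOME_NET / EXTERNAL_NET; the values here are assumed.
VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' while ignoring semicolons inside quoted values."""
    parts, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts


def decode_content(value):
    """Snort content strings mix text with |hex bytes|; return the raw byte pattern."""
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")   # odd segments are hex
    return bytes(out)


def parse_rule(line, variables=VARS):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse rule: {line}")
    rule = {k: variables.get(v, v) for k, v in m.groupdict().items() if k != "opts"}
    rule.update(msg="", contents=[], sid=None, rev=0)
    for opt in split_options(m["opts"]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append(decode_content(val))
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        # flow, classtype and other keywords are accepted but ignored by this toy matcher
    return rule


def addr_matches(spec, ip):
    """'any', a CIDR, or a negated CIDR such as !192.0.2.0/24."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")


def port_matches(spec, port):
    """'any', one port, or a Snort range: 1:1024, :1024 or 1024:."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def rule_matches(rule, pkt):
    return (rule["proto"] in ("any", "ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])
            and all(c in pkt["payload"] for c in rule["contents"]))    # every content: must match


def inspect(rules, packets):
    """Run each packet through every rule; return fast-alert style lines in packet order."""
    return [f'[1:{r["sid"]}:{r["rev"]}] {r["msg"]} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}'
            for p in packets for r in rules if rule_matches(r, p)]


RULESET = [parse_rule(l) for l in RULES.splitlines() if l.strip() and not l.lstrip().startswith("#")]

# Constructed packets (RFC 5737 addresses); payload is the first bytes of each session.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_8.4\r\n"},                      # external -> home SSH: sid 1000001
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"},   # traversal attempt: sid 1000002
    {"proto": "tcp", "src": "192.0.2.20", "sport": 50000, "dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_8.4\r\n"},                      # internal SSH: no alert
    {"proto": "tcp", "src": "192.0.2.10", "sport": 49152, "dst": "203.0.113.9", "dport": 4444,
     "payload": b"uid=0(root) gid=0(root)\n"},                    # reverse shell output: sid 1000003
    {"proto": "udp", "src": "198.51.100.7", "sport": 53, "dst": "192.0.2.10", "dport": 53,
     "payload": b"SSH-"},                                          # wrong protocol: no alert
]

if __name__ == "__main__":
    for line in inspect(RULESET, PACKETS):
        print(line)
```

Two points the output makes: the internal host 192.0.2.20 connecting over SSH does not alert because $EXTERNAL_NET is defined as the negation of $HOME_NET, and the uid= rule fires on any port, so it is only as good as the analyst's judgement about whether that string ever appears in legitimate outbound traffic. Nothing here adapts by itself; a new attack needs a new rule.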

Configuring Snort is mostly a matter of knowing the right commands and understanding their output. Anyone with moderate experience of the Linux shell or the Windows command prompt can quickly master it. Snort is a good tool alongside a host-based firewall, or as an IDS providing additional protection on each server.

Cisco Intrusion Detection and Prevention System

Cisco uses its networking expertise to its advantage in this area too. Alongside its firewalls and routers, Cisco offers a range of intrusion detection models, each with a different focus and purpose. In the past Cisco had two specific, widely used IDS products: the Cisco IDS 4200 Series Sensors and the Cisco Catalyst 6500 Series Intrusion Detection System module (IDSM-2).

The current line-up is sold under the Firepower name, notably the Firepower 4100, 8000 and 9000 series. These products include sandboxing for malware analysis alongside anti-malware protection, and they integrate cyber threat intelligence feeds.

The 4100 series is aimed at smaller networks, while the 9000 series is designed for large-scale networks. A main benefit of Cisco security products is their widespread use in the industry and the availability of training for them; Cisco also runs a range of product certifications that attest to an individual's qualification on a specific Cisco product.
