3

How does an IDS identify a computer on the network? I mean, do IDSs actually check whether a device is actually what it claims to be? If so, what factors does it check (MAC etc.)?

For example, if a device was banned from the network due to malicious activity (my friend claims that when he tried ARP spoofing in his college, his laptop was banned from the network and he was caught), how does the IDS keep track of or identify the device when it re-enters the network?

Grim Reaper
  • 518
  • 1
  • 4
  • 14

7 Answers

1

First of all, realize that when talking about an IDS we are talking about a passive device. With a passive device, they commonly log/alert and nothing else. On the other hand, if this device was an IPS, that is where the active "shunning", blocking, or whatever else it was built to do happens.

Much like anti-virus technologies, there are two types of network sensing technologies: signature based (e.g. Snort) and heuristic based (e.g. FireEye, kinda!).

As for detecting anomalous activity at layer 2, it is uncommon for the IDS/IPS to take care of this. This, however, does not mean that nothing else on the network could monitor this instead. That something is usually a NAC (Network Access Control) solution (e.g. FreeNAC), and it is possible there is a suite of tools that may run together with the IPS/IDS and does this, but as a different part of a product (see Palo Alto).

With all that said, at the internet touch points there are many ways to passively fingerprint a device based off of its traffic. In fact, Nessus actually does this very well, and additionally, if you have ever played with p0f you have already done this yourself. Things like web requests, SMB connection attempts, and other bits of traffic help those systems pull together quite a bit of information passively.

See this Nessus page explaining more.

http://www.tenable.com/blog/enhanced-operating-system-identification-with-nessus

dc5553
  • 365
  • 1
  • 8
1

This post is old, but I thought I'd mention, if you want to learn about IDS/IPS in a more practical environment, I would download pfSense; it's pretty easy to set up, and the best way to do it is to use things like Yersinia and all of the tools in Kali Linux and see how it logs the traffic you're giving it. Also Splunk is pretty decent; I have it set up on the DC in my VMware lab that I use for research and such.

pfSense: http://www.pfsense.org/
Splunk: http://www.splunk.com/

EnergyBrew
  • 11
  • 1
0

It doesn't. The IDS is only going to look for what's in its rule-set. So it sees the ARP spoof attempt, logs it and alerts the operator. The operator manually shuns the IP, blocks the MAC, disables the switch port, whatever. Most IDS systems can also be scripted for active responses, so when the IDS sees the ARP spoof attempt, a script fires off telling the switch/firewall to block the IP/MAC address, etc. I know of a couple of products that do, however, integrate their device tracking capabilities with the IDS to keep tabs on "bad" devices.

snorty
  • 1
0

It depends on where you place your IDS in the network.

user -> IDS -> Proxy/Firewall -> Internet

The IDS will trigger the event with the IP address of the specific user who made the ARP spoof attack.

user -> Proxy/Firewall -> IDS -> Internet

The IDS will trigger the event with the Proxy/Firewall as the source IP address.

In short, as long as these appliances keep logs, they can trace you down in the network.

hoa
  • 441
  • 2
  • 8
  • So it just checks the MAC address to keep track of the device? – Grim Reaper Dec 20 '13 at 06:36
  • The traffic passes through the IDS and the IDS mechanism detects that this is an ARP spoof attack; it triggers an event and the administrator is alerted and tracks the attack based on the IP address/tcpdumps – hoa Dec 21 '13 at 05:25
0

An IDS doesn't keep a record of MAC addresses. In an IDS, only the internal & external networks are configured, to differentiate between internal & external network traffic. The IDS has predefined rules to launch the verdict (in the case of an IDS it may be a log or an alert) against any intrusion activity from inside to outside and from outside to inside. Consider the scenario in a network:

Your system -> switch/hub (obsoleted) -> proxy/DNS -> firewall -> IDS/IPS -> gateway -> internet

As you are telling, your friend got caught during the ARP spoofing because of the prevention mechanism applied on the switch, that is MAC binding. Using logs they can identify the device & based on that they can apply an IP access control list.

ifexploit
  • 2,499
  • 1
  • 14
  • 12
0

In the case of your friend, he probably wasn't caught by an IDS; he would have triggered a Network Access Control device, or, most likely, the switch that he was plugged into was configured to only allow a single MAC address per port, and the port was shut down automatically when he tried to use a MAC address other than his own.

Chris
  • 21
  • 2
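The two mechanisms the answers above contrast, a passive NIDS rule that only logs/alerts when an ARP reply rebinds an IP address to a new MAC, and a switch port-security policy that actively err-disables a port on a second MAC and remembers the device that was bound to it, as an added Python example. This is not code from any answer or product named on the page; the ARP frames, port labels and MAC addresses are constructed for the illustration, and a real sensor would read frames from a capture or log instead.

```python
"""Toy NIDS rule + switch port security, side by side (constructed example)."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    port: str         # ingress switch port (hypothetical "Gi1/0/N" labels)
    src_mac: str      # Ethernet source address
    op: int           # ARP opcode
    sender_ip: str    # ARP sender protocol address
    sender_mac: str   # ARP sender hardware address


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    old_mac: str
    new_mac: str
    port: str


class ArpSpoofDetector:
    """Passive NIDS-style check: it only records alerts, it never blocks."""

    def __init__(self, static_map=None):
        # IP -> MAC bindings, either pre-configured or learned on first sight.
        self.ip_to_mac = dict(static_map or {})
        self.alerts: list[Alert] = []

    def inspect(self, f: ArpFrame):
        known = self.ip_to_mac.get(f.sender_ip)
        if known is None:
            self.ip_to_mac[f.sender_ip] = f.sender_mac   # learn the first binding
            return None
        if known != f.sender_mac:
            # Same IP now claimed by a different MAC: the classic ARP spoof signature.
            a = Alert("arp_cache_overwrite", f.sender_ip, known, f.sender_mac, f.port)
            self.alerts.append(a)
            return a
        return None


class PortSecurity:
    """Active control at the switch: one sticky MAC per port, shutdown on violation."""

    def __init__(self):
        self.sticky: dict[str, str] = {}       # port -> first MAC seen on it
        self.err_disabled: set[str] = set()
        self.blocked_macs: set[str] = set()    # devices the admin has banned, by MAC

    def admit(self, port: str, mac: str) -> bool:
        if port in self.err_disabled or mac in self.blocked_macs:
            return False
        bound = self.sticky.setdefault(port, mac)
        if bound != mac:
            # A second MAC appeared on the port: shut it and ban the device that
            # was bound to it. MAC is the only identity the switch has here, which
            # is why NAC products layer stronger device identification on top.
            self.err_disabled.add(port)
            self.blocked_macs.add(bound)
            return False
        return True


def run_demo():
    gw_mac, laptop_mac = "aa:aa:aa:aa:aa:01", "de:ad:be:ef:00:42"
    frames = [  # constructed sample traffic
        ArpFrame("Gi1/0/1", gw_mac, ARP_REPLY, "10.0.0.1", gw_mac),
        ArpFrame("Gi1/0/7", laptop_mac, ARP_REQUEST, "10.0.0.42", laptop_mac),
        # laptop answers for the gateway's IP with its own MAC: NIDS rule fires
        ArpFrame("Gi1/0/7", laptop_mac, ARP_REPLY, "10.0.0.1", laptop_mac),
        # laptop forges the gateway's MAC entirely: nothing new for the NIDS,
        # but port Gi1/0/7 is bound to laptop_mac, so port security trips
        ArpFrame("Gi1/0/7", gw_mac, ARP_REPLY, "10.0.0.1", gw_mac),
    ]
    ids, switch, admitted = ArpSpoofDetector(), PortSecurity(), []
    for f in frames:
        admitted.append(switch.admit(f.port, f.src_mac))
        if admitted[-1]:          # only frames the switch forwards reach the sensor
            ids.inspect(f)
    return {
        "alerts": [(a.kind, a.ip, a.old_mac, a.new_mac, a.port) for a in ids.alerts],
        "admitted": admitted,
        "err_disabled": sorted(switch.err_disabled),
        # the banned laptop re-enters on another port and is refused by MAC
        "reentry_denied": not switch.admit("Gi1/0/9", laptop_mac),
        # an unrelated device on that same port is fine
        "other_ok": switch.admit("Gi1/0/9", "cc:cc:cc:cc:cc:09"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the two classes make together: the detector produces an alert naming IP, old MAC, new MAC and port, but it is the switch (or an admin acting on the alert) that does the blocking, and the only handle it has for recognising the device later is the MAC it learned on the port.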
0

Since you mentioned the IDS on the network, I suppose it was a NIDS.
Actually, a NIDS doesn't identify a computer. Its function is to detect abnormal behaviour from network traffic, so it tracks only the IP addresses. In case a computer's IP changes over time, the NIDS couldn't help. If you deploy a Security Information & Event Management system, it includes a lot of tools such as Asset Discovery/Management to identify computers and correlate events into contexts, so that you can monitor the flow of traffic and computers' activities on the network more easily.
You may like more information at: http://www.alienvault.com

incous
  • 36
  • 1