4

These days I'm reading about intrusion prevention/detection systems. While reading, I got really confused on some points.

First, the firewall and antivirus technologies have been well-known terms for years; however, now IDS is becoming popular.

My question includes:

  • In organizational network architectures, when/where do we use these systems?
  • What are the benefits of using each?
  • Does a firewall contain all of these others?

If you give me some examples, it will help much.

Thanks.

Berkay

3 Answers

11

Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) are a rather broad topic. As such, my answer here is far from comprehensive.

The types of IDS include network and host based.

Network based IDS, such as SNORT, analyze and log network traffic based on a set of rules. These rules would match potential vulnerabilities, thus potentially providing advance warning of attempted intrusion and forensic data after the fact.

Host based IDS include software such as AIDE, which compare hashes of the files on the filesystem on a recurring basis. This would allow someone to monitor changes on the system and identify unauthorized changes.

Central logging could arguably be part of your host based IDS solutions. Central logging enables control and auditing of your logs in a central place. Additionally, keeping logs in a central place minimizes exposure and allows an additional audit trail, in case a system is compromised and the logs are no longer trusted.

Packet filtering (firewalling) is a security mechanism for controlling traffic to and from your network. Firewalls are not IDS.

A well run IT infrastructure includes many of these technologies and many professionals would not consider them optional.

Warner
    Just about nails it, although there's a lot of blur and overlap in security technology, so I can understand the confusion: many firewalls feature IDS features, anti-virus software often includes a firewall, and so on. – gravyface Mar 27 '10 at 22:31
  • Thanks for the answer. What about antivirus software? Where is it deployed? Can we say that antivirus software is signature-based intrusion detection? – Berkay Mar 28 '10 at 05:05
  • It gets into semantics - antivirus usually refers to software installed on hosts to prevent infection by malware, rather than intrusion per se, as an "intrusion" could also happen from any number of vectors that wouldn't be prevented or detected by antivirus software. However, as gravyface points out, there's lots of overlap and many antivirus programs are part of security "suites" that include firewall software and/or HIDS. – nedm Mar 28 '10 at 07:02
  • I wouldn't consider antivirus software in the same category as IDS but someone could potentially argue semantically there. – Warner Mar 28 '10 at 17:50
4

A few things I want to add (IMO, Warner's excellent answer already covers most of the points):

Firewalls separate your network into areas with different levels of trust:

  • Company external/internal
  • Host external/internal
  • Certain IP addresses in a whitelist/blacklist/neutral
  • ...

IDS, on the other hand, are often used to distinguish valid traffic from attacks, although they all originate from the same zone. A naive assumption that is often made by companies is that all traffic that originates from the company's LAN can be trusted. But this leads to the problem that even a small security breach, which seems to be harmless on its surface (e.g. it allows the attacker to send certain "harmless" requests from the company's web server to the LAN), can easily become a much larger problem. So IDS rather assume that the attacker is already somewhere inside the network, and look for abnormalities.

One more thing about IDS: listening on one point of your network is often not enough! Due to the nature of switches, not every attack spreads through the entire network. So an optimal IDS would monitor (theoretically)

  1. all hosts
  2. all network traffic between any two points.

It's also useful to monitor the state of switches (to defend against attacks like port stealing).
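To make the two points of this answer concrete (the IDS assumes the attacker is already inside, and a single listening point misses traffic that never crosses it), here is a small detection rule run over flow records from two sensors. This is an added example, not code from the original answer or from any IDS product; the flow-record format, the sensor names `perimeter` and `core`, the 10.0.0.0/8 LAN range and all sample lines are constructed for illustration.

```python
"""Horizontal-sweep detection over flow logs, evaluated per sensor."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")  # assumed internal range for this example

# Constructed records, one per line: "epoch sensor src_ip dst_ip dst_port".
# The perimeter sensor only sees flows crossing the Internet boundary; the
# core sensor is a SPAN/mirror port on the core switch and sees LAN-to-LAN.
SAMPLE_FLOWS = """\
1000 perimeter 10.1.1.20 203.0.113.10 443
1002 perimeter 10.1.1.20 198.51.100.7 80
1003 core      10.1.1.20 10.1.1.21 445
1004 core      10.1.1.20 10.1.1.22 445
1005 core      10.1.1.20 10.1.1.23 445
1006 core      10.1.1.20 10.1.1.24 445
1007 core      10.1.1.20 10.1.1.25 445
1008 core      10.1.1.20 10.1.1.26 445
1020 core      10.1.1.30 10.1.1.5 3306
1200 core      10.1.1.20 10.1.1.40 445
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    sensor: str
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> list:
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, dport = line.split()
        flows.append(Flow(int(ts), sensor, src, dst, int(dport)))
    return flows


def detect_internal_sweeps(flows, window: int = 60, threshold: int = 5) -> list:
    """Alert when one LAN host contacts >= threshold distinct LAN hosts on the
    same port within `window` seconds. Only LAN-to-LAN flows are considered,
    which is exactly the traffic a perimeter sensor never sees."""
    by_key = defaultdict(list)  # (src, dport) -> [(ts, dst)] in time order
    for f in sorted(flows, key=lambda f: f.ts):
        if ip_address(f.src) in LAN and ip_address(f.dst) in LAN:
            by_key[(f.src, f.dport)].append((f.ts, f.dst))

    alerts = []
    for (src, dport), events in by_key.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"src": src, "dport": dport,
                               "targets": len(distinct),
                               "first_ts": events[start][0]})
                break  # one alert per (src, port) pair is enough here
    return alerts


def alerts_by_sensor(text: str = SAMPLE_FLOWS) -> dict:
    """Run the rule separately on each sensor's records to show what each can see."""
    flows = parse_flows(text)
    sensors = sorted({f.sensor for f in flows})
    return {s: detect_internal_sweeps([f for f in flows if f.sensor == s])
            for s in sensors}


if __name__ == "__main__":
    for sensor, alerts in alerts_by_sensor().items():
        print(f"{sensor}: {alerts or 'no alerts'}")
```

Run on the sample, the perimeter sensor produces no alert at all, while the core sensor flags 10.1.1.20 reaching five LAN hosts on port 445 within a few seconds. The same source host looks perfectly ordinary at the perimeter, which is the answer's argument for monitoring inside the trusted zone rather than only at its edge.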

Chris Lercher
0

If you are running a web application, make sure you have a Web Application Firewall. For instance, mod_security is an excellent web application firewall that is free and open source.

The default rule sets for Mod_security can prevent against SQL injection, XSS and many other attacks. Mod_Security isn't as good as Cisco ACE, which is a very expensive commercial product. Cisco ACE's best feature is anti-DDoS.

Rook