- Security Lab
- Wednesday, 11 June 2003.
NIDS are used to monitoring the activities that take place on a particular network, Network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. They have n/w interface in promiscuous mode. Because they are responsible for monitoring a network, rather than a single host, Network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. Instead of analyzing information that originates and resides on a computer, network-based IDS uses techniques like "packet-sniffing" to pull data from TCP/IP orother protocol packets traveling along the network. This surveillance of the connections between computers makes network-based IDS great at detecting access attempts from outside the trusted network. In general, network-based systems are best at detecting the following activities:
- Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
- Bandwidth theft/denial of service: these attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.
Some possible downsides to network-based IDS include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and deter packet interpretation. Examples of network- based IDS include Shadow, Snort!, Dragon, NFR, RealSecure, and NetProwler. One important topic about the NIDS is where to deploy the sensor, inside or outside the firewall. A interesting quote from SANS' GIAC Director Stephen Northcutt's book, Network Intrusion Detection: An Analyst's Handbook:
"An IDS before the firewall is an Attack detection and after the firewall is Intrusion detection.... In a switched network, since we don't have broadcasting, we have two better options on deploying the NIDS, using a hub to force a broadcast or using a mirroring-port in the switch."
Application Based IDS
Application Based IDS monitor only specific applications such as database management systems, content management systems, accounting systems etc. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity. Sometimes application-based IDS can even track unauthorized activity from individual users. They can also work with encrypted data, using application-based encryption/decryption services.
IDS ModelsKnowledge-based IDS (signature-based model) Which alert administrators before an intrusion occurs using a database of common attacks.Behavioral IDS (anomaly model) That tracks all resource usage for anomalies & malicious activity.
Some IDSes are standalone services that work in the background and passively listen for activity, logging any suspicious packets from the outside. Others combine standard system tools, modified configurations, and verbose logging.