CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [102]
FIGURE 4.8 AD-IDS using expert system technology to evaluate risks
Whenever there is an attack, there is almost always something created that identifies it—an entry in the login report, an error in a log, and so forth. Those items represent intrusion signatures, and you can learn from them and instruct IDS to watch for and prevent repeat performances of those items.
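The following added example (not from the book) shows the two ideas in this paragraph in working code: a small signature-based detector run over a few constructed SSH log lines, and a helper that turns one observed log entry into a new signature so the detector will flag repeat performances. The log lines, signature names, thresholds and IP addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (syslog style); not real traffic.
SAMPLE_LOG = """\
Mar 12 10:01:02 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:01:04 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 12 10:01:06 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 12 10:01:08 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 12 10:01:10 host1 sshd[4012]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 12 10:02:00 host1 sshd[4020]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
Mar 12 10:03:15 host1 sshd[4031]: Failed password for bob from 192.0.2.22 port 50044 ssh2
Mar 12 10:05:30 host1 sshd[4040]: Accepted password for root from 203.0.113.7 port 51240 ssh2
"""

IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Each signature: (name, regex that captures the source address as <src>, hit threshold).
# Names and thresholds are assumptions for this example.
SIGNATURES = [
    ("ssh-password-bruteforce",
     re.compile(r"Failed password for .* from (?P<src>\d+\.\d+\.\d+\.\d+)"), 5),
    ("root-password-login",
     re.compile(r"Accepted password for root from (?P<src>\d+\.\d+\.\d+\.\d+)"), 1),
]


def detect(log_text, signatures=SIGNATURES):
    """Run every signature over the log; return sorted (name, src, hits) alerts
    for each source that reached the signature's threshold."""
    alerts = []
    for name, pattern, threshold in signatures:
        hits = Counter()
        for line in log_text.splitlines():
            match = pattern.search(line)
            if match:
                hits[match.group("src")] += 1
        for src, count in hits.items():
            if count >= threshold:
                alerts.append((name, src, count))
    return sorted(alerts)


def signature_from_line(line):
    """Generalise one observed log line into a regex that matches repeats of it:
    the first IP address becomes the <src> capture group and every other run of
    digits (timestamp, pid, port, protocol version) becomes a wildcard."""
    template = IP_RE.sub("<SRC>", line, count=1)  # protect the IP's dots first
    escaped = re.escape(template)                 # keep brackets/dots literal
    escaped = re.sub(r"\d+", r"\\d+", escaped)    # generalise remaining numbers
    escaped = escaped.replace("<SRC>", r"(?P<src>\d+\.\d+\.\d+\.\d+)")
    return re.compile(escaped)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
    # Learn a signature from the first observed failure and look for repeats.
    learned = signature_from_line(SAMPLE_LOG.splitlines()[0])
    print("learned pattern:", learned.pattern)
    print("repeats:", detect(SAMPLE_LOG, [("learned-repeat", learned, 1)]))
```

The learned signature is deliberately narrow (it matches only the same message shape from any source), which is the usual trade-off: a signature lifted straight from one log entry catches exact repeats but needs widening by hand before it catches variations.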
MD-IDS and AD-IDS are merging in most commercial systems. They provide the best opportunity to detect and thwart attacks and unauthorized access. Unlike a firewall, the IDS exists to detect and report unusual occurrences in a network, not block them.
The next sections discuss network-based and host-based implementations of IDS and the capabilities they provide. I’ll also introduce honeypots and incident response.
Working with a Network-Based IDS
A network-based IDS (N-IDS) attaches the system to a point in the network where it can monitor and report on all network traffic. This can be in front of or behind the firewall, as shown in Figure 4.9.
The best solution for a secure network is to place an IDS both in front of and behind the firewall. This double coverage provides as much defense as possible.
Placing the N-IDS in front of the firewall provides monitoring of all network traffic going into the network. This approach allows a huge amount of data to be processed, and it lets you see all the traffic coming into the network. Putting the N-IDS behind the firewall only allows you to see the traffic that penetrates the firewall. Although this approach reduces the amount of data processed, it doesn’t let you see all the attacks that might be developing.
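This added example (not from the book) simulates the placement trade-off just described. A constructed set of inbound flows passes a firewall that only permits ports 80 and 443; a sensor "in front" sees every flow, while a sensor "behind" sees only what the firewall let through. A simple port-scan rule is then run on each view, and only the front sensor can see the scan developing, because the probes to closed ports never reach the inside segment. The flows, addresses, firewall policy and threshold are all assumptions for the example.

```python
from collections import defaultdict

# Constructed inbound traffic: (src_ip, dst_ip, dst_port). Not real traffic.
INBOUND_FLOWS = [
    ("198.51.100.9", "192.0.2.80", 80),    # ordinary web client
    ("198.51.100.9", "192.0.2.80", 443),
    ("203.0.113.5", "192.0.2.80", 21),     # one source probing many ports
    ("203.0.113.5", "192.0.2.80", 22),
    ("203.0.113.5", "192.0.2.80", 23),
    ("203.0.113.5", "192.0.2.80", 25),
    ("203.0.113.5", "192.0.2.80", 80),
    ("203.0.113.5", "192.0.2.80", 443),
    ("203.0.113.5", "192.0.2.80", 3389),
]

# Assumed inbound firewall policy: only the public web ports are allowed in.
ALLOWED_PORTS = {80, 443}


def firewall_permits(flow):
    """Return True if the (assumed) firewall policy lets this inbound flow through."""
    return flow[2] in ALLOWED_PORTS


def sensor_view(flows, placement):
    """Flows visible to an N-IDS at the given placement: 'front' of the
    firewall sees everything, 'behind' sees only permitted traffic."""
    if placement == "front":
        return list(flows)
    if placement == "behind":
        return [flow for flow in flows if firewall_permits(flow)]
    raise ValueError("placement must be 'front' or 'behind'")


def port_scan_sources(flows, min_distinct_ports=5):
    """Simple scan rule: flag any source that touches at least
    min_distinct_ports distinct destination ports (threshold assumed)."""
    ports_by_src = defaultdict(set)
    for src, _dst, port in flows:
        ports_by_src[src].add(port)
    return sorted(src for src, ports in ports_by_src.items()
                  if len(ports) >= min_distinct_ports)


def compare_placements(flows):
    """Summarise, per placement, how much traffic the sensor must process
    and which scanners its rule can still detect."""
    summary = {}
    for placement in ("front", "behind"):
        seen = sensor_view(flows, placement)
        summary[placement] = {
            "flows_seen": len(seen),
            "scanners": port_scan_sources(seen),
        }
    return summary


if __name__ == "__main__":
    for placement, result in compare_placements(INBOUND_FLOWS).items():
        print(f"{placement:>6}: processes {result['flows_seen']} flows, "
              f"scanners detected: {result['scanners'] or 'none'}")
```

The behind-firewall sensor processes less than half the traffic here, which is the data-volume benefit the text mentions, but it also reports no scanner at all: the same source's two permitted connections look like a normal web client once the blocked probes are stripped away.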
FIGURE 4.9 N-IDS placement in a network determines what data will be analyzed.
The N-IDS can be attached to a switch or a hub, or it can be attached to a tap. Many hubs and switches provide a monitoring port for troubleshooting and diagnostic purposes. This port may function in a manner similar to a tap. The advantage of the tap approach is that the IDS is the only device that will be using the tap. Figure 4.10 illustrates a connection to the network using a hub.
FIGURE 4.10 A hub being used to attach the N-IDS to the network
Port spanning, also known as port mirroring, copies the traffic from all ports to a single port and disallows bidirectional traffic on that port. Cisco’s Switched Port Analyzer (SPAN) is one example of a port spanning implementation.
In either case, the IDS monitors and evaluates all the traffic to which it has access.
Two basic types of responses can be formulated at the network level: passive and active. They’re briefly explained in the following sections.
Real World Scenario
Working with Network Audit Files
You’re the network administrator of a relatively busy network. Your company has gone through a couple of cutbacks, and your staffing is limited. You want to make sure that your network stays as secure as you can make it. What can you do to ease your workload?
You should consider two primary possibilities to protect your network: Either install an IDS or reduce the logging levels of your network audit files. An alternative is to install an audit log-collection system with filtering.
You might be able to reduce the amount of logged traffic in your audit files by changing the settings that determine what you audit. However, changing audit rules would prevent you from seeing what’s happening on your network because most events wouldn’t be logged.
Installing an IDS would allow you to establish rules that would provide a higher level of automation than you could achieve by reviewing audit files. Your best solution might be to convince your company to invest in an IDS. An IDS