3.4 Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system
o Network Based
    o Active Detection
    o Passive Detection
o Host Based
    o Active Detection
    o Passive Detection
o Honey Pots
o Incident Response
Intrusion Detection System (IDS)
An IDS is a device that both monitors and examines network or system activity and traffic for attacks. They generally keep a log when they find suspicious behavior and may notify the administrator and sometimes attempt to stop the attack. There are two types of IDSes and two responses that each can take.
1. Network-based IDSes are hardware or software systems connected to a network. They examine traffic on the network for suspicious activity using a network interface card (NIC) set in "promiscuous mode," which lets the NIC pick up all of the traffic on its segment of the network. Often there will be an IDS in each segment of the network, or sensors are placed in each segment to pick up the traffic there. Sometimes one is placed between the router and the firewall to watch for attacks at the entry point, or in the DMZ to watch for attacks there.
- Active detection - active detection occurs when the IDS takes some sort of action upon finding an attack. There is a variety of defensive actions it can take, such as disabling services or configuring a firewall to block certain packets.
- Passive detection - passive detection is just monitoring the network. When an attack is found, it logs the event and usually alerts the administrator.
2. Host-based IDSes are software installations, usually only on important servers, that monitor the local system for intrusions and attacks. They can check log files for anything suspicious and may monitor resources, important files, and applications.
- Active Detection - active detection would consist of shutting down services that are being exploited, logging users off, or stopping certain network connections.
- Passive Detection - passive detection is, again, just monitoring the system and alerting somebody if a potential attack is found.
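The host-based case above ("monitor important files", with a passive or an active response) as an added example. This is not code from the original notes; the watched file names, the baseline format and the active hook are assumptions made for illustration, and the files are constructed in a temporary directory so the example runs offline.

```python
"""Added example, not from the original notes: a minimal host-based check of the
'monitor important files' kind, with passive and active responses.
File names, the baseline format and the active hook are assumptions."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(watched):
    """Record the known-good digest of every watched file. Later checks compare
    against this, so it must be taken while the host is known to be clean."""
    return {str(p): file_digest(p) for p in watched}


def check_integrity(baseline):
    """Compare the current files with the baseline; one finding per deviation."""
    findings = []
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            findings.append({"file": name, "event": "missing"})
        elif file_digest(p) != expected:
            findings.append({"file": name, "event": "modified"})
    return findings


def respond(findings, mode="passive", active_hook=None):
    """Passive detection: record an alert and stop there. Active detection:
    also call a hook per finding (a real HIDS might stop the affected service)."""
    alerts = [f"ALERT {f['event']}: {f['file']}" for f in findings]
    if mode == "active" and active_hook is not None:
        for f in findings:
            active_hook(f)
    return alerts


def run_demo():
    """Baseline two constructed files, tamper with them, then run the check
    once in passive mode and once in active mode."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "service.conf"      # constructed sample file
        binary = Path(tmp) / "service.bin"    # constructed sample file
        cfg.write_text("listen=8080\n")
        binary.write_bytes(b"\x7fELF-constructed-sample")
        baseline = build_baseline([cfg, binary])
        clean = check_integrity(baseline)      # clean host: expected to be empty
        cfg.write_text("listen=8080\nadmin=anyone\n")  # simulated tampering
        binary.unlink()                                # simulated removal
        findings = check_integrity(baseline)
        stopped = []                                   # what the active hook "stopped"
        passive = respond(findings, "passive", stopped.append)  # hook is ignored
        active = respond(findings, "active", stopped.append)
        return clean, findings, passive, active, [f["file"] for f in stopped]


if __name__ == "__main__":
    clean, findings, passive, active, stopped = run_demo()
    print("clean check:", clean)
    print("findings:", findings)
    print("passive response:", passive)
    print("active response:", active, "stopped:", stopped)
```

The point the example makes is that the two modes detect exactly the same thing; they differ only in whether the IDS acts on the finding, which is why an active response needs a hook that is safe to invoke automatically.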
Additionally, IDSes can detect attacks by two methods: signatures and behavior analysis (heuristics).
- Behavior-based IDSes monitor traffic for anything out of the ordinary. Of course, they must first learn what ordinary traffic looks like, which is known as establishing a baseline. Once this is done, anything that deviates from the baseline is logged and may alert the administrator. The pros of this type include the fact that it can detect unknown attacks and does not need updating as much as a signature-based IDS, but it can produce a large number of false alarms.
- Signature-based IDSes contain a database of signatures similar to many antivirus programs that store information about common attacks. These must be updated frequently to be able to detect the newest attacks.
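The two detection methods side by side, as an added example that is not part of the original notes: a signature check and a behavior (baseline) check run over constructed log lines, followed by the passive and active responses from the earlier section. The log format, the signature names and patterns, the "requests per source" feature and the three-standard-deviation threshold are all assumptions chosen for illustration.

```python
"""Added example, not from the original notes: a toy IDS engine that runs a
signature check and a behavior (baseline) check over constructed log lines, then
shows a passive response (alert only) beside an active one (block list).
Log format, signature names, feature choice and thresholds are assumptions."""
import re
import statistics
from collections import Counter

# Assumed log line format: timestamp, source, destination, request string.
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) req="(?P<req>[^"]*)"$')

# Signature database: named patterns looked for in the request field.
# Names and patterns are constructed for this example.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "constructed-scanner-agent": re.compile(r"constructed-scanner/\d"),
}


def make_lines(src, n, req="GET /index.html"):
    """Build n constructed log lines from one source (sample data only)."""
    return [f'2024-05-01T10:00:{i:02d} src={src} dst=10.0.0.20 req="{req}"' for i in range(n)]


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def signature_alerts(records):
    """Signature-based detection: flag any record whose request matches a known pattern.
    Only attacks already in SIGNATURES can be found, hence the need for updates."""
    alerts = []
    for r in records:
        for name, pat in SIGNATURES.items():
            if pat.search(r["req"]):
                alerts.append({"method": "signature", "rule": name, "src": r["src"]})
    return alerts


def learn_baseline(records):
    """Behavior-based detection, step 1: learn what 'ordinary' looks like.
    The feature here is requests per source within the training window."""
    values = list(Counter(r["src"] for r in records).values())
    return {"mean": statistics.fmean(values), "stdev": statistics.pstdev(values)}


def behavior_alerts(records, baseline, k=3.0):
    """Step 2: flag any source whose request count in the window lies more than
    k standard deviations above the baseline mean (an unknown attack can still
    trip this, but so can a legitimately busy client, i.e. a false alarm)."""
    threshold = baseline["mean"] + k * baseline["stdev"]
    counts = Counter(r["src"] for r in records)
    return [{"method": "behavior", "rule": f"rate>{threshold:.1f}", "src": s}
            for s, c in counts.items() if c > threshold]


def respond(alerts, mode="passive"):
    """Passive: log and alert only. Active: additionally return the block list
    a firewall rule would be built from."""
    log = [f"ALERT [{a['method']}/{a['rule']}] src={a['src']}" for a in alerts]
    blocked = sorted({a["src"] for a in alerts}) if mode == "active" else []
    return {"log": log, "blocked": blocked}


def run_demo():
    # Training window: ordinary traffic from three constructed hosts.
    training = [parse(l) for l in make_lines("10.0.0.5", 4)
                + make_lines("10.0.0.6", 5) + make_lines("10.0.0.7", 3)]
    baseline = learn_baseline(training)
    # Test window: one request hitting a signature, and one host far above the baseline rate.
    test = [parse(l) for l in make_lines("10.0.0.5", 3)
            + make_lines("10.0.0.6", 3) + make_lines("10.0.0.6", 1, "GET /../../private.txt")
            + make_lines("10.0.0.9", 12)]
    alerts = signature_alerts(test) + behavior_alerts(test, baseline)
    return baseline, alerts, respond(alerts, "passive"), respond(alerts, "active")


if __name__ == "__main__":
    baseline, alerts, passive, active = run_demo()
    print("baseline:", baseline)
    for line in passive["log"]:
        print(line)
    print("active mode would block:", active["blocked"])
```

The signature check finds the traversal request from 10.0.0.6 but knows nothing about the flood from 10.0.0.9; the baseline check catches the flood without any rule for it, which is exactly the trade-off the notes describe.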
Honeypots
Honeypots are essentially lures that hope to draw attackers away from the normal network. These are usually systems configured to let attackers in and monitor the activity of the attacker, but they should be secured so the attacker does not attack the network from the honeypot. There are also honeynets which simulate an entire network and analyze and monitor the attacker's actions.
Incident Response
Of course, an attack should be reported to the proper authorities. The evidence should be kept and handled with care.