An introduction to intrusion detection systems |
| An Introduction to Intrusion Detection Systems (IDS) |
|
|
There is no disputing the facts... the number of hacking and intrusion incidents is increasing year on year as technology rolls out. Unfortunately in todays inter-connected eCommerce world there is no hiding place: you can be found through a wide variety of means: DNS, Name Server Lookup, NSlookup, Newsgroups, web site trawling, e-mail properties and so on. Whether the motivation is financial gain, intellectual challenge, espionage, political, or simply trouble-making, you may be exposed to a variety of intruder threats. Obviously it is just common sense to guard against this, but business imperative. Intrusion Detection Systems are like a burglar alarm for your computer network... they detect unathorized access attempts. They are the first line of defence for your computer systems. There are basically two main types of IDS being used today: Network based (a packet monitor), and Host based (looking for instance at system logs for evidence of malicious or suspicious application activity in real time). The following segments examine both types, in the context of the leading Dragon IDS suite.
|
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
A network monitor (eg: the Dragon Sensor) watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. When it observes an event, the Dragon Sensor can send pages, email messages, take action to stop the event and record it for future forensic analysis.
Typically, Dragon Sensors are deployed on standalone systems in front of firewalls or at key network choke points.
|
|
A host monitor (eg: the Dragon Squire) looks at system logs for evidence of malicious or suspicious application activity in real time. It also monitors key system files for evidence of tampering.
Careful consideration is required in this area to ensure that performance is not degraded. Fortunately, Dragon Squire has been tuned to prevent high load levels and minimize any negative impact to a server's performance.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
An issue too often overlooked when considering intrusion detection is management - securely managing the system itself. Embraced within this aspect is reporting... it is essential that the reporting and analysis tools are first class, enabling proper interpetation of detected events.
Within the Dragon IDS suite the Dragon Server component facilitates secure management of all Dragon Sensors and Dragon Squires. It also aggregates all alerts into one central database so that disparate attack information can be correlated.
|
|
The range of features provided with the Dragon IDS is impressive. It is also well worth reading the functional description of the product.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Our growing list of frequently asked questions may offer further explanation of some of the concepts surrounding IDS.
|
|
You can now download IDS evaluation software from our download page.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Copyright © 1993-2001 The Intrusion Detection System Group
Gateway Listed Security Policies and Audit