An Introduction to Intrusion Detection Systems (IDS)
A network monitor (e.g. the Dragon Sensor) watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. When it observes an event, the Dragon Sensor can send pages or e-mail messages, take action to stop the event, and record it for future forensic analysis.
Typically, Dragon Sensors are deployed on standalone systems in front of firewalls or at key network choke points.
Dragon Sensors can detect thousands of unique signature-based security events and hundreds of policy-based network traffic events. Signatures are used to detect common attacks such as buffer overflows and DNS probes. Policy-based events are used to detect new, unauthorised network services, traffic that should have been stopped at a firewall, and other IP-based events.
For signature selection, Dragon administrators can choose from over 1200 signatures located at our support site. Signatures are added weekly and sometimes daily.
All Dragon events are categorised into suspicious, probe, attack, compromise, success, failure, virus, collection and maintenance groups. Most other NIDS concentrate on attack and probe detection, while the Dragon Sensor can usually collect enough evidence to indicate whether an attack has succeeded or failed. These groupings are key to reducing false positives and presenting a holistic picture of the collected event data.
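The outcome correlation described above, as an added illustration that is not Dragon's own code: constructed events in the groups named on this page are paired per source/destination so that an attack followed by success or compromise evidence ranks above one followed by failure evidence. The signature names, record layout and 30-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The category names come from the page; the
# signature names and the record layout are assumptions for this example.
EVENTS = [
    {"time": "2001-03-01T10:00:00", "src": "10.0.0.5", "dst": "192.0.2.10", "sig": "WEB:CGI-PROBE",   "cat": "probe"},
    {"time": "2001-03-01T10:00:04", "src": "10.0.0.5", "dst": "192.0.2.10", "sig": "WEB:LONG-URL",    "cat": "attack"},
    {"time": "2001-03-01T10:00:05", "src": "10.0.0.5", "dst": "192.0.2.10", "sig": "WEB:HTTP-500",    "cat": "failure"},
    {"time": "2001-03-01T10:02:00", "src": "10.0.0.7", "dst": "192.0.2.11", "sig": "SMTP:OVERFLOW",   "cat": "attack"},
    {"time": "2001-03-01T10:02:01", "src": "10.0.0.7", "dst": "192.0.2.11", "sig": "SHELL:PROMPT-OUT", "cat": "success"},
    {"time": "2001-03-01T10:05:00", "src": "10.0.0.9", "dst": "192.0.2.12", "sig": "DNS:VERSION-BIND", "cat": "probe"},
]

OUTCOME = {"success", "failure", "compromise"}   # evidence groups from the page's taxonomy
WINDOW = timedelta(seconds=30)                    # assumed correlation window

def correlate(events, window=WINDOW):
    """Pair each attack event with the first outcome event seen for the same
    src/dst pair within `window`; return one verdict per attack event."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        by_pair[(e["src"], e["dst"])].append(e)
    verdicts = []
    for (src, dst), evs in by_pair.items():
        for i, e in enumerate(evs):
            if e["cat"] != "attack":
                continue
            t0 = datetime.fromisoformat(e["time"])
            outcome = "unknown"                          # no evidence either way
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > window:
                    break
                if later["cat"] in OUTCOME:
                    outcome = later["cat"]
                    break
            verdicts.append({"src": src, "dst": dst, "sig": e["sig"], "outcome": outcome})
    return verdicts

def prioritise(verdicts):
    """Confirmed success/compromise first, unknown next, failures last: the
    failures stay recorded but stop competing for analyst attention."""
    rank = {"compromise": 0, "success": 0, "unknown": 1, "failure": 2}
    return sorted(verdicts, key=lambda v: rank[v["outcome"]])
```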
The performance and efficiency of a Dragon Sensor is such that a dual Pentium III 700 MHz class computer running Linux can observe network attacks at 225 Mb/s on a gigabit Ethernet link. Exact performance depends on the signature load, packet size and system hardware, but customers routinely deploy their Dragon Sensors on links faster than 100 Mb/s.
Dragon Sensors are not vulnerable to common IP-fragment and TCP de-synchronisation NIDS evasion techniques. Dragon Sensors have many fail-safe mechanisms, which also help them detect new NIDS evasion techniques.
Network monitoring can be accomplished through any network interface and does not require an IP stack on the monitoring interface. Dragon Sensors open no ports for management, which also makes them not vulnerable to insider attacks.