UMANG SOFTWARE TECHNOLOGIES

Archive for November 22, 2014

Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station. Intrusion detection systems can also take some steps to deny access to would-be intruders.

Why use Intrusion Detection?

We want to protect our data and systems integrity. It is important that the system prevents access to critical files or authentication databases except by authorized systems administrators.

Types of Intrusion Detection systems

Intrusion Detection systems fall into two broad categories. These are:

1. Network based: A Network Intrusion Detection System (NIDS) usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.

2. Host based: A Host Intrusion Detection System (HIDS) consists of software applications (agents) installed on the workstations that are to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A HIDS can only monitor the individual workstations on which the agents are installed; it cannot monitor the entire network. Host based IDS are used to monitor intrusion attempts on critical servers.

Active and passive IDS

An active Intrusion Detection System (IDS) is also known as an Intrusion Detection and Prevention System (IDPS). An IDPS is configured to automatically block suspected attacks without any intervention by an operator, and so has the advantage of providing real-time corrective action in response to an attack.

A passive IDS is a system that is configured only to monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks. A passive IDS is not capable of performing any protective or corrective functions on its own.


Intrusion Detection Systems use one of two detection techniques:

1. Signature detection: A signature-based IDS looks for rules or patterns of known malicious traffic. Once a match to a signature is found, it generates an alert. These alerts can turn up issues such as malware, scanning activity, attacks against servers and much more.

2. Anomaly detection: With an anomaly-based IDS, the payload of the traffic is far less important than the activity that generated it. An anomaly-based IDS relies on baselines rather than signatures. It looks for unusual activity that deviates from statistical averages of previous activity, or for activity that has not been seen before. Perhaps a server is sending out more HTTP traffic than usual, or a new host has been seen inside your DMZ.
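The two techniques side by side, as an added example that is not part of the original post: a signature matcher over a hypothetical rule set, and an anomaly detector that flags hosts deviating from a constructed baseline or never seen before. The log lines, signatures, baseline counts and known-host set are all constructed for this example.

```python
import re
import statistics
from collections import Counter

# Constructed web-server log lines: "<source> <method> <path> <status>" (not real traffic).
LOG_LINES = [
    '10.0.0.5 GET /index.html 200',
    '10.0.0.5 GET /about.html 200',
    '10.0.0.7 GET /index.html 200',
    '10.0.0.9 GET /cgi-bin/test.cgi?file=../../etc/passwd 404',
    '10.0.0.7 GET /login 200',
    '10.0.0.9 GET /admin 403',
] + ['10.0.0.12 GET /index.html 200'] * 40      # burst of requests from one host

# Signature detection: named patterns of known-bad requests (hypothetical rule set).
SIGNATURES = {
    'path-traversal': re.compile(r'\.\./'),
    'admin-probe': re.compile(r'/admin\b'),
}

# Anomaly detection inputs: per-host request counts seen during normal operation,
# and the set of hosts seen before (both constructed for this example).
BASELINE_COUNTS = [2, 3, 2, 4, 3, 2, 3]
KNOWN_HOSTS = {'10.0.0.5', '10.0.0.7', '10.0.0.9'}

def signature_alerts(lines):
    """(source, signature name) for every line whose path matches a known pattern."""
    alerts = []
    for line in lines:
        src, _method, path, _status = line.split()
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src, name))
    return alerts

def anomaly_alerts(lines, baseline=BASELINE_COUNTS, known=KNOWN_HOSTS, k=3.0):
    """(source, reason) for hosts never seen before or whose request count
    lies more than k standard deviations above the baseline mean."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0      # avoid division by zero on a flat baseline
    counts = Counter(line.split()[0] for line in lines)
    alerts = []
    for src, n in counts.items():
        if src not in known:
            alerts.append((src, 'previously unseen host'))
        if (n - mean) / sd > k:
            alerts.append((src, f'request count {n} is an outlier'))
    return alerts

if __name__ == '__main__':
    print(signature_alerts(LOG_LINES))
    print(anomaly_alerts(LOG_LINES))
```

Note that the signature matcher never notices the 40-request burst, and the anomaly detector never notices the traversal attempt; each technique catches what the other misses.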

In the next section we will see what makes up a Network intrusion detection system.

Goals of a NIDS (Network Intrusion Detection System)

  • Detect attacks as they happen: Real-time monitoring of networks
  • Provide information about attacks that have succeeded: Forensic analysis
  • Passive systems: monitoring and reporting
  • Active systems: corrective measures adopted
  • Good place to establish a NIDS: the perimeter network, or DMZ (demilitarized zone).

Strategies

  • NIDS are often described as being composed of several parts:
    1. Event generator boxes
    2. Analysis boxes
    3. Storage boxes
    4. Counter-measure boxes
  • Analysis is the most complex element, and can use protocol analysis as well as anomaly detection, graph analysis, etc.

Elements of a NIDS

CIDF : Common Intrusion Detection Framework

[Figure: Intrusion_5 (CIDF diagram)]

Common analysis techniques

  • Pattern matching against certain known attack types, for instance substring matching.
  • Passive protocol analysis: Emulate the sequence of protocol events to detect attacks.

Difficulties inherent in NIDS

  • What defines an attack is not a packet, but the behavior it induces on the receiving host. A NIDS must determine this behavior.
  • A NIDS runs on a different machine, possibly in a different part of the network. Proper function of the NIDS may require, for each host being protected:
    • Knowledge of its place in the network topology.
    • Knowledge of its TCP/UDP implementation.
    • OS-based behavior variance.

The wall of fire

Businesses have lost productivity and millions of dollars by not having a secure network. Organisations use a variety of security products to keep their data secure, such as scanners to conduct vulnerability assessments and intrusion detection systems, to protect their networks from attackers. All of these tools serve a purpose in protecting the network.

In the sections below we discuss firewalls.

Let’s Start!!!

[Figure: Intrusion_1]

  • A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
  • A network firewall is similar to fencing in building construction, because in both cases they are intended to isolate one “network” or “compartment” from another.

Why do you need a firewall?

A firewall works as a barrier, or a shield, between your PC and cyberspace. When you are connected to the Internet, you are constantly sending and receiving information in small units called packets. The firewall checks these packets against criteria set by a series of rules, and then blocks or allows the data. This way, attackers cannot get inside and steal information such as bank account numbers and passwords from you.

Firewall Policies

  • To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.

Policy Actions

Packets flowing through a firewall can have one of three outcomes:

  1. Accepted: Permitted through the firewall.
  2. Dropped: Not allowed through with no indication of failure.
  3. Rejected: Not allowed through, accompanied by an attempt to inform the source that the packet was rejected.

Firewall Types

1. Network layer or packet filters

[Figure: Intrusion_2]

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set.

Network layer firewalls generally fall into two sub categories:

  • Stateful firewalls maintain context about active sessions, and use that state information to speed packet processing. The sessions are tracked in a state table.
  • Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session.
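A simulation of the three policy actions and of the stateful/stateless distinction, added here as an example and not drawn from the original post. The policy, addresses and packets are constructed; a real firewall would match on far more than a destination address and port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for a TCP connection request

# Constructed policy, evaluated top-down; the first matching rule decides.
# Each rule is (predicate, action) with action in {'accept', 'drop', 'reject'}.
POLICY = [
    (lambda p: p.dst == '10.0.0.80' and p.dport == 80, 'accept'),  # public web server
    (lambda p: p.dport == 23, 'reject'),                            # telnet: refuse and say so
]
DEFAULT_ACTION = 'drop'      # anything unmatched is silently discarded

def stateless_filter(p):
    """Judge every packet on its own; nothing is remembered between packets."""
    for matches, action in POLICY:
        if matches(p):
            return action
    return DEFAULT_ACTION

class StatefulFilter:
    """Same policy, plus a state table so that replies to accepted sessions pass."""
    def __init__(self):
        self.state = set()   # (client, cport, server, sport) of accepted sessions
    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:
            return 'accept'               # belongs to an established session
        if not p.syn:
            return DEFAULT_ACTION         # mid-stream packet with no session: drop
        action = stateless_filter(p)      # new connection: consult the policy
        if action == 'accept':
            self.state.add(fwd)
        return action

def run(packets, decide):
    return [decide(p) for p in packets]
PACKETS = [  # constructed traffic sample
    Packet('198.51.100.9', 40001, '10.0.0.80', 80, syn=True),   # client opens HTTP
    Packet('10.0.0.80', 80, '198.51.100.9', 40001),             # server's reply
    Packet('198.51.100.9', 40002, '10.0.0.80', 23, syn=True),   # telnet attempt
    Packet('198.51.100.9', 40003, '10.0.0.80', 22, syn=True),   # ssh: no rule
    Packet('203.0.113.4', 5555, '10.0.0.80', 80),               # data with no handshake
]
```

Run over PACKETS, the stateless filter drops the server's own reply (no rule covers it) yet accepts the handshake-less packet to port 80, while the stateful filter does the reverse because it consults the state table first.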

2. Application-layer

[Figure: Intrusion_3]

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets travelling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender).

Application firewalls function by determining whether a process should accept any given connection. Application firewalls work much like a packet filter but application filters apply filtering rules (allow/block) on a per process basis instead of filtering connections on a per port basis.

3. Proxies

[Figure: Intrusion_4]

A proxy server may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall.


Free Third party Firewalls

  1. Online Armor Free
  2. Comodo Internet Security
  3. Outpost Firewall Free

Paid Third party Firewalls

  1. Comodo Internet Security Pro
  2. Agnitum Outpost Pro Firewall
  3. Kaspersky Internet Security


Note

In today's world malware is getting very sophisticated and powerful and can easily bypass strong firewalls set up in organizations, so extra care needs to be taken to secure the organization's networks. As the saying goes, "Better safe than sorry"; in the IT world it is "Better secure than sorry".
