
Figure 10-4: Intrusion Detection Systems (IDSs)

IDSs

Event logging in log files

Analysis of log file data

Alarms

Too many false positives (false alarms)

Too many false negatives (overlooked incidents)

Log files for retrospective analysis by humans

2

Figure 10-4: Intrusion Detection Systems (IDSs)

Elements of an IDS (Figure 10-5)

Event logging

Analysis method

Action

Management

3

Figure 10-5: Elements of a Simple IDS

Management: Configuration, Tuning

Action: Alarms, Queries, Reports

Analysis: Attack Signatures and Heuristics

Logging (Data Collection): Individual Events are Time-Stamped; Log is a Flat File of Events
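As an added example (not code from the textbook or its slides), the four elements of Figure 10-5 assembled into a small host IDS: time-stamped flat-file logging, signature and heuristic analysis, an alarm report, and a management configuration whose threshold can be tuned. The log lines, the two signatures and the thresholds are constructed for the demo; running the same log at a lower threshold shows the false-positive/false-negative trade-off from Figure 10-4.

```python
"""Added example (not from the textbook): the four IDS elements of Figure 10-5
in one small host IDS.  Log lines, signatures and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Logging: constructed flat file of time-stamped events (tab-separated).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z\t203.0.113.9\tadmin\tLOGIN_FAIL
2024-03-01T10:00:03Z\t203.0.113.9\tadmin\tLOGIN_FAIL
2024-03-01T10:00:04Z\t203.0.113.9\troot\tLOGIN_FAIL
2024-03-01T10:00:06Z\t203.0.113.9\tadmin\tLOGIN_FAIL
2024-03-01T10:00:08Z\t203.0.113.9\tadmin\tLOGIN_FAIL
2024-03-01T10:00:09Z\t203.0.113.9\toracle\tLOGIN_FAIL
2024-03-01T10:01:00Z\t10.0.0.5\tjsmith\tLOGIN_FAIL
2024-03-01T10:01:20Z\t10.0.0.5\tjsmith\tLOGIN_FAIL
2024-03-01T10:01:35Z\t10.0.0.5\tjsmith\tLOGIN_FAIL
2024-03-01T10:01:50Z\t10.0.0.5\tjsmith\tLOGIN_OK
2024-03-01T10:02:10Z\t198.51.100.7\t-\tHTTP GET /items?id=1' OR '1'='1
2024-03-01T10:02:11Z\t198.51.100.7\t-\tHTTP GET /static/../../etc/passwd
"""

# Analysis, part 1: attack signatures (regexes over the event text).
SIGNATURES = {
    "SQL_INJECTION": re.compile(r"'\s*(or|union)\s", re.IGNORECASE),
    "PATH_TRAVERSAL": re.compile(r"\.\./"),
}

# Management: tuning knobs for the heuristic.  A lower fail_threshold catches
# slower password guessing (fewer false negatives) but also alarms on users
# who merely mistype their password (more false positives).
DEFAULT_CONFIG = {"fail_threshold": 5, "window_seconds": 60}


def log_event(path, src, user, event):
    """Logging: append one time-stamped event to the flat file at `path`."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{ts}\t{src}\t{user}\t{event}\n")


def parse_event(line):
    """Split one log line into its time stamp, source, user and event text."""
    ts, src, user, event = line.rstrip("\n").split("\t", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "user": user, "event": event}


def analyze(lines, config=DEFAULT_CONFIG):
    """Analysis: signatures plus a failed-login heuristic; returns alarms in firing order."""
    alarms = []
    recent_fails = defaultdict(deque)   # src -> time stamps of LOGIN_FAIL inside the window
    alarmed_sources = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, pattern in SIGNATURES.items():
            if pattern.search(ev["event"]):
                alarms.append({"rule": rule, "src": ev["src"], "ts": ev["ts"], "evidence": ev["event"]})
        # Analysis, part 2: heuristic -- N failed logins from one source in a sliding window.
        if ev["event"] == "LOGIN_FAIL":
            window = recent_fails[ev["src"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > config["window_seconds"]:
                window.popleft()
            if len(window) >= config["fail_threshold"] and ev["src"] not in alarmed_sources:
                alarmed_sources.add(ev["src"])
                alarms.append({"rule": "BRUTE_FORCE", "src": ev["src"], "ts": ev["ts"],
                               "evidence": f"{len(window)} failed logins within {config['window_seconds']}s"})
    return alarms


def report(alarms):
    """Action: a human-readable report of the alarms raised."""
    rows = [f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['rule']:<15} {a['src']:<15} {a['evidence']}" for a in alarms]
    return "\n".join(rows) if rows else "no alarms"


def sources_for(alarms, rule):
    """Sources that triggered a given rule, in firing order."""
    return [a["src"] for a in alarms if a["rule"] == rule]


if __name__ == "__main__":
    print("threshold 5:\n" + report(analyze(SAMPLE_LOG.splitlines())))
    loose = {"fail_threshold": 3, "window_seconds": 60}
    print("\nthreshold 3:\n" + report(analyze(SAMPLE_LOG.splitlines(), loose)))
```

At the default threshold only the external host that fails six times in eight seconds raises BRUTE_FORCE; at threshold 3 the internal user who mistypes three times and then logs in normally raises one too, which is the false positive a looser tuning buys. Raising the threshold removes that alarm but would miss an attacker who paces guesses below it, which is the false negative side of the same knob.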

4

Figure 10-4: Intrusion Detection Systems (IDSs)

Distributed IDSs (Figure 10-6)

Managers

Agents

Distribution of functionality between agents and managers (analysis and action)

5

Figure 10-6: Distributed IDS (diagram; labels recovered from the image)

Manager, with its central log file, collecting from agents: a host IDS, the main firewall (FW log), a switch-based internal network IDS, and a stand-alone network IDS at the site's Internet connection

Log file transfer from agents to manager in batch mode or real time

6

Figure 10-4: Intrusion Detection Systems (IDSs)

Distributed IDSs (Figure 10-6)

Batch versus Real-Time Data Transfer

Batch mode: Every few minutes or hours; efficient, but events still waiting in the agent's log are lost if an attacker deletes that log before the next transfer

Real-time: As events occur or shortly afterward; little or no data loss if an attacker deletes the log file on the agent's computer, because the events have already reached the manager

7

Figure 10-4: Intrusion Detection Systems (IDSs)

Distributed IDSs (Figure 10-6)

Secure manager-agent communication (authenticated and encrypted, so an attacker on the network cannot forge, alter, replay or read agent reports)

Vendor's automatic updates (e.g., new attack signatures) delivered over secure communication as well
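An added example (not code from the textbook or its slides) covering both the batch-versus-real-time transfer point from slide 6 and the secure manager-agent communication point above. An agent ships its log to a manager in either mode; an attacker wipes the agent's log part-way through the run, and the loss is counted. Each transfer carries an HMAC tag and a sequence number so the manager rejects a message altered in transit and a replayed one. The shared key, the event timeline, the wipe time and the class names are assumptions made for the demo; HMAC authenticates but does not encrypt, so a real deployment would run this over TLS or an equivalent channel.

```python
"""Added example (not from the textbook): agent-to-manager log transfer in batch
and real-time mode with HMAC-authenticated, sequence-numbered messages.
Key, timeline and wipe time are constructed for the demo."""
import hashlib
import hmac
import json

SHARED_KEY = b"agent-42-preshared-key"   # assumption: provisioned out of band by management


class Manager:
    """Receives authenticated batches; rejects forgeries, tampering and replays."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.events = []
        self.rejected = 0

    def receive(self, payload, tag):
        good_tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good_tag, tag):
            self.rejected += 1          # forged or modified in transit
            return False
        msg = json.loads(payload)
        if msg["seq"] != self.expected_seq:
            self.rejected += 1          # replayed or out-of-order batch
            return False
        self.expected_seq += 1
        self.events.extend(tuple(e) for e in msg["events"])
        return True


class Agent:
    """Appends events to its local log and ships them to the manager."""

    def __init__(self, key, manager, mode, batch_interval=120):
        self.key, self.manager, self.mode = key, manager, mode
        self.batch_interval = batch_interval
        self.local_log = []     # events on the agent's disk, not yet shipped
        self.seq = 0
        self.last_flush = 0

    def record(self, t, event):
        """Append to the local log; ship now (real time) or once the batch interval elapsed."""
        self.local_log.append((t, event))
        if self.mode == "realtime" or t - self.last_flush >= self.batch_interval:
            return self.flush(t)
        return None

    def flush(self, t):
        """Ship everything unsent as one HMAC-tagged, sequence-numbered message."""
        if not self.local_log:
            return None
        payload = json.dumps({"seq": self.seq, "events": self.local_log}).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        self.manager.receive(payload, tag)
        self.seq += 1
        self.last_flush = t
        self.local_log = []
        return payload, tag

    def wiped_by_attacker(self):
        """Attacker deletes the agent's log: whatever has not been shipped is gone."""
        lost = len(self.local_log)
        self.local_log = []
        return lost


# Constructed timeline of (seconds, event) as seen by the agent.
TIMELINE = [(0, "LOGIN_FAIL"), (30, "LOGIN_FAIL"), (60, "LOGIN_FAIL"), (90, "LOGIN_OK"),
            (120, "SUDO root"), (150, "FILE_DELETE /var/log/auth.log"), (180, "LOGOUT")]


def simulate(mode, wipe_at=160):
    """Return (events the manager holds, events lost) for 'batch' or 'realtime' transfer."""
    manager = Manager(SHARED_KEY)
    agent = Agent(SHARED_KEY, manager, mode)
    lost, wiped = 0, False
    for t, event in TIMELINE:
        if not wiped and t > wipe_at:
            lost = agent.wiped_by_attacker()
            wiped = True
        agent.record(t, event)
    agent.flush(TIMELINE[-1][0])    # end of run: ship whatever is left
    return len(manager.events), lost


def tamper_and_replay():
    """Manager rejecting a message altered in transit and a replayed one."""
    manager = Manager(SHARED_KEY)
    agent = Agent(SHARED_KEY, manager, "realtime")
    payload, tag = agent.record(0, "SUDO root")        # accepted, seq 0 consumed
    forged = payload.replace(b"SUDO root", b"LOGIN_OK")
    tampered_accepted = manager.receive(forged, tag)   # tag no longer verifies
    replay_accepted = manager.receive(payload, tag)    # valid tag, stale seq
    return tampered_accepted, replay_accepted, manager.rejected


if __name__ == "__main__":
    for mode in ("batch", "realtime"):
        print(mode, "received/lost:", simulate(mode))
    print("tampered accepted, replay accepted, rejected:", tamper_and_replay())
```

With a 120-second batch interval the wipe at t=160 destroys the FILE_DELETE event that was waiting for the next batch, which is exactly the record an attacker covering tracks would want gone; in real-time mode it had already left the host. The sequence number also lets the manager notice a missing batch (a gap in seq), which a suppressed transfer would otherwise hide.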

Network IDSs (NIDSs)

Capture packets passing on the network (a sensor sees traffic to hosts that have no host IDS of their own)

Stand-alone NIDS collects data for only its portion of the network: on a switched LAN a sensor on one port sees only that port's traffic

Switch- or router-based NIDSs (or a sensor fed from a mirror/SPAN port) can collect data on all ports

8

Figure 10-4: Intrusion Detection Systems (IDSs)

Network IDSs (NIDSs)

NIDS placement

Between the main firewall and the external network to see all attacks, including those the firewall drops; between the firewall and the internal network to see only the attacks that got through (the relevant ones)

At internal points to detect internal mischief

Weaknesses

Blind spots: parts of the network where no NIDS collects data (e.g., switched segments without a sensor)

Cannot inspect the payloads of encrypted packets (e.g., TLS); only the unencrypted headers remain visible, so payload signatures miss attacks carried inside encrypted sessions
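As an added example (not code from the textbook or its slides), a toy NIDS that parses raw Ethernet/IPv4/TCP frames, matches payload signatures, and detects a port scan from headers alone. The capture is constructed inline: the same SQL-injection request is sent once in cleartext on port 80 and once inside an "encrypted" session on port 443, where the payload is hidden by an XOR key stream standing in for TLS record encryption (an assumption for the demo, not real TLS). The signature fires on the first and is blind to the second; the header-based scan heuristic works regardless, which is the practical shape of the encryption weakness above.

```python
"""Added example (not from the textbook): a toy NIDS that parses raw
Ethernet/IPv4/TCP frames, matches payload signatures, and detects a port scan
from headers alone.  All frames are constructed for the demo."""
import re
import struct
from collections import defaultdict

SIGNATURES = {
    "SQL_INJECTION": re.compile(rb"'\s*(or|union)\s", re.IGNORECASE),
    "PATH_TRAVERSAL": re.compile(rb"\.\./"),
}
SCAN_PORT_THRESHOLD = 6     # distinct destination ports from one source (tunable)


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame; checksums left zero (a passive sensor does not need them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def parse_frame(frame):
    """Header fields and TCP payload, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}


def nids_inspect(frames):
    """Analyze captured frames; returns (rule, source IP) alarms in firing order."""
    alarms = []
    ports_seen = defaultdict(set)
    scan_alarmed = set()
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        # Payload signatures: only useful while the payload is cleartext.
        for rule, pattern in SIGNATURES.items():
            if pattern.search(pkt["payload"]):
                alarms.append((rule, pkt["src"]))
        # Header heuristic: SYN-only segments to many distinct ports = port scan.
        if pkt["flags"] == 0x02:
            ports_seen[pkt["src"]].add(pkt["dport"])
            if len(ports_seen[pkt["src"]]) >= SCAN_PORT_THRESHOLD and pkt["src"] not in scan_alarmed:
                scan_alarmed.add(pkt["src"])
                alarms.append(("PORT_SCAN", pkt["src"]))
    return alarms


def xor_stream(data, key):
    """Stand-in for TLS record encryption: hides the payload from the sensor."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ATTACK = b"GET /items?id=1' OR '1'='1 HTTP/1.1\r\nHost: shop\r\n\r\n"
SESSION_KEY = b"\x9f\x3c\x51\xe2\x07\x6b"     # constructed, not a real TLS key

SAMPLE_CAPTURE = [
    # 1. cleartext HTTP attack: signature fires
    build_frame("203.0.113.9", "10.0.0.20", 51000, 80, 0x18, ATTACK),
    # 2. same attack inside an "encrypted" session on 443: signature is blind
    build_frame("203.0.113.9", "10.0.0.20", 51001, 443, 0x18, xor_stream(ATTACK, SESSION_KEY)),
] + [
    # 3. SYN probes to 8 ports: detected from headers, encrypted or not
    build_frame("198.51.100.7", "10.0.0.20", 40000 + i, p, 0x02)
    for i, p in enumerate([21, 22, 23, 25, 80, 443, 3389, 8080])
]

if __name__ == "__main__":
    for rule, src in nids_inspect(SAMPLE_CAPTURE):
        print(f"ALARM {rule:<14} from {src}")
```

The parser reads IHL and the TCP data offset rather than assuming 20-byte headers, since options are common on real captures. Placement decides what such a sensor ever gets to parse: outside the firewall it would see all eight probes, inside it would see only those the firewall let through.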