‘Perimeter security’ is placing defenses around an organization’s perimeter thereby ensuring that an organization’s chances of being compromised are minimal. Some of the components that are used to ensure perimeter security are routers, VPN, IDS, IPS, firewalls and so on. We will see one type of perimeter security device the ‘IDS’ or ‘Intrusion Detection system’ in this post.
Not a day goes without us getting bombarded with security incidents. If it is one data breach today, it is another type of attack that is creating ripples and waves across the world. But how do we know if our organization did get compromised in any attack? While attacks like ‘ransomware’ are obvious to detect, there are many other types of attack that might be difficult to detect. How do we know, for example, if our server is used to launch attacks on other systems or some files have been tampered with?
This is where ‘Intrusion detection systems’ come into play. By means of ‘IDS’ , we can detect anomalies in traffic thereby even detecting DDoS attacks(DDoS – Distributed denial of service attack – In a DDoS, instead of one attacker or a few attackers trying to overwhelm a system there are multiple computers taking part to overwhelm the system and bring it down) or we can observe network signatures and compare them to ‘attack signatures’ and generate alerts. Almost all intrusion detection systems have sensors, analyzers and administrative interfaces.
Types of IDS:
There are different types of IDS.
- Network based IDS(NIDS)
NIDS as the name suggests refers to detecting intrusions on the network.This can be done by observing traffic on the network and looking for suspicious activity and generating an alert. Network based IDS can be software based or as an appliance. It can be placed at various points in a network to observe the traffic and generate alerts. Snort is one example of open source NIDS solution.
- Host based IDS(HIDS)
HIDS on the other hand detects malicious activity on the host or any single system. Host based IDS are installed on servers or critical work stations. While a NIDS cannot look inside the network traffic, a HIDS is designed to make sure that activities that take place are synchronized with the organization’s security policy. It can detect unauthorized changes to files and other alterations and send out alerts. ‘Tripwire’ is an example of HIDS.
Network based IDS and Host based IDS can be further divided into:
a. Signature based
“Signature” again as the name suggests consists of collating previous malicious signatures and comparing them against current new traffic. If the same malicious signature is detected in the new traffic, an alert is generated. The disadvantage of signature based IDS is that the signatures have to be constantly updated as new attacks are devised everyday.
b. Anomaly based
There are different types of anomaly based IDS. They are statistical anomaly based, protocol anomaly based systems and traffic anomaly based systems. In an anomaly based IDS, the IDS is first put in “learning mode” to learn the normal activities of a system. Once the IDS has completed its learning, it can now detect different types of packets that are entering the system. It compares the entering traffic against the “normal system” and if there is a difference it can detect any attack.
We have seen ‘Intrusion detection systems’ and how they play a role in preventing cyber attacks. Join me as I uncover more of Information security concepts to keep you safe!