[转载]Intrusion Detection For Dummies

[转载]Intrusion Detection For Dummies

文章作者:Kevin Townsend

What is IDS?
IDS is an acronym for Intrusion Detection System. An intrusion detection system detects intruders; that is, unexpected, unwanted or unauthorized people or programs on my computer network.

Why do I need IDS? A network firewall will keep the bad guys off my network, right? And my anti-virus will recognize and get rid of any virus I might catch, right? And my password-protected access control will stop the office cleaner trawling through my network after I've gone home, right? So that's it - I'm fully protected, right?


A firewall has got holes to let things through: without it, you wouldn't be able to access the Internet or send or receive emails. Anti-virus systems are only good at detecting viruses they already know about. And passwords can be hacked, stolen or left lying about on post-its.

That's the problem. You can have all this security, and all you've really got is a false sense of security. If anything or anyone does get through these defenses, through the legitimate holes, it or they can live on your network, doing whatever they want for as long as they want. And then there's a whole raft of little known vulnerabilities, known to the criminals, who can exploit them and gain access for fun, profit or malevolence. A hacker will quietly change your system and leave a back door so that he can come and go undetected whenever he wants. A Trojan might be designed to hide itself, silently gather sensitive information and secretly mail it back to source. And you won't even know it's happening - worse, you'll believe it can't be happening because you've got a firewall, anti-virus and access control.

Unless, that is, you also have an intrusion detection system. While those other defenses are there to stop bad things getting onto your network, an intrusion detection system is there to find and defeat anything that might just slip through and already be on your system. And in today's world, you really must assume that things will slip through - because they most certainly will. From the outside, you will be threatened by indiscriminate virus storms; from hackers doing it for fun (or training); and more worryingly from organized criminals specifically targeting you for extortion, blackmail or saleable trade secrets.

From the inside, you will have walk-in criminals using social engineering skills to obtain passwords to, or even use of, your own PCs; from curious staff who simply want to see what their colleagues are earning; and from malcontents with a grievance.

What you really mustn't assume is that this is fanciful, or that you don't have anything worth stealing. According to experts in the field even something as basic as stored HR data on your employees is worth $10 per person on the black market. Search for 'FBI' on this site, and see the variety of attacks and dangers that exist; and how often there is a degree of success despite firewalls and anti-virus and access control. You still need all of those defenses - but you also need an intrusion detection system.

What do I need in IDS?
Intrusion detection describes the intention - not the methodology. There are several different ways by which this can be achieved; so anything that detects intrusions is an IDS. Which method you choose really depends upon what you need: and if you don't already have in-house security expertise, it would be worth employing a consultant to help reach your decision.

Note that IDS is no longer a new technology - it's a mature technology. Since the term is no longer new, it no longer has that 'buzz' required by marketing managers. This has been aggravated by analyst firm the Gartner Group proclaiming that IDS is dead and replaced by IPS. This is wrong. Ignore it. IPS is different to IDS. Vend ors and security experts know this, but the result is that manufacturers are tempted to find new terms - and one of these is Network Behavior Analysis. This is a good and useful approach; but one of the primary purposes of NBA is to detect intrusions – in other words, IDS.

Remember, too, that good security is the right level of security for you. You need to strike the right balance between the cost of the security and the value of your goods - there's no point in spending more on security than the value of what you're protecting. Risk management principles using a thorough risk analysis will help you decide how much to spend.

Armed with this information, you can look for features such as:

attack halting (stops the attack, whether it is a program or a hacker)
attack blocking (closes the loop-hole through which the attacker gained access)
attack alerting (either pop-up to an online admin, or email or SMS to a remote admin)
information collecting (on what is done by the attack to the network, and from where the attack came - helps gather forensic evidence should a prosecution become necessary or possible)
full reporting (so that you can learn from your mistakes, and prevent future problems)
fail-safe features (such as encrypted messages and VPN tunneling within the IDS to hide its presence from, and inhibit interference by, any hacker).
If you've got a large network, or particularly valuable information, you may like to look out for the extras offered with some intrusion detection systems:

honeypot or padded cell (a fake network or area designed specifically to attract and contain attacks, so that you can analyze them and learn from their behavior)
vulnerability analysis (so that you can check your network for all known vulnerabilities in order to pre-empt rather than just detect intrusions)
file integrity checker (a mathematical way of knowing if a file has been altered in any way, and therefore potentially compromised by an intruder)
One other point - don't think that you're so small you don't need or can't find an IDS. IDS as described above is available for large enterprises on down. But even if you just have a couple of PCs, you can still get, and still need, an intrusion detection system. It's just that for a single desktop system it goes by different names and has less automated features: it's a personal firewall and an anti-spyware program. The purpose is the same - to detect and stop intrusions - it's just that here you have to manually keep it up to date and manually conduct regular scans and it isn’t as intelligent or sophisticated.

Where do I get IDS?
Here are a few suppliers to get you started - but keep checking back to this resource center, because we'll be adding more companies and more products all the time:

Arbor Networks
It will also be worth looking at Unified Threat Management. This is often a physical device, an appliance, and it just means that you get more than one security feature in a single box. Unified Threat Management will frequently include an IDS.

How can I evaluate IDS?
The first thing you need to do is to make sure that you know what you need, and what you can afford. Then you need to know what's available. Only then can you decide what to get. So first check the Buyer's Guide in this resource centre to see what you can get. Conduct a risk analysis exercise - use a consultant if you need to. And then, knowing what is available and what you need, consult our Comparison Guide and see what product comes closest to that need. And if you have specific queries, problems or worries - get some free help and advice from Ask the Experts .