Network Intrusion Detection Systems
Network intrusion detection systems (nIDS) combine the detection and logging of potential attacks with pre-defined response actions. These systems use one of two detection methodologies: signature detection or anomaly detection. For response, the nIDS can perform one of several actions according to its configuration. A passive nIDS could be configured to notify institution personnel, log the attack identification, and log packets related to the possible attack. A reactive IDS adds the capability to interact with the firewall to block communications from the user or IP address associated with the potential attack. Conceptually, the reactive IDS is very similar to an intrusion prevention system (IPS), discussed in the "Access Control" section of this booklet.
To use a nIDS effectively, an institution should have a sound understanding of the detection capability and the effect of placement, tuning, and other network defenses on the detection capability.
The signature-based detection methodology reads network packets and compares the content of the packets against signatures, or unique characteristics, of known attacks. When a match is recognized between current readings and a signature, the nIDS generates an alert.
Signatures may take several forms. The simplest form is the URL submitted to a Web server, where certain references, such as cmd.exe, are indicators of an attack. The nature of traffic to and from a server can also serve as a signature. An example is the length of a session and amount of traffic passed.
A weakness in the signature-based detection method is that a signature must exist for an alert to be generated. Signatures are written either to capture known exploits or to capture access to suspected vulnerabilities. Vulnerability-based detection is generally broader, alerting on many exploits for the same vulnerability and potentially alerting on exploits that are not yet known. Exploit-based signatures, however, are based on specific exploits and may not alert when a new or previously unknown exploit is attempted.
Attacks that generate different signatures from those the institution includes in its nIDS will not be detected. This problem can be particularly acute if the institution does not continually update its signatures to reflect lessons learned from attacks on itself and others, as well as developments in attack tool technologies. It can also pose problems when the signatures only address known attacks. Another weakness is in the capacity of the nIDS to read traffic. If the nIDS falls behind in reading network traffic, traffic may be allowed to bypass the nIDS. IDS units that have a traffic rating, such as gigabit IDS, may allow traffic to bypass when traffic reaches a fraction of their rating. That traffic may contain attacks that would otherwise cause the nIDS to issue an alert.
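The contrast between exploit-based and vulnerability-based signatures is easiest to see in code. The following is an added example, not code from the booklet or from any particular nIDS product: a minimal signature matcher run over constructed HTTP request lines. It carries one exploit-based signature that matches a single known payload, one vulnerability-based signature that matches any access to the same weak script, and the booklet's own cmd.exe-in-URL example. All signature ids, addresses, paths and payloads are constructed sample data, not real indicators.

```python
# Added example, not code from the FFIEC booklet: a minimal signature-based
# detector run over constructed HTTP request lines. It contrasts the two
# signature styles the text describes: an exploit-based signature that matches
# one specific known payload, and a vulnerability-based signature that matches
# any access to the weak component, so a new payload against the same
# component still alerts. All ids, addresses, paths and payloads are
# constructed sample data, not real indicators.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: str          # constructed signature id
    kind: str         # "exploit" or "vulnerability"
    pattern: str      # regular expression applied to the request line
    description: str


@dataclass(frozen=True)
class Alert:
    sid: str
    kind: str
    src: str
    request: str


SIGNATURES = [
    # Exploit-based: matches exactly one known payload shape.
    Signature("EXP-001", "exploit",
              r"/cgi-bin/legacy\.cgi\?name=%00",
              "known null-byte payload against legacy.cgi (constructed)"),
    # Vulnerability-based: any request reaching the weak script alerts,
    # including payloads that were unknown when the signature was written.
    Signature("VUL-001", "vulnerability",
              r"/cgi-bin/legacy\.cgi",
              "any access to legacy.cgi, a script with a suspected weakness (constructed)"),
    # The booklet's own example: a submitted URL that references cmd.exe.
    Signature("VUL-002", "vulnerability",
              r"cmd\.exe",
              "submitted URL references cmd.exe"),
]


def match_signatures(records, signatures=SIGNATURES):
    """Return one Alert per (record, signature) match, in traffic order.

    records: iterable of (src_ip, request_line) pairs, as reassembled from
    captured packets. Matching is case-insensitive because some web servers
    treat request paths case-insensitively.
    """
    compiled = [(s, re.compile(s.pattern, re.IGNORECASE)) for s in signatures]
    alerts = []
    for src, request in records:
        for sig, rx in compiled:
            if rx.search(request):
                alerts.append(Alert(sig.sid, sig.kind, src, request))
    return alerts


def alerts_per_signature(alerts):
    """Count alerts by signature id (the raw material for later tuning)."""
    counts = {}
    for a in alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts


# Constructed sample traffic: a benign request, the known exploit payload,
# a previously unseen payload against the same script, and a cmd.exe URL.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "GET /cgi-bin/legacy.cgi?name=%00 HTTP/1.1"),
    ("10.0.0.9", "GET /cgi-bin/legacy.cgi?name=%0d%0a HTTP/1.1"),
    ("10.0.0.7", "GET /cgi-bin/CMD.EXE HTTP/1.0"),
]

if __name__ == "__main__":
    found = match_signatures(SAMPLE_TRAFFIC)
    for alert in found:
        print(f"{alert.sid} ({alert.kind}) from {alert.src}: {alert.request}")
    print(alerts_per_signature(found))
```

Run as written, the third request (the unseen payload) produces only the VUL-001 alert: the exploit-based signature EXP-001 is silent, which is exactly the gap the text describes. The broader signature alerts on every access to the script, including legitimate ones, so it trades a lower false-negative rate for more alerts that tuning must later sort out.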
The anomaly-based detection method generally detects deviations from a baseline. The baseline can be either protocol-based, or behavior-based. The protocol-based baseline detects differences between the detected packets for a given protocol and the Internet's RFCs (Requests for Comment) pertaining to that protocol. For example, a header field could exceed the RFC-established expected size.
The behavior-based anomaly detection method creates a statistical profile of normal activity on the host or network. Normal activity generally is measured based on the volume of traffic, protocols in use, and connection patterns between various devices. Boundaries for activity are established based on that profile. When current activity exceeds the boundaries, an alert is generated. Weaknesses in this system involve the ability of the system to accurately model activity, the relationship between valid activity in the period being modeled and valid activity in future periods, and the potential for malicious activity to take place while the modeling is performed. This method is best employed in environments with predictable, stable activity.
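The two anomaly baselines described above, as an added example that is not code from the booklet or from any nIDS product. The protocol-based check compares a header field against a fixed size limit standing in for the RFC-defined maximum; the behavior-based check builds a statistical profile of connection volume from a training window and alerts when later activity leaves the boundary. The second training window deliberately contains a burst during profiling, to show the weakness the text names: malicious activity present while the model is built raises the boundary and hides similar activity later. The size limit, the per-minute counts and the boundary multiplier are all constructed for illustration.

```python
# Added example, not code from the FFIEC booklet: protocol-based and
# behavior-based anomaly detection over constructed data.  The field-size
# limit, the per-minute connection counts and the k multiplier are all
# constructed values chosen for illustration.
import statistics

# --- protocol-based: header field size versus an RFC-style limit -----------
# Constructed limit: the example protocol allows at most 64 bytes per field.
MAX_FIELD_LEN = 64


def protocol_anomalies(headers, max_len=MAX_FIELD_LEN):
    """Return the names of header fields whose value exceeds max_len."""
    return [name for name, value in headers.items() if len(value) > max_len]


# --- behavior-based: statistical profile of normal activity ---------------
def build_profile(training_counts, k=3.0):
    """Profile normal activity from per-interval connection counts.

    The upper boundary is mean + k population standard deviations.  If an
    attack is under way during training, it inflates both the mean and the
    standard deviation and so raises the boundary; later bursts of similar
    size then fall inside "normal" and are not reported.
    """
    mean = statistics.mean(training_counts)
    stdev = statistics.pstdev(training_counts)
    return {"mean": mean, "stdev": stdev, "upper": mean + k * stdev}


def behavior_anomalies(profile, observed_counts):
    """Return (interval_index, count) for intervals above the boundary."""
    return [(i, c) for i, c in enumerate(observed_counts) if c > profile["upper"]]


# Constructed per-minute connection counts for a stable, predictable network.
CLEAN_TRAINING = [100, 104, 98, 101, 99, 103, 97, 102, 100, 96]
# The same window, except that minute 5 carries a burst of hostile
# connections that went unnoticed while the baseline was being built.
POISONED_TRAINING = [100, 104, 98, 101, 99, 400, 97, 102, 100, 96]
# A later observation window with one genuine burst at minute 3.
OBSERVED = [101, 99, 100, 250, 98]

if __name__ == "__main__":
    headers = {"Host": "example.test", "X-Constructed": "A" * 80}
    print("oversized fields:", protocol_anomalies(headers))
    for label, window in (("clean", CLEAN_TRAINING), ("poisoned", POISONED_TRAINING)):
        profile = build_profile(window)
        print(f"{label} baseline upper bound {profile['upper']:.1f} ->",
              behavior_anomalies(profile, OBSERVED))
```

With the clean baseline the boundary sits a little above 107 connections per minute and the burst of 250 is reported; with the poisoned baseline the boundary rises past 400 and the same burst passes silently. Re-profiling periodically and reviewing the training window for the same signs the detector is meant to catch are the usual answers to that failure mode.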
Anomaly detection can be an effective supplement to signature-based methods by signaling attacks for which no signature yet exists.

Proper placement of nIDS sensors (the sensor gathers information for analysis by the detection engine) is a strategic decision determined by the information the institution is trying to obtain. Placement outside the firewall will deliver IDS alarms related to all attacks, even those that are blocked by the firewall. With this information, an institution can develop a picture of potential adversaries and their expertise based on the probes they issue against the network.
Because placement outside the firewall is meant to gain intelligence on attackers rather than to alert on attacks, tuning generally makes the nIDS less sensitive than if it is placed inside the firewall. A nIDS outside the firewall will generally alert on the greatest number of unsuccessful attacks. nIDS monitoring behind the firewall is meant to detect and alert on hostile intrusions. Multiple nIDS units can be used, with placement determined by the expected attack paths to sensitive data. Generally speaking, the closer the nIDS is to sensitive data, the more important the tuning, monitoring, and response to nIDS alerts. The National Institute of Standards and Technology (NIST) recommends network intrusion detection systems "at any location where network traffic from external entities is allowed to enter controlled or private networks" (NIST Special Publication 800-41).
"Tuning" refers to the creation of signatures and alert filters that can distinguish between normal network traffic and potentially malicious traffic. Tuning also involves creating and implementing different alerting and logging actions based on the severity of the perceived attack. Proper tuning is essential to both reliable detection of attacks and the enabling of a priority-based response. Tuning of some signature-based units for any particular network may take an extended period of time and involve extensive analysis of expected traffic. If a nIDS is not properly tuned, the volume of alerts it generates may degrade the intrusion identification and response capability.
Switched networks pose a problem for network IDS. Switches ordinarily do not broadcast traffic to all ports, and a nIDS may need to see all traffic to be effective. When switches do not have a port that receives all traffic, the financial institution may have to alter its network to include a hub or other device that allows the IDS to monitor traffic.
Encryption poses a potential limitation for a nIDS. If traffic is encrypted, the nIDS's effectiveness may be limited to anomaly detection based on unencrypted header information. This limitation can be overcome by decrypting packets within the IDS at rates commensurate with the flow of traffic. Decryption is a device-specific feature that is not incorporated into all nIDS units.
All nIDS detection methods result in false positives (alerts where no attack exists) and false negatives (no alert when an attack does take place). While false negatives are obviously a concern, false positives can also hinder detection. When security personnel are overwhelmed with the number of false positives, they may look at the nIDS reports with less vigor, allowing real attacks to be reported by the nIDS but not researched or acted upon. Additionally, they may tune the nIDS to reduce the number of false positives, which may increase the number of false negatives. Risk-based testing is necessary to ensure the detection capability is adequate.
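The tuning passage above and the false-positive trade-off just described are two sides of one decision, so one added example serves both. This is not code from the booklet or from any nIDS product: a small tuning layer that applies alert filters (suppressing a signature for a source tuning has declared benign), maps severity to a log, notify or block action in the way a reactive IDS would, and then measures how a narrow versus a broad filter moves the false-positive and false-negative counts against a constructed set of alerts labelled by an analyst. Signature ids, addresses, severities and labels are all constructed sample data.

```python
# Added example, not code from the FFIEC booklet: alert filters, severity-
# based response actions, and a false-positive / false-negative count for
# each tuning choice.  Every id, address, severity and label below is
# constructed sample data.

# Severity-based response actions, from least to most intrusive.  The
# blocking action is what distinguishes a reactive IDS from a passive one.
ACTIONS = {1: "log", 2: "log+notify", 3: "log+notify+block"}


def apply_tuning(raw_alerts, suppressions, severities):
    """Return [(index, alert, action)] for alerts that survive the filters.

    raw_alerts:   list of dicts with keys sid, src, dst
    suppressions: set of (sid, src) pairs declared benign by tuning; src may
                  be "*" to suppress the signature for every source, a broad
                  filter that risks turning real alerts into false negatives
    severities:   dict sid -> 1..3; unknown signatures default to 1 (log only)
    """
    kept = []
    for i, a in enumerate(raw_alerts):
        if (a["sid"], a["src"]) in suppressions or (a["sid"], "*") in suppressions:
            continue                              # filtered as known-benign
        sev = severities.get(a["sid"], 1)
        kept.append((i, a, ACTIONS[sev]))
    return kept


def evaluate(kept, labels):
    """Count false positives and false negatives against analyst labels.

    labels: dict alert index -> True if the alert reflects a real attack.
    A surviving alert that was benign is a false positive; a suppressed alert
    that was real is a false negative.
    """
    surviving = {i for i, _, _ in kept}
    fp = sum(1 for i, real in labels.items() if i in surviving and not real)
    fn = sum(1 for i, real in labels.items() if i not in surviving and real)
    return {"false_positives": fp, "false_negatives": fn}


# Constructed raw alerts as a nIDS might emit them over one shift.
RAW_ALERTS = [
    {"sid": "VUL-002", "src": "10.0.0.7",  "dst": "10.0.1.10"},   # real attack
    {"sid": "SCAN-01", "src": "10.0.0.50", "dst": "10.0.1.10"},   # authorised scanner
    {"sid": "SCAN-01", "src": "10.0.0.50", "dst": "10.0.1.11"},   # authorised scanner
    {"sid": "SCAN-01", "src": "10.0.0.99", "dst": "10.0.1.10"},   # unknown host scanning
    {"sid": "INFO-07", "src": "10.0.0.8",  "dst": "10.0.1.12"},   # benign noise
]
# Analyst labels for the same alerts: True means a real attack.
LABELS = {0: True, 1: False, 2: False, 3: True, 4: False}
SEVERITIES = {"VUL-002": 3, "SCAN-01": 2, "INFO-07": 1}

# Three tuning choices: none, a narrow filter for the known scanner only,
# and a broad filter that silences the scan signature for every source.
TUNINGS = {
    "untuned": set(),
    "narrow": {("SCAN-01", "10.0.0.50")},
    "broad": {("SCAN-01", "*")},
}


def compare_tunings(raw_alerts=RAW_ALERTS, labels=LABELS,
                    severities=SEVERITIES, tunings=TUNINGS):
    """Return {tuning name: {false_positives, false_negatives}}."""
    return {name: evaluate(apply_tuning(raw_alerts, supp, severities), labels)
            for name, supp in tunings.items()}


if __name__ == "__main__":
    for name, result in compare_tunings().items():
        print(f"{name:8s} {result}")
    for i, alert, action in apply_tuning(RAW_ALERTS, TUNINGS["narrow"], SEVERITIES):
        print(f"alert {i} {alert['sid']} from {alert['src']}: {action}")
```

The narrow filter removes the two alerts from the authorised scanner without losing the scan from the unknown host; the broad filter removes one more false positive's worth of noise but turns that real scan into a false negative. Keeping a labelled sample like this one and re-running it whenever filters change is the kind of risk-based testing the passage calls for.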