 |
|
|
|
|
 |
CertiGuide to Security+ 9 Chapter 3: Infrastructure Security (Domain 3.0; 20%) 9 3.4 Intrusion Detection |
|
3.4.1 Network Based
(Page 2 of 2)
NIDS Considerations, Pros and Cons
Because NIDSs generally run in real time (in other words, they notice events as they happen, not after the fact), they are likely to detect potential attacks more quickly than many host based IDSs. Additionally, NIDSs are not limited to looking at only the traffic to or from the host they are running on – they can inspect any packets traveling across the network.
Another benefit of NIDSs over host based IDSs is that some attacks, such as a DoS or Teardrop attack, can only be detected by looking at the packet headers.
When selecting and deploying a NIDS, be aware of a few key points:
- A NIDS can only monitor what it can see. If
switches or routers prevent the NIDS from seeing traffic, it can’t
review that traffic for potential problems, so use span ports on switches
or place the NIDS agent on a machine off a hub on the uplink port of
the switch. Then TEST your configuration to make sure that the NIDS
really is seeing the traffic you want it to see.
- If you use a VPN or other traffic encrypting
technology, such as SSL for web transactions, on your network, the IDS
may not be able to look inside those packets for potential threats,
and will miss any attacks that occur through those channels.
- Most malicious attacks on a network occur on
the internal network (given the increasing presence of third parties
like vendor field engineers and consultants, on internal networks),
and internal networks are full of well-meaning users who every so often
open an email containing a virus, so consider using a NIDS to monitor
the internal network as well as your DMZ.
- Some NIDS do not process fast enough to examine
all traffic on gigabit networks, and may let traffic through without
scanning it, if overwhelmed, so if you have (or plan to soon have) a
gigabit network installed, make sure that your vendor certifies that
the software and hardware you select for your NIDS can keep up with
it.
- Make sure that the vendor regularly updates their
rule database in response to new threats, and then make sure that someone
in your organization is tasked with keeping the NIDS rule base up-to-date,
by promptly installing vendor updates. If a signature-based NIDS doesn’t
know about a suspicious pattern, it can’t look for it and alert
you to its presence.
- NIDS which focus on detection of statistical
behavioral anomalies (unusual patterns of network activity, as compared
with normal network traffic) via “heuristics” can often detect
attacks unanticipated by a simpler pattern-matching system that looks
for known threat signatures. The downside to the statistical approach
is that benign but unusual traffic patterns often trigger the NIDS into
action, resulting in a higher degree of “false positives”
than with the pattern-matching approach, and thus require more administrative
attention in exchange for a (possible) increase in detection ability.
- Tools such as “Stick”, popular in black
hat circles for flooding a NIDS with traffic and causing it to drop
packets, can also be used for NIDS evaluation, to stress-test an NIDS
before purchasing it.
- Not all NIDSs reassemble fragmented packets before comparing packets with signatures; those that do not, may miss detecting attacks if the attackers obfuscate them via excessive fragmentation.
|
NDIS LimitationsFor more information on NIDS, check the “Barbarians at the Gate” article referenced earlier in this subsection.
|
Quick navigation to subsections and regular topics in this section |
|
| |||||||||||||||||||
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.