3.4.1 Network Based (Page 1 of 2)

Network-based intrusion detection systems (NIDS) monitor network traffic, looking for interesting events. When examining traffic, they can detect either patterns in individual packets that indicate suspicious traffic, such as known attack signatures (data streams from popular exploit tools), or violations of algorithmic rules that indicate out-of-the-ordinary traffic (often referred to as heuristics; for example, more than 100 incoming FTP connections to a single host within 10 seconds). More advanced systems rank events according to the level of threat they represent and can correlate a variety of suspicious activities to determine whether a more significant threat is present. In addition to monitoring the network, some NIDS also monitor SNMP, syslog communications and other network-event-reporting mechanisms for interesting network-related events. Some, but not all, NIDSs allow the administrator to create custom rules and algorithms to search for traffic of local interest that is not part of what the NIDS scans for out of the box. For example, one site has a custom rule that searches the network for SNMP traffic containing the default community strings "public" or "private" [338].
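As an added Python example that is not part of the CertiGuide text, the two rules quoted above (the FTP connection-rate heuristic and the default-community SNMP rule) written as detection logic over constructed flow records and SNMP payloads; the record layouts, function names and the minimal BER decoding are assumptions made here.

```python
from collections import defaultdict, deque

FTP_PORT, FTP_THRESHOLD, FTP_WINDOW = 21, 100, 10      # the heuristic quoted in the text
DEFAULT_COMMUNITIES = {b"public", b"private"}          # the custom SNMP rule quoted in the text

def ftp_flood_hosts(flows, threshold=FTP_THRESHOLD, window=FTP_WINDOW):
    """flows: (ts_seconds, proto, dst_ip, dst_port) tuples (assumed layout). Returns the
    destination hosts that saw more than `threshold` FTP connections in any `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, proto, dst, port in sorted(flows):
        if proto != "tcp" or port != FTP_PORT:
            continue
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window:          # forget connections that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(dst)
    return flagged

def snmp_community(payload):
    """Community string of an SNMPv1/v2c message, laid out as
    SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    Only short-form BER lengths (< 128) are handled; anything else yields None."""
    def tlv(buf, off, tag):                # decode one tag/length/value at `off`
        if off + 2 > len(buf) or buf[off] != tag or buf[off + 1] >= 0x80:
            return None, off
        n = buf[off + 1]
        return buf[off + 2:off + 2 + n], off + 2 + n
    body, _ = tlv(payload, 0, 0x30)
    if body is None:
        return None
    _, off = tlv(body, 0, 0x02)            # skip the version INTEGER
    community, _ = tlv(body, off, 0x04)    # community OCTET STRING
    return community

def default_community_sources(packets):
    """packets: (src_ip, udp_payload) tuples. Returns sources using a default community."""
    return {src for src, p in packets if snmp_community(p) in DEFAULT_COMMUNITIES}

def snmp_get(community):                   # build a minimal SNMPv1 GetRequest (constructed data)
    pdu = b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"   # req-id 1, no varbinds
    body = b"\x02\x01\x00" + bytes([0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body

# Constructed sample data, not real captures: one host hit by 150 FTP connects in 7.5 s,
# another by 30 connects spread over 30 s, plus one default and one non-default SNMP packet.
SAMPLE_FLOWS = [(t * 0.05, "tcp", "10.0.0.5", 21) for t in range(150)] + \
               [(t * 1.0, "tcp", "10.0.0.9", 21) for t in range(30)]
SAMPLE_PACKETS = [("10.0.0.20", snmp_get(b"public")), ("10.0.0.21", snmp_get(b"s3cr3t-r0"))]
```

Run against the sample data, `ftp_flood_hosts(SAMPLE_FLOWS)` flags only 10.0.0.5 and `default_community_sources(SAMPLE_PACKETS)` flags only 10.0.0.20.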
For smaller networks, a NIDS may be completely self-contained, running on a single machine and watching the network for activity. However, this is often not sufficient for medium-to-large environments, because in order to monitor traffic a NIDS must have access to it, which generally means having access to the traffic on every subnet of interest. A NIDS for a medium-to-large environment often consists of several components:
__________________
338. Saoutine, Greg, et al., "Barbarians at the Gate", http://mcpmag.com/Features/article.asp?EditorialsID=294
339. Memon, Nasir, "CS 392 Network Security Module 5 Intrusion Detection", http://isis.poly.edu/courses/cs393/lectures/module-5.pdf
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.