Security Issues with IDS
We hinted at one of the potential IDS security issues above. Most IDSs produce a large number of false positives, that is, events that are flagged as intrusion attempts but that aren't really intrusions, or which, when investigated, turn out to be random, isolated script kiddie network probes that do not result in any further activity. Going through all of these event reports, looking for the ones that the IT department actually needs to be concerned about, can be a time-consuming activity that takes the administrator's efforts away from real security issues. Therefore, important skills to develop when your environment includes an IDS are configuring the IDS in a way that reduces the number of false positives (without missing any actual intrusions) and efficiently identifying the events that are worthy of further investigation.
Additionally, depending on the technology used by the IDS, attackers have found ways to avoid detection by performing low-level packet tricks. For example, if an IDS looks for a certain sequence of packets as the signature of a specific attack, the intruder may try to avoid this by fragmenting their communication into a series of smaller packets that don't match what the IDS expects to see. Each of the fragments is examined separately by the IDS and judged harmless. However, once the target system has received the fragmented packets, it puts them back together into their original form and the attack can continue, undetected by the IDS. Part of this is aided by the open source nature of much IDS software, because an attacker can examine the source code, looking for potential ways to fool the IDS.
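The fragmentation evasion described above can be reproduced with a short added example (not code from the CertiGuide text or from any particular IDS product): a naive detector that matches a byte signature against each fragment on its own misses the attack, while a detector that first reassembles the fragments the way the receiving host will catches it. The signature string, the payload and the fragment layout are constructed sample data.

```python
# Added example: per-fragment signature matching versus reassemble-then-match.
from dataclasses import dataclass

SIGNATURE = b"GET /cgi-bin/sample.cgi"  # constructed sample attack signature


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original payload
    data: bytes


def match_per_fragment(fragments, signature=SIGNATURE):
    """Naive detector: inspects each fragment in isolation (the flaw the text describes)."""
    return any(signature in f.data for f in fragments)


def reassemble(fragments):
    """Rebuild the original payload as the target host will.
    Tolerates out-of-order arrival and exact duplicates; a gap or an overlap
    raises, because how overlaps resolve is host-specific and an IDS that
    guesses wrong can be fooled again."""
    buf = bytearray()
    expected = 0
    seen = set()
    for f in sorted(fragments, key=lambda f: f.offset):
        if (f.offset, f.data) in seen:
            continue  # retransmitted duplicate, already applied
        seen.add((f.offset, f.data))
        if f.offset != expected:
            raise ValueError(f"gap or overlap at offset {f.offset}, expected {expected}")
        buf += f.data
        expected += len(f.data)
    return bytes(buf)


def match_reassembled(fragments, signature=SIGNATURE):
    """Correct detector: reassemble first, then apply the signature."""
    return signature in reassemble(fragments)


# Constructed payload, split so that no single fragment contains the whole
# signature, and delivered out of order.
PAYLOAD = b"GET /cgi-bin/sample.cgi HTTP/1.0\r\n\r\n"
FRAGMENTS = [
    Fragment(14, PAYLOAD[14:]),
    Fragment(0, PAYLOAD[:7]),
    Fragment(7, PAYLOAD[7:14]),
]

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(FRAGMENTS))  # False: evasion succeeds
    print("reassembled match: ", match_reassembled(FRAGMENTS))   # True: evasion caught
```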
IDS Issues
Security issues with IDS include the large number of false positive alerts that can distract an administrator from real issues, and the fact that altering low-level packet characteristics can sometimes enable an attacker to avoid detection.
A false positive is a potential intrusion that is detected and acted upon by the IDS, which ends up not being a true intrusion at all. As noted above, false positives can consume much administrator time and attention.
This is not the last you'll be hearing about IDSs, which show up again in more detail later in this major section. For more information, do check out Robert Graham's excellent FAQ on this subject, including questions to ask an IDS vendor, further resources on the subject, and ways attackers attempt to avoid detection by IDSs.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.