CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.1  Devices            9  3.1.9  IDS (Intrusion Detection System)

3.1.9  IDS (Intrusion Detection System) 1 How Does an IDS Work?

Routers go between subnets. Firewalls are most commonly seen between a company’s internal network and their Internet connection. What about IDS? The answer to this question depends on what you want to protect.

You would position an IDS anywhere on your network that you want to look for suspicious activity – this includes both on the network and on individual hosts that may need more protection. For example, an IDS immediately inside your Internet firewall, but still outside the DMZ area (explained in section 3.3.1.1) will alert you before an attack takes place on your DMZ or internal network. The down side to placing an IDS so close to your Internet gateway is that hosts on the Internet tend to be probed quite a lot, and you may spend a great deal of time dealing with uneventful IDS alerts regarding things like network scans that didn’t result in any further attempts to access to your resources.

In the case of a particularly sensitive business system, the administrators may want to build in as many layers of detection as possible, to enhance security, and IDSs may be located both on the network and on the host itself. The differences between host-based IDS and network-based IDS will be discussed in more detail in section 3.4.

At other times, you might position IDS in the DMZ between your company’s external (Internet-connected) firewall and its internal (internal network-connected) firewall, to detect any unwanted traffic that got through the first firewall, or within the internal network itself, if you’re more concerned about monitoring for intrusions into your internal network.

Think about positioning IDS the way you’d think about positioning burglar alarm sensors. Perhaps you want motion-detectors within your yard, which turn on outside lights when movement is detected. But you’d probably reserve the sensors which actually ring the alarm, for inside your home, near doors and windows lest you be awakened by loud beeping every time a dog runs across your front lawn, or you run down to the kitchen for a snack, in the middle of the night! Then, if you ran a “Bed and Breakfast” in your home and were concerned about security, you might place additional sensors in private areas of your home. Much like a company might run an IDS on their internal network NOT for the purpose of catching those who are outside trying to get in, but to monitor for suspicious activities by in-house personnel.

3.1.9  IDS (Intrusion Detection System) 1 How Does an IDS Work?