Advantages of Network IDSs

Posted by arlene

One of the main advantages of a network IDS is simple implementation. Unlike system-level intrusion detection, which requires a monitor to be running on every system, network IDSs require one monitor per subnet. Reduced cost is one consequence of this feature. Installing a single network IDS should be cheaper than installing system-level client monitors on each node. In some cases, you might want to run a network IDS monitor on each of several nodes in your environment. Most network IDS architectures support this configuration today.

Now you could get really picky and claim that system-level IDSs could gather the data from each system and then forward it to a central analyzer. However, the real issue is that system-level monitoring requires you to gather information from each system by running some type of sensor or monitor on each system. A network IDS gathers information by actively monitoring network traffic without requiring a separate sensor on each system. Of course, network IDSs cannot detect some of the intrusions and misuses that system IDSs can, and vice versa. You’ll see the limitations in the next section.

Another advantage of network IDSs is that the data they gather comes essentially for free. Computers emit network traffic as part of the normal routine of communicating with each other. The network IDS needs only to attach to the network and sniff this information as it appears. A network IDS is noninvasive because it does not alter in any way the systems you want to monitor. None of the system calls in the kernel are modified or replaced on any systems in the network (with the possible exception of the network IDS node itself). Nor does a network IDS require you to introduce a new data source, such as audit logs or syslog. System-level IDSs may require you to turn on auditing or syslog in order to capture activities on the system. If you are already running the audit subsystem to track system activities, this practice should not bother you. However, if auditing and syslog are not running on your systems today, a network IDS is appealing.

Perimeter security is what the network IDS is primarily designed to monitor. As more companies connect into cyberspace, increasing threats from intruders are inevitable. Network IDSs aim to simplify the task of monitoring network traffic for security violations and intrusions. Because the amount of network traffic generated by an enterprise can be tremendous, having a system that automatically looks for problems and responds to events is necessary. Note that this type of IDS is a logical extension of network performance monitoring with automated responses.

Many system-level IDSs do not have ample data to detect network intrusions or misuses. Neither the audit logs nor syslog give detailed information about network packets. To get at the content of the packets themselves, the IDS needs to do one of the following:

  • Run as part of the OS and analyze every packet that arrives or leaves the node
  • Run on a separate node that monitors network traffic for all nodes

The latter approach seems to be the more scalable of the two today. Limitations of separate-node network IDSs may force administrators to run a network IDS on each node in the future.

Network IDSs usually are equipped with some form of response or countermeasure feature. NetRanger can send commands to the router to block packets from a particular source IP address when attacks originate from that address. RealSecure and other stand-alone monitors can send block address commands to popular firewalls, too. One danger of these countermeasures, already mentioned, is that the hacker is frequently using forged addresses. You could end up blocking your biggest Web site customer if a hacker suddenly forges a SYN flood attack from that customer’s IP address.
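The forged-address danger above, and the earlier point that only packet contents (not audit logs or syslog) expose this traffic, as an added example that is not from the original post or from NetRanger or RealSecure. It reads raw IPv4/TCP headers and allows an automatic block only when the source completed real handshakes; the threshold, allowlist, addresses and function names are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

SYN, ACK = 0x02, 0x10
THRESHOLD = 3                    # attempts per window; tiny, constructed for the demo
ALLOWLIST = {"203.0.113.10"}     # constructed: key customer, never auto-blocked

def make_packet(src, dst, sport, dport, flags, seq=0, ack=0):
    """Build constructed sample traffic: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def parse(pkt):
    """Return (src, sport, dst, dport, flags, seq, ack), or None if not IPv4/TCP."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if ihl < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None
    sport, dport, seq, ack = struct.unpack("!HHII", pkt[ihl:ihl + 12])
    src, dst = (str(ip_address(pkt[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, pkt[ihl + 13], seq, ack

def decide(packets):
    """Classify each connecting source as 'ok', 'alert-only' or 'block'."""
    expect, attempts, verified = {}, defaultdict(set), defaultdict(set)
    for src, sport, dst, dport, flags, seq, ack in filter(None, map(parse, packets)):
        conn = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:            # client SYN: new attempt
            attempts[src].add(conn)
            expect[conn] = None
        elif flags & SYN and flags & ACK:              # server SYN-ACK: note ISN + 1
            client = (dst, dport, src, sport)
            if client in expect:
                expect[client] = (seq + 1) & 0xFFFFFFFF
        elif flags & ACK and expect.get(conn) == ack:  # ACK proves SYN-ACK reached src
            verified[src].add(conn)
    verdicts = {}
    for src, conns in attempts.items():
        if len(conns) < THRESHOLD:
            verdicts[src] = "ok"
        elif len(verified[src]) >= THRESHOLD and src not in ALLOWLIST:
            verdicts[src] = "block"                    # address confirmed by handshakes
        else:
            verdicts[src] = "alert-only"               # forgeable or allowlisted source
    return verdicts

# Constructed sample: five half-open SYNs that claim to come from the customer.
SAMPLE = [make_packet("203.0.113.10", "192.0.2.80", 40000 + i, 80, SYN) for i in range(5)]
```

Running `decide(SAMPLE)` yields `alert-only` for the customer address, because a bare SYN never proves that the claimed source received the server's reply.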
