Abstract

An intrusion detection system (IDS) is a suite of devices, hardware and software that automates the investigation of odd activity in or around computers. It is generally used as a detective device, highlighting unwanted events after they have occurred. This chapter discusses IDS with a focus on IDS configuration, network attacks, and their prevention using IDS. IDS architecture is a typical client/server model, in which the probes send data up to management consoles. Users interact with the management console to work with that data. The primary purposes for an IDS deployment are to reduce risk, identify error, optimize network use, provide insight into threat levels, and change user behavior. Thus, an IDS provides more than just detection of intrusion. An IDS makes a decision whether or not to alarm on a packet, and the IDS tuning process is designed to make that decision as accurate as possible. The chapter describes this tuning process. Understanding network attack and intrusion types is essential to interpreting IDS data. Five categories that correspond to network attacks include: (1) breakdowns in perimeter of device security, (2) harm to physical security, (3) attacks on application or operating system integrity, (4) effects of human error and omission, and (5) taking advantage of weaknesses in the underlying IP suite. The installation process of an IDS is fairly straightforward and is driven by an install script run from the provided installation media. Key parameters are the IP address and routing information, host ID and name, and organization ID and name. The chapter describes the roles of all these parameters, focusing on their uses in security.
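The per-packet alarm decision and the tuning step the abstract refers to, shown as an added example that is not from the chapter: a toy probe matches constructed packets against two hypothetical rules, and a tuning profile (per-source suppression and a hit threshold) reduces the alarms forwarded to the console. All hosts, rule IDs and payloads are constructed for illustration.

```python
"""Toy IDS probe: decide per packet whether to alarm, then apply analyst
tuning (suppression and thresholds) to cut noise. Constructed example."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int                          # hypothetical signature id
    msg: str
    dport: Optional[int] = None       # match on destination port
    content: Optional[bytes] = None   # match on payload substring


@dataclass
class Tuning:
    # (sid, src) pairs an analyst has judged to be expected traffic
    suppress: set = field(default_factory=set)
    # minimum hits from one source before a rule is worth alarming on
    threshold: dict = field(default_factory=dict)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def run_sensor(packets, rules, tuning: Optional[Tuning] = None):
    """Return the (sid, src) alarms the management console would receive."""
    tuning = tuning or Tuning()
    hits, alarms = Counter(), []
    for pkt in packets:
        for rule in rules:
            if not matches(rule, pkt) or (rule.sid, pkt.src) in tuning.suppress:
                continue
            hits[(rule.sid, pkt.src)] += 1
            if hits[(rule.sid, pkt.src)] >= tuning.threshold.get(rule.sid, 1):
                alarms.append((rule.sid, pkt.src))
    return alarms


RULES = [Rule(1000001, "SQL client connect", dport=1433),
         Rule(1000002, "directory traversal in HTTP", dport=80, content=b"../..")]
PACKETS = ([Packet("10.0.0.5", "10.0.1.20", 1433, b"login")] * 3      # known backup host
           + [Packet("10.0.0.9", "10.0.1.20", 1433, b"login")] * 6    # unexpected, repeated
           + [Packet("203.0.113.7", "10.0.1.30", 80, b"GET /../../etc/passwd")])
TUNED = Tuning(suppress={(1000001, "10.0.0.5")}, threshold={1000001: 5})
```

Untuned, every matching packet alarms (10 alarms); with the tuning profile the backup host is silenced and the repeated connects only alarm once the threshold is reached, leaving 3 alarms, including the traversal attempt.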
