
Idses Best Practices the Dependence

Last reviewed: June 9, 2011

IDSes Best Practices

The dependence on information and communications technology in almost all aspects of modern living is apparent from its many applications in our personal lives, business, industry and other settings. The Internet in particular has provided better means of communication and brought several innovations to what used to be time-consuming, labor-intensive and resource-exhaustive conventional systems and processes. The benefits of contemporary and emerging technologies are numerous, and controls and mechanisms should therefore be in place to ensure continued operations and resilience. The primary reason is that threats and vulnerabilities abound, and these pose risks to the confidentiality, integrity and availability of information systems assets and resources. To ensure that risks are managed properly and mitigation measures are in place, various controls and mechanisms are implemented. One of these is the intrusion detection system, or IDS.

IDSes are part of the unified threat management (UTM) system employed to protect information systems assets and resources. These software- and/or hardware-based systems work alongside other security controls and mechanisms to minimize the risks to critical information resources. IDSes are "installed software or physical appliances that monitor network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies" (IATAC, 2009). Generally, IDSes analyze the packets passing through the network and determine whether there are anomalies in them. In addition, IDSes constantly monitor and analyze user and system activities to determine whether suspicious behaviors are manifested. The system also audits system configurations and reports misconfigurations and vulnerabilities. The effectiveness of IDSes depends, however, on how they are configured and on whether they are updated regularly; the analysis and mitigation required of them is only possible if the IDSes have the latest known attack patterns.

There are various types, or flavors, of IDSes, and which one suits an organization depends on the outcomes of its risk analysis. Before getting into the specific types, IDSes can be categorized as either passive or active. A passive IDS analyzes and detects problems and anomalies and simply reports them to the network management system for further action by systems or network administrators. An active IDS not only analyzes and detects but also counters or mitigates whatever abnormal behavior is encountered; again, this is only possible if correct rulesets have been configured in the active IDS.

In terms of types, IDSes can be network-based, wireless, network behavior anomaly detection, host-based and hybrid. Network intrusion detection systems (NIDS) analyze network traffic at all layers of the Open Systems Interconnection (OSI) model and make decisions about the purpose of the traffic, analyzing it for suspicious activity (IATAC, 2009). Wireless intrusion detection systems (WIDS), as the term implies, are deployed to analyze wireless network traffic and function similarly to NIDS. Network behavior anomaly detection (NBAD) views traffic on network segments to determine if anomalies exist in the amount or type of traffic (IATAC, 2009). Unlike NIDS and WIDS, which can be deployed readily on their own, NBAD requires sensors deployed throughout the network; these sensors provide the input the NBAD system needs to perform its functions.

Host-based intrusion detection systems (HIDS) analyze network traffic and system-specific settings such as software calls, local security policy, local log audits, and more (IATAC, 2009). HIDS are not deployed in the network but rather within the machine or system needing protection. Thus, the configuration of a HIDS depends on the device it is installed on, and different devices require different configurations and rulesets. Hybrid IDSes combine two or more IDS components and provide one of the highest levels of protection for information systems assets and resources. However, this kind of deployment means more resources need to be allocated to ensure optimum functioning of hybrid IDSes.

Beyond their components, IDSes can also be differentiated by their detection types: signature-based, anomaly-based and stateful protocol analysis. The differences between these detection types are as follows (Scarfone & Mell, 2007):

A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications.

Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.

Just as hybrid intrusion detection systems can be deployed, detection types can be combined as well. Depending on the security needs and requirements that emerge from the risk analysis, the IDSes deployed throughout the network can use a combination of two or all of the detection types. Given the variety of threats and vulnerabilities that abound, hybrid deployments are always the best possible implementation because of the wider and more detailed coverage they give information systems assets and resources.
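As an added illustration (not part of the original paper), the following Python sketch runs the three detection types described above over a constructed sample of connection events and combines them in the hybrid fashion the paragraph describes. The event format, the signature patterns, the SYN baseline and the deviation factor are all assumptions chosen for the example, not values from any real IDS.

```python
import re
from collections import Counter

# Constructed sample events (not real traffic): one tuple per packet,
# as (source_ip, tcp_state, payload). tcp_state is a simplified label.
EVENTS = [
    ("10.0.0.5", "SYN", ""),
    ("10.0.0.5", "ESTABLISHED", "GET /index.html"),
    ("10.0.0.7", "SYN", ""),
    ("10.0.0.7", "ESTABLISHED", "GET /login?user=' OR '1'='1"),
    ("10.0.0.9", "ESTABLISHED", "GET /admin"),   # data with no prior SYN
] + [("10.0.0.8", "SYN", "")] * 12                 # burst of connection attempts

# Signature-based: patterns that correspond to known threats (assumed examples).
SIGNATURES = {
    "sql-injection-probe": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_detect(events):
    """Return (event_index, signature_name) for every payload matching a known pattern."""
    hits = []
    for i, (_, _, payload) in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((i, name))
    return hits

def anomaly_detect(events, baseline_syn_per_host=3, factor=3):
    """Return hosts whose SYN count deviates significantly from the assumed normal profile."""
    syn_counts = Counter(src for src, state, _ in events if state == "SYN")
    return sorted(src for src, n in syn_counts.items() if n > baseline_syn_per_host * factor)

def stateful_detect(events):
    """Return hosts that send data without the SYN that benign protocol order expects first."""
    seen_syn, violations = set(), []
    for src, state, _ in events:
        if state == "SYN":
            seen_syn.add(src)
        elif src not in seen_syn and src not in violations:
            violations.append(src)
    return violations

def hybrid_detect(events):
    """Combine all three detection types, as the hybrid deployment above describes."""
    return {"signature": signature_detect(events), "anomaly": anomaly_detect(events),
            "stateful": stateful_detect(events)}
```

Each detector alone misses what the others catch: the injection probe has a normal connection pattern, the SYN burst carries no payload, and the out-of-order request matches no signature.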

PaperDue. (2011). Idses Best Practices the Dependence. PaperDue. https://www.paperdue.com/essay/idses-best-practices-the-dependence-42403
