IDSes (Intrusion Detection Systems) are quickly becoming an integral part of any organization’s network. For most companies, implementing an IDS is the next logical step after deploying a firewall, as it provides a second layer of security by helping to identify an attack or malicious traffic that makes it through the firewall. As with any technology, several IDS variants are available. Traditionally, two main models have been used: signature systems and anomaly-based systems.
A signature system contains a database of known attack signatures, and it alerts administrators when it identifies traffic on the network that matches one of these signatures. Detractors are quick to point out the faults of these systems, which include the need to keep the signature database updated, the fact that attacks using packet fragmentation go unnoticed, and the sheer inability of some systems to keep up with network bandwidth, dropping packets when they are overloaded with data.
Anomaly-based systems were designed to overcome the signature-database problems and to be somewhat more proactive than signature systems. These systems understand protocols such as FTP, HTTP, and Telnet. Exploits usually do not follow the protocol standards, or else they make unexpected requests; anomaly-based systems look for these events and alert administrators when they occur.
Although anomaly-based systems removed the signature database from the picture, they still do not address two main problems: large numbers of false positives, meaning they raise alerts against valid traffic, and the fact that they are still very reactive solutions. By the time an administrator has received an alert, the attack has usually already occurred.
ForeScout has introduced a new approach to intrusion detection that aims to decrease the number of false positives and to respond somewhat more proactively. ForeScout ActiveScout recognizes network reconnaissance – ping sweeps, port scans, and user-name enumeration – that is, the techniques attackers use to gather information about a network before launching a targeted attack.
For example, when ActiveScout identifies a port scan, it tags the traffic and sends back an answer to the attacker that appears to be a valid response. In reality, the response is invalid. ActiveScout may return a value for the port scan saying that FTP is open on port 21 when it is not actually open on the server. When the attacker tries to exploit this nonexistent FTP server, ActiveScout knows this is an exploit attempt and sends an alert. Once an alert has been sent, ActiveScout can take several actions: monitor activity, report activity, or block traffic from the source.
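The decoy-response idea described above, reduced to its detection logic as an added illustration (this is not ActiveScout's code; the port numbers, threshold and traffic are constructed): a source that probes enough closed ports is tagged as a scanner, is told that port 21 is open when it is not, and trips an alert the moment it comes back to use that nonexistent service. The configured action (monitor, report or block) mirrors the three responses the text lists.

```python
from collections import defaultdict

# Constructed example values, not ActiveScout's configuration.
REAL_OPEN_PORTS = {80, 443}   # what the protected host actually serves
DECOY_PORT = 21               # port falsely reported open to scanners (FTP, as in the text)
SCAN_THRESHOLD = 3            # distinct closed ports probed before a source counts as a scanner


class DecoyTracker:
    """Tag scanning sources, feed them a fake 'open' port, alert when they come back for it."""

    def __init__(self, action="report"):
        self.action = action              # monitor | report | block
        self.probed = defaultdict(set)    # src -> distinct ports it has probed
        self.scanners = set()             # sources tagged as doing reconnaissance
        self.blocked = set()

    def on_probe(self, src, port):
        """Answer a port probe: the truth for everyone, plus a lie about DECOY_PORT for scanners."""
        self.probed[src].add(port)
        if len(self.probed[src] - REAL_OPEN_PORTS) >= SCAN_THRESHOLD:
            self.scanners.add(src)
        if port in REAL_OPEN_PORTS:
            return "open"
        if src in self.scanners and port == DECOY_PORT:
            return "open"                 # the decoy response: FTP is not really here
        return "closed"

    def on_connect(self, src, port):
        """A full connection. Talking to the decoy port means the recon is being acted on."""
        if src in self.blocked:
            return {"verdict": "dropped", "src": src}
        if src in self.scanners and port == DECOY_PORT and port not in REAL_OPEN_PORTS:
            if self.action == "block":
                self.blocked.add(src)
            return {"verdict": "alert", "src": src, "port": port, "action": self.action}
        return {"verdict": "ok", "src": src}


def run_demo(action="block"):
    """Constructed traffic: one host sweeps a few ports, then attacks the port we lied about."""
    t = DecoyTracker(action)
    sweep = [t.on_probe("10.0.0.99", p) for p in (22, 23, 25)]   # all honestly 'closed'
    lie = t.on_probe("10.0.0.99", DECOY_PORT)                    # now answered 'open'
    attack = t.on_connect("10.0.0.99", DECOY_PORT)               # exploit attempt -> alert
    retry = t.on_connect("10.0.0.99", DECOY_PORT)                # blocked source is dropped
    legit = t.on_probe("10.0.0.5", DECOY_PORT)                   # a single probe gets the truth
    return sweep, lie, attack, retry, legit
```

Because only a source that was first tagged as a scanner ever sees the lie, a legitimate client that happens to try port 21 once is told the truth and never generates an alert, which is where the false-positive reduction comes from.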
IDSes provide value in any organization as long as they can handle the amount of traffic thrown at them and they limit the number of false positives reported to administrators. New developments in IDS technology are working to resolve these issues, with ForeScout’s ActiveScout being the latest addition.
No single type of IDS solution can provide adequate protection. The best approach is a hybrid that combines the best aspects of signature detection, protocol analysis, and network reconnaissance. Once the integration of the Network Ice IDS technology is complete, ISS’s Real Secure product will be a strong signature/protocol analysis hybrid. ActiveScout is adding a small signature database to its product with the addition of some known malicious or suspicious URLs. Expect to see more and more hybrid solutions on the market in the future.
THE BOTTOM LINE
Intrusion Detection Systems
Executive Summary: IDSes can help identify malicious attacks, but problems with false positives may leave administrators chasing their own tails.
Test Center Perspective: New developments in IDS technology help to reduce false positives and to prevent attacks more proactively.