Chap13 R Essay

Submitted By ksunita

Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition

Intrusion Detection Systems and Network Security

Chapter 13
© 2012


Objectives
• Apply the appropriate network tools to facilitate network security.
• Determine the appropriate use of tools to facilitate network security.
• Apply host-based security applications.



Key Terms



Network Security: A Layered Approach
• As need for security increases, layers of security should be added.
– Layers could include passwords, firewalls, access lists, file permissions, and intrusion detection systems

• Intrusion detection systems are one of the more complex layers.
– Detects inappropriate or malicious activity on a computer or network.



History of Intrusion Detection Systems

• Research continued.
• Dorothy Denning and Peter Neumann publish
“The Intrusion Detection Expert System (IDES)”:
– Introduces concept of a real-time, rule-based IDS

• In 1987 Denning publishes “An Intrusion-Detection Model”:
– Laid out the model on which most modern IDSs are based


History of Intrusion Detection Systems (continued)
• Government commissioned numerous projects based on Denning’s model.
– Discovery, Haystack, Multics Intrusion Detection and Alerting
System (MIDAS), and Network Audit Director and Intrusion
Reporter (NADIR)

• Haystack Labs released first commercial IDS in 1989 under the name Stalker.
– Host-based and worked by comparing audit data to known patterns of suspicious activity
– Not widely implemented outside of government


History of Intrusion Detection Systems (continued)
• Mid-1990s IDS gain popularity commercially.
• WheelGroup develops first network-based IDS under the name NetRanger.
• Internet Security Systems’ RealSecure released in 1996.
• By 1998 IDS was considered a vital part of network security.



History of the Internet and IDS



IDS Components
• Traffic collector / sensor
• Analysis engine
• Signature database
• User interface and reporting


IDS Components (continued)



Types of IDS
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Also distinguished by detection method:
– Signature-based IDS - Relies heavily on a predefined set of attack and traffic patterns called signatures.
– Anomaly-based (heuristic) IDS - Monitors activity and attempts to classify it as either “normal” or “anomalous.”



Network IDS Components



• Advantages of NIDS
– Providing IDS coverage requires fewer systems.
– Deployment, maintenance, and upgrade costs are usually lower.
– A NIDS has visibility into all network traffic and can correlate attacks among multiple systems.

• Disadvantages of NIDS
– It is ineffective when traffic is encrypted.
– It can’t see traffic that does not cross it.
– It must be able to handle high volumes of traffic.
– It doesn’t know about activity on the hosts themselves.