| Previous | Table of Contents | Next |
One of the main advantages of a network IDS is simple implementation. Unlike system-level intrusion detection, which requires a monitor to be running on every system, network IDSs require one monitor per subnet. Reduced cost is one consequence of this feature. Installing a single network IDS should be cheaper than installing client system level monitors on each node. In some cases, you might want to run a network IDS monitor on each of several nodes in your environment. Most network IDS architectures support this configuration today.
Now you could get really picky and claim that system-level IDSs could gather the data from each system and then forward it to a central analyzer. However, the real issue is that system-level monitoring requires you to gather information from each system by running some type of sensor or monitor on each system. A network IDS gathers information by actively monitoring network traffic without requiring a separate sensor on each system. Of course, network IDSs cannot detect some of the intrusions and misuses that system IDSs can, and vice versa. You’ll see the limitations in the next section.
Another advantage of network IDSs is that the data which they gather comes essentially for free. Computers are emitting network traffic as part of the normal routine of communicating between each other. The network IDS needs only to attach to the network and sniff this information as it appears. A network IDS is noninvasive because it does not alter in any way the systems you want to monitor. None of the system calls in the kernel are modified or replaced on any systems in the network (with the possible exception of the network IDS node itself). Nor does a network IDS require you to introduce a new data source, such as audit logs or syslog. System-level IDSs, as noted in Chapter 6, “Detecting Intruders on Your System Is Fun and Easy,” may require you to turn on auditing or syslog in order to capture activities on the system. If you already are running the audit subsystem to track system activities, this practice should not bother you. However, if auditing and syslog are not running on your systems today, a network IDS is appealing.
Perimeter security is what the network IDS is primarily designed to monitor. As more companies connect into cyberspace, increasing threats from intruders are inevitable. Network IDSs aim to simplify the task of monitoring network traffic for security violations and intrusions. Because the amount of network traffic generated by an enterprise can be tremendous, having a system that automatically looks for problems and responds to events is necessary. Note that this type of IDS is a logical extension of network performance monitoring with automated responses.
Many system-level IDSs do not have ample data to detect network intrusions or misuses. Neither the audit logs nor syslog give detailed information about network packets. To get at the content of the packets themselves, the IDS needs to do the following:
The latter approach seems to be the most scalable today. Limitations of separate node network IDSs may force administrators to run a network IDS on each node in the future.
Network IDSs usually are equipped with some form of response or countermeasure feature. NetRanger can send commands to the router to block packets from a particular source IP address when attacks originate from that address. RealSecure and other stand-alone monitors can send block address commands to popular firewalls, too. One already mentioned danger of these countermeasures is that frequently the hacker is using forged addresses. You could end up blocking your biggest Web site customer if suddenly a hacker forges a SYN Flood attack from that customer’s IP address.
Although network IDSs are an essential weapon in the security officer’s arsenal, it’s important to understand their limitations. The following sections identify problems with network IDSs so that you can understand what to expect from them when in use at your site.
| Previous | Table of Contents | Next |