INTRUSION DETECTION AND PREVENTION SYSTEMS - White Paper



Intrusion detection and prevention systems (IDPSs) are composed of software that helps organizations to monitor and analyze events occurring in their information systems and networks, and to identify and stop potentially harmful incidents. With the growing dependence of organizations on information systems to carry out essential activities and with the increasingly frequent and intense attacks on systems, IDPSs have become an essential component of the security infrastructure of nearly every organization. The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently updated its recommendations to organizations about the use of intrusion detection and prevention systems. NIST Special Publication (SP) 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), Recommendations of the National Institute of Standards and Technology, was published in February 2007.

The publication explains how intrusion detection and prevention systems can help organizations strengthen the security of their information systems, and recommends ways that organizations can design, implement, configure, secure, monitor, and maintain intrusion detection and prevention systems. Written by Karen Scarfone and Peter Mell, the publication replaces NIST Special Publication 800-31, Intrusion Detection Systems.

NIST SP 800-94 explains the basic concepts of intrusion detection and prevention. It provides an overview of IDPS technologies, including typical components, general detection methodologies, and implementation and operation assistance. Four classes of IDPS products (network-based, wireless, network behavior analysis, and host-based systems) are presented to help users compare them and to determine the appropriate type or types of IDPS needed for their environments. Also included are descriptions of other technologies that can detect intrusions, such as security information and event management software and network forensic analysis tools. The publication focuses on helping organizations that are implementing enterprise-wide IDPS solutions, but most of the information is also applicable to standalone and small-scale IDPS deployments.

Functions of Intrusion Detection and Prevention Systems

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Although many incidents are malicious in nature, many others are not; for example, a user could enter an incorrect address of a system and accidentally attempt to connect to a different system without authorization. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have many of the same capabilities, so for brevity this publication refers to them collectively as intrusion detection and prevention systems (IDPS). Intrusion detection and prevention systems identify possible incidents, log information about them, attempt to stop them, and produce reports for security administrators. The systems also assist organizations in identifying problems with security policies, documenting threats, and deterring individuals from violating security policies.
Four Types of IDPSs

NIST SP 800-94 discusses four types of IDPSs, which are based on the type of events that they monitor and the ways in which they are deployed:

Network-Based systems monitor network traffic for particular network segments or devices and analyze the network and application protocol activity to identify suspicious activity. This type of system can identify many different types of events of interest, and is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks.

Wireless systems monitor wireless network traffic and analyze it to identify suspicious activity involving the wireless networking protocols themselves. This type of system cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. It is most commonly deployed within range of an organization’s wireless network to monitor it, but it can also be deployed to locations where unauthorized wireless networking could be occurring.

Network Behavior Analysis (NBA) systems examine network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems). NBA systems are most often deployed to monitor flows on an organization’s internal networks, and are sometimes deployed where they can monitor flows between an organization’s networks and external networks.

Host-Based systems monitor the characteristics of a single host and the events occurring within that host for suspicious activity. The types of characteristics that a host-based IDPS might monitor are network traffic for that host, system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.

Components, Architecture, Security Capabilities, and Management Issues

NIST SP 800-94 explains in detail the components and architecture, security capabilities, and management issues related to each of the types of IDPSs. The typical components of an IDPS are sensors or agents, management servers, database servers, and consoles. Sensors and agents monitor and analyze activity; sensors are used to monitor networks and agents are used to monitor hosts. Management servers handle information from sensors or agents and manage them. Database servers are repositories for event information recorded by the sensors or agents and by management servers. Consoles are programs that provide interfaces for IDPS users and administrators. These components can be connected to each other through an organization’s standard networks or through a separate network that is designed for security software management. A management network helps to protect the IDPS from attack and to ensure it has adequate bandwidth under adverse conditions. A virtual management network can be created using a virtual local area network (VLAN) to provide protection for IDPS communications. Most IDPSs can provide a wide variety of security capabilities. Some products offer information-gathering capabilities, such as collecting information on hosts or networks from observed activity. IDPSs can perform extensive logging of data related to detected events. This data can be used to confirm the validity of alerts, investigate incidents, and correlate events between the IDPS and other logging sources.
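As an added illustration of the network behavior analysis class described above (example code written for this summary, not code from NIST SP 800-94 or any product), the following flow analyzer raises the two kinds of NBA alerts the text names: a client host that is providing network services to other systems, and a DDoS-like burst of distinct sources against one destination. The flow records, the workstation subnet, the service-port set and the source-count threshold are all constructed assumptions.

```python
"""Minimal flow-based network behavior analysis (NBA) check.

Illustrative example, not NIST or vendor code. The subnet, port list,
threshold and sample flows below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT_NET = ip_network("10.20.0.0/16")   # assumption: workstation-only subnet
SERVICE_PORTS = {22, 80, 443, 445, 3389}  # assumption: ports that imply a server role
DDOS_MIN_SOURCES = 50                     # assumption: distinct sources per target


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # transport protocol name
    packets: int  # packets seen in the flow


def analyze_flows(flows):
    """Return (alert_type, detail) tuples for one window of flow records.

    policy_violation: a CLIENT_NET host accepts connections on a service port.
    ddos_like:        one destination/port is contacted by DDOS_MIN_SOURCES
                      or more distinct sources within the window.
    """
    serving_clients = defaultdict(set)    # (dst, proto, port) -> peers
    sources_per_target = defaultdict(set)  # (dst, proto, port) -> sources
    for f in flows:
        key = (f.dst, f.proto, f.dport)
        sources_per_target[key].add(f.src)
        if ip_address(f.dst) in CLIENT_NET and f.dport in SERVICE_PORTS:
            serving_clients[key].add(f.src)
    alerts = []
    for (dst, proto, port), peers in sorted(serving_clients.items()):
        alerts.append(("policy_violation",
                       f"client {dst} serving {proto}/{port} to {len(peers)} peer(s)"))
    for (dst, proto, port), srcs in sorted(sources_per_target.items()):
        if len(srcs) >= DDOS_MIN_SOURCES:
            alerts.append(("ddos_like",
                           f"{dst}:{port}/{proto} contacted by {len(srcs)} distinct sources"))
    return alerts


# Constructed sample: normal HTTPS use, one workstation serving SMB, one flood.
SAMPLE_FLOWS = (
    [Flow("10.20.1.5", "198.51.100.10", 443, "tcp", 40),
     Flow("10.20.1.6", "198.51.100.10", 443, "tcp", 12),
     Flow("10.20.1.9", "10.20.1.7", 445, "tcp", 300)]
    + [Flow(f"203.0.113.{i}", "198.51.100.20", 80, "tcp", 3) for i in range(1, 81)]
)

if __name__ == "__main__":
    for kind, detail in analyze_flows(SAMPLE_FLOWS):
        print(kind, detail)
```

In a real deployment the thresholds are tuned per network segment, which is the kind of customization the text says most IDPSs require before their accuracy is acceptable.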
Logs of collected information should be stored both locally and centrally to support the integrity and availability of the data. IDPSs offer extensive, broad capabilities to detect events, but may require at least some tuning and customization to improve their detection accuracy, usability, and effectiveness. Most IDPSs offer multiple prevention capabilities; the specific capabilities vary by IDPS technology type. IDPSs usually allow administrators to specify the prevention capability configuration for each type of alert. This includes enabling or disabling prevention, as well as specifying which type of prevention capability should be used.
