3.4.1 Network Based
(Page 1 of 2)
Network-based intrusion detection systems (NIDS) monitor network traffic, looking for interesting events. When examining traffic, they can detect either patterns in individual packets that indicate suspicious traffic such as known attack signatures (data streams from popular exploit tools), or violations of algorithmic rules that indicate out-of-the-ordinary traffic (often referred to as heuristics, such as more than 100 incoming FTP connections to a single host within 10 seconds). More advanced systems rank different events according to the level of threat they represent, and are able to correlate a variety of suspicious activities in order to determine if a more significant threat is present.
In addition to monitoring the network, some NIDS also monitor SNMP, syslog logging communications and other network-event-reporting mechanisms for interesting network-related events. Some, but not all, NIDSs allow the administrator to create custom rules and algorithms to search for traffic of local interest, which arent part of what the NIDS scans for out of the box. For example, one site has a custom rule that searches the network for SNMP traffic containing the default community strings of public or private338.
For smaller networks, an NIDS may be completely self-contained, running on a single machine and watching the network for activity. However, this is often not sufficient for medium-to-large environments because in order for a NIDS to monitor traffic, it must have access to it which generally means having access to the traffic on any subnet of interest. NIDS for a medium-to-large environment often consists of several components:
338. Saoutine, Greg, et. al., Barbarians at the Gate, http://mcpmag.com/Features/article.asp?EditorialsID=294
339. Memon, Nasir, CS 392 Network Security Module 5 Intrusion Detection, http://isis.poly.edu/courses/cs393/lectures/module-5.pdf
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.