CertiGuide to Security+
Chapter 3: Infrastructure Security (Domain 3.0; 20%)
3.1 Devices
3.1.9 IDS (Intrusion Detection System)


Security Issues with IDS

We hinted at one of the potential IDS security issues above. Most IDSs produce a large number of "false positives": events that are flagged as intrusion attempts but aren't really intrusions, or which, when investigated, turn out to be random, isolated "script kiddie" network probes that lead to no further activity. Going through all of these event reports looking for the ones the IT department actually needs to worry about is time-consuming, and it pulls the administrator's attention away from real security issues. Two skills are therefore important when your environment includes an IDS: tuning the IDS so that it produces fewer false positives while still catching real intrusions (every signature you loosen or suppress is a potential "false negative", a real attack that goes unreported, so suppress narrowly, for example one specific signature from a known vulnerability scanner rather than a whole host or a whole signature), and triaging the remaining events efficiently so that the ones worth further investigation stand out.
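As an added example (not from the guide or any IDS product), the following Python performs a small triage pass over constructed alert lines. It applies the two false-positive controls just described, a narrow suppression list and a per-source event threshold, so that an isolated probe is set aside while sustained activity from one source is escalated. The alert line format, the hosts (documentation IP ranges), the signature IDs and the suppression entry for a hypothetical internal scanner at 10.0.0.5 are all made up for illustration.

```python
"""Added example, not the guide's own code: triage constructed IDS alerts by
suppressing a known-benign (signature, source) pair and escalating sources that
trigger several alerts inside a short window."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines in a made-up key=value layout (no vendor's format).
ALERT_LOG = """\
2004-11-15T10:00:01 sid=1001 pri=3 msg="ICMP PING NMAP" src=203.0.113.7 dst=192.0.2.10
2004-11-15T10:00:02 sid=1001 pri=3 msg="ICMP PING NMAP" src=10.0.0.5 dst=192.0.2.10
2004-11-15T10:00:03 sid=1001 pri=3 msg="ICMP PING NMAP" src=10.0.0.5 dst=192.0.2.11
2004-11-15T10:00:04 sid=1001 pri=3 msg="ICMP PING NMAP" src=10.0.0.5 dst=192.0.2.12
2004-11-15T10:05:00 sid=2002 pri=1 msg="WEB-MISC /etc/passwd" src=198.51.100.9 dst=192.0.2.20
2004-11-15T10:05:07 sid=2003 pri=1 msg="WEB-MISC cmd.exe access" src=198.51.100.9 dst=192.0.2.20
2004-11-15T10:05:09 sid=2004 pri=2 msg="WEB-MISC long URI" src=198.51.100.9 dst=192.0.2.21
2004-11-15T11:30:00 sid=2002 pri=1 msg="WEB-MISC /etc/passwd" src=203.0.113.44 dst=192.0.2.20
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\d+) pri=(?P<pri>\d) msg="(?P<msg>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$')

# Hypothetical suppression: the internal vulnerability scanner at 10.0.0.5 is
# expected to trip the NMAP ping signature. Suppress only that (sid, src) pair,
# not every alert from the host and not the signature for every source.
SUPPRESS = {(1001, "10.0.0.5")}

WINDOW = timedelta(minutes=10)   # look for clusters of alerts this close together
THRESHOLD = 3                    # events from one source inside WINDOW => escalate


def parse(log):
    """Turn the constructed alert text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip anything that is not an alert line
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]),
                       "sid": int(d["sid"]), "pri": int(d["pri"]),
                       "msg": d["msg"], "src": d["src"], "dst": d["dst"]})
    return events


def triage(log):
    """Return {src: (disposition, event_count)} after suppression.

    escalate : at least THRESHOLD events from the source inside one WINDOW
    review   : fewer events, but at least one priority-1 signature fired
    isolated : a lone low-priority probe with no follow-up activity
    """
    by_src = defaultdict(list)
    for e in parse(log):
        if (e["sid"], e["src"]) in SUPPRESS:
            continue
        by_src[e["src"]].append(e)

    result = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over the sorted timestamps: largest cluster within WINDOW.
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= THRESHOLD:
            result[src] = ("escalate", len(evs))
        elif any(e["pri"] == 1 for e in evs):
            result[src] = ("review", len(evs))
        else:
            result[src] = ("isolated", len(evs))
    return result


if __name__ == "__main__":
    for src, (disposition, n) in sorted(triage(ALERT_LOG).items()):
        print(f"{src:16} {disposition:9} ({n} alerts)")
```

With the constructed log, 10.0.0.5 disappears entirely (suppressed), 203.0.113.7 is a single ping marked isolated, 203.0.113.44 fired one priority-1 web signature and is queued for review, and 198.51.100.9, which hit three web signatures within ten seconds, is escalated. Note what the suppression does not hide: if 10.0.0.5 started sending web attack signatures, those would still appear, because only the (1001, 10.0.0.5) pair was suppressed.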

Additionally, depending on the technology used by the IDS, attackers have found ways to avoid detection by performing "stupid low-level packet tricks." For example, if an IDS looks for a certain byte sequence in a packet as the signature of a specific attack, the intruder may split that sequence across several smaller IP fragments or TCP segments so that no single packet contains what the IDS expects to see. An IDS that examines each fragment separately judges each one harmless. The target system, however, reassembles the fragments into their original form, and the attack proceeds undetected. The defence is for the IDS to reassemble fragments and TCP streams itself before matching signatures, and to reassemble them the same way the target host does: an IDS whose reassembly policy differs from the host's (for instance, when two fragments overlap and carry different data for the same bytes) can be made to see a different byte stream than the host sees. Part of this is aided by the open source nature of much IDS software, because an attacker can examine the source code looking for exactly such differences and other ways to "fool" the IDS. Closed-source products are not immune; they just take more effort to probe.
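As an added example (not from the guide or from any IDS product), the following Python shows a naive per-packet signature check being defeated by splitting the attack string across TCP segments, and the same check succeeding once the segments are reassembled the way the receiving host would see them. The signature, the HTTP request and the segment layout are constructed for illustration; the reassembly policy ("first data seen for a byte offset wins, stop at a hole") is one common policy, chosen here as an assumption rather than as what any particular host or IDS does.

```python
"""Added example, not the guide's own code: a per-segment signature matcher
misses an attack string split across segments; reassembling the stream first
restores the match. All data below is constructed."""

from dataclasses import dataclass

# Constructed "content" signature for a classic directory-traversal probe.
SIGNATURE = b"GET /../../etc/passwd"

# Constructed attacker request carrying that string.
ATTACK = b"GET /../../etc/passwd HTTP/1.0\r\nHost: victim\r\n\r\n"


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow: stream offset of its first byte plus payload."""
    seq: int
    payload: bytes


def fragment(data, chunk):
    """Attacker side: split a request into consecutive segments of `chunk` bytes."""
    return [Segment(i, data[i:i + chunk]) for i in range(0, len(data), chunk)]


def per_segment_match(segments, signature=SIGNATURE):
    """Naive IDS: look for the signature inside each segment on its own."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Rebuild the byte stream the receiving host will hand to the application.

    Assumed policy: process segments in sequence order, keep the first data
    seen for any byte offset (later duplicates or overlaps do not overwrite),
    and stop at the first hole, since the host would wait for the missing data.
    Hosts differ in exactly this policy, and an IDS that guesses wrong can be
    shown a different stream than the host sees.
    """
    stream = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > len(stream):
            break                              # hole: nothing beyond it is usable yet
        already = len(stream) - s.seq          # bytes of this segment already present
        if already < len(s.payload):
            stream.extend(s.payload[already:])
    return bytes(stream)


def reassembled_match(segments, signature=SIGNATURE):
    """Stream-aware IDS: reassemble first, then match."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    whole = [Segment(0, ATTACK)]
    split = fragment(ATTACK, 8)           # 8-byte segments: signature never fits in one
    print("unfragmented, per-segment :", per_segment_match(whole))
    print("fragmented,   per-segment :", per_segment_match(split))
    print("fragmented,   reassembled :", reassembled_match(split))
```

Run as a script it prints True, False, True: the attack is visible in the unfragmented request, invisible to the per-segment check once no single 8-byte segment holds the 21-byte signature, and visible again after reassembly. Reversing the segment order or retransmitting a segment does not change the reassembled result, which is why the stream, not the packet, is the right unit to match against.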

IDS Issues

Security issues with IDS include the large number of "false positive" alerts that can distract an administrator from real issues, and the fact that altering low-level packet characteristics (fragmentation, segmentation, overlapping data) can sometimes enable an attacker to avoid detection.

A false positive is a potential intrusion that is detected and reported (or acted upon) by the IDS but turns out not to be a real intrusion at all. Its counterpart, a false negative, is a real intrusion that the IDS fails to report. As noted above, false positives consume much administrator time and attention, and tuning them away too aggressively produces false negatives instead.


This is not the last you'll be hearing about IDSs, which show up again in more detail later in this major section. For more information, check out Robert Graham's excellent FAQ on the subject, which includes questions to ask an IDS vendor, further resources, and ways attackers attempt to avoid detection by IDSs.







CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.