Security Issues with IDS
We hinted at one of the potential IDS security issues above. Most IDSs produce a large number of false positives, that is, events that are flagged as intrusion attempts but that aren't really intrusions, or which, when investigated, turn out to be random, isolated script kiddie network probes that do not result in further activity. Going through all of these event reports, looking for the ones that the IT department needs to be concerned about, can be a time-consuming activity that takes the administrator's efforts away from actual security issues. Therefore, important skills to develop when your environment includes an IDS are configuring the IDS in a way that reduces the number of false positives (without missing any actual intrusions) and efficiently identifying the events that are worthy of further investigation.
Additionally, depending on the technology used by the IDS, attackers have found ways to avoid detection by performing stupid low-level packet tricks. For example, if an IDS looks for a certain sequence of packets as the signature of a specific attack, the intruder may try to avoid this by fragmenting their communication into a series of smaller packets that don't match what the IDS expects to see. Each of the fragments is examined separately by the IDS and judged harmless. However, once the target system has received the fragmented packets, it puts them back together into their original form and the attack can continue, undetected by the IDS. Part of this is aided by the open source nature of much IDS software, because an attacker can examine the source code, looking for potential ways to fool the IDS.
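The fragmentation problem described above, as an added example of why a detector must reassemble before it matches (constructed toy code, not from the book or from any real IDS; the signature string, the fragment layout and the sample request are all invented for illustration):

```python
# Added example: a toy signature matcher contrasted with one that reassembles
# fragments first. Everything here (signature, packet format, sample request)
# is constructed for illustration; it is not code from the book or a real IDS.
from dataclasses import dataclass
from typing import List

@dataclass
class Fragment:
    offset: int    # byte offset of this fragment within the original payload
    data: bytes
    more: bool     # True when further fragments follow this one

SIGNATURE = b"GET /cgi-bin/evil"   # constructed sample signature, not a real rule

def match_per_fragment(fragments: List[Fragment], signature: bytes = SIGNATURE) -> bool:
    """Naive IDS behaviour: inspect each fragment on its own."""
    return any(signature in f.data for f in fragments)

def reassemble(fragments: List[Fragment]) -> bytes:
    """Rebuild the payload exactly as the target host will see it.
    Fragments may arrive out of order; gaps, overlaps and a missing final
    fragment are rejected rather than guessed at, because an inconsistent
    fragment set is itself something an analyst should see."""
    ordered = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):
            raise ValueError(f"gap or overlap at offset {f.offset}")
        buf += f.data
    if not ordered or ordered[-1].more:
        raise ValueError("final fragment missing")
    return bytes(buf)

def match_reassembled(fragments: List[Fragment], signature: bytes = SIGNATURE) -> bool:
    """Detector that matches against the reassembled payload."""
    return signature in reassemble(fragments)

def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Constructed test helper: split a payload into `size`-byte fragments."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(i * size, c, i < len(chunks) - 1) for i, c in enumerate(chunks)]

SAMPLE = b"GET /cgi-bin/evil HTTP/1.0\r\n"   # constructed sample request

if __name__ == "__main__":
    frags = fragment(SAMPLE, 6)[::-1]        # deliver the fragments out of order
    print(match_per_fragment(frags))          # False: no single fragment holds it
    print(match_reassembled(frags))           # True: the rebuilt payload does
```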
This is not the last you'll be hearing about IDSs, which show up again in more detail later in this major section. For more information, do check out Robert Graham's excellent FAQ on this subject, including questions to ask an IDS vendor, further resources on the subject, and ways attackers attempt to avoid detection by IDSs.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.