Intrusion Detection Strategies

Intrusion Detection Strategies

Post by arigano.sp » Fri, 25 Jul 2008 23:03:24

Intrusion Detection Strategies
Until now, wee primarily discussed monitoring in how it relates to
intrusion detection, but there more to an overall intrusion
detection installation than monitoring alone. Monitoring can help you
spot problems in your network, as well as identify performance
problems, but watching every second of traffic that passes through
your network, manually searching for attacks, would be impossible.This
is why we need specialized network intrusion detection software.This
software inspects all network traffic, looking for potential attacks
and intrusions by comparing it to a predefined list of attack strings,
known as signatures. In this section, we will look at different
intrusion detection strategies and the role monitoring plays.Wel
learn about different strategies designed for wireless networks, which
must take into account the nature of the attacks unique to the
medium.These include a lack of centralized control, lack of a defined
perimeter, the susceptibility to hijacking and spoofing, the use of
rogue APs, and a number of other features that intrusion detection
systems were not designed to accommodate. Only a combination of
factors wee discussed earlier, such as good initial design and
monitoring, can be combined with traditional intrusion detection
software to provide an overall effective package.

Integrated Security Monitoring
As discussed earlier, having monitoring built in to your network will
help the security process evolve seamlessly.Take advantage of built-in
logging-on network devices such as firewalls, DHCP servers, routers,
and even certain wireless APs. Information gathered from these sources
can help make sense of alerts generated from other intrusion detection
sources, and will help augment data collected for incidents.
Additionally, these logs should help you to manually spot unauthorized
traffic and MAC addresses on your network.

Beware of the Auto-responding Tools!
When designing your intrusion detection system, you will likely come
across a breed of tools, sometimes known as Intrusion Prevention
Systems. These systems are designed to automatically respond to
incidents. One popular package is called PortSentry. It will, upon
detection of a port scan, launch a script to react. Common reactions
include dropping the route to the host that has scanned you, or adding
firewall rules to block it. While this does provide instant protection
from the host that scanning you, and might seem like a great idea at
first, it creates a very dangerous denial of service potential. Using
a technique known as IP spoofing, an attacker who realizes PortSentry
is being used can send bogus packets that appear to be valid port
scans to your host. Your host will, of course, see the scan and react,
thinking the address that its coming from is something important to
you, such as your DNS server, or your upstream router. Now, network
connectivity to your host is seriously limited. If you do decide to
use autoresponsive tools, make sure you are careful to set them up in
ways that can be used against you.


1. Intrusion Detection Strategies

2. Intrusion detection and intrusion prevention


Microsoft claims that ISA server 2004 has Intrusion detection and intrusion
prevention features.

Is there any subscription available to update the IDS and IPS rule database
in ISA server 2004? or it is static set of rules?

Such subscription is available for Symantec security appliance.

Thank you,


3. Status of chassis intrusion detection sensor

4. Intrusion Detection