No Trespassing

Increased complexity of networks, access to the Internet, and computer literacy have necessitated that network security vendors offer users a technology for detecting network breaches. Begun in the 1980s as a series of government projects, intrusion detection software quickly matured and crossed over to the commercial market. By February 2000 there were numerous commercial IDS offered as part of a layered security approach.

Intrusion detection systems monitor, detect and respond to unauthorized network activity. In order to do this, IDS use policies to define certain events that will trigger an alert if detected. While some IDS only issue an alert, there are systems that respond automatically by logging off the perpetrator, disabling the user account, or launching scripts. IDS tools act as a complement to firewalls. They allow for the complete supervision of networks and ensure that there will be information available to help determine the nature of the security incident and its source.

According to GFI CEO Nick Galea, "As part of an organization's security practices and policies, it is important for companies to be aware, in real time, of unauthorized access and/or any attempts of this, be it from internal or external sources. It is essential for administrators to have a product in place that immediately notifies them in cases of critical network events as they occur, as this enables them to take immediate action."

Types of Attacks
There are three types of network attacks. In a reconnaissance attack or scan, the intruder will find out as much about the system as possible. In an exploits attack, the intruder takes advantage of bugs or vulnerabilities in order to gain access to the system. In a denial of service (DoS) attack, the intruder vandalizes the system so that it becomes unavailable to legitimate users.

Many network incidents inside the network occur by error, attempts of authorized users to go beyond their authorization, and disgruntled employees. However, attacks do come from outside the network. These attacks generally take the form of denial-of-service attacks.

While IDS can be used in conjunction with firewalls, a firewall regulates and controls the flow of information into and out of a network and attempts to prevent an intruder from entering a network. Prevention is also what an intrusion prevention system provides, since instead of just reporting incidents while or after they occur, an IPS has software that attempts to prevent the incident from occurring.

Five years ago, there were many IDS vendors and products, and the market flourished. Now, due to spin-offs, mergers and acquisitions, there are fewer IDS vendors. The growing trend is migration toward the more sophisticated intrusion prevention systems, which provide prevention as well as detection in one system or device.

The increased popularity of IPShas raised some controversy regarding whether IDS are still important. Robert Geiger, senior director of products development for Network Security Solutions at Symantec, said, "Symantec recommends that IDS be part of a total security architecture. Enterprises want to block (or protect against) many threats but still will want to record and report on threats they do not block automatically. Thus, there will always be a place for IDS."

Attendees at the 2004 InfoSecurity Conference & Exhibits in New York City supported this statement. According to a senior vice president at JPMorgan Chase, "The demise of IDS has been exaggerated. Right now, changing over to IPS is unfeasible, inefficient and not very cost-effective for many companies that already have IDS and other security products."

An IT director at New York University Medical Center agreed, saying, "If a company has already invested time and money in an IDS that works well and is integrated with their other security products, they'll want to keep the existing IDS because it's part of the security system that they've already cost-justified and implemented. Even with the increasing security awareness, it's hard to cost justify getting rid of existing security that works and replacing it with a better mousetrap, especially in a tight economy."

Input from all over the world confirms the importance and prominence of IDS. From New Zealand, Gene Soudlenkov, senior developer and team leader at Qbik, said, "Intrusion detection systems have become a very important part of any protected perimeter due to the increased complexity of attacks and increased bandwidth, which allows the attackers to easily mount various denial-of-service attacks. We recommend using an IDS in a layered approach to security because it allows for greater flexibility and a higher level of protection."

There are a few types of IDS from which to choose, and each has unique strengths.

Host-Based IDS
The first type of IDS to be developed and implemented, the host-based IDS, collects and analyzes data that originates on a computer that hosts a service. After the data is aggregated for the computer it can be analyzed locally or sent to a separate analysis machine. HIDS are most effective at detecting unauthorized insider activity and unauthorized file modification. But HIDS may be inefficient or ineffective in collecting and aggregating information for each machine when dealing with several thousand endpoints. Additionally, disabling the data collection on any given computer will render the IDS on that machine useless due to lack of a backup.

Network-Based IDS
Network-based IDS (NIDS) monitors data packets on the network to discover if a hacker is trying to break in or cause a denial-of-service attack. Packets are examined to determine if they are malicious or benign. Network-based IDS are more distributed than HIDS. Their software or appliance hardware resides in one or more systems connected to the network. The network-based IDS uses techniques like packet-sniffing to pull data from TCP/IP and other protocol packets traveling the network. These systems are particularly good at detecting access attempts from outside the trusted network and bandwidth theft/DoS attacks because they continually monitor the connections between computers and the packets that carry these attacks.

HIDS and NIDS Combined
While HIDS and NIDS differ significantly from each other, they can be used together. HIDS has software residing on each of the hosts that will be governed in the system. More efficient HIDS can monitor and collect system audit trails in real time as well as on a scheduled basis, providing a flexible means of security administration. If an NIDS is also used, it can filter alerts and notifications in a manner identical to that of the HIDS portion of the system, controlled from the same central location. Using the two types of systems together provides a convenient means of managing and reacting to misuse.

Some Available IDS
Symantec ( has offered both NIDS and HIDS for more than four years. When the company merged with Axent, it acquired NetProwler and Intruder Alert IDS technology. It still offers Intruder Alert, but replaced NetProwler with ManHunt, a multi-gigabit IDS solution, when it acquired Recourse Technologies in 2002. Additionally, the company offers Symantec Host IDS. The Symantec Network Security 7100 series runs in either IDS or IPS mode, while the software runs only in IDS mode.

When Cisco ( bought Wheel Group, it began marketing the NetRanger technology as the Cisco Intrusion Detection System. The company now offers the Cisco Intrusion Detection Systems 4200 network security appliances, an IDS Catalyst 6000 security module, and an IDS host-based sensor.

Network ICE was acquired by Internet Security Solutions ( and still offers BlackICE, which checks for both misuse and anomalies. It offers explicit alerts for any event that occurs. The company also provides RealSecure Network 10/100 software, a real-time attack recognition and response system that identifies misuse attacks. By analyzing packets of information as they travel across the network and understanding the vulnerabilities of the network, RealSecure can interpret hostile attacks. Whenever vulnerability is exploited or an intrusion recognized, e-mail or pager alerts the network administrator. All events and their sequence can be recorded and saved to a file for evidence, audit and investigation purposes.

Enterasys ( offers Dragon Intrusion Detection System, an integrated detection solution using hybrid detection methods and a Windows management console. The system uses multiple virtual sensors to correlate event data from across the network and compare it to collected data on the network's vulnerability posture.

Sentivist IDS, marketed by NFR (, provides highly accurate attack detection with low false positives. The vendor claims that NFR is the most sophisticated attack detection engine available today.

NetDetector 2005 by Niksun ( is an appliance for network security surveillance, detector analytics and forensics. NetDetector 2005 acts as a security camera and motion detector, continuously capturing and warehousing network trouble, providing complete real-time surveillance, and alerting on specific signatures and traffic patterns.

Sourcefire ( delivers an NIDS based on Snort, the de facto standard of intrusion detection. Snort was created by Sourcefire's founder and CTO, Martin Roesch. The Sourcefire NIDS is a plug-and-protect appliance that can be easily installed and managed. Sourcefire intrusion sensors use a Snort rules-based detection engine, combining the benefits of signature protocol and anomaly-based inspection methods. The intrusion sensors are available on IBM, Nortel and Sun platforms as well as on Sourcefire branded appliances.

An internal research project at Qbik ( turned into a popular stand-alone commercial NIDS known as NetPatrol. According to the company, part of NetPatrol's popularity is due to its seamless installation. Initial installation requires only one set of data to be entered.

In 2002, GFI ( launched GFI LANguard Security Event Log Monitor, an HIDS that performs event log-based intrusion detection. The system allows administrators to monitor for critical security events network-wide; receive alerts about events on Exchange, ISA, SQL, and IIS Servers; back up and clear event logs network-wide; and archive to a central database.

Since 2001, Top Layer ( has been shipping their IDS Balancer, which is an "optimizer system used to save money for large IDS deployments by reducing the number of IDS sensors needed to get complete coverage." Designed specifically to be used with NIDS, the IDS Balancer is compatible with IDS products from Cisco, Sourcefire, ISS, Enterasys, Snort, NFR, Symantec and Niksun.

The Future of IDS
Because IDS have been around for a long time, most security officers are knowledgeable about what they can provide. As with any IT solution, updating the IDS is necessary in order to achieve maximum benefits. According to Sourcefire's Michele Perry, "Failure to update their products has led to a number of potential misconceptions about the effectiveness and manageability of today's leading IDS."

Gene Soudlenkov from Qbik said that IDS is growing "because network security has become an integral part of any network where an intrusion can be vital for the business. However, without significant advances in the IDS theory it would be hard to deflect new types of attacks without properly dissecting them first."

Symantec's Robert Geiger added, "Symantec believes that you cannot prevent an attack without first detecting it. Intrusion detection technology is now being driven by the intrusion prevention needs, and will continue to evolve and get better in order to meet customer needs. IDS is the foundation for intrusion prevention, and intrusion prevention is a critical component of network security today."

Because the IPS market is still immature, IDS is still very much alive and in widespread use. The acceptance of IDS into IPS will depend not only on the evolution of technology but also on the economic feasibility of change.

D.E. Levine, CISSP, CFE, FBCI, CPS, is a contributing editor to ST&D and co-author of several security books. She can be can be reached by e-mail at dlevine@techwriteusa.

This article was published in the March 2005 issue of ST&D magazine.