RangerIDS - Intrusion Detection System (IDS)



Which Technology Is The Best?


Unfortunately for the potential purchaser of security products, there is no single answer to this question.


The first myth to quash is the one which states that if you have an IDS you do not need a firewall, or vice versa. For those with a reasonable security budget, we would recommend purchasing both a firewall and at least one product from each of the aforementioned IDS categories (note that we still include IPS products in the more generic IDS group, since in order to prevent an attack they first have to detect it). The firewall guards your perimeter, while the IDSs monitor what is happening on your network, guarding against slip-ups by the firewall as well as internal mischief-makers.


IDS devices can also be installed outside a firewall in order to detect the "doorknob rattlers": attempted scans and other probes and attacks that are normally dropped by your firewall and thus would never be seen by an internal IDS. Whether to do so is largely a management decision, and depends on the human resources available to review the resulting log files; those from an IDS installed outside a firewall are likely to be voluminous, to say the least.
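The volume problem with an external sensor is usually tackled by collapsing per-packet events into one line per source before a human looks at them. The script below is an added example, not code from the original page or from RangerIDS: the log format, the sample lines and the scan threshold are all constructed here for illustration.

```python
# Added example (not from the original page): triaging the voluminous log of
# an IDS placed outside the firewall by collapsing per-packet events into one
# summary line per source address. Log format and sample lines are constructed.
from collections import defaultdict
import re

# Constructed sample log: timestamp, source ip:port, destination ip:port, event.
SAMPLE_LOG = """\
2024-05-01T02:14:01Z 203.0.113.7:41000 -> 198.51.100.10:22 SYN
2024-05-01T02:14:01Z 203.0.113.7:41001 -> 198.51.100.10:23 SYN
2024-05-01T02:14:02Z 203.0.113.7:41002 -> 198.51.100.10:80 SYN
2024-05-01T02:14:02Z 203.0.113.7:41003 -> 198.51.100.10:443 SYN
2024-05-01T02:14:03Z 203.0.113.7:41004 -> 198.51.100.10:3389 SYN
2024-05-01T02:14:03Z 203.0.113.7:41005 -> 198.51.100.11:22 SYN
2024-05-01T02:15:10Z 192.0.2.55:51234 -> 198.51.100.10:443 SYN
2024-05-01T02:15:11Z 192.0.2.55:51235 -> 198.51.100.10:443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<event>\S+)$"
)


def parse_lines(text):
    """Return (records, bad_count); malformed lines are counted, not silently dropped."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad += 1
            continue
        records.append(m.groupdict())
    return records, bad


def summarise(records, scan_threshold=5):
    """Collapse per-packet events into one entry per source address.

    A source touching at least scan_threshold distinct destination ports is
    labelled a probable port scan (a "doorknob rattler"). The threshold is an
    assumption for this example and would be tuned per site.
    """
    per_src = defaultdict(lambda: {"events": 0, "ports": set(), "hosts": set(),
                                   "first": None, "last": None})
    for r in records:
        s = per_src[r["src"]]
        s["events"] += 1
        s["ports"].add(int(r["dport"]))
        s["hosts"].add(r["dst"])
        s["first"] = s["first"] or r["ts"]
        s["last"] = r["ts"]
    summary = {}
    for src, s in per_src.items():
        summary[src] = {
            "events": s["events"],
            "distinct_ports": len(s["ports"]),
            "distinct_hosts": len(s["hosts"]),
            "first": s["first"],
            "last": s["last"],
            "probable_scan": len(s["ports"]) >= scan_threshold,
        }
    return summary


def triage(text, scan_threshold=5):
    """Parse a raw sensor log and return (per-source summary, unparseable line count)."""
    records, bad = parse_lines(text)
    return summarise(records, scan_threshold), bad


if __name__ == "__main__":
    summary, bad = triage(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        flag = "SCAN" if s["probable_scan"] else "    "
        print(f"{flag} {src:15} events={s['events']} ports={s['distinct_ports']} "
              f"hosts={s['distinct_hosts']} {s['first']}..{s['last']}")
    if bad:
        print(f"{bad} unparseable line(s) ignored")
```

Eight raw events become two summary lines, one of them flagged as a scan; the unparseable-line count is reported rather than hidden, since an attacker who can corrupt sensor output should not be able to make their traffic vanish from the review.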


Both host-based and network-based IDS are worth investing in, since they each have their own strengths. Network-based IDS monitor the wire for suspect packets and are adept at spotting denial-of-service attacks and unwelcome probes, usually from outside the network. Host-based systems, on the other hand, watch the "crown jewels": the actual data on the file servers, monitoring for inappropriate logins or changes to critical files from unauthorised sources.


Although network-based products seem to get most of the publicity at the moment, the host-based system can sometimes be more valuable in determining the after-effects of an attack, since it records which files were actually touched. We would still recommend deploying both technologies wherever possible.


Intrusion prevention products are also well worth considering, whether host- or network-based. If the budget will stretch to their acquisition, and the signature set can be carefully tuned to avoid false positives (an IPS that blocks on a false positive causes an outage, not just a spurious alert), they are a valuable addition to the armoury.