Intrusion Detection
There are several methods for protecting a network from malicious connections from the outside world. The most common and well known is the use of firewalls to separate private and public networks. But how do you protect your publicly accessible machines, the ones the firewall must let traffic through to by design? And how do you know whether your firewall has been breached? One way to find out is to deploy an Intrusion Detection System (IDS).

What is an Intrusion Detection System? Well, there are several different layers of intrusion detection. The first layer is a Network Intrusion Detection System (NIDS).

A Network IDS is essentially a specially designed and configured network sniffer. A network sniffer is a piece of software that captures and analyzes every packet that reaches the network interface. It works by putting the Ethernet card into what is known as "promiscuous mode": normally the NIC discards frames that are not addressed to it, but in promiscuous mode it hands every frame it sees to the software. On a shared segment (a hub) that means all traffic on the segment. On a switch it does not: a switch only forwards each frame to the port that owns the destination address, so a sniffer plugged into an ordinary switch port sees its own traffic and broadcasts and little else. To monitor a switched network you configure the switch to copy traffic to the sniffer's port (a SPAN or mirror port) or insert a network tap into the link you want to watch. This is also how the FBI's Carnivore, which has garnered so much recent press, works.


What the IDS does is go through every packet that passes through the network and search for patterns. Using a set of "signature" libraries, the IDS compares the signatures of known attacks (a destination port plus a particular string of bytes in the payload, for example) against the headers and contents of each packet. In this sense it works very much like most virus detection software, and like virus software the signatures are updated as new attacks and new scanning tools are discovered or introduced. The limitation is the same as with a virus scanner: a signature-based IDS only sees what it has a signature for. A brand new attack, a known attack with its payload re-encoded so the literal string no longer appears, or anything carried inside an encrypted connection goes past it unnoticed, so the signature library needs the same care and regular updating that virus definitions do.
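To make the signature-matching idea concrete, here is a toy signature engine written for this page as an added illustration. It is not the code or rule format of any real IDS product, and the rule names, addresses and packets are all constructed for the example. Each rule carries header constraints (protocol, destination port) plus a literal byte string or a regular expression that must appear in the payload; the sample traffic includes three packets the library misses (an encoded traversal, the same attack against a port the rule does not cover, and a benign request) to show the limitation described above.

```python
"""Toy signature-matching network IDS: an added illustration, not the code of any
real product. Rules and packets below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    payload: bytes    # application-layer bytes


@dataclass
class Rule:
    """One signature: header constraints plus what must appear in the payload."""
    name: str
    proto: str = "any"                 # "tcp", "udp" or "any"
    dport: Optional[int] = None        # None matches every destination port
    content: Optional[bytes] = None    # literal byte string that must occur in the payload
    nocase: bool = False               # case-insensitive content match
    regex: Optional[bytes] = None      # regular expression over the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.content is not None:
            hay, needle = pkt.payload, self.content
            if self.nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
        if self.regex is not None and re.search(self.regex, pkt.payload) is None:
            return False
        return True


# Constructed signature library; the names are made up for the example.
RULES = [
    Rule("WEB directory traversal", proto="tcp", dport=80, content=b"../.."),
    Rule("WEB cmd.exe request", proto="tcp", dport=80, content=b"cmd.exe", nocase=True),
    Rule("FTP SITE EXEC attempt", proto="tcp", dport=21, regex=rb"(?i)^SITE\s+EXEC"),
    Rule("SHELLCODE x86 NOP sled", content=b"\x90" * 16),
]


def inspect(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[str, str, str, int]]:
    """Run every rule over every packet; return (rule name, src, dst, dport) per hit."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.name, pkt.src, pkt.dst, pkt.dport))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80,
           b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.11", "tcp", 21, b"SITE EXEC %p%p%p%p\r\n"),
    Packet("10.0.0.5", "192.0.2.12", "tcp", 4444, b"\x90" * 40 + b"\x31\xc0\x50\x68//sh"),
    # Three packets the library misses: encoded traversal, an uncovered port, benign traffic.
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /..%2f..%2fetc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 8080, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.6", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


if __name__ == "__main__":
    for name, src, dst, dport in inspect(SAMPLE_PACKETS):
        print(f"ALERT {name}: {src} -> {dst}:{dport}")
```

Running it produces four alerts, one each for the first four packets, and nothing for the last three. The second packet illustrates both sides of the coin: the traversal rule misses it because the literal "../.." never appears once the path is encoded, while the case-insensitive cmd.exe rule still fires. A real engine normalizes URLs and reassembles TCP streams before matching for exactly this reason, but it still cannot see what it has no signature for.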

The next portion of an Intrusion Detection System is a Host Based IDS. A host based IDS monitors logs, files, and processes, looking for unusual activity on a particular machine. It watches log files and can send out automated alerts based on the log entries. In addition it can monitor the integrity of the file system and alert you if particular binaries have been modified or if someone has been added to the passwd file. Some host IDS solutions can also monitor the processes running on a machine and alert you if an unauthorized process has been started. This is useful if the machine has been compromised and someone is attempting to install a "root kit" in order to plant backdoors that ensure future access to the machine: a root kit typically replaces system binaries such as ps, ls and netstat with trojaned copies that hide the intruder's files and processes, which is exactly the kind of change a file integrity check catches.
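The file integrity and passwd monitoring described above, as an added example written for this page (it is not the code of any host IDS product). It records a SHA-256 hash, permission bits and size for every regular file under a directory, re-scans later and reports what was added, removed or modified, and separately flags any new uid-0 entry in a passwd-format file. The directory tree, the fake binaries, the passwd contents and the simulated root kit activity are all constructed in a temporary directory for the example.

```python
"""Toy host-based integrity monitor: an added illustration, not any product's code.
Baselines a directory tree, re-scans it, reports what changed, and flags new
uid-0 entries in a passwd-format file. All files here are constructed in a
temporary directory."""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex, permission bits, size)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Relative path -> (hash, mode, size) for every regular file under root.
    Recording the mode means a setuid bit added to unchanged bytes is still caught."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_of(full), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Report paths that appeared, disappeared, or whose hash/mode/size changed."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def root_accounts(passwd_text: str) -> Set[str]:
    """Usernames whose uid field is 0 in passwd(5)-format text."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.add(fields[0])
    return names


def _write(path: str, data: bytes, mode: int) -> None:
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/ and etc/, then simulate a root kit."""
    with tempfile.TemporaryDirectory() as root:
        bindir, etcdir = os.path.join(root, "bin"), os.path.join(root, "etc")
        os.makedirs(bindir)
        os.makedirs(etcdir)
        passwd_before = "root:x:0:0:root:/root:/bin/sh\nwww:x:33:33::/var/www:/bin/false\n"
        _write(os.path.join(bindir, "ls"), b"#!/bin/sh\necho real ls\n", 0o755)
        _write(os.path.join(bindir, "ps"), b"#!/bin/sh\necho real ps\n", 0o755)
        _write(os.path.join(etcdir, "passwd"), passwd_before.encode(), 0o644)
        baseline = build_baseline(root)
        known_root = root_accounts(passwd_before)

        # Simulated root kit: trojaned ps, setuid bit on otherwise unchanged ls,
        # a hidden binary, and a second uid-0 account appended to passwd.
        _write(os.path.join(bindir, "ps"),
               b"#!/bin/sh\necho real ps | grep -v backdoor\n", 0o755)
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        _write(os.path.join(bindir, ".hidden"), b"backdoor\n", 0o755)
        passwd_after = passwd_before + "toor:x:0:0::/:/bin/sh\n"
        _write(os.path.join(etcdir, "passwd"), passwd_after.encode(), 0o644)

        report = compare(baseline, build_baseline(root))
        new_root = sorted(root_accounts(passwd_after) - known_root)
        return {"report": report, "new_root_accounts": new_root}


if __name__ == "__main__":
    print(demo())
```

The scan reports bin/.hidden as added, bin/ls, bin/ps and etc/passwd as modified, and "toor" as a new uid-0 account. Two practical points follow from the design: the baseline must be kept somewhere the intruder cannot rewrite it (read-only media or another host), since a root kit that can replace ps can also replace the hash database, and a kernel-level root kit can lie to the scanner about what is on disk, which is why the host and network views are used together.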

To get the most out of an Intrusion Detection System you want a combination of network and host based monitoring, because each sees things the other cannot: a network IDS is blind inside an encrypted session and only sees the segments it is attached to, while a host IDS only sees the machine it runs on. The bottom line is that you want to know what kind of activity is taking place on your network and on your machines. Without that knowledge you are essentially blind until you wake up one day and find that your web page has been vandalized or that someone has pilfered credit card information from your database. An IDS can provide both real time warnings of attacks on your network and valuable forensic information in the case of an actual break in. No software solution will ever protect a machine 100% from compromise, but good security and monitoring systems reduce your risk substantially.