2. IDS reports attacks against monitored systems/networks:
Firewalls are the perimeter defense that keeps most of the malicious traffic out
Ex. Lock on your house
IDS is the passive alarm system that only alerts you if an unwanted action occurs.
Mature technology
However, many organizations do not implement it in a mature manner
Requires monitoring, alerting, and reaction
Issues arise when alerts are generated but no one is monitoring them in real time
3. Not a replacement for firewalls, strong policies, system hardening, timely patching, and other defense-in-depth techniques
Not a low maintenance tool
Not an inexpensive tool
Not a silver bullet
4. Alerts are generated from Events of Interest (EOI)
Ex. (physical-world analogy | network EOI):
Someone breaking a glass window     | Making an outside connection from a server
Someone opening a door or window    | Uploading data to a server
Someone just walking in your house  | An application surviving a reboot
An analyst must understand four types of events from the IDS:
True positive and false positive
True negative and false negative
Both false positives and false negatives must be balanced
5. Deployed as a passive sniffer/sensor at network aggregation points
Captures traffic
Plugged into a span port
Detects EOI on the network
Utilizes one of the following techniques for detection:
Signature: Pattern matching, similar to antivirus
Anomaly: Baseline normal traffic on the network and flag anomalous traffic
Application/protocol analysis: Understands logic of applications and protocols
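To make slides 4 and 5 concrete, here is an added example (not from the original notes) that runs a toy signature detector and a toy anomaly detector over constructed flow records and scores each one against the four event types. The flow records, the signature list, the baseline window and every name in the block (FLOWS, SIGNATURES, BASELINE, the function names) are constructed assumptions of this example, not real traffic or a real IDS.

```python
from statistics import mean, pstdev

# Constructed sample flows (not real traffic): (src, dst_port, bytes_out, payload, truth).
# "truth" is the analyst's ground-truth label, used only to score the detectors.
FLOWS = [
    ("10.0.0.5", 443, 1_200, b"GET /index.html", "benign"),
    ("10.0.0.5", 443, 1_450, b"GET /about.html", "benign"),
    ("10.0.0.5", 443, 1_300, b"GET /news.html", "benign"),
    ("10.0.0.5", 443, 1_100, b"GET /faq.html", "benign"),
    ("10.0.0.5", 80, 95_000, b"POST /upload", "attack"),  # bulk upload from a server
    ("10.0.0.9", 443, 1_250, b"GET /cgi-bin/x?f=../../etc/passwd", "attack"),
    ("10.0.0.9", 443, 1_350, b"GET /home.html", "benign"),
    ("10.0.0.9", 443, 9_000, b"GET /video.mp4", "benign"),  # large but legitimate
]

# Constructed baseline window of "normal" bytes_out values, captured before detection runs.
BASELINE = [1_200, 1_450, 1_300, 1_100, 1_350, 1_500, 1_250]

# Signature detection: pattern matching against known-bad content, like antivirus.
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]


def signature_alerts(flows):
    return [f for f in flows if any(sig in f[3] for sig in SIGNATURES)]


def anomaly_alerts(flows, baseline, k=3.0):
    """Anomaly detection: flag flows whose bytes_out exceed mean + k*stdev of the baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [f for f in flows if f[2] > mu + k * sigma]


def combined_alerts(flows, baseline):
    """Both techniques together: a flow alerts if either detector fires on it."""
    hits = set(signature_alerts(flows)) | set(anomaly_alerts(flows, baseline))
    return [f for f in flows if f in hits]


def score(flows, alerts):
    """Count the four event types an analyst must understand: TP, FP, TN, FN."""
    alerted = set(alerts)
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for f in flows:
        hit, attack = f in alerted, f[4] == "attack"
        counts["TP" if hit and attack else "FP" if hit else "FN" if attack else "TN"] += 1
    return counts


if __name__ == "__main__":
    for name, alerts in (("signature", signature_alerts(FLOWS)),
                         ("anomaly", anomaly_alerts(FLOWS, BASELINE)),
                         ("combined", combined_alerts(FLOWS, BASELINE))):
        print(name, score(FLOWS, alerts))
```

The signature detector misses the bulk upload (a false negative) and the anomaly detector misses the path-traversal request while flagging the legitimate video download (a false positive); combining them catches both attacks but keeps the false positive, which is the balancing act slide 4 describes.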
6. Two different mechanisms for examining packets on the network.
Shallow Packet Inspection:
Fast, but only inspects layers 3 and 4
Examines header and limited payload data
Deep Packet Inspection:
Slow; requires stateful tracking of data
Inspects all fields, including variable-length fields
Checks every signature, so performance is low
In practice, both are used together
7. Provides much of the functionality of a NIDS to a host
Can be more granular than NIDS, analyzing activity on host
File integrity monitoring
Ex. Tripwire
Uses signature and anomaly analysis with unauthorized change monitoring, log monitoring, and network monitoring.
Local processing/alerting may be done, but data is generally sent to a central location for parsing.