Network Intrusion Detection & Prevention Systems

LAN & Internet Network Security Monitoring with NIDS/NIPS Software

© Yuen Kit Mun

Sep 23, 2009
Network IDS/IPS are Used to Secure LANs, jadey919 (stock.xchng)
How Network IDS/IPS work. NIDS/NIPS advantages, limitations and network deployment issues.

Network-based Intrusion Detection Systems and Intrusion Prevention Systems (NIDS or Network IDS, Network IPS or NIPS) are used by IT professionals to monitor and protect Local Area Networks (LANs) against viruses, hackers and other IT security threats.

Deploying a NIDS/NIPS isn't easy. Sensor placement and rule tuning need to be understood, and someone has to read the alerts it produces. A NIDS/NIPS is therefore not usually suitable for a home network.

A classic NIDS/NIPS is the open source Snort software. Snort will be used as a reference NIDS/NIPS in this article.

Other NIDS/NIPS solutions are available. Many consist of management layers built over Snort (graphical interface, log analyzer, rule manager). Some security companies sell NIDS/NIPS network security appliance solutions that bundle Snort into an easy-to-use standalone box.

Unlike a Host IDS/IPS, which must work with the operating system being protected, the operating system a NIDS/NIPS runs on isn't important. The NIDS/NIPS just plugs into the network: a Linux NIDS/NIPS can monitor a LAN that contains only Microsoft Windows desktop PCs and servers.

IP or Ethernet, Layer 2 or Layer 3 Network Intrusion Protection

Most NIDS/NIPS (including Snort) work at the IP level, that is, network layer 3 and above (see the Snort FAQ below).

Layer 2 (Ethernet) NIDS such as Arpwatch are available but are beyond the scope of this article.

Most Internet viruses and attacks arrive over TCP/IP, so layer 3 monitoring covers them. However, an internal hacker with direct access to the LAN can launch layer 2 attacks such as ARP cache poisoning, which a layer 3 sensor never sees.

A layer 3 NIDS can detect the usage of unauthorized local IP addresses, but not unauthorized Ethernet card MAC addresses (this requires layer 2 monitoring).

How a Network IDS and IPS Works

A Host IDS detects threats in a very different way from a Host IPS. A NIDS and a NIPS, however, are very similar: both inspect traffic against the same rules. The main difference is that a NIDS only detects and alerts, while a NIPS can also drop the offending packets and block the connection.

To block the connection, a NIPS must sit in the traffic path, an "inline configuration", usually together with a firewall. Snort's inline mode works this way with the iptables firewall: iptables hands packets to Snort through its QUEUE or NFQUEUE target, Snort returns an accept or drop verdict for each one, and a rule written with the drop action discards the packet instead of only logging it.

A NIDS can be deployed at or near an Internet firewall to detect threats from the Internet. More than one NIDS can also be deployed, to monitor different parts of the LAN, to detect internal hacker activity.

Most corporate LANs use Ethernet switches, not hubs, so a sensor plugged into an ordinary switch port sees only traffic addressed to itself. To monitor a switch, the NIDS needs to be connected to a port that mirrors and aggregates the traffic of other Ethernet ports (a SPAN port in Cisco terminology), or to a passive network tap on the link being watched. A SPAN port that aggregates more traffic than its own link speed silently drops the excess, and the sensor never sees those packets.

A NIDS/NIPS uses rules to detect security threats. Rules are:

  • Pattern or signature based. These work like the virus signatures used by antivirus software: a rule matches a byte pattern or string in the packet payload. Most network administrators use a standard set of constantly updated rules from the NIDS/NIPS vendor, covering known viruses and vulnerability exploits. New or unknown viruses will escape detection.
  • Traffic flow based. These rules are written for each network from knowledge of what traffic should exist there. For example, a rule can be written to trigger an alert if an incoming connection to a web server is made to any port other than 80 and 443, or if the web server makes any outgoing connection at all. Because they look at who talks to whom rather than at payload content, such rules can detect new or unknown "zero-day" viruses.
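To show how the two rule kinds differ in practice, here is an added example (not Snort's own code and not from the original article): a toy engine in Python that parses a few rules written in Snort's rule syntax and runs them over constructed packets. The rules, the web server address 192.0.2.10, the other addresses and the sids are all constructed for the example. The last packet carries the same traversal attack inside a fake TLS record on port 443: the flow rules, which look only at headers, behave exactly as before, but the content rule cannot see the pattern and stays silent.

```python
"""Toy Snort-style rule engine (added example, not Snort's own code).

Parses rules in Snort's rule syntax and runs them over constructed packets to
contrast a signature (content) rule with traffic-flow rules that look only at
addresses and ports.  Addresses are RFC 5737 documentation ranges and the sids
are local ones (>= 1000000); everything here is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed rule set for a hypothetical web server at 192.0.2.10.
RULES = """
# Signature rule, like a vendor-supplied one: directory traversal in an HTTP request
alert tcp any any -> 192.0.2.10 [80,443] (msg:"WEB-ATTACK directory traversal"; content:"../"; sid:1000001;)
# Traffic-flow rules written for this site: only 80/443 inbound, nothing outbound
alert tcp any any -> 192.0.2.10 ![80,443] (msg:"POLICY unexpected inbound port on web server"; sid:1000002;)
alert tcp 192.0.2.10 any -> any any (msg:"POLICY outbound connection from web server"; sid:1000003;)
"""

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rules(text):
    """Parse rule lines into dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, direction, dst, dport, body = m.groups()
        contents, other = [], {}
        for opt in filter(None, (o.strip() for o in body.split(";"))):
            key, _, val = opt.partition(":")
            val = val.strip().strip('"')
            if key == "content":
                contents.append(val.encode())   # plain-string content only, no |hex|
            else:
                other[key] = val
        rules.append(dict(proto=proto, src=src, sport=sport, direction=direction,
                          dst=dst, dport=dport, msg=other.get("msg", ""),
                          sid=int(other["sid"]), content=contents))
    return rules


def _split_neg(spec):
    """Strip Snort's leading negation operator, returning (spec, negated)."""
    return (spec[1:], True) if spec.startswith("!") else (spec, False)


def match_addr(spec, addr):
    """'any', a host, or a CIDR block, optionally negated with '!'."""
    spec, neg = _split_neg(spec)
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != neg


def match_port(spec, port):
    """'any', N, lo:hi, or a [list] of those, optionally negated with '!'."""
    spec, neg = _split_neg(spec)
    if spec == "any":
        return not neg
    hit = False
    for item in spec.strip("[]").split(","):
        lo, sep, hi = item.partition(":")
        lo = int(lo) if lo else 0
        hi = (int(hi) if hi else 65535) if sep else lo
        hit = hit or lo <= port <= hi
    return hit != neg


def _header_hit(rule, src, sport, dst, dport):
    return (match_addr(rule["src"], src) and match_port(rule["sport"], sport)
            and match_addr(rule["dst"], dst) and match_port(rule["dport"], dport))


def rule_matches(rule, pkt):
    if rule["proto"] != pkt.proto:
        return False
    hit = _header_hit(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if not hit and rule["direction"] == "<>":   # bidirectional rule: try it the other way round
        hit = _header_hit(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    # Every content: pattern must occur in the payload.  Flow rules carry none and
    # so match on headers alone, which is why they still work on encrypted traffic.
    return hit and all(c in pkt.payload for c in rule["content"])


def run_rules(rules_text, packets):
    """Return (packet index, sid) for every rule that fires on each packet."""
    rules = parse_rules(rules_text)
    return [(i, r["sid"]) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


WEB = "192.0.2.10"
# Constructed traffic: outside hosts 198.51.100.x, a hypothetical C2 server at 203.0.113.5.
PACKETS = [
    Packet("tcp", "198.51.100.7", 40000, WEB, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 40001, WEB, 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 40002, WEB, 22, b"SSH-2.0-OpenSSH_5.1\r\n"),
    Packet("tcp", WEB, 51000, "203.0.113.5", 6667, b"NICK webbot\r\n"),
    # The same traversal request inside TLS on 443: fake ciphertext bytes, so the
    # signature rule cannot see "../" and stays silent.
    Packet("tcp", "198.51.100.9", 40003, WEB, 443,
           b"\x17\x03\x03\x00\x10\x9f\x3b\xc4\x08\x71\xd2\x55\xe6\x0a\x3c\x77\x19\xb8\x42\xde\x61"),
]

if __name__ == "__main__":
    by_sid = {r["sid"]: r["msg"] for r in parse_rules(RULES)}
    for i, sid in run_rules(RULES, PACKETS):
        p = PACKETS[i]
        print(f"[{sid}] {by_sid[sid]}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run as a script it prints three alerts: the traversal request trips the signature rule, the SSH connection to the web server trips the inbound port policy, and the web server's own connection to port 6667 trips the outbound policy although no signature for that traffic exists. Real Snort rules carry further options (flow:, classtype:, rev:, |hex| content) that this parser deliberately ignores.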

Network IDS Versus Network IPS

NIDS/NIPS can trigger false positives, that is, false alarms.

This means that it is possible for a NIPS to block a perfectly legitimate network connection, disrupting the organization's daily operations. A NIPS should therefore be deployed with caution, and with careful monitoring in the first few days.

A NIDS is passive: it only listens to a copy of the traffic and cannot disrupt anything. Its only drawback is the effort of analysing alerts, with time spent identifying false positives.

Encryption and NIDS/NIPS Limitations

Aside from false positives, encrypted network connections are a major issue.

Unless the network architecture is changed so that the sensor sees plaintext (for example by terminating TLS at a proxy or load balancer in front of the sensor, in effect a sanctioned "man in the middle" attack with the NIDS/NIPS as the "man"), a NIDS/NIPS cannot scan encrypted network connections for attack signatures (see the Snort FAQ below). It still sees the addresses, ports and volume of an encrypted connection, so traffic flow rules continue to work where signature rules do not.

Deploying a Network IDS or IPS

Like a firewall or antivirus solution, deploying a NIDS is now informally considered a standard IT security best practice, necessary to show due diligence effort in securing a network.

As with a Host IDS, deploying a NIDS is a low-risk operation. After gaining some experience with a NIDS, a NIPS can be deployed for better security: stopping attacks in real time.

No IT security solution is perfect. Most complement each other, covering gaps in the capabilities of other systems. Host IDS and Host IPS systems should also be considered.

The Snort Users Guide provides a good overview of Snort, as does this Snort FAQ.


The copyright of the article Network Intrusion Detection & Prevention Systems in Security/Antivirus Software is owned by Yuen Kit Mun. Permission to republish Network Intrusion Detection & Prevention Systems in print or online must be granted by the author in writing.

