Solved

Intrusion Detection System (IDS)

Posted on 2004-08-13
Last Modified: 2010-04-11
Hi experts,

I have been doing some research on security.
According to what I found the following can be setup.

Inet-------------Firewall------LAN
             |            |
           IDS         DMZ

They suggest the IDS to be a system listening in promiscuous mode, having no IP so it cannot be reached or detected.

How is this achieved? The way I understand it, to be able to see traffic it should be connected to a hub/switch, hence having a cable and NIC which will have an IP.
But the diagram doesn't show any switch or device where the IDS is connected to.

Can anyone bring some light over this matter please?

Thanks in advance,
Tech.
Question by:techfreelance
12 Comments
 
LVL 22

Expert Comment

by:pjedmond
ID: 11798984
If you are trying to set up an intrusion detection system, it can be configured to run on your firewall if your firewall is a Linux/BSD based system using IDS software such as SNORT:

http://www.snort.org/

There are also commercial applications out there.

At the very basic level, you can put an ethernet card into 'promiscuous' mode so that it listens to every packet on the 'segment' of the net that it is on. On a linux system, the command you need is tcpdump:

http://www.rt.com/man/tcpdump.1.html

This provides a raw dump of the data that can be filtered/manipulated as required depending on the aspect of interest.

A windows version of this also exists called windump:

http://windump.polito.it/

IDS running on the system that might be attacked can normally be easier to configure, and is better integrated into the OS concerned. Software such as Zone Alarm and the various integrated security suites spring to mind for Windows, and Snort for Linux.

IDS relating to detecting penetration can only be accurately run on the system deemed to be the target. Software such as tripwire:

http://www.tripwire.org/

creates a hash of directories and files to be protected. If the files are compromised, then the hash will not match and an alarm is produced. Obviously the above diagram does not help for this situation.

Remember that tcpdump and its equivalents can be dangerous in the wrong hands. They can sniff out root passwords from the ethernet traffic on the network segment concerned, or even hijack communications between other PCs/servers. However, the 'promiscuous' ethernet card will always have an identity....this will be a MAC address, and an IP address if the card is enabled (OK, I'm sure that someone could create one without these, but all commercial cards do). Note that the MAC address (unique identifier for the device from the manufacturer) can be faked on many cards. However, the card can appear to be invisible because it is firewalled/configured not to respond to anything.

HTH:)
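The host-based integrity check pjedmond describes (Tripwire hashing protected files and alarming when a hash no longer matches) is small enough to show end to end. The script below is an added example written for this page, not Tripwire's own code: it baselines a directory tree with SHA-256, stores the baseline as JSON, and on re-check reports modified, added and removed files. The `demo()` scenario builds a constructed fake `etc` tree in a temporary directory and then tampers with it; every path and content in it is made up for the illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Walk `root` and record the hash of every regular file, keyed by POSIX-style relative path."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():  # skip devices, sockets and symlinks
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline, db_path):
    """Persist the baseline as JSON. Tripwire keeps this signed/offline; here it is a plain file."""
    with open(db_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report every path whose hash changed, every new path, and every path that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tiny fake etc tree, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulated tampering after the baseline was taken (all constructed):
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # setting weakened
        (root / "ld.so.preload").write_text("/lib/unknown.so\n")             # new file appeared
        (root / "passwd").unlink()                                            # file removed

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The weak point of any such checker is the baseline itself: if it sits writable on the monitored host, an intruder who can alter the files can also regenerate the hashes, which is why Tripwire signs its database and why the baseline belongs on read-only or offline media.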
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11799068
techfreelance,
the docs are right: your IDS is plugged into a hub right before your firewall, and it doesn't need an IP 'cause it only listens to what's going on
Keep in mind that it's a hub; if you use a switch you need to plug your IDS into the monitor port (which needs to monitor *all* other ports at once)

I slightly disagree with pjedmond, I'd not install the IDS on the firewall (except you plan to use an IDS/IPS).
If you really want to spend money and time for looking what happens, then there should be an IDS before, and one after the firewall, and probably a 3rd one in your LAN. All these IDS connected via an admin-LAN to monitor them and compare results.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11800782
IDS are layer 2 devices, so don't need IP addresses.  However, they do need to see all the packets that need looking at, so need to be connected to a SPAN port or hub or network tap in order to see what's going on.
Think of it as just plugging a hub or switch into your network.  They don't need IP addresses for the same reason as IDS devices don't.  :)
 
LVL 22

Expert Comment

by:pjedmond
ID: 11801449
Sorry - ahoffmann - I'm a cheapskate, and don't like spending money....you're absolutely right - ideally a firewall should be just that - the more stuff you add to it the more chance of it being breached!

Having said that many commercial products stick the IDS on the firewall - in order to add perceived value?

 

Author Comment

by:techfreelance
ID: 11801580
tim holman>> IDS are layer 2 devices, so don't need IP addresses.

So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?

:-/

 
LVL 22

Expert Comment

by:pjedmond
ID: 11801620
The dedicated ones are specialist hardware devices that you just plug into a network. The ones I've seen actually then connect to a PC via a serial port for further analysis. However the PC was configured with a Rocket Port (32 serial ports card)...and could connect to 32 of these things.  Alternatively, you can use a PC with the software running on it. If it's the PC version, then ethernet cards just happen to come with MAC addresses and get allocated an ip address in order to work.

 
LVL 79

Expert Comment

by:lrmoore
ID: 11802919
IDS's need 2 interfaces. One that is promiscuous and does not have an IP address, and another interface for the management/monitoring software to be able to address the device. Else, how can you see the alerts/alarms? Think Snort/ACID, Cisco IDS, and several others..

My opinion, for what it's worth:
It is a given fact that every nut job on the planet is knocking on your front door. What good is an IDS sitting in front of your firewall? All you're doing is confirming that fact and you get so many positives that you can't possibly get meaningful information. Unless your IDS and router work hand-in-hand to automatically adjust the inbound access-list restrictions to put temporary blocks on those networks that are the source of the alarms, it does not do much good.
My preference is to place the IDS on the INSIDE of my firewall. Your firewall's job is to automatically block all those bad guys anyway, but I want to know what's going on INSIDE my network. The IDS can pick up worm/virus behavior, as well as possible intruders that get through the firewall. THIS is much more meaningful information.
Of course, the ideal situation would be to have both inside and outside with the screening router, IDS's and firewall all working as a single team...
 
LVL 23

Accepted Solution

by:Tim Holman (earned 500 total points)
ID: 11803585
Agreed.

Also, remember IDS is only ever any good for forensics.  To use it as a live detection-blocking solution and answer-to-everything-that-firewalls-cannot-do is the wrong way to go.

>So, should I understand IDS are hardware devices (that plug into a hub) or a PC with software installed listening through a NIC (with no IP???)?

Either.  PCs can run their network adaptors in a special L2 mode called 'promiscuous mode'.  They will just soak up all the traffic silently and analyse.

To get you started, why not download the Windows version of Snort from www.snort.org.  This requires an additional driver to get things working, called WinPCap, which is a generic L2 capturing driver which fits over most network cards, and will give you an idea of what IDS is and how it works, all for free.

You will also see the HUGE amount of data IDS systems will generate.  They need a hell of a lot of tuning to reduce false positives, plus 24x7 event management to be effective.  If it's just you as a network administrator in the company, then you simply will not have time to sift through everything.  In this situation, you would look at an IPS (Intrusion Prevention System), which will actively block attacks without you having to 24x7 manage the thing.  Take a look at www.toplayer.com, for example...  ;)

IDS has its uses - but don't go spending too much on it, or focus on this without looking at your holistic security solution - which should include firewalling, IPS, anti-virus, patch management, network IDS, host IDS, security event management etc etc.

Also look at what Gartner have to say - basically, IDS is Dead, long live IPS...

http://www.esecurityplanet.com/views/article.php/2228631
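Two points from this thread fit into one runnable illustration: the sensor is a layer 2 listener that decodes raw frames without ever being an IP endpoint (Tim Holman's and pjedmond's answers), and an untuned sensor floods you with repeated alerts (the accepted solution's tuning point). The code below is an added example for this page, not Snort's code or anything from the thread's authors: it parses Ethernet/IPv4/TCP out of raw bytes the way WinPcap or libpcap would hand them up, matches a hypothetical two-rule signature set, and applies a per-source, per-rule alert limit modelled on Snort's `threshold type limit`. The rule names, the frames in `demo()` and all addresses are constructed for the example.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6


def ip4(raw):
    return ".".join(str(b) for b in raw)


def inet(dotted):
    return bytes(int(x) for x in dotted.split("."))


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP from raw bytes, as a promiscuous NIC delivers them.
    Returns a dict for TCP/IPv4 frames and None for anything else (ARP, UDP, runts)."""
    if len(frame) < 14:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or proto != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]  # total_len bounds the datagram; Ethernet padding past it is ignored
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(tcp) < doff:
        return None
    return {"src": ip4(src), "dst": ip4(dst), "sport": sport, "dport": dport, "payload": tcp[doff:]}


# Hypothetical rules in the spirit of Snort signatures (names and contents constructed here).
RULES = [
    {"name": "WEB-MISC directory traversal attempt", "dport": 80, "content": b"../../"},
    {"name": "POLICY cleartext telnet session", "dport": 23, "content": None},
]


class Sensor:
    """Passive signature matcher with a per-source, per-rule alert limit, so one noisy
    source does not bury the analyst (the tuning the accepted answer talks about)."""

    def __init__(self, rules, limit_per_source=1):
        self.rules = rules
        self.limit = limit_per_source
        self.matches = 0   # every rule hit, before thresholding
        self.alerts = []   # what actually reaches the console
        self._seen = Counter()

    def inspect(self, frame):
        pkt = parse_frame(frame)
        if pkt is None:
            return
        for rule in self.rules:
            if pkt["dport"] != rule["dport"]:
                continue
            if rule["content"] is not None and rule["content"] not in pkt["payload"]:
                continue
            self.matches += 1
            key = (rule["name"], pkt["src"])
            self._seen[key] += 1
            if self._seen[key] <= self.limit:
                self.alerts.append(
                    f'{rule["name"]} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}')


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed test frame (Ethernet + IPv4 + TCP); checksums stay zero, the parser ignores them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, PROTO_TCP, 0,
                     inet(src_ip), inet(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 8192, 0, 0) + payload
    return eth + ip + tcp


def demo():
    """Replay a constructed capture through the sensor and return it for inspection."""
    sensor = Sensor(RULES, limit_per_source=1)
    capture = [build_frame("203.0.113.5", "192.0.2.10", 40000 + i, 80, b"GET /../../../ HTTP/1.0\r\n")
               for i in range(5)]                                                                   # one noisy source, five tries
    capture.append(build_frame("198.51.100.7", "192.0.2.10", 51000, 80, b"GET /index.html HTTP/1.0\r\n"))  # benign
    capture.append(build_frame("192.0.2.20", "192.0.2.10", 52000, 23, b"login: "))                         # telnet
    capture.append(bytes(12) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28))                               # ARP, skipped
    for frame in capture:
        sensor.inspect(frame)
    return sensor


if __name__ == "__main__":
    s = demo()
    print(f"{s.matches} rule matches, {len(s.alerts)} alerts emitted after thresholding")
    for line in s.alerts:
        print("ALERT", line)
```

Nothing in `Sensor` sends a packet or needs a local address, which is the practical meaning of "the IDS has no IP": it only needs the capture driver to hand it frames from a hub, SPAN port or tap. The limit of one alert per source per rule turns five identical probes into a single line; real deployments also need the second, addressed interface lrmoore mentions so that those lines can reach a console.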


 
LVL 51

Expert Comment

by:ahoffmann
ID: 11804895
hmm, all comments repeating mine http:#11799068
Think we got it all now ;-))
 
LVL 22

Expert Comment

by:pjedmond
ID: 11805093
...of which many were repeating mine ;)
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11805124
>  .. ethernet card will always have an identity....this will be a MAC address, and an IP address
pjedmond, this is wrong :-|
 
LVL 22

Expert Comment

by:pjedmond
ID: 11805165
..oh - OK then - Commercial cards always have a MAC address even if they don't exhibit it to the outside world, and IP addresses if they are actively being used to communicate on an IP based communications system....and yes I know it's possible to erase or alter that identity. I know that I might be simplifying things a little, and I also accept that my experience may not be as broad as yours.

I also appreciate that cards as part of the DHCP and other protocols broadcast requests for being given an identity, but they still identify themselves using the MAC address as far as I'm aware. If I'm still missing something in the above, I obviously need to learn (me AT cb DOT ws)

Many thanks:)
