Protect your network | Intrusion Detection System (IDS)


Realizing that someone has broken into your network is a scary thought for all of us, because in most cases you only realize it when it is too late. Luckily for us, when an attacker tries to break into a network, in most cases they leave traces behind that can warn us. To detect that evidence quickly we have a very useful tool: an Intrusion Detection System (IDS).



Like firewalls, an IDS can be software or hardware, and it can be host-based or network-based. But the two are very different from each other, and we have to understand the difference. While a firewall is designed to block unwanted traffic from entering your network, an IDS audits the network's activity looking for any trace of an intrusion.

In general, an IDS is composed of three main components:
  • Sensors: detect events on the network.
  • Console: used to configure the sensors and monitor the events.
  • Database: records all the events seen on the network.

Network-based IDS:

They are by far the most commonly implemented systems. A network-based intrusion detection system, or NIDS, is a separate device attached to the network, normally via a switch. More advanced NIDS deployments can even attach sensors both before and after the firewall, which gives an extra layer of security: the system can see what is arriving from outside the network and compare it with what is actually getting inside.


 

Within NIDS we can find two big groups, statistical-based and pattern-based, each with different characteristics:

  • Statistical: it continuously looks for abnormal behaviour in the data on the network. When anomalous behaviour is detected, the IDS sets off the intrusion alarm. Its main advantage is that it can detect an intrusion that has never been recorded before, and therefore it can detect new types of attacks. The price is a significant number of false alarms.
  • Pattern-based: this type of IDS keeps an updated database of well-known exploits and their attack patterns. If, while scanning, it finds a packet that matches its database, it triggers the alarm. The advantages of this type of IDS are quick deployment, since it only has to look for patterns, and fewer false positives. Its strength is also its weakness: it will not detect any attack that does not match its database, which leaves it vulnerable to cutting-edge threats.
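To make the two approaches concrete, here is an added example that is not part of the original article: a small Python script that runs a pattern-based detector (a constructed signature database) and a statistical detector (a z-score against a baseline of byte counts) over a few constructed connection records in an invented log format. The log lines, the signature names and the baseline values are all made up for illustration. Note how each detector catches something the other misses, and how the statistical one also flags a benign large download, which is exactly the false-alarm trade-off described above.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed connection records in a made-up log format (not captured traffic):
# timestamp, source address, destination port, bytes transferred, payload snippet.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.0.0.5 dport=443 bytes=1200 payload=GET /index.html
2024-01-01T10:00:02 src=10.0.0.6 dport=443 bytes=980 payload=GET /about
2024-01-01T10:00:03 src=10.0.0.5 dport=80 bytes=1500 payload=POST /login
2024-01-01T10:00:04 src=10.0.0.7 dport=443 bytes=1100 payload=GET /img.png
2024-01-01T10:00:05 src=10.0.0.8 dport=80 bytes=1050 payload=GET /search?q=' OR 1=1--
2024-01-01T10:00:06 src=10.0.0.9 dport=22 bytes=90000 payload=SSH-2.0
2024-01-01T10:00:07 src=10.0.0.5 dport=443 bytes=45000 payload=GET /backup.tar.gz
"""

# Constructed byte counts observed during a quiet period; this is the
# "normal behaviour" the statistical detector compares against.
BASELINE_BYTES = [1200, 980, 1500, 1100, 1050, 1300, 900, 1250]

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"bytes=(?P<nbytes>\d+) payload=(?P<payload>.*)"
)


@dataclass
class Event:
    ts: str
    src: str
    dport: int
    nbytes: int
    payload: str


def parse_log(text: str) -> list[Event]:
    """Turn the sensor's raw lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["src"], int(m["dport"]),
                                int(m["nbytes"]), m["payload"]))
    return events


# Pattern-based detection: a tiny constructed signature database. A real
# ruleset is far larger and has to be updated continuously.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def pattern_alerts(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, signature name) for every payload that matches a signature."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in SIGNATURES.items():
            if rx.search(ev.payload):
                hits.append((i, name))
    return hits


def statistical_alerts(events: list[Event], baseline_bytes: list[int],
                       threshold: float = 3.0) -> list[tuple[int, float]]:
    """Return (event index, z-score) for events whose byte count lies more than
    `threshold` standard deviations away from the baseline mean."""
    mean = statistics.mean(baseline_bytes)
    sd = statistics.pstdev(baseline_bytes)
    if sd == 0:
        raise ValueError("baseline has no variance; cannot compute z-scores")
    hits = []
    for i, ev in enumerate(events):
        z = (ev.nbytes - mean) / sd
        if abs(z) > threshold:
            hits.append((i, round(z, 1)))
    return hits


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    # The signature detector catches the injection attempt but not the large
    # transfers; the statistical detector catches the transfers (one of which
    # is a legitimate backup, i.e. a false alarm) but not the injection.
    for i, name in pattern_alerts(EVENTS):
        print(f"signature {name:<24} {EVENTS[i].src} {EVENTS[i].payload}")
    for i, z in statistical_alerts(EVENTS, BASELINE_BYTES):
        print(f"anomaly   z={z:<22} {EVENTS[i].src} {EVENTS[i].payload}")
```

Running it shows one signature hit (the SQL injection string) and two statistical hits (the 90000-byte SSH session and the 45000-byte backup download). Neither detector alone covers everything, which is why the combined approach described in the next section is now the norm.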

 

Nowadays the trend is for an IDS to combine both pattern-based and statistical detection. Where the two converge is in their response: when an IDS detects an intrusion and triggers its alarm, it follows a few steps:

  • Logging: all the activity of the intrusion is logged, because this information can be used when analysing future attacks.
  • Notification: when an attack occurs, the IDS sends an alert to the network administrators.
  • Avoidance: after checking the notification, it may turn out to be a false positive, or an attack that simply does not affect your network, in which case the threat can be ignored.
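The three response steps can be written down as a small triage pipeline. The following Python is an added example, not code from the original article: it takes a handful of constructed detector alerts, logs every one of them as a JSON line (the logging step), suppresses the ones a reviewer has already marked as benign or whose signature only applies to software the target does not run (the avoidance step), and produces a notification for the rest. The alert contents, signature names, asset inventory and the "known benign" list are all invented for illustration.

```python
import json

# Constructed detector output (not from any real IDS).
ALERTS = [
    {"id": 1, "src": "10.0.0.8", "signature": "sql-injection-tautology", "target": "web01"},
    {"id": 2, "src": "10.0.0.9", "signature": "anomalous-transfer", "target": "bastion"},
    {"id": 3, "src": "10.0.0.5", "signature": "anomalous-transfer", "target": "web01"},
    {"id": 4, "src": "192.0.2.10", "signature": "exploit-for-product-x", "target": "web01"},
]

# Which software each signature is relevant to (constructed); an empty set
# means the signature applies regardless of what the target runs.
SIGNATURE_AFFECTS = {
    "sql-injection-tautology": set(),
    "anomalous-transfer": set(),
    "exploit-for-product-x": {"product-x"},
}

# Asset inventory: what actually runs on each host (constructed).
INVENTORY = {
    "web01": {"nginx", "php"},
    "bastion": {"openssh"},
}

# (source, signature) pairs an administrator has reviewed and found benign,
# e.g. the nightly backup job that always trips the transfer-size detector.
KNOWN_BENIGN = {("10.0.0.5", "anomalous-transfer")}


def decide(alert: dict) -> str:
    """Avoidance step: classify an alert as notify-worthy or as safe to ignore."""
    if (alert["src"], alert["signature"]) in KNOWN_BENIGN:
        return "suppress:false-positive"
    affects = SIGNATURE_AFFECTS.get(alert["signature"], set())
    present = INVENTORY.get(alert["target"], set())
    if affects and not (affects & present):
        # The attack targets software this host does not run.
        return "suppress:not-applicable"
    return "notify"


def handle_alerts(alerts: list[dict]) -> tuple[list[str], list[str]]:
    """Log every alert (including suppressed ones), then notify on the survivors.

    Returns (log records, notifications). The log keeps the full picture for
    later investigation; the notifications are what an administrator sees."""
    log_records = []
    notifications = []
    for alert in alerts:
        decision = decide(alert)
        # Logging step: one JSON line per alert, decision included.
        log_records.append(json.dumps({**alert, "decision": decision}, sort_keys=True))
        # Notification step: only alerts that survived triage reach people.
        if decision == "notify":
            notifications.append(
                f"[IDS] {alert['signature']} from {alert['src']} "
                f"against {alert['target']} (alert {alert['id']})"
            )
    return log_records, notifications


if __name__ == "__main__":
    records, notes = handle_alerts(ALERTS)
    print("\n".join(records))
    print("\n".join(notes))
```

The important design point is that suppression happens after logging, never before: an alert that is ignored today may be the one piece of evidence you need when reconstructing an incident later, so the database keeps all of them while the administrator's inbox only gets the two that matter.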

NIDS are a very useful tool, but the technology is still quite new and has a lot of room to develop. In fact, the current challenge for the industry is to find better ways of combining IDS technology with existing firewalls.
