One fine day, a bank was operating on its normal daily schedule when its
banking database was suddenly found to be showing all the wrong records, after
which the security management task force was immediately alerted. The
organization was using firewalls that did not inspect inbound traffic for
malicious data, which prolonged the process of tracking the virus and alerting
the network. An IDS would have saved the network from damage, owing to its
ability to scan not only the outbound traffic but also the inbound traffic on a
network.
What is IDS
IDS acts like a burglar alarm for the network. Intrusion detection is the
process of monitoring the events occurring in an IT system and analyzing them
for signs of intrusions. Next, it alerts the network users about the detected
attack and immediately logs the users off the network to protect the terminals
from further damage, sometimes also managing to trace the hacker down using
technologies like protocol anomaly detection and signature-based detection.
Sophisticated viruses like Code Red, Nimda and Code Red II have managed to crack
networks and hamper valuable database information. The sectors that have
undergone these experiences have primarily been the banking sector and corporate
houses with large databases. The story has always been that a virus suddenly
hits the network and, by the time the company's security software has tracked
it, the damage intended by the hacker is already, and very successfully, done.
Thus arose the need for more sophisticated technology that would be able to
track the virus on the network immediately after an attack and also promptly
trace the hacker down to prevent further attacks. For several years now, various
changes have been incorporated in the network security infrastructure, with
implementations ranging from firewalls and their upgraded versions, router
security techniques, host system security, auditing and incident response plans
to intrusion detection systems (IDS).
Though all these technologies have their own complexities and loopholes, IDS
deployment has been the more successful technology for securing information in
corporate sectors. The sole purpose and advantage of using IDS is its ability to
track the inbound traffic and alert the network users against hacker attacks,
which is not possible with a firewall that sniffs only the outbound traffic. IDS
acts like a burglar alarm for the network. Intrusion detection is the process of
monitoring the events occurring in an IT system and analyzing them for signs of
intrusions. These intrusions are defined as attempts to compromise
confidentiality, integrity, or availability, or to bypass the security
mechanisms of an IT system. They are caused by attackers accessing systems from
the Internet, by authorized users of the systems who attempt to gain additional
privileges for which they are not authorized, and by authorized users who misuse
the privileges given to them. The IDS obtains event information from one or
more information sources, performs a pre-configured analysis of the event data,
and then generates specified responses, ranging from reports to active
intervention, when intrusions are detected.
The goal of deploying IDS is to detect, identify, and monitor unauthorized use,
misuse, and abuse of IT systems by both internal network users and external
attackers. These intrusions can be broken down into two main types. Misuse
intrusions, well-defined attacks on known weak points of an IT system, can be
detected by signature analysis or by watching for certain actions being
performed on certain objects. Anomaly intrusions, based on observations of
deviations from normal IT system usage patterns, can be detected by pattern
analysis, that is, by building up a profile of the IT system being monitored and
noting significant deviations from this profile. IDS technologies are deployed
in one of two modes: passive or reactive (also called active). In a passive
system, the IDS detects a potential security breach, immediately logs the
required information and signals an alert. In a reactive system, the IDS reacts
to any suspicious activity by disconnecting the user from the network or by
reprogramming the firewall to block network traffic from the suspected malicious
source. In that sense, they are the first line of defense for the computer
network. In its basic philosophy, IDS inspects all inbound and outbound network
activity to identify suspicious patterns in the traffic and catch the intruder
at any of the seven layers of the network. Though Symantec uses honeypots like
Manhunt to track the hackers intruding into its systems, Network Associates
believes that honeypots are an unnecessary feature for IDS as long as it is
defending the customer's systems from virus attacks and also successfully
providing patches for them.
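The two detection types and the two response modes described above, as an added Python example that is not from the original article: a constructed set of web-request events is checked by signature analysis (misuse detection) and by deviation from a learned per-source volume profile (anomaly detection), and the resulting alerts are handled in passive or reactive mode. The signatures, the baseline profile and the sample events are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Illustrative misuse signatures (constructed for this example, not a vendor ruleset).
# The first is modelled on the request pattern the Code Red worm sent to IIS servers.
SIGNATURES = {
    "ida-probe": re.compile(r"/default\.ida\?"),
    "directory-traversal": re.compile(r"\.\./"),
}

# Constructed profile: requests per source seen during a quiet training window.
BASELINE = {"10.0.0.5": 4, "10.0.0.9": 3, "10.0.0.11": 5, "10.0.0.12": 4}

# Constructed sample events: (source_ip, request_line).
EVENTS = (
    [("10.0.0.5", "GET /index.html HTTP/1.0"), ("10.0.0.9", "GET /about.html HTTP/1.0")]
    + [("10.0.0.7", "GET /page%d.html HTTP/1.0" % i) for i in range(30)]
    + [("10.0.0.9", "GET /default.ida?NNNN HTTP/1.0")]
)


def misuse_alerts(events):
    """Misuse detection: signature analysis flags every event matching a known attack pattern."""
    return [(src, name) for src, req in events
            for name, pat in SIGNATURES.items() if pat.search(req)]


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly detection: flag sources whose request volume deviates from the learned profile
    by more than k standard deviations (spread floored at 1 so a flat profile is still usable)."""
    mean = statistics.mean(baseline.values())
    spread = max(statistics.pstdev(baseline.values()), 1.0)
    counts = Counter(src for src, _ in events)
    return [(src, "volume-anomaly") for src, n in counts.items() if n > mean + k * spread]


def respond(alerts, reactive=False):
    """Passive mode only logs and signals; reactive mode also returns the sources to block
    at the firewall (the 'reprogramming the firewall' response)."""
    log = ["ALERT %s from %s" % (name, src) for src, name in alerts]
    blocked = sorted({src for src, _ in alerts}) if reactive else []
    return log, blocked


if __name__ == "__main__":
    found = misuse_alerts(EVENTS) + anomaly_alerts(EVENTS, BASELINE)
    for line in respond(found, reactive=True)[0]:
        print(line)
```

With this data the signature catches the single probe from 10.0.0.9, while the volume profile catches 10.0.0.7, whose requests match no signature at all.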
"We do not use honeypots as we consider them a diversification from the
business; instead we have a learning engine with a sophisticated algorithm that
logs files immediately in case of unprecedented attacks and also alerts the
network," says Viren Mantri, Regional Technical Manager, NAI.
Trap at the application layer
Most IDSs are structured around a large signature database that attempts to
compare every packet to every signature in the database. Though this approach
is effective to a large extent, it suffers drawbacks when network speeds
increase and the resources the IDS sensor has to track packets decrease,
causing some packets to be discarded and leaving relevant attacks undetected.
Most IDS sensors can only operate effectively up to about 60 MB per second.
Many companies today fully utilize 10/100 or up to 1 GB per second on their
network backbone, where most of their mission-critical servers reside. A
further drawback of signature-based systems is the time it takes for the IDS
vendor to identify new attacks, create a signature, and then release an update.
A more successful methodology, as mentioned earlier, is the 'protocol anomaly
detection' technology that is performed at the application protocol layer. Its
efficiency lies in the fact that it focuses on the structure and content of the
communications occurring in a network. When protocol rules are modeled directly
in the sensors, it is easier to identify traffic that violates the rules, such
as unexpected data and extra or invalid characters. As soon as the IDS
identifies a violation of the protocol, it alerts the system administrator.
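Protocol anomaly detection as described above, as an added Python example that is not from the original article: a handful of HTTP/1.x request-line rules are modelled directly in the sensor, and any captured line that breaks them is reported with the rule it violated, with no attack signature involved. The allowed-method set, the URI length limit and the sample capture are constructed assumptions.

```python
import re

# Protocol rules modelled in the sensor (a constructed simplification of HTTP/1.x).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")
MAX_URI_LEN = 2048  # local policy limit, not a protocol constant


def check_request_line(line):
    """Return the protocol-rule violations found in one raw request line (empty list = conforming)."""
    violations = []
    # Rule 1: a request line is printable ASCII; control or 8-bit bytes are invalid characters.
    if any(b < 0x20 or b > 0x7E for b in line):
        violations.append("non-printable byte in request line")
    parts = line.decode("ascii", errors="replace").split(" ")
    # Rule 2: exactly three tokens (method, request-URI, version); anything more is extra data.
    if len(parts) != 3:
        violations.append("expected 3 tokens, got %d" % len(parts))
        return violations
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        violations.append("unknown method %r" % method)
    if not (uri.startswith("/") or uri.startswith("http://")):
        violations.append("request-URI is neither an absolute path nor an absolute URI")
    if len(uri) > MAX_URI_LEN:
        violations.append("request-URI length %d exceeds policy limit" % len(uri))
    if not VERSION_RE.match(version):
        violations.append("malformed version %r" % version)
    return violations


def scan(lines):
    """Apply the rules to captured request lines; return only the offending ones with their violations."""
    return [(ln, v) for ln in lines if (v := check_request_line(ln))]


# Constructed sample capture: one conforming line followed by four kinds of violation.
SAMPLE = [
    b"GET /index.html HTTP/1.0",
    b"GET /cgi-bin/x HTTP/1.0 extra",           # extra token
    b"GET /" + b"A" * 3000 + b" HTTP/1.0",      # overlong request-URI
    b"GET /search?q=\x00\x01 HTTP/1.1",         # invalid characters
    b"FOO / HTTP/9.9",                          # unknown method and bad version
]

if __name__ == "__main__":
    for ln, v in scan(SAMPLE):
        print(ln[:40], v)
```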
Will it last forever?
Though IDS in general is described as a detection system using technology, it is
in practice a converged solution handling process in a system involving not only
technology but also the people deploying it. Says Raghu Raman, Head of
Information Security, Mahindra Consulting, "A lot of products put in place are
not going to work for a simple reason: an alert has to be looked at by somebody."
Types of IDS
The various technologies deployed by IDS are signature detection, behavioral
anomaly detection and the recently established protocol anomaly detection.
- The traditional host-based IDS (HIDS) is a type of IDS that watches for
processes inside the host and monitors log files and data for suspicious
activity. As with most host-based solutions, platform availability and coverage
make this a difficult solution to manage and leave systems open to network
attack due to the lack of packet inspection capabilities.
- The network IDS (NIDS) is a commonly used type of IDS that works better than
a host-based IDS solution in terms of critical packet inspection capabilities.
It consists of one or more sensors and a console to aggregate and analyze data
from the sensors. However, some NIDS miss attacks owing to the huge volume of
network traffic and/or generate an unmanageable number of alerts due to false
positives.
- Hybrid IDS is a combination of host-based IDS and network IDS technologies.
Hybrid intrusion detection is system-based and provides attack recognition on
the network packets flowing to or from a single host. Again, platform
availability and deployment problems are an issue, and hybrids are
traditionally system-resource intensive, yet they are less susceptible to false
positives than network-based IDS.
- Decoy systems, or "honeypots" as they are more commonly known, provide an
additional level of security within the network infrastructure. A decoy
intrusion detection system's data is usually more valuable due to the reduction
of both false positives and false negatives. They simplify the data capture and
analysis process, providing valuable information on the motives of an attacker.
There have been several cases where the IDS technology functioned effectively
and yet did not contribute significantly to saving a network from an attack,
owing to the lack of promptness from the manual workforce handling the detected
attack. Says Raghu Raman, "We have faced circumstances where our deployed IDS
managed to raise an alarm about an invading virus at the right time, which
however failed to be effective owing to the disinterest and delay in taking
spontaneous action by the task force allotted for network security and
maintenance."
For IDS to work productively, it is a dire necessity that the maintenance staff
who see the alarm raised by the intrusion detection system act on it with
immediate effect, also signaling everyone else connected to the network. Joy
Ghosh, country manager, Symantec, says, "Companies need to recognize the urgency
of their security upgrade. There are companies with technology officers who are
least bothered about the security of their company's data; it is only the COOs
who show concern, as they are at risk of losing their jobs with any
unprecedented breach of their security infrastructure."
Standardizing technology seems almost impossible with the ever-evolving and
growing strength and sophistication of hacker skills. Even IDS in its latest
deployment technique cannot guarantee any optimum level of security. Claims
Sachin More, manager, IT security and projects, Mahindra & Mahindra, "Although
the number of false positives has reduced with IDS, they have not been
completely eliminated, and it still involves a lengthy process to identify and
react to a critical and authentic attack." All in all, IDS has definitely
strengthened network security; however, users need to constantly guard against
new, unpredictable breaches by professional attackers.