Network-based intrusion detection systems offer a different approach. “These systems collect information from the network itself,” rather than from each separate host. They operate essentially on a “wiretapping concept”: information is collected from the network traffic stream as data travels on the network segment. The intrusion detection system checks for attacks or irregular behavior by inspecting the header information and the contents of every packet moving across that segment. The network sensors come equipped with “attack signatures”, rules describing what constitutes an attack, and most network-based systems allow advanced users to define their own signatures. This offers a way to customize the sensors to an individual network’s needs and patterns of usage. Capturing every frame on the segment in this way is also known as packet sniffing; the sensor then compares each captured packet against its signatures, which is how it identifies hostile traffic.
Network-based systems are also extremely portable. They monitor only the traffic on a specific network segment and are independent of the operating systems running on the hosts they protect. “Deployed network-based intrusion detection sensors will listen for all attacks, regardless of the destination operating system type”. This offers more options for businesses that run specialized software or software they have developed in-house, which will become increasingly attractive as the newer UNIX-based operating systems continue to increase in popularity. Adding to their convenience, network-based sensors can be inserted easily on part of a network and data can be collected with minimal work. In many cases, all that is required to collect information for analysis is the configuration of a network card (for example, placing the interface in promiscuous mode so that it accepts frames not addressed to it). This is beneficial where the network topology changes or where system resources have been moved: the intrusion detection monitors can simply be moved and used as needed.
However, network-based solutions have their share of problems. As discussed above, the sensors spot attacks based on their attack signatures. These signatures are written from data collected on known, previous attacks, which unfortunately ensures that they “will always be a step behind the latest underground exploits”: a new attack, or a variant of an old one that changes the bytes a signature looks for, passes unnoticed until a new signature is written and distributed to the sensors.
The second major issue with network-based intrusion detection approaches is scalability. Network monitors must inspect every packet that passes through the segment they are placed on. It has been demonstrated that network-based systems have difficulty keeping up in 100 Mbps environments; when a sensor cannot keep pace it drops packets, and any attack carried in a dropped packet is never seen.
Encryption and switching represent two further limitations of network-based approaches. First, if network traffic is encrypted, a sensor cannot scan the protocols or the content of these packets: header fields such as addresses and ports remain visible, but any signature that depends on payload content will never fire. Second, the nature of switches makes network monitoring extremely difficult. Unlike a shared hub, a switch forwards unicast frames only to the port of the destination host, so a sensor plugged into an ordinary switch port sees little more than broadcast traffic and frames addressed to itself; monitoring a switched segment requires a mirror (SPAN) port or a network tap.
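As an added example (not code from the original post), the following Python sketch shows the two mechanisms described above: a sensor comparing captured packets against header-and-content signatures, including a user-defined rule for an in-house service, and the encryption blind spot, where the very same attack request raises no alert once its payload is encrypted. The rule format, signature IDs, addresses, ports and traffic are all constructed for this example, and the XOR routine is a stand-in for TLS, not real cryptography.

```python
"""Toy signature-based network sensor (illustration only; not from the post).

Signatures, packets, addresses and ports below are constructed for the
example. The rule shape loosely imitates header + content rules of the
Snort kind but is invented here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One captured frame, already decoded to the fields a rule can test."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes   # application data exactly as it appeared on the wire


@dataclass(frozen=True)
class Signature:
    """A rule: header constraints plus an optional byte pattern in the payload.
    A field left as None is a wildcard."""
    sid: int
    msg: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # Content rules only work on cleartext: if the payload is ciphertext
        # the pattern is simply not there, and the rule stays silent.
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    dport: int


def inspect(packets: List[Packet], signatures: List[Signature]) -> List[Alert]:
    """The sensor's core loop: every packet on the segment is compared against
    every signature, one alert per match (no state, no stream reassembly)."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if sig.matches(pkt):
                alerts.append(Alert(sig.sid, sig.msg, pkt.src, pkt.dst, pkt.dport))
    return alerts


def toy_encrypt(plaintext: bytes, key: bytes = b"k3y") -> bytes:
    """Stand-in for TLS in this example only: XOR with a repeating key so the
    bytes on the wire no longer contain the plaintext pattern. Not real crypto."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


# Constructed rule set: two vendor-style rules and one "user-defined" rule for
# an in-house service, as the text says advanced users can write.
SIGNATURES = [
    Signature(1000001, "HTTP directory traversal attempt",
              proto="tcp", dport=80, content=b"/../../"),
    Signature(1000002, "Telnet into monitored segment (header-only rule)",
              proto="tcp", dport=23),
    Signature(1000003, "In-house app: unauthenticated admin reset (user rule)",
              proto="tcp", dport=9000, content=b"ADMIN_RESET"),
]

ATTACK_REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"


def constructed_traffic() -> List[Packet]:
    """Sample packets made up for the example (RFC 1918 addresses)."""
    return [
        Packet("10.0.0.5", "10.0.1.20", "tcp", 80, ATTACK_REQUEST),
        Packet("10.0.0.6", "10.0.1.20", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        Packet("10.0.0.7", "10.0.1.30", "tcp", 23, b"\xff\xfd\x18"),
        # Same attack request, but carried over an encrypted channel (port 443):
        # only the header fields remain visible, so the content rule cannot fire.
        Packet("10.0.0.5", "10.0.1.20", "tcp", 443, toy_encrypt(ATTACK_REQUEST)),
        Packet("10.0.0.8", "10.0.1.40", "tcp", 9000, b"ADMIN_RESET user=root\n"),
    ]


def demo() -> List[Alert]:
    """Run the constructed traffic through the constructed rule set."""
    return inspect(constructed_traffic(), SIGNATURES)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.sid}] {a.msg}: {a.src} -> {a.dst}:{a.dport}")
```

Running it yields three alerts (the cleartext traversal, the telnet header match and the in-house rule) and nothing for the encrypted copy of the traversal request, which is exactly the blind spot the paragraph describes. A real sensor would add stream reassembly and protocol decoding before matching, but the matching step itself is this loop.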