Intrusion detection involves detecting hackers after they have penetrated a firewall. Effective intrusion detection practice requires that you create an intrusion detection system, which is commonly referred to as an IDS. You can install IDS software directly on the Web server, then manage it remotely.
This particular form of intrusion detection is called a host-based IDS. A second type of intrusion detection system uses software that scans an entire subnet for problems. This type of IDS is called a network-based IDS.
An IDS can also help you track down illicit activity conducted by company employees.
Detecting and responding to network attacks and malicious code is one of the principal responsibilities of information security professionals. Formal techniques and procedures have been developed by expert practitioners in the field to provide a structured approach to this difficult problem. This chapter discusses these techniques as well as the different types of attacks and response mechanisms.
Malicious code is intended to harm, disrupt, or circumvent computer and network functions. This code can be mobile, such as Java applets or code in the ActiveX environment. It can also attach itself to legitimate code and propagate; it can lurk in useful applications or replicate itself across the Internet. The following sections describe these different types of malware.
A virus is code that attaches to a host program and propagates when the infected program is executed. Thus, a virus is self-replicating and self-executing. Viruses are transmitted in a variety of ways, including as part of files downloaded from the Internet or as e-mail attachments.
Network Security Essentials
Review of Common Attacks
Attacks against network resources are common in today's Internet-dependent world. Attacks are launched for a variety of reasons, including monetary gain, maliciousness (as a challenge), fraud, warfare, and to gain an economic advantage.
Attacks are directed at compromising the confidentiality, integrity, and availability of networks and their resources and fall into the following four general categories:
- Modification attack: Unauthorized alteration of information
- Repudiation attack: Denial that an event or transaction ever occurred
- Denial-of-service attack: Actions resulting in the unavailability of network resources and services, when required
- Access attack: Unauthorized access to network resources and information

Specific instantiations of these types of attacks are discussed in the following sections.
Intrusion Detection Prevention System
In addition, organizations use Intrusion Detection Prevention Systems for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion detection and prevention systems have become a necessary addition to the security infrastructure of nearly every organization.
Intrusion detection and prevention systems typically record information related to observed events, notify security administrators of important observed events, and produce reports.
Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding.
They use several response techniques, which involve
- the IDPS stopping the attack itself,
- changing the security environment or
- changing the content of the attack.
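The following is an added example, not code from the chapter, that models the host-based IDS described at the start of the section and the IDPS functions listed just above: it records observed events, raises an alert for an administrator, produces a summary report, and responds by changing the security environment (here, adding the offending source to a simulated deny list). The sshd-style log lines, the failure threshold of 5, and the `HostIDS` class are constructed assumptions for illustration, not the format or behaviour of any real product.

```python
"""Minimal host-based intrusion detection and response over a constructed auth log.

Added example, not the chapter's code: it models the IDPS functions the text
lists (recording observed events, notifying an administrator, producing a
report, and responding by changing the security environment) using a simple
threshold on failed logins per source address.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in an sshd-like format (assumption, not a real capture).
SAMPLE_LOG = """\
Mar  1 10:00:01 web01 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
Mar  1 10:00:02 web01 sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 5002 ssh2
Mar  1 10:00:03 web01 sshd[2003]: Failed password for root from 198.51.100.7 port 5003 ssh2
Mar  1 10:00:04 web01 sshd[2004]: Failed password for root from 198.51.100.7 port 5004 ssh2
Mar  1 10:00:05 web01 sshd[2005]: Failed password for root from 198.51.100.7 port 5005 ssh2
Mar  1 10:00:09 web01 sshd[2006]: Accepted publickey for deploy from 203.0.113.5 port 6001 ssh2
Mar  1 10:00:12 web01 sshd[2007]: Failed password for alice from 203.0.113.9 port 6002 ssh2
"""

# Matches failed password attempts, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class Alert:
    """Notification produced for the security administrator."""
    source: str
    failures: int
    users: list


@dataclass
class HostIDS:
    """Hypothetical host-based IDS: observe log lines, alert, respond, report."""
    threshold: int = 5                                   # failed logins before alerting
    events: list = field(default_factory=list)           # record of observed events
    alerts: list = field(default_factory=list)           # notifications raised
    blocked: set = field(default_factory=set)            # simulated firewall deny list
    failures: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, line):
        """Record a failed-login event; return an Alert when the threshold is reached."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        user, src = m.groups()
        self.events.append((src, user))
        self.failures[src].append(user)
        if src not in self.blocked and len(self.failures[src]) >= self.threshold:
            alert = Alert(src, len(self.failures[src]), sorted(set(self.failures[src])))
            self.alerts.append(alert)
            self.respond(alert)
            return alert
        return None

    def respond(self, alert):
        """'Changing the security environment': add a deny entry for the source.

        Simulated here; a real deployment would push a firewall rule and page
        an administrator rather than mutate an in-memory set.
        """
        self.blocked.add(alert.source)

    def report(self):
        """Summary report of what the IDS observed and did."""
        return {
            "events": len(self.events),
            "alerts": len(self.alerts),
            "blocked": sorted(self.blocked),
        }


def analyse(log_text, threshold=5):
    """Run the IDS over a block of log text and return it for inspection."""
    ids = HostIDS(threshold=threshold)
    for line in log_text.splitlines():
        ids.observe(line)
    return ids


if __name__ == "__main__":
    ids = analyse(SAMPLE_LOG)
    for a in ids.alerts:
        print(f"ALERT: {a.failures} failed logins from {a.source} for users {a.users}")
    print(ids.report())
```

On the constructed log, the five failures from 198.51.100.7 trigger one alert and a deny entry, while the single failure from 203.0.113.9 is recorded as an event but stays below the threshold; raising the threshold demonstrates the tuning trade-off between missed detections and false alarms that the text's "documenting existing threats" purpose depends on.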