Intrusion detection systems - only something for large networks?

Jul 03, 2022

An intrusion detection system (IDS) is designed to protect a network from hacker attacks. It detects attacks and harmful actions based on unusual activities and warns those responsible, for example, by e-mail or SMS.

Intrusion detection systems (IDS) are designed to detect intrusions and malicious actions in a network. In contrast to virus scanners and firewall systems, an IDS can also send warnings to responsible persons in the event of defined actions. However, installing an intrusion detection system requires some knowledge. It may be necessary to purchase special hardware. In addition, an IDS only makes sense if someone in the company can react promptly to possible alarms. Therefore, the question arises whether an intrusion detection system is something for comparatively small network infrastructures of SMEs. We would like to provide a few facts to help you decide.

What exactly is an intrusion detection system?

According to the guidelines of the Federal Office for Information Security, an IDS should ideally consist of the following components:

1. Network sensors: Used to monitor network traffic.

2. Host sensors: Used to monitor activities of the operating system, applications or network traffic of individual computers.

3. Database components: Used for logging detected activities.

4. Management station: Used to configure the entire IDS.

5. Evaluation station: A computer used for analysing detected activities.

The sensors record specified actions. These can be, for example, the amount of network traffic or file accesses on a system. It is also possible to monitor logs on hosts or servers. Individual rules must be defined in the intrusion detection system for the collected values. These depend on what is considered normal activity in the network. If, for example, large amounts of data are regularly sent out to external locations, this must be incorporated into the rules so as not to provoke unnecessary false alarms. If a certain threshold is exceeded, the IDS triggers an alarm and sends an e-mail notification or SMS to the administrator, for example.

Possible suspicious activities are:

  • Unusual number of write accesses to different files at a storage location
  • Systematic polling of ports on a server
  • Large amount of outgoing data
  • Critical entries in log files, such as failed login attempts
  • Network activity at unusual times

In addition, signatures can be used that contain known patterns of malicious actions. This is comparable to virus signatures in corresponding virus scanner software. In some cases, an IDS is supplemented by so-called honeypots. These are vulnerable elements that are intentionally placed in the network. In the event of an attack, it can be assumed that they will be compromised relatively soon. In this case, an alarm is also triggered.
After receiving the alert, the administrator can check whether there is a harmless reason for the anomalies or whether there is actually evidence of a cyber attack.
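As an added illustration of the rule-and-threshold approach described above (this is not code from the original article), the following Python sketch applies a few such rules to constructed sample log lines. The log format, the thresholds, the business-hours window and the per-host outbound baselines are all assumptions; the backup host has a deliberately high baseline so that its regular large transfers do not raise a false alarm, as the text recommends.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data): "<date> <time> <host> <event> k=v ...".
SAMPLE_LOG = """\
2022-07-01 02:14:03 srv01 auth_fail user=admin src=203.0.113.7
2022-07-01 02:14:05 srv01 auth_fail user=root src=203.0.113.7
2022-07-01 02:14:08 srv01 auth_fail user=admin src=203.0.113.7
2022-07-01 02:15:00 srv01 connect src=203.0.113.7 dport=21
2022-07-01 02:15:01 srv01 connect src=203.0.113.7 dport=22
2022-07-01 02:15:01 srv01 connect src=203.0.113.7 dport=23
2022-07-01 02:15:02 srv01 connect src=203.0.113.7 dport=80
2022-07-01 03:40:00 srv02 auth_ok user=bob src=192.0.2.40
2022-07-01 09:30:00 srv02 outbound dst=198.51.100.20 bytes=900000000
2022-07-01 10:12:44 srv01 auth_ok user=alice src=192.0.2.15
2022-07-01 22:00:00 backup01 outbound dst=198.51.100.9 bytes=50000000000
"""

# Hypothetical thresholds; in practice these are tuned to what is normal in the network.
FAILED_LOGINS_PER_SRC = 3
DISTINCT_PORTS_PER_SRC = 4
BUSINESS_HOURS = range(7, 19)  # logins between 07:00 and 18:59 count as normal
# Expected daily outbound bytes per host; backup01 regularly sends large volumes.
OUTBOUND_BASELINE = {"srv01": 100_000_000, "srv02": 100_000_000, "backup01": 100_000_000_000}
OUTBOUND_FACTOR = 3  # alert when a host exceeds its baseline by this factor
LINE_RE = re.compile(r"^\S+ (\d\d):\d\d:\d\d (\S+) (\S+)(.*)$")

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hour, host, event, rest = m.groups()
    kv = dict(p.split("=", 1) for p in rest.split())
    return {"hour": int(hour), "host": host, "event": event, **kv}

def analyze(log_text):
    """Apply the threshold rules to the whole log and return a list of alert strings."""
    fails, ports, outbound, alerts = defaultdict(int), defaultdict(set), defaultdict(int), []
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["event"] == "auth_fail":
            fails[rec["src"]] += 1
        elif rec["event"] == "connect":
            ports[rec["src"]].add(rec["dport"])
        elif rec["event"] == "outbound":
            outbound[rec["host"]] += int(rec["bytes"])
        elif rec["event"] == "auth_ok" and rec["hour"] not in BUSINESS_HOURS:
            alerts.append(f"off-hours login: {rec['user']} on {rec['host']} at {rec['hour']:02d}h")
    alerts += [f"failed logins: {n} from {src}" for src, n in fails.items() if n >= FAILED_LOGINS_PER_SRC]
    alerts += [f"port sweep: {len(p)} ports from {src}" for src, p in ports.items() if len(p) >= DISTINCT_PORTS_PER_SRC]
    alerts += [f"outbound volume: {b} bytes from {h}" for h, b in outbound.items()
               if b > OUTBOUND_FACTOR * OUTBOUND_BASELINE.get(h, 0)]
    return alerts
```

Running `analyze(SAMPLE_LOG)` yields four alerts (off-hours login, failed logins, port sweep, outbound volume on srv02); each is something the administrator then checks for a harmless explanation, as the text describes.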

From intrusion detection to intrusion prevention

An intrusion detection system only passes on warnings to responsible persons. Reactions must then be carried out manually. This is disadvantageous if there is no team of administrators who can guarantee permanent availability. An intrusion prevention system (IPS), on the other hand, carries out measures independently after detecting an action that has been defined as suspicious. This can be, for example, the interruption of network traffic. Blocking certain ports is another conceivable reaction. It should be noted, however, that this can also cause blockages in the case of false alarms, which can lead to the company's servers being temporarily inaccessible, for example.

What types of intrusion detection systems are there?

It is not absolutely necessary to operate a complete solution consisting of several sensors and separate analysis and management computers. An IDS can also be limited to monitoring individual servers or hosts. Likewise, the entire network traffic does not have to be checked. Due to the effort and ongoing costs, a careful risk assessment and cost-benefit analysis will be necessary here.

Possible implementations can be:

  • The most cost-intensive variant is certainly a complete solution consisting of hardware and software components from premium providers such as Cisco, Trend Micro, Check Point, McAfee and others. Here, service providers can carry out a complete installation and commissioning. Another advantage is that the sensors are guaranteed to handle a certain data volume.

  • Firewall with integrated IDS: Manufacturers of professional hardware firewalls such as Barracuda often also offer an integrated intrusion detection system. The systems monitor incoming and outgoing network traffic anyway and supplement this protection with the detection of possible system intrusions. If there are no other IDS components in the network, this can be a sensible compromise. It is also conceivable to add host-based components on central computers within the network.

  • Open source solution with dedicated hardware: Here, the open source software Snort should be mentioned, which has already become a quasi-standard among non-commercial solutions. Snort is known from the Linux world and can be used in conjunction with the operating system, which is also free of charge, to create inexpensive IDS components. However, quite advanced IT knowledge is required for installation and configuration. Alternatively, this can of course also be done by paid service providers.

  • Individual software solutions: Many security suites include components of intrusion detection, such as the monitoring of running processes of a system or access to specified storage locations. There are also special "stand-alone solutions" for individual tasks, such as the permanent monitoring of the Windows registry for changes that have been made.

Useful addition: Intrusion detection system in the network

Neither firewalls nor virus scanners are able to ward off one hundred percent of all unauthorised access or malicious software. Not even an intrusion detection system can do that. The different approaches to protection complement each other in many cases and thus increase the security of your network. In a small network that could be quickly restored from existing backups in the event of an attack, a commercial IDS complete system would certainly be overkill. However, individual elements, such as monitoring folders for changes, are recommendable even in such a case. Of course, the more the functioning or even the existence of a company depends on its IT infrastructure, the more clearly a powerful IDS makes sense. If you already have an intrusion detection system, we would be happy to put it to the test within the framework of a penetration test.
