As network security risks keep growing, the firewall, once the most important security measure, can no longer meet the demand for network security on its own. As a useful complement to the firewall, an IDS (Intrusion Detection System) helps detect network attacks quickly as they occur, extends the system administrator's security management capabilities (including security auditing, monitoring, attack recognition and response), and raises the integrity of the information security infrastructure.
IDS is regarded as the second security gate behind the firewall. It monitors the network without affecting network performance, and provides real-time protection against internal attacks, external attacks and misuse.
With the rapid development of computer network technology and the Internet, network attacks and intrusions are increasing. In the past two years in particular, the computer networks of government departments, military agencies, financial institutions and corporations have frequently been attacked by hackers. Against networks that lack proper protection, an attacker can easily carry out attacks and intrusions such as denial of service attacks, unauthorized access, wanton theft and tampering with important data, installing back doors to retain access and listen in on internal information, spreading computer viruses, destroying hosts, and so on. These attacks and intrusions cause huge economic losses and damage to the image of the affected agencies and enterprises, and can even directly threaten national security.
First, the problem
Why can an attacker carry out attacks and intrusions on a network at all? The reason is that computer networks contain weaknesses, vulnerabilities and insecure configurations that an attacker can exploit, mainly in operating systems, network services, the TCP/IP protocol, applications (such as databases, browsers, etc.), network equipment and other components. It is these weaknesses, vulnerabilities and insecure settings that give the attacker an opportunity. In addition, because most networks lack an early-warning protection mechanism, even when an attacker has penetrated the internal network, intruded into critical hosts and is carrying out illegal operations, our staff find it hard to detect. In this way, the attacker has enough time to do whatever they want.
So how do we prevent and avoid attacks and intrusions? First, identify the network's security weaknesses, vulnerabilities and insecure configurations; then take appropriate measures to plug these vulnerabilities and exploits and correct the unsafe configurations, so as to avoid attack and intrusion as far as possible; at the same time, monitor network activity in real time so that, once an attack or illegal operation is detected, a timely response can be made, including logging, raising an alarm or even blocking the illegal connection.
IDS emerged to solve the above problem. Deploying a hardware firewall improves the network's capacity to block attacks in general; deploying an IDS as an intrusion prevention system in addition allows attacks that cross the firewall or originate from the internal network, as well as illegal operations, to be monitored and responded to.
Second, IDS is increasingly important
Now that IDS technology is maturing, its important role in the overall security deployment is recognized and accepted by most users. To ensure network security, we must establish a security protection system with multiple levels of detection and protection. IDS is an important part of such a system: it can promptly identify network intrusions as they occur and raise an alarm in real time. IDS is a new generation of security protection technology after the traditional methods of the firewall and information encryption. It monitors events in a computer system or network and analyzes them to find intrusions that compromise confidentiality, integrity or availability, or that bypass security mechanisms. IDS products automate this monitoring and analysis.
The main advantage of IDS is that it monitors network traffic without affecting network performance. While in theory an IDS is not strictly required, it does reduce the threats present on the network. With an IDS, much as a surveillance system installed in a building can watch the whole building, the user feels far more at ease; for the user, the IDS is worth it.
As a proactive security tool, an intrusion detection system provides real-time protection against internal attacks, external attacks and misuse, and gives warning, interception and response before the computer network or system comes to harm. Its main functions are: detecting and recording security violations on the network, deterring cyber-crime and preventing network intrusion incidents; detecting attacks or security breaches that other security measures failed to prevent; detecting probing behavior before hackers attack and alerting the administrator in advance; reporting the security threats that exist in a computer system or network; providing attack information that helps administrators diagnose and repair the security vulnerabilities present in the network; and, when deployed in large, complex computer networks, significantly improving the quality of network security management.
As users' understanding of IDS deepens, the status of IDS in the overall security architecture keeps rising, and it is becoming an essential security product that plays an ever larger role in practice. Like traffic lights and cameras, it acts as a deterrent to attackers, and routine monitoring of network security has some protective effect against intrusions, especially those that have already taken place.
Third, what IDS is
In essence, an intrusion detection system is a typical piece of "spy equipment". It does not span multiple physical network segments (usually it has only one monitoring port) and does not forward any traffic; it sits passively on the network, makes no noise, and collects the messages it is interested in. The work of an IDS is divided into four stages: data collection, data processing and filtering, intrusion analysis and detection, and reporting and response. The data collection stage is the data review stage: the intrusion detection engine collects packets from the target system, host data, communications system data and so on. The data processing and filtering stage converts the collected data into a form from which an intrusion can be identified. The analysis and intrusion detection stage analyzes the data provided by the previous stage to determine whether an intrusion has occurred. This stage is the core of the whole intrusion detection system; depending on whether the system aims to detect abnormal use or to detect exploitation of system or application vulnerabilities (bugs), it can be divided into anomaly detection and misuse detection. The report and response stage acts on the judgment of the previous stage: if an intrusion is judged to have occurred, the system takes the corresponding response measures or notifies the manager of the intrusion so that action can be taken. Recently, demands on intrusion detection and response have been increasing, in particular the requirement for ever stronger tracking capabilities.
Currently, the analysis and intrusion detection stage of an IDS generally uses the following techniques: signature matching, statistical analysis and integrity analysis. The first two methods are used for real-time intrusion detection, while integrity analysis is used for after-the-fact analysis.
Signature matching compares the collected information against a database of known network intrusion and system misuse patterns, and so finds behavior that violates the security policy. The process can be simple (such as a simple string match to find a particular entry or instruction) or very complex (such as using a formal mathematical expression to represent a change in security state). In general, an attack pattern can be expressed as a process (such as executing an instruction) or an outcome (such as obtaining access permissions).
One major advantage of this method is that only the relevant data needs to be collected, which significantly reduces system overhead, and the technology is quite mature. It works in the same way as antivirus software, and its detection accuracy and efficiency are high. Its weakness, however, is that it must be updated continually to keep up with newly emerging hacker techniques, and it cannot detect attack methods that have never occurred before.
The statistical analysis method first creates a statistical description of the information objects (such as users, connections, files, directories, devices, etc.) and measures certain properties of their normal use (such as number of accesses, operation failure rate, delay, etc.). The measured average values of these properties are then compared with the observed behavior of the network and system, and any observation that deviates from the normal range is considered an intrusion. For example, statistical analysis may flag an account as behaving abnormally because it never logs in between eight in the evening and six in the morning but attempts to log in at two in the morning, or flag a particular site because of an abnormal increase in its data traffic. The advantage is that it can detect unknown and more complex intrusions; the disadvantages are higher false positive and false negative rates, and that it does not cope well with sudden changes in the user's normal behavior.
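As an added illustration (example code written for this page, not from the original article or any IDS product), the two real-time techniques just described are applied to a constructed stream of access events for one account: a small signature database for misuse detection, and a statistical profile of the account's normal hours and data volume for anomaly detection. The event records, the two signatures and the 3-sigma threshold are assumptions made for the example.

```python
import re
from statistics import mean, pstdev

# Constructed sample events for one account (not captured traffic):
# hour of access, bytes transferred, and the request payload seen on the wire.
EVENTS = [
    {"user": "alice", "hour": 9, "bytes": 1200, "payload": "GET /index.html"},
    {"user": "alice", "hour": 10, "bytes": 1500, "payload": "GET /about.html"},
    {"user": "alice", "hour": 14, "bytes": 1100, "payload": "GET /news.html"},
    {"user": "alice", "hour": 17, "bytes": 1300, "payload": "GET /index.html"},
    {"user": "alice", "hour": 2, "bytes": 90000, "payload": "GET /../../etc/passwd"},
]

# Misuse detection: a (hypothetical) signature database of known attack patterns.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("shell metacharacter injection", re.compile(r"[;|`]")),
]

def signature_match(event):
    """Return the names of known-misuse signatures that the payload matches."""
    return [name for name, pat in SIGNATURES if pat.search(event["payload"])]

def build_profile(history):
    """Anomaly detection: statistical description of the object's normal use."""
    hours = {e["hour"] for e in history}
    volumes = [e["bytes"] for e in history]
    return {"hours": hours, "mean": mean(volumes), "sd": pstdev(volumes) or 1.0}

def statistical_anomalies(event, profile, z=3.0):
    """Flag observations that deviate from the normal range in the profile."""
    reasons = []
    if event["hour"] not in profile["hours"]:
        reasons.append("access at an unusual hour")
    if (event["bytes"] - profile["mean"]) / profile["sd"] > z:
        reasons.append("data volume far above normal")
    return reasons

def analyze(event, history):
    """Run both real-time techniques on one event and return the combined verdict."""
    return {
        "signatures": signature_match(event),
        "anomalies": statistical_anomalies(event, build_profile(history)),
    }

if __name__ == "__main__":
    # The first four events form the baseline; the last one is judged against it.
    print(analyze(EVENTS[-1], EVENTS[:-1]))
```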
Integrity analysis focuses on whether a file or object has been changed, including the contents and attributes of files and directories, and is particularly effective at discovering such changes, for instance to network applications that have been tampered with. Integrity analysis uses a strong cryptographic mechanism called a message digest function (e.g. MD5), which can identify even tiny changes. Its advantage is that it can find intrusions that neither pattern matching nor statistical analysis can: as long as a successful attack causes any change to a file or other object, the change can be found. Its disadvantage is that it is generally implemented in batch mode and cannot be used for real-time response.
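An added example of integrity analysis, not code from the original article: a baseline snapshot of file digests and permission bits is taken, and a later batch comparison reports content changes, attribute changes, added files and removed files. SHA-256 is used in place of the MD5 the text names, and the directory contents in the demo are constructed.

```python
import hashlib
import os
import stat
import tempfile

def digest(path):
    """Message digest of a file's contents (SHA-256 here instead of the MD5 named in the text)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Record (digest, permission bits) for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            baseline[os.path.relpath(path, root)] = (digest(path), mode)
    return baseline

def compare(baseline, current):
    """Batch comparison of two snapshots; any difference at all is reported."""
    changes = {"modified": [], "attribute_changed": [], "added": [], "removed": []}
    for rel, (old_digest, old_mode) in sorted(baseline.items()):
        if rel not in current:
            changes["removed"].append(rel)
            continue
        new_digest, new_mode = current[rel]
        if new_digest != old_digest:
            changes["modified"].append(rel)
        if new_mode != old_mode:
            changes["attribute_changed"].append(rel)
    changes["added"] = sorted(set(current) - set(baseline))
    return changes

def demo():
    """Constructed scenario: baseline a directory, then change content, an attribute, and add a file."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text, mode="w"):
            with open(os.path.join(root, name), mode) as f:
                f.write(text)
        write("passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write("hosts", "127.0.0.1 localhost\n")
        baseline = snapshot(root)
        write("passwd", "extra:x:1001:1001::/home/extra:/bin/sh\n", mode="a")  # content change
        os.chmod(os.path.join(root, "hosts"), 0o444)  # attribute change only, content intact
        write("extra.sh", "#!/bin/sh\n")  # newly added file
        return compare(baseline, snapshot(root))
```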