Communication between managers and agents
When choosing products, find out how the managers and agents communicate across your network; that communication must be clear. Most IDS programs have you communicate with the manager first, and the manager in turn checks on the agents.
Typically, managers and agents communicate using public-key encryption. For example, Axent's products use 400-bit-long Diffie-Hellman encryption, while the standard alternative is 128-bit SSL session encryption. Comparing these two standards, you will find that most IDS vendors use secure communications.
Some older mainframe-class products transmit in the clear or use very weak session encryption. This is ironic: cleartext transmission is vulnerable to hijacking and man-in-the-middle attacks, which seriously undermines the very network security you are trying to monitor and protect.
Some managers can also communicate with other managers. Manager-to-manager communication saves bandwidth and reduces your management burden. Such communication can be organized through an organizational structure. For example, Axent Intruder Alert (99vA) used what it called a domain hierarchy to organize agents.
Auditing manager and agent communication
As an auditor, you should verify the user names and passwords and make sure the default settings have not been retained. At the same time, you must ensure that the communication is encrypted and as secure as possible.
Hybrid Intrusion Detection
Network-based and host-based intrusion detection products are each inadequate on their own; relying on only one class of product leaves the active defense system incomplete. Their weaknesses, however, are complementary. If the two types of products are integrated and deployed seamlessly across the network, they form a complete, layered active defense system that combines the structural characteristics of network-based and host-based intrusion detection: it can discover attacks in network traffic and can also find anomalies in system logs.
Rules
As with an application firewall, you must establish rules for the IDS. Most IDS programs come with predefined rules. You should edit the existing rules and add new ones to give the network the best protection. Rules usually fall into two categories: network anomaly and network misuse. Enterprise-class IDSs typically implement hundreds of rules.
Different vendors use somewhat different terminology for auditing. For example, eTrust Intrusion Detection uses "rules" to refer to security audit rules, whereas Intruder Alert uses "policies". In Intruder Alert, "policies" has a broader meaning: it lets you set up rules for individual strategies. So when evaluating each vendor's product, do not be fooled by the terminology.
Network anomaly monitoring
IDS programs report protocol-level anomalies. If configured correctly, they alert you to NetBus, Teardrop or Smurf attacks. For example, if there are too many SYN connections, the IDS program will alert you.
Network misuse monitoring
Network misuse includes Web browsing for non-work purposes, unauthorized installation of services (such as the WAR FTP server), and playing games (such as Doom or Quake). You can log it, block the traffic, or take the initiative to stop it. For example, you can use the program to implement countermeasures, or set up a "dummy" system or network as a decoy.
Network misuse is the result of physical, operating-system or remote attacks. Physical attacks include stealing a hard disk or physically manipulating a machine to obtain information. Operating-system attacks are attempts to gain root access. Remote attacks are attacks on network equipment by an attacker at a distance.
Common detection methods
The detection methods commonly used by intrusion detection systems are feature (signature) detection, statistical detection and expert systems. According to a report by the Ministry of Public Security's Computer Information System Security Product Quality Supervision and Inspection Center, 95% of the domestic intrusion detection products it examined use template pattern matching, that is, feature-based detection; the other 5% are statistical detection products based on probability and statistics, and knowledge-based expert-system log analysis products.
Feature detection
Feature detection describes known attacks or intrusions in a deterministic way, forming a corresponding event model. When an audit event matches a known intrusion pattern, an alarm is raised. The principle is similar to that of an expert system, and the approach resembles the way computer viruses are detected. Pattern matching based on the characteristics of the current packet is in wide use. Its detection accuracy is high, but it can do nothing about intrusions and attacks for which there is no prior knowledge.
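The event-model matching described above, as an added example (not code from the page or from any vendor's product): a small signature table for two of the attacks the page names, NetBus (whose default listener is TCP 12345) and Smurf (ICMP echo requests to a broadcast address), run over constructed audit events. The names SIGNATURES, event_matches and detect are assumptions of this example; the final event shows the stated limitation, an attack with no signature raises no alarm.

```python
import re

# Constructed signature table (simplified, illustrative; not from the page).
# Each known attack is an "event model": field -> exact value, or a compiled
# regex that must be found in the field.  NetBus's default listener is
# TCP 12345; a Smurf attack sends ICMP echo requests to a broadcast address.
SIGNATURES = {
    "NetBus connection": {"proto": "tcp", "dport": 12345},
    "Smurf echo to broadcast": {"proto": "icmp", "icmp_type": "echo-request",
                                "dst": re.compile(r"\.255$")},
}

def event_matches(event, model):
    """Deterministic match: every model field must be present and match."""
    for field, expected in model.items():
        value = event.get(field)
        if value is None:
            return False
        if hasattr(expected, "search"):          # regex field
            if not expected.search(str(value)):
                return False
        elif value != expected:                  # exact-value field
            return False
    return True

def detect(events, signatures=SIGNATURES):
    """Return (event index, signature name) for every audit event that
    matches a known intrusion pattern; unmatched events raise no alarm."""
    return [(i, name) for i, ev in enumerate(events)
            for name, model in signatures.items() if event_matches(ev, model)]

# Constructed audit events, as an IDS sensor might normalize them.
SAMPLE_EVENTS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 12345},
    {"proto": "icmp", "icmp_type": "echo-request", "src": "10.0.0.5",
     "dst": "10.0.0.255"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 22},
    # A previously unknown attack pattern: no signature, so no alarm, which is
    # exactly the limitation the text describes.
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 4444,
     "payload": "unknown"},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"ALARM event {idx}: {name}")
```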
Statistical detection
Statistical anomaly detection uses statistical models; the parameters commonly measured include the number of audit events, the interval between events, resource consumption, and so on. Five statistical models commonly used in intrusion detection are:
1. Operational model: this model assumes that an anomaly can be measured by comparison against a number of fixed indicators, which can be taken from experience or from the average over a period of time. For example, several failed logins within a short time are most likely an attempt to guess the password;
2. Variance model: the variance of the parameters is calculated and a confidence interval set; when a measured value falls outside the confidence interval it may be anomalous;
3. Multi-model: an extension of the operational model that analyzes multiple parameters simultaneously to achieve detection;
4. Markov process model: each type of event is defined as a system state, and a state-transition matrix represents changes of state; when an event occurs, a transition that has low probability in the state matrix indicates that the event is likely anomalous;
5. Time series analysis: event counts and resource consumption are arranged in a sequence by time; if the probability of a new event occurring at that time is low, the event may be an intrusion.
The greatest advantage of statistical methods is that they can "learn" users' habits, which gives a high detection rate and good usability. But this "learning" ability also gives intruders an opportunity: by gradually "training" the system so that intrusion events conform to the statistical patterns of normal operation, they can slip past the intrusion detection system.
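Three of the five models above, as an added example that is not code from the page: the operational model (a fixed threshold, the same logic as the "too many SYN connections" or "several failed logins in a short time" alarms), the variance model (a confidence interval of k standard deviations), and the Markov model (a transition matrix learned from normal sessions, with rare transitions flagged). All function names and the sample data are constructed for this example; the multi-model and time-series models are left out.

```python
import statistics
from collections import Counter, defaultdict

# 1. Operational model: a fixed, experience-derived threshold.
def failed_login_alert(timestamps, threshold=5, window=60):
    """True if more than `threshold` failed logins fall inside any `window`
    seconds (sliding window over epoch-second timestamps)."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

# 2. Variance model: confidence interval of k standard deviations.
def variance_alert(history, observed, k=3.0):
    """True if `observed` lies outside mean +/- k*stddev of `history`."""
    mu = statistics.mean(history)
    sigma = statistics.pstdev(history)
    return abs(observed - mu) > k * sigma

# 4. Markov process model: event types are states; a transition that the
#    trained matrix gives low probability flags the event as anomalous.
def transition_matrix(sequence):
    """Estimate P(next | current) from an observed sequence of event types."""
    counts = defaultdict(Counter)
    for cur, nxt in zip(sequence, sequence[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
            for cur, c in counts.items()}

def markov_alert(matrix, prev_state, state, min_prob=0.05):
    """True if the observed transition is rarer than `min_prob` (unseen -> 0)."""
    return matrix.get(prev_state, {}).get(state, 0.0) < min_prob

# Constructed sample data (not measurements from the page).
FAILED_LOGINS = [0, 10, 20, 25, 30, 35]          # six failures within 35 s
HOURLY_EVENT_COUNTS = [100, 110, 95, 105, 90, 100, 105, 95]
NORMAL_SESSIONS = ["login", "read", "read", "write", "logout"] * 4

if __name__ == "__main__":
    print(failed_login_alert(FAILED_LOGINS))            # True
    print(variance_alert(HOURLY_EVENT_COUNTS, 140))     # True
    m = transition_matrix(NORMAL_SESSIONS)
    print(markov_alert(m, "login", "logout"))           # True: never seen in training
```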