Honeypots, IDSs, and Firewalls 375
A network IDS (NIDS) is, at its core, a packet sniffer. The difference
between a packet sniffer and an NIDS is that an NIDS adds a rules
engine, which compares captured traffic against a set of rules that
distinguish legitimate traffic and activity from malicious traffic and activity.
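The following added example, which is not from the book, shows the "sniffer plus rules engine" idea in miniature. The Packet and Rule classes, the rule ids, the port-scan threshold and the sample traffic are all constructed for this illustration; a real NIDS would read packets from a capture interface rather than from a list.

```python
"""Toy NIDS rule engine: a sniffer's packet stream plus a set of rules.

Added illustration; the Packet/Rule classes, rule ids and sample traffic are
constructed for this example and are not from any real NIDS.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port, None for icmp
    payload: bytes = b""

@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: Optional[int] = None             # None matches any port
    content: Optional[re.Pattern] = None    # compiled regex tested against the payload

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and not self.content.search(pkt.payload):
            return False
        return True

# Stateless signature rules (constructed; sids are arbitrary).
RULES = [
    Rule(1000001, "POLICY cleartext telnet to internal host", "tcp", 23),
    Rule(1000002, "WEB-CGI request for /cgi-bin/phf", "tcp", 80,
         re.compile(rb"GET /cgi-bin/phf")),
]

# Stateful rule: one source touching this many distinct TCP ports on one
# destination is reported as a possible port scan.
PORTSCAN_PORTS = 5

def inspect(packets, rules=RULES):
    """Run every packet through the rules; return a list of (sid, msg, src, dst)."""
    alerts = []
    ports_seen = defaultdict(set)
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst))
        if pkt.proto == "tcp" and pkt.dport is not None:
            key = (pkt.src, pkt.dst)
            ports_seen[key].add(pkt.dport)
            if len(ports_seen[key]) == PORTSCAN_PORTS:   # fire once, at the threshold
                alerts.append((1000003, "SCAN distinct-port threshold reached",
                               pkt.src, pkt.dst))
    return alerts

# Constructed sample traffic: a benign page fetch, a phf probe, a telnet
# connection and a five-port sweep from one source.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    Packet("10.0.0.7", "10.0.0.80", "tcp", 23, b""),
] + [Packet("10.0.0.9", "10.0.0.80", "tcp", p) for p in (21, 22, 25, 110, 143)]

if __name__ == "__main__":
    for sid, msg, src, dst in inspect(SAMPLE_TRAFFIC):
        print(f"[{sid}] {msg}  {src} -> {dst}")
```

The stateless rules are what most people picture when they hear "signature"; the port-scan counter is there to show that even a simple engine needs per-flow state, which is also where false positives and evasion tend to enter.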
The Four Types of Intrusion Detection Systems
In practice there are four types of IDSs, each offering unique capabilities that the others
do not. We’ll first discuss the types available and where each fits in; then we’ll delve deeper
into each.
■ The first type, and one of the most common, is the NIDS. The NIDS is designed to
inspect every packet entering the network for the presence of malicious or damaging
behavior and, when malicious activity is detected, raise an alert. The NIDS is able to
monitor traffic from the router to the host itself. Much like a packet sniffer, an NIDS
operates similarly to a network card in promiscuous mode. In practice this type of IDS
can take the form of a dedicated computer or the more common black-box design
(a dedicated appliance).
■ The next major kind of IDS is the host-based intrusion detection system (HIDS),
which is installed on a server or computer. An HIDS is responsible for monitoring
activities on a system. It is adept at detecting misuse of a system, including insider
abuses. Its location on a host puts the HIDS in close proximity to the activities that
occur on a host as well as in a perfect position to deal with threats on that host. HIDSs
are commonly available on the Windows platform but are found on Linux and Unix
systems as well.
■ Log file monitors (LFMs) monitor log files created by network services. The LFM IDS
searches through the logs and identifies malicious events. Like NIDSs, these systems
look for patterns in the log files that suggest an intrusion. A typical example would be
parsers for HTTP server log files that look for intruders who try well-known security
holes, such as the phf attack. An example of a log file monitoring program is swatch.
■ File integrity checking mechanisms, such as Tripwire, check for Trojan horses or files
that have otherwise been modified, indicating an intruder has already been there.
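The log file monitor bullet describes a parser that reads HTTP server logs and looks for well-known probes such as phf. The added example below (not swatch, and not code from the book) does that over a few constructed Common Log Format lines: it applies path signatures, counts repeated 401 responses per client, and flags lines it cannot parse, since an unparseable log is itself worth an alert.

```python
"""Log file monitor over HTTP server access logs (Common Log Format).

Added illustration; the log lines, signature names and thresholds are
constructed for this example and are not from swatch or any other tool.
"""
import re
from collections import Counter

# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Signatures over the requested path: the well-known phf CGI hole and
# directory traversal, raw or percent-encoded.
SIGNATURES = [
    ("phf-cgi", re.compile(r"/cgi-bin/phf\b")),
    ("dir-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
]
AUTH_FAIL_THRESHOLD = 3   # 401s from one host before it is reported as guessing

def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def scan_log(lines):
    """Walk the log once; return (alert, host, detail) tuples in log order."""
    alerts = []
    auth_failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # Unparseable lines matter too: tampering or a format change
            # would otherwise silently blind the monitor.
            alerts.append(("unparseable-line", None, line))
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((name, rec["host"], rec["path"]))
        if rec["status"] == 401:
            auth_failures[rec["host"]] += 1
            if auth_failures[rec["host"]] == AUTH_FAIL_THRESHOLD:
                alerts.append(("auth-guessing", rec["host"], rec["path"]))
    return alerts

# Constructed sample log: one normal request, a phf probe, a traversal
# attempt, three failed logins from one host, and one corrupted line.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.44 - - [10/Oct/2000:13:55:40 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 210',
    '192.0.2.44 - - [10/Oct/2000:13:55:41 -0700] "GET /images/../../private.txt HTTP/1.0" 400 0',
    '192.0.2.77 - - [10/Oct/2000:13:56:02 -0700] "GET /admin/ HTTP/1.0" 401 0',
    '192.0.2.77 - - [10/Oct/2000:13:56:05 -0700] "GET /admin/ HTTP/1.0" 401 0',
    'corrupted entry',
    '192.0.2.77 - - [10/Oct/2000:13:56:09 -0700] "GET /admin/ HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for alert, host, detail in scan_log(SAMPLE_LOG):
        print(f"{alert:16} {host or '-':12} {detail}")
```

Note that the phf probe in the sample returned 404: the server no longer has the script, but the log still records that someone asked for it, which is exactly the kind of reconnaissance an LFM exists to surface.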
Another form of protective mechanism is known as a system integrity
verifier (also known as a file integrity checker), which looks for changes to
files that may be suggestive of an intruder. They may also monitor other
objects such as the Registry.
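As an added example in the spirit of Tripwire (not Tripwire's own code and not from the book), the following checker hashes every file under a directory into a baseline, re-hashes later, and reports what was added, removed or modified. The directory tree, file names and the tampering performed in demo() are constructed for the illustration.

```python
"""File integrity checker: hash a baseline, re-hash later, report drift.

Added illustration in the spirit of Tripwire, not Tripwire's code. The file
names and contents in demo() are constructed for the example.
"""
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (path relative to root, '/' separators) to its hash."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def compare(baseline, current):
    """Return files that appeared, disappeared or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }

def demo():
    """Build a tiny tree, baseline it, tamper with it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"ls v1", "bin/ps": b"ps v1",
                 "etc/inetd.conf": b"telnet stream tcp"}
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Constructed tampering: a trojaned binary, a removed config, a hidden new file.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"ps v1 with extra code")
        os.remove(os.path.join(root, "etc", "inetd.conf"))
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"payload")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points a production tool handles that this sketch does not: the baseline must live where an intruder on the host cannot rewrite it (read-only media or another machine), and real checkers record owner, mode, inode and timestamps alongside the hash, since a content hash alone misses permission changes and replaced-but-identical files.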
The Inner Workings of an IDS
The main purpose of an IDS is to detect and alert an administrator about an attack. The
administrator can then determine, based on the information received from the IDS, what
action to take.