An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.
IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect based on looking for specific signatures of known threats- similar to the way antivirus software typically detects and protects against malware- and there are IDS that detect based on comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert and there are IDS that perform an action or actions in response to a detected threat.
TYPES OF IDS:
NIDS (Network Intrusion Detection System)
Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network.
HIDS (Host based Interusion dtection system)
Host Intrusion Detection Systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator of suspicious activity is detected. For eg. Symantec antivirus.
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline.
A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected an alert is generated and sent to the administrator or user and it is up to them to take action to block the activity or respond in some way.
A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.
One of the most well known and widely used intrusion detection systems is the open source, freely available Snort. It is available for a number of platforms and operating systems including both Linux and Windows. Snort has a large and loyal following and there are many resources available on the Internet where you can acquire signatures to implement to detect the latest threats.
The Cisco Intrusion Detection System (IDS) team constantly develops new signatures. As new signatures are released, you can choose to be notified to take proactive steps to update the signature files.
To receive notification when new Cisco IDS signatures are released (and other IDS/IPS related product news), subscribe to Cisco IPS Threat Defense Bulletins. The bulletin also includes notifications of updated system software and service packs.
Also, RSS feeds are available for the IPS Threat Defense Bulletins:
Hi, I am having an issue with my ESA. Message Tracking logs says that message was delivered to recipient but recipient did not receive the email. I don't know why the email doesn't get delivered to recipients mailbox. Do i need to change something on...
Hi,we have 2 routers connected to each other via an IPSec tunnel. Both routers are on private networks so there is no natting going on.The IPSec tunnel is fine and traffic is flowing between the local networks (crypto map/access lists are fine) via the tu...
I noticed one of the policies on the FMC is out of date i.e not updated/deployed on the Firewall.I am not aware what changes were done on the policy and I want to avoid going through each and every rule to find that out.Is there way I can rollback changes...
Not sure if there is a solution out there yet. We recently purchased 2110 for VPN S2S and RA. We don't have ISE as it is out of our budget to house this. We are trying to see how we can control the RA computers that access our VPN. Has anyone found a work...