3 - Network- & Transport-Layer Security (Intrusion Detection) Flashcards
What are IDS and how do they work?
Intrusion Detection Systems are used to detect whether someone has gotten into, or is trying to get into, your network. They do this by matching network activity against rules that describe suspicious activity.
What are the three types of IDS? Explain.
- Signature-based: The IDS knows intrusion-related signatures and searches for them in the network traffic
- Anomaly-based: The IDS knows the usual network activity and detects changes (such as a significant increase of ICMP packets)
- Protocol-based: The IDS knows protocols (such as TCP) and searches for misbehavior
What are the 4 aspects that should be considered for a good IDS?
Accuracy: low false positive and low false negative detection rates.
Performance: Processing of packets must be very efficient to be able to keep up with traffic at network entry points (can be optimized by running multiple IDS in parallel).
Fault Tolerance: the IDS itself should not be vulnerable to attacks (it should only passively sniff the network).
Timeliness: time between intrusion and detection should be as short as possible.
Where should the IDS be placed?
Router: for external attacks
Switches: for internal attacks. Some switches allow replicating the traffic of all ports onto a single port for applications like intrusion detection.
What are the limitations of IDS?
- Signature-based IDS only detect known attacks (patterns).
- The larger the signature database, the longer the processing time.
- Good attackers are familiar with IDS and their weaknesses (e.g. scans stretched over a longer period of time and spread across different source IP addresses).
- An attacker could fragment their packets.
- DoS on the IDS: flood the network with (possibly invalid) fragments.