Watch the video
Intrusion intrusion detection systemsDetection System) is a collection of software and / or hardware that serves to detect the facts of unauthorized access to a computer / computer network, as well as to prevent unauthorized management of them.
What is IDS?
Simply put, IDS is a system thatIt ensures the security of the user's activity, protecting it from various kinds of intrusions and network attacks, which in the age of information technology simply can not be considered. In addition, IDS is the ability to receive forecasts about future attacks and prevent them, as well as to learn about information about "attackers", which can be useful for correcting factors that allowed unauthorized access.
Why are IDS needed?
Recently, the use of usersIntrusion detection systems are actively gaining popularity. IDS is the most important element of information security required by every far-sighted user. Intrusion detection system will not only detect the computer attack and block it, but also perform it in a convenient graphical interface - the user will not need special knowledge about network protocols and possible vulnerabilities.
By analogy with antivirus programs, intrusion detection systems are used for the basic method of detecting unauthorized activity:
- based on the signature. In this case, the analysis is conducted on the basis of a certain set of events that uniquely characterize a particular attack. This technique is quite effective and in the main methods of searching for danger.
- based on anomalies. This type of work is characterized by the detection of attacks by identifying unusual behavior of the network, server or application. Systems operating under this mechanism can effectively track attacks, but their main problem is the mass of false positives.
Any IDS includes:
- a sensor subsystem that constantly monitors events related to the security of the system;
- an analysis subsystem that selects from all events,selected by the sensor, suspicious. IDS with an active analysis subsystem in case of detection of suspicious activity may take response actions to
for example, break the network connection on its own. Passive IDS will only inform the administrator about a suspicious action, and pay attention to it or not, the user must decide.
- Storage, accumulating primary events and analysis results;
- control panel, enabling the user to monitor the system.
In most simple IDS, all of the abovecomponents are implemented as a single device. Depending on sensor parameters and analysis methods, intrusion detection systems provide a different level of attack detection.
IDS, protecting the network segment
This type of system is very reliable, becauseThe deployment takes place on a dedicated server where other applications can not work. In this case, the server can be made invisible to the attacker. For particularly high-quality protection
The IDS defect that protects the network segment isthe difficulty of recognizing an attack at a time of high network load. In addition, such an IDS can only report an attack, but do not analyze the degree of penetration.
IDS, which protects a single server
These systems collect and analyzeinformation about suspicious processes that occur on a particular server. Such IDS has a rather narrow task, and therefore can perform highly detailed analysis, as well as identify a specific user who performs unauthorized actions.
Some IDSs that protect the server havethe ability to manage a group of servers at once, drawing up general reports on a possible network attack. Unlike IDS, protecting the network segment, these systems can work even on a network that uses encryption, in the event that information on the server is kept in clear form before it is transmitted.
The main disadvantage of IDS, controlling the server (s), -the inability to monitor the entire network. For them only the packets received by the protected server are visible. In addition, system performance is reduced when the server uses compute resources.
IDS, protecting applications
These security systems monitor events,occurring within the same application. As you probably already guessed, this system allows you to create a report with the highest possible degree of detail, since it works with an even narrower task than the previous type system.
IDS, which protects the application, uses knowledge about the application, as well as data analysis of its system log for analysis. The system interacts with the application through the API.
The drawback of IDS, protecting applications is obvious - too narrow profile. Of course, if it is important for a user to ensure the security of a particular application, this is an acceptable option.
IDS - reliable protection?
Intrusion Detection System - effectivea tool to protect the user from various kinds of unauthorized attacks, but do not forget that if we are talking about full-fledged security, IDS is just an element of this system. Full-fledged security is:
- Intranet security policy;
- system of protection of hosts;
- network audit;
- protection based on routers;
- intrusion detection system;
- policy response to detected attacks.
Only by correctly combining all of the above types of protection, the user can be absolutely calm for the security of storing and transferring important data.