3 Intrusion detection system (IDS)

Figure 7

Show description|Hide description

This is a close-up image of some toy soldiers.

Figure 7

So what happens when there’s an attack on a computer network? Chances are that you’ve seen a movie or TV programme where the administrators rush to their keyboards and frantically begin typing, lights flash, sirens sound – it’s all very exciting – but does anything like this happen in real life?

As you might suspect, the answer is, no, not really. Computer networks are regularly attacked, but the response is rarely as exciting as filmmakers would like you to believe.

Intrusion detection systems (IDS) may be a dedicated device or software and are typically divided into two types depending on their responsibilities:

• Network Intrusion Detection System (NIDS), which is responsible for monitoring data passing over a network.
• Host Intrusion Detection System (HIDS), which is responsible for monitoring data to and from a computer.

An IDS can support a network firewall. Ideally the firewall should be closed to all traffic apart from that which is known to be needed by the organisation (such as web traffic, email and FTP). An IDS can then be used to scan any traffic passing through the firewall for potential attacks using a NIDS, as well as being able to detect those coming from within – such as from a personal computer infected with malware – using a HIDS.

Intrusion detection may be considered passive; it identifies that an intrusion is taking place and informs an administrator who must take appropriate action. However, they can also be reactive – as well as informing the administrator, the IDS can actively attempt to stop the intrusion, in most cases by blocking any further data packets sent by the source IP address. These systems are also referred to as an Intrusion Prevention or Protection System (IPS).