WeberDev.com PHP and MySQL Code

Title : Intrusion Detection Products - Overkill or Necessity? Part 1 of 2
Categories : Other, Security, Site Planning
Report SecuritySearch.Net Vulnerability
Date : 2000-05-06
Copyright © SecuritySearch.Net
http://www.securitysearch.net

In part one of this article, Simon Johnson explains the advantages and disadvantages of Intrusion Detection Systems.


Introduction
Firewalls, security scanners... it seems that there is an overwhelming number of security tools in the marketplace today. So which tools do you really need? According to some vendors you need them all, and that's just the beginning. One of the latest tools designed to catch hackers in the act is the IDS, or Intrusion Detection System.



Definitions:

Intrusion
Where a person or program breaks into or maliciously uses a computer system.

Intrusion Detection System (IDS)
A computer program for detecting intrusions.

Network Intrusion Detection System (NIDS)
A computer program that analyses packets on a network and determines if the packets are malicious or sent by a hacker.

System Integrity Verifiers (SIV)
A computer program that monitors files to determine whether they have been changed.

Log File Monitors (LFM)
A computer program that monitors log files for any hacker or malicious activity.



What is an IDS and Where does it fit into a Network?
An intrusion detection system is an application designed to detect unauthorised access to a computer system or network.
Many organisations have firewalls to protect their Internet connection, but what happens if an intruder penetrates your firewall? There are no more defenses left!

How do you know that an intruder has penetrated your firewall? In most cases you don't know until it's too late. Alternatively, what if an employee is attempting to break into your file server? According to the 1998 FBI/CSI Computer Crime Survey, 44% of companies surveyed reported unauthorized access by employees.
An IDS attempts to detect hackers after they have broken into your network.





Why Use an Intrusion Detection System?



Advantages
An IDS functions like a full-time security guard on your computer system or network. Regardless of whether your network is under attack from inside or outside, an IDS will record the attack and/or take action against it.
Popular responses are as follows:



  • Reconfigure the firewall
  • Beep
  • Generate an SNMP Trap
  • Generate an NT Event
  • Write to the syslog
  • Send an e-mail message
  • Send a pager message
  • Log the attack
  • Launch a program
  • Terminate the connection

Some of these features are invaluable in assisting companies in gathering evidence to prosecute a hacker.



Disadvantages

Must be Regularly Updated
Similar to anti-virus products and security scanners, an IDS has to be updated or programmed with the latest hacker techniques. Unfortunately, many vendors do not update their products very often and consequently their IDS cannot detect the latest hacker techniques.



Hackers go Undetected
Many IDS programs look for attack signatures or malicious traffic. Hackers are aware of these programs and can hide themselves in regular network traffic. For example, a hacker would not necessarily scan ports 0-200 in sequence. Such a hacker might conduct the scan at random or target a specific port. This type of traffic can go undetected by some IDS.
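The gap described above, shown as detection logic (an added example, not code from the original article): a signature that only recognises in-order port sweeps is compared with an order-independent count of distinct ports per source. The connection records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, source IP, destination port) of inbound connection attempts.
SHUFFLED = [443, 21, 8080, 25, 110, 23, 3306, 80, 22, 139]
EVENTS = (
    [(i, "203.0.113.5", p) for i, p in enumerate(range(20, 30))]   # in-order sweep
    + [(i, "203.0.113.9", p) for i, p in enumerate(SHUFFLED)]      # same volume, random order
    + [(i * 5, "198.51.100.7", 443) for i in range(10)]            # ordinary client
)

def sequential_signature(events, run_length=5):
    """Naive signature: flag a source that hits run_length consecutive ports in order."""
    flagged, last, run = set(), {}, {}
    for _, src, port in sorted(events):
        run[src] = run.get(src, 0) + 1 if last.get(src) == port - 1 else 1
        last[src] = port
        if run[src] >= run_length:
            flagged.add(src)
    return flagged

def distinct_port_threshold(events, window=60, max_ports=8):
    """Order-independent rule: flag a source that touches more than
    max_ports distinct ports within any window-second span."""
    flagged, recent = set(), defaultdict(list)
    for ts, src, port in sorted(events):
        # Keep only this source's events that are still inside the window.
        recent[src] = [(t, p) for t, p in recent[src] if ts - t < window]
        recent[src].append((ts, port))
        if len({p for _, p in recent[src]}) > max_ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    print("sequential signature :", sorted(sequential_signature(EVENTS)))
    print("distinct-port rule   :", sorted(distinct_port_threshold(EVENTS)))
```

The second rule catches both sweeps, but a probe aimed at one specific port still falls below its threshold, which is the residual gap the paragraph describes.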



Hackers can appear as a Trusted Host
By using a proxy server, hackers can masquerade as a trusted host on the network. Therefore their network traffic might be exempt from monitoring or reporting. Hackers could also make it look as if they are coming from another network by using a proxy server.



Hackers can Hide in the Network Traffic
Hackers have been known to generate a lot of legitimate traffic in order to hide a particular malicious or suspicious task. Depending on the configuration, the IDS will either see the task as legitimate or not pick it up at all.



No Protection against IP Spoofing
Hackers can spoof their IP address on the network and look as if they are coming from a trusted source. This method is widely used to defeat an IDS.



Your own Firewall can Lock you Out
Some IDS can reconfigure the firewall to block malicious activity. This is a great feature but can lead to disaster. For example, what if a hacker spoofed his/her IP address as a trusted host and then started to attack the network? An IDS might respond by reconfiguring the Firewall to block access from an entire network segment.
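One way to keep an automated response from locking you out, as an added example that is not part of the original article: the IDS alert is converted into a firewall action only after checking it against a never-block list, and any block is narrowed to a single host with an expiry. The function name, policy values and addresses are hypothetical.

```python
import ipaddress

# Assumed policy (hypothetical values): ranges that must never be blocked
# automatically, and the longest an automatic block may last.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]
MAX_BLOCK_SECONDS = 900

def plan_block(alert_source, requested_scope, now):
    """Decide what the firewall should do for one IDS alert.

    alert_source    -- source IP reported by the IDS (it may be spoofed)
    requested_scope -- CIDR range the IDS proposes to block
    now             -- current time in seconds
    """
    src = ipaddress.ip_address(alert_source)
    scope = ipaddress.ip_network(requested_scope, strict=False)

    # A source address that claims to be a trusted host, or a proposed block
    # that would cover one, is never acted on automatically: raise an alert
    # for a human instead of changing firewall rules.
    for net in NEVER_BLOCK:
        if src in net or scope.overlaps(net):
            return {"action": "alert_only", "reason": f"overlaps trusted range {net}"}

    # Otherwise block only the single reported host, never the whole segment,
    # and let the rule expire so a mistaken block heals itself.
    host = ipaddress.ip_network(f"{src}/{src.max_prefixlen}")
    return {"action": "block", "target": str(host), "expires": now + MAX_BLOCK_SECONDS}

if __name__ == "__main__":
    print(plan_block("10.0.0.15", "10.0.0.0/24", now=0))         # claims to be trusted
    print(plan_block("203.0.113.5", "203.0.113.0/24", now=1000))  # untrusted source
```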



Your IDS will see What a Hacker wants it to See
There are a number of hacker tools that can retransmit TCP sequence numbers. This can prevent an IDS from detecting the network traffic generated by a hacker.



Sniffers go Undetected by IDS
IDS do not detect Ethernet sniffers on a network. Therefore, hackers can still sniff the network traffic to obtain user IDs and passwords.








