Comprehensive network security
2. INTRUSION DETECTION SYSTEMS (IDSs)
2.3. Intrusion Detection Systems Implementation Architectures
Given the different existing types of IDS, their implementation also varies from system to system and from network to network. A signature-based IDS focuses on the signatures of well-known attacks and vulnerabilities, relying on a large database from which it compiles its rules to detect an intrusion. However, such an implementation may not suit the network we are administering. Here, the first step is to understand the protection needs of the network and its systems, identifying their main priorities and targets.
An anomaly-based IDS, on the other hand, relies on the normal working state of the network and systems to identify abnormal behaviour and decide whether it is indeed caused by an intrusion or is still normal behaviour of the network. Once again, prior planning is needed: the systems and the network must be documented and configured in the IDS so that it can recognise their behavioural patterns.
It is also common nowadays to find IDSs that work with machine learning. Here, once again, it is necessary to collect information about the normal operation of the network and its systems, so that the model can be trained on the correct, normal working states before it is put into production.
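The two detection approaches differ mainly in what they need before deployment: a rule database for signature matching, and a documented window of normal traffic for anomaly detection (which is also what a machine-learning detector is trained on). The Python block below is an added example, not code from the original text; every flow record, signature rule, host address and the three-sigma threshold are constructed for it. It runs a signature matcher and a volume baseline over the same traffic window so the two kinds of alert can be compared.

```python
"""Signature-based and anomaly-based detection side by side.

Added illustration, not code from the original text.  Every flow record,
signature rule, host address and threshold below is constructed for the
example; external addresses use the documentation range 203.0.113.0/24.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One summarised network flow as a sensor might record it."""
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: bytes


# Signature-based detection: a rule database of (rule id, destination
# port, byte pattern).  Real rule sets hold thousands of entries; these
# two are constructed placeholders.
SIGNATURES = [
    ("SIG-0001", 80, b"/etc/passwd"),
    ("SIG-0002", 80, b"<script>"),
]


def signature_scan(flows):
    """Return (source host, rule id) for every flow matching a rule."""
    hits = []
    for flow in flows:
        for rule_id, port, pattern in SIGNATURES:
            if flow.dport == port and pattern in flow.payload:
                hits.append((flow.src, rule_id))
    return hits


def bytes_per_host(flows):
    """Total outbound bytes per source host in a window of flows."""
    totals = {}
    for flow in flows:
        totals[flow.src] = totals.get(flow.src, 0) + flow.nbytes
    return totals


class VolumeBaseline:
    """Anomaly-based detection on one feature: outbound volume per host.

    fit() learns mean and standard deviation of per-host volume from a
    window of traffic documented as normal (the prior planning the text
    asks for); anomalies() flags hosts in a later window whose volume lies
    more than k standard deviations from that mean.
    """

    def __init__(self, k=3.0):
        self.k = k
        self.mu = None
        self.sigma = None

    def fit(self, training_flows):
        volumes = list(bytes_per_host(training_flows).values())
        self.mu = mean(volumes)
        self.sigma = pstdev(volumes)
        if self.sigma == 0:
            raise ValueError("training window has no variance; baseline unusable")
        return self

    def scores(self, flows):
        """z-score of each host's volume against the learned baseline."""
        return {host: (vol - self.mu) / self.sigma
                for host, vol in bytes_per_host(flows).items()}

    def anomalies(self, flows):
        return sorted(h for h, z in self.scores(flows).items() if abs(z) > self.k)


# Constructed training window: ordinary browsing from four internal hosts.
TRAINING_FLOWS = [
    Flow("10.0.0.1", "203.0.113.10", 443, 800, b""),
    Flow("10.0.0.1", "203.0.113.10", 443, 400, b""),
    Flow("10.0.0.2", "203.0.113.11", 443, 1500, b""),
    Flow("10.0.0.3", "203.0.113.12", 80, 900, b"GET / HTTP/1.1"),
    Flow("10.0.0.4", "203.0.113.10", 443, 1400, b""),
]

# Constructed later window: one request carrying a rule pattern from a host
# with ordinary volume, and one host sending far more than usual.
TEST_FLOWS = [
    Flow("10.0.0.1", "203.0.113.10", 443, 1300, b""),
    Flow("10.0.0.7", "203.0.113.12", 80, 900, b"GET /../../etc/passwd HTTP/1.1"),
    Flow("10.0.0.9", "203.0.113.40", 443, 50000, b""),
]


def run_both(training, window):
    """Run both detectors over the same window and return their alerts."""
    baseline = VolumeBaseline().fit(training)
    return {"signature": signature_scan(window),
            "anomaly": baseline.anomalies(window)}


if __name__ == "__main__":
    print(run_both(TRAINING_FLOWS, TEST_FLOWS))
```

Each detector catches the event the other misses: the signature matcher flags the request from 10.0.0.7, whose volume is unremarkable, and the baseline flags 10.0.0.9, whose flows match no rule. The baseline is only as good as its training window, which is why the text insists that the normal state be documented before the IDS is relied upon.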
As with a firewall, the implementation of an IDS may vary, and it may be placed at the border of the network or within it.
The most common implementation of an IDS is to place it at the border between the private and public networks. Since this is one of the most critical points of the network, monitoring and analysing it is crucial to maintain a good security level and prevent unauthorised access to the internal network and systems (Figure 13). With the IDS in this position, all incoming and outgoing traffic is monitored and controlled; however, this also demands higher processing power and the capacity to deal with a large amount of traffic. Because it controls access to the public network, poor performance of the IDS will also degrade the performance of communications with external networks, commonly the Internet.
Figure 13 - Installation of an IDS in between the internal and external networks
It is also possible to find different IDS systems implemented at the border of network segments or LANs, monitoring and analysing the traffic between them. This implementation is normally found where corporate networks connect to critical-system networks, where each segment may have its own dedicated IDS server (Figure 14).
Figure 14 - Installation of an IDS at the border of LAN segments
A host-based IDS focuses on the protection of a single host. This implementation architecture is suitable for protecting specific servers or computers that are easy targets for attacks. Being host-based, the IDS agent is installed on the server or computer itself, which therefore needs sufficient processing power and memory. This architecture is not suitable for all devices, since not all of them are capable of analysing a large amount of network traffic, so it should be deployed only on individual servers and critical computers. Moreover, a host-based architecture requires a dedicated IDS server to communicate with each of the IDS agents. As the number of monitored hosts grows, so does the volume of IDS network traffic, which may flood the network with IDS communications and reduce its performance.
The implementation of a network-based IDS brings more efficient analysis and monitoring when the network includes a larger number of hosts and when we focus on critical infrastructures with low-powered devices. Because it relies on analysis of the network traffic itself, a network-based architecture does not need IDS agents on the hosts and consequently generates no IDS communication traffic on the network. This type of architecture uses one or more dedicated servers, installed inside the network, to collect and analyse the network traffic, identifying abnormal behaviour or abnormal traffic patterns in order to detect an intrusion by unauthorised agents.
Though there are three major IDS implementation architectures, most scholars and researchers in this area state that the best IDS solution lies in combining all three. Using different types and implementation architectures brings a higher intrusion detection rate and, consequently, a higher security level.
Moreover, combining a HIDS and a NIDS makes it possible to monitor the entire network while giving special attention to critical servers or computers that store or provide important data and services to the network users.
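One concrete benefit of running a HIDS alongside a NIDS is that an alert from the network sensor and an alert from the agent on the same host can corroborate each other. The block below is an added example, not code from the original text: the alert records, host addresses, timestamps and the five-minute correlation window are constructed. It groups alerts from both sources by host and rates a host "high" confidence only when both sources report it within the window.

```python
"""Correlating HIDS and NIDS alerts for the same host.

Added illustration, not code from the original text.  The alert records,
host addresses, timestamps and the correlation window are constructed.
"""
from datetime import datetime, timedelta

# (timestamp, host, description) as a network sensor on the segment might
# report them.  Constructed.
NIDS_ALERTS = [
    ("2024-05-01T10:00:05", "10.0.0.7", "rule matched in inbound HTTP request"),
    ("2024-05-01T10:00:40", "10.0.0.9", "outbound volume far above baseline"),
    ("2024-05-01T11:30:00", "10.0.0.2", "rule matched in inbound HTTP request"),
]

# Reports from agents installed on the hosts themselves.  Constructed.
HIDS_ALERTS = [
    ("2024-05-01T10:00:12", "10.0.0.7", "web server process spawned an interactive shell"),
    ("2024-05-01T10:01:00", "10.0.0.9", "file integrity: scheduled-task directory changed"),
    ("2024-05-01T14:00:00", "10.0.0.4", "failed logins exceeded threshold"),
]


def _parse(alerts):
    """Turn ISO-8601 timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), host, desc) for ts, host, desc in alerts]


def correlate(nids, hids, window=timedelta(minutes=5)):
    """Group alerts by host and rate confidence.

    A host reported by both the network sensor and its own agent within
    `window` of each other is rated "high"; a host seen by only one source,
    or by both but too far apart in time, is rated "medium".
    """
    nids, hids = _parse(nids), _parse(hids)
    hosts = {h for _, h, _ in nids} | {h for _, h, _ in hids}
    result = {}
    for host in sorted(hosts):
        n = [(t, d) for t, h, d in nids if h == host]
        hd = [(t, d) for t, h, d in hids if h == host]
        corroborated = any(abs(tn - th) <= window for tn, _ in n for th, _ in hd)
        result[host] = {
            "nids": [d for _, d in n],
            "hids": [d for _, d in hd],
            "confidence": "high" if corroborated else "medium",
        }
    return result


def high_confidence_hosts(nids, hids, **kw):
    """Hosts whose alerts are corroborated by both sources."""
    return [h for h, r in correlate(nids, hids, **kw).items()
            if r["confidence"] == "high"]


if __name__ == "__main__":
    for host, summary in correlate(NIDS_ALERTS, HIDS_ALERTS).items():
        print(host, summary["confidence"], summary["nids"], summary["hids"])
```

The window size is the key tuning knob: too narrow and related alerts from the two sensors fall outside it (the second test below shrinks it to ten seconds and 10.0.0.9 drops back to "medium"); too wide and unrelated alerts on a busy host are wrongly linked.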