Issue dated - 29th September 2003

Security Special: IDS

Choosing the right intrusion detection system

Picking any intrusion detection system available on the market is not the right answer to your security needs. What you need to do is pick the one that’s the best fit for your enterprise. DHAWAL THAKKER provides some guidelines and also some scenarios for IDS deployments

No technology comes without its inherent risks—in spite of the many controls that may be built into the security programme of an organisation, security breaches do occur. And when they occur they must be detected. Hence, efficient detective measures like intrusion detection systems (IDS) and analysis of server logs are extremely important elements of any security infrastructure. The earlier a breach is detected, the lower the quantum of damage arising out of it.

Due to the complexities involved in the selection, deployment and maintenance of IDS, this component is not being used to its fullest in the Indian scenario. This was clearly seen in the PricewaterhouseCoopers-Confederation of Indian Industry (PwC-CII) Security Survey (2002-2003), which brought forth the following statistics for detecting breaches:

  • 36 percent of breaches are detected through actual data damage.
  • 34 percent of breaches are reported by employees.
  • 19 percent of breaches are known because of customer alerts.
  • 34 percent of breaches are identified by analysis of server logs.
  • Only 16 percent of breaches are identified by proactive measurement tools like IDS, firewalls, etc.

These figures suggest that many firms have either chosen the wrong IDS technology, deployed it badly, or monitored the deployment poorly. The last problem is more of a policy issue and hence we won’t get into that here. The objective of this article is to identify the key criteria that should be considered while evaluating an IDS, and some possible deployment scenarios.

Criteria for evaluating an IDS

The most basic evaluation tests should consist of availability of a vendor’s local presence in India, general installation issues, ease of management and configuration, presentation of events, help on interpreting those events and reporting facilities.

Moving a little further from the basics, the following should be considered:

Installation, configuration and management

  • Ease of installation.
  • Quality of the user interface.
  • Scalability.
  • Updating capabilities, update automation.
  • Customisation (policies, signatures).
  • Help/support.

Intrusion response, reporting and forensic analysis

  • Countermeasures.
  • Reporting and event presentation.
  • Event correlation, and aids to analysing events.

Detection technology

  • Methods of attack detection and breadth of attack detection.
  • Performance (i.e. speed, dropping no packets).
  • Accuracy (i.e. few ‘false positives’ and even fewer ‘false negatives’).

Security

  • Method of authentication and communication between the various IDS components.
  • Resistance against attacks that are aimed at the IDS itself, e.g., flooding, denial of service (DoS) and others.
  • Stealth, i.e. giving potential hackers as little information as possible about the IDS itself (e.g. sensors that listen passively on an interface with no address).
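The following is an added example, not code from the article or from any IDS product, of what the first two bullets mean in practice: a sensor signs each event with a per-sensor shared key and a sequence number, and the management tier verifies the MAC, rejects replays and caps the rate at which a single sensor can push events, so that neither a forger on the management network nor a compromised sensor can feed the console false alerts or bury it. The sensor names, keys, event fields and flood limit are all assumptions constructed for the demonstration.

```python
"""Authenticated sensor-to-manager event channel (added illustrative code,
not from any IDS product). Sensor names, keys, event fields and the flood
limit are constructed for the demonstration."""
import hashlib
import hmac
import json
from collections import defaultdict

# Per-sensor shared secrets (constructed). Provisioned out of band in a real
# deployment; the point is that the management tier can tell a genuine sensor
# from anything else that can reach its listening port.
SENSOR_KEYS = {
    "nids-outside": b"constructed-secret-for-outside-sensor",
    "nids-inside": b"constructed-secret-for-inside-sensor",
}


def sign_event(sensor, seq, event, key):
    """Sensor side: serialise the event deterministically and MAC
    sensor|seq|payload so neither the body nor the sequence number can be
    altered in transit without the key."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    body = f"{sensor}|{seq}|{payload}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"sensor": sensor, "seq": seq, "payload": payload, "mac": tag}


class Manager:
    """Management tier: verify the MAC, reject replays, cap events per sensor."""

    def __init__(self, keys, flood_limit=100):
        self.keys = keys
        self.flood_limit = flood_limit          # accepted events per sensor (demo window)
        self.last_seq = defaultdict(lambda: -1)
        self.count = defaultdict(int)
        self.accepted = []                      # decoded events
        self.rejected = []                      # (reason, raw message)

    def receive(self, msg):
        key = self.keys.get(msg.get("sensor"))
        if key is None:
            return self._reject("unknown-sensor", msg)
        body = f"{msg['sensor']}|{msg['seq']}|{msg['payload']}".encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return self._reject("bad-mac", msg)
        if msg["seq"] <= self.last_seq[msg["sensor"]]:
            return self._reject("replay", msg)
        if self.count[msg["sensor"]] >= self.flood_limit:
            return self._reject("flood", msg)   # one sensor cannot bury the console
        self.last_seq[msg["sensor"]] = msg["seq"]
        self.count[msg["sensor"]] += 1
        self.accepted.append(json.loads(msg["payload"]))
        return "accepted"

    def _reject(self, reason, msg):
        self.rejected.append((reason, msg))
        return reason


def demo():
    """Walk the manager through genuine, replayed, tampered, forged and
    flooding messages; returns the verdict for each, in order."""
    mgr = Manager(SENSOR_KEYS, flood_limit=3)
    key = SENSOR_KEYS["nids-outside"]
    verdicts = []
    genuine = sign_event("nids-outside", 1, {"sig": "PORTSCAN", "src": "203.0.113.5"}, key)
    verdicts.append(mgr.receive(genuine))                       # accepted
    verdicts.append(mgr.receive(genuine))                       # same message again: replay
    tampered = dict(genuine, seq=2, payload='{"sig":"NOTHING"}')
    verdicts.append(mgr.receive(tampered))                      # body changed: bad-mac
    forged = sign_event("nids-outside", 2, {"sig": "X"}, b"attacker-guess")
    verdicts.append(mgr.receive(forged))                        # wrong key: bad-mac
    for seq in range(2, 6):                                     # seq 2,3 accepted; 4,5 over limit
        verdicts.append(mgr.receive(sign_event("nids-outside", seq, {"sig": "PROBE"}, key)))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A shared-key MAC is the simplest scheme that meets the criterion; products that use TLS with mutual certificates achieve the same property with better key management, and that is what to ask the vendor about. Note that the manager records the reason for every rejection but does not echo it back, which is the stealth bullet applied to the management channel.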

Network architecture and scalability

Every solution considered should be scalable to an enterprise-wide deployment. That calls for a multi-tiered architecture of at least three tiers: a sensor tier, a proxy tier and a management tier. The system should be modular and flexible from the start, so that the administrator can decide in which direction connections are initiated (for example, whether sensors connect out to the management tier or the management tier polls the sensors, which determines the firewall rules the deployment needs). This will also help if you later consider outsourcing IDS management to a managed security provider (MSP).

It should further be taken into account that the impact of product-specific weaknesses (e.g. software bugs) can be lessened by deploying complementary systems that use a different detection technology and/or come from a different vendor.

Therefore, combined deployment of a company-wide, scalable, easy-to-manage product with another product that comes at a cheaper price can also be considered. For the complementary solution, an open source variant is not a bad choice, especially in a non-critical LAN segment.

If you plan to combine IDS products on your enterprise network, make sure the centralised management you select can handle every variant of IDS you intend to deploy. Otherwise collecting alerts from the various IDS becomes a major problem and the deployment falls flat.

Types of deployment, depending upon different scenarios

Scenario 1

Deployment of a network IDS (NIDS) outside the perimeter-firewall as an attack detector (early warning system). [See Figure below]

Deployment of a NIDS inside the perimeter firewall for detecting attacks that pass the firewall (i.e. for the main purpose of any IDS: detecting intrusions). [See Figure 2]

Deployment of Host IDS (HIDS) agents on DMZ servers and on servers with highest security demands, e.g. e-commerce back-ends. [See Figure below]

Similarly, usage of IDS can be extended to more complex scenarios.
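As an added example that is not part of the article, the following shows the management-tier side of Scenario 1, and at the same time the point made earlier that centralised management must cope with more than one product: alerts from an outside-firewall sensor and an inside-firewall sensor of a different make arrive in different line formats and under different signature names, are normalised to one record, and are then correlated with a DMZ host agent's events to decide whether an attack was blocked at the firewall, passed it, or also left a trace on the target. The two line formats, the signature-name mapping, the addresses, the timestamps and the 60-second window are constructed assumptions.

```python
"""Management-tier normalisation and correlation for the Scenario 1 layout
(added example, not from the article or any product). The sensor line
formats, the signature-name mapping, the addresses, timestamps and the
correlation window are all constructed for the demonstration."""
import re

# Two NIDS of different makes report the same thing in different formats
# (both formats constructed for this example):
#   vendor format:      ts=<epoch> sensor=<name> sig=<name> src=<ip> dst=<ip>
#   open-source format: <epoch> [<sensor>] <src> -> <dst> "<signature text>"
#   host agent:         <epoch> host=<ip> event=<name>
VENDOR_RE = re.compile(r"ts=(\d+) sensor=(\S+) sig=(\S+) src=(\S+) dst=(\S+)$")
OPENSRC_RE = re.compile(r'(\d+) \[(\S+)\] (\S+) -> (\S+) "([^"]+)"$')
HIDS_RE = re.compile(r"(\d+) host=(\S+) event=(\S+)$")

# Each product names the same attack differently; central management needs a
# mapping to a common name or the two sensors can never be correlated.
SIG_MAP = {
    "WEB-IIS-cmd.exe": "iis-cmd-exec",       # constructed vendor name
    "IIS cmd.exe access": "iis-cmd-exec",    # constructed open-source name
}


def normalise(line):
    """Turn one native alert line into a common record, or None if no parser
    recognises it (count those: an unparsed feed is a silent coverage gap)."""
    m = VENDOR_RE.match(line)
    if m:
        ts, sensor, sig, src, dst = m.groups()
    else:
        m = OPENSRC_RE.match(line)
        if m:
            ts, sensor, src, dst, sig = m.groups()
        else:
            m = HIDS_RE.match(line)
            if not m:
                return None
            ts, host, event = m.groups()
            return {"ts": int(ts), "sensor": "hids", "sig": event, "src": None, "dst": host}
    return {"ts": int(ts), "sensor": sensor, "sig": SIG_MAP.get(sig, sig), "src": src, "dst": dst}


def correlate(records, window=60):
    """For every outside-sensor alert, decide what the other tiers saw within
    `window` seconds:
      outside only               -> blocked-at-firewall (early warning, low priority)
      outside + inside           -> passed-firewall (the firewall let it through)
      ... + host agent on target -> escalate (the target shows an effect)"""
    inside = [r for r in records if r["sensor"] == "nids-inside"]
    hids = [r for r in records if r["sensor"] == "hids"]
    verdicts = {}
    for o in (r for r in records if r["sensor"] == "nids-outside"):
        key = (o["src"], o["dst"], o["sig"])
        passed = any(i["src"] == o["src"] and i["dst"] == o["dst"] and i["sig"] == o["sig"]
                     and 0 <= i["ts"] - o["ts"] <= window for i in inside)
        on_host = any(h["dst"] == o["dst"] and 0 <= h["ts"] - o["ts"] <= window for h in hids)
        if passed and on_host:
            verdicts[key] = "escalate"
        elif passed:
            verdicts[key] = "passed-firewall"
        else:
            verdicts[key] = "blocked-at-firewall"
    return verdicts


def analyse(lines, window=60):
    """Normalise a mixed feed, correlate it, and report lines nobody parsed."""
    records, unparsed = [], []
    for line in lines:
        rec = normalise(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return correlate(records, window), unparsed


# Constructed sample feed (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "ts=1000 sensor=nids-outside sig=WEB-IIS-cmd.exe src=198.51.100.7 dst=192.0.2.10",
    '1012 [nids-inside] 198.51.100.7 -> 192.0.2.10 "IIS cmd.exe access"',
    "1030 host=192.0.2.10 event=new-process-cmd.exe",
    "ts=1100 sensor=nids-outside sig=PORTSCAN src=203.0.113.9 dst=192.0.2.10",
    "ts=1200 sensor=nids-outside sig=WEB-IIS-cmd.exe src=203.0.113.44 dst=192.0.2.20",
    '1205 [nids-inside] 203.0.113.44 -> 192.0.2.20 "IIS cmd.exe access"',
    "a line in a format no parser was configured for",
]

if __name__ == "__main__":
    verdicts, unparsed = analyse(SAMPLE_LINES)
    for key, verdict in verdicts.items():
        print(key, "->", verdict)
    print("unparsed:", unparsed)
```

The outside sensor on its own produces the noisiest feed; the value of the inside sensor is that it turns "somebody tried" into "the firewall let it through", and the host agent turns that into "and something happened on the box". The unparsed list is the check to run when adding a second product: if its lines land there, the central console is not handling that variant and the deployment has the problem described above.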

Scenario 2

  • NIDS surveillance of all other points where data leaves or enters the corporate network, i.e. where subsidiaries and parts of the corporate LAN are connected via leased lines, or where dial-up services provide remote access (e.g. RAS).
  • NIDS and HIDS deployment on internal servers with high security demands, e.g. Enterprise Resource Planning (ERP) systems and other important servers.

Scenario 3

  • HIDS/NNIDS (network node IDS) agents on all server systems that are vital for corporate communication and access to corporate data, e.g. MS Exchange servers, domain controllers, file servers and data warehouses.
  • NIDS surveillance at core switches for maximum coverage at reasonable cost. In this case, monitoring will be an area of concern, as too many logs will be generated (outsourcing for monitoring of logs could be considered).

Last but not least, an IDS is just one component of enterprise security, and as someone has rightly pointed out, "security is only as strong as the weakest link." So, along with perimeter security, it is equally important to build an enterprise security architecture backed by strong policies and procedures.

The author is with the Operation & System Risk Management practice of PricewaterhouseCoopers. He can be contacted at dhawal.thakker@in.pwc.com

© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.