This content is part of the Security School: CISSP Domain 7: Security operations
Get started Bring yourself up to speed with our introductory content.

Network intrusion detection systems ID threats

The following video is an excerpt from the Official (ISC)² CISSP OnDemand Training.

Just as a healthy diet and regular exercise helps the body ward off many infections and viruses, preventing their digital equivalents from infecting enterprise assets requires sustained use of technology such as firewalls and network intrusion detection systems.

In this video, expert Adam Gordon, lead editor of the Official (ISC)² Guide to the CBK, Fourth Edition, describes some of the proven infosec techniques and tools for identifying and preventing attackers from penetrating enterprise systems.

CISSP® is a registered mark of (ISC)²

The following is a full transcript of Adam Gordon's video.

View All Videos

Transcript - Network intrusion detection systems ID threats

Operation and maintenance of preventative measures, what do they mean, how do we engage in those activities? We'll take a look at firewalls, intrusion detection and intrusion prevention systems, including network intrusion detection systems, intrusion response and, of course, IDS management.

Firewalls and filtering

Let's begin by talking about firewalls. A firewall, generically, is a device that's going to operate as a basic filtering system. We're going to pass traffic through it looking at a set of rules. Understanding the logic of the rules helps us to understand the flow of traffic, in the sense that we will walk through the rules, comparing the traffic to the rules as we go. When we find a rule that matches, traffic is then going to be processed through and by that rule. Whether it allows or denies traffic is really just a question of the function of the rule. But at the end of the day, the firewall is just a big filtering engine that allows us to match traffic to rules. Rules are predetermined expectations for behavior. If we see no match at the end of that comparison process, we usually have a default catch-all rule that will either allow or block traffic, and then based, on that traffic goes to the device or is dropped and redirected, and somehow either not delivered, or delivered through an alternate channel, whatever the firewall may decide to do with it. But normally allowed or denied is really the simplistic way of thinking about it. 

So these are devices that are designed to examine and filter traffic based on a set of rules and tell us whether we will or will not be allowed to do something. They operate the network layer, they operate the application layer. They are the standard or one of the standard devices that we will often deploy and use for network information management in terms of border gateway security, and they are probably to most of you, if not all of you, well-known. We have firewalls on our local machines traditionally. If you run a Windows operating system, you have a local built-in firewall. If you are running a server operating system, you typically have a firewall built in there. Linux installations have firewalls built into them, traditionally, as well, as do virtualized environments, as well as the operating systems that maintain them. VMware, for instance, has a firewall built right into its ESXi operating systems. So firewalls are pretty standard today. It would be very difficult to find a reason not to deploy a system with one or more firewalls as part of the architecture

Types of intrusion detection systems

When we think about network architecture and think about intrusion detection, intrusion prevention, we want to think about IDS intrusion detection systems, and understand that from a network perspective, when we deploy network-based IDSes, or what we call NIDS, we are putting the IDS out into the network, and we're then moving all the traffic through that chokepoint, that, in effect, monitoring station where the network intrusion detection systems can monitor any and all traffic flows coming through that particular area can then interact with the information, in the case of the IDS, can passively monitor it, record traffic, understand what the nature of it is and then perhaps tell us, alert us that something is there that we should take a look at. 

When we think about the idea of a host-based intrusion detection system, or a HID, we are thinking about some sort of an IDS that is running on a specific host, a targeted endpoint. We are then going to have some sort of an agent software that runs on that host. That agent is then going to allow the IDS capability to be able to be deployed there. Similar to network intrusion detection systems, any and all traffic moving through that host is monitored, and then we can inform and monitor and interact with that traffic, but on that particular host as opposed to at the network or on the network in large. 

So a HID, a host-based IDS, is the implementation of an IDS, basically at the host level. The most significant difference between host-based IDS and network intrusion detection systems, as we know, is that all the related processes are limited to the boundaries of the single host system. Instead of looking at broad traffic across the entire network, we're looking at individual traffic flows within that particular host. 

When we think about the IDS analysis engine, we think about several methods that can be deployed to do analysis on the IDS -- either host-based or network intrusion detection systems. We have to think about different ways to do this. Pattern-matching and anomaly detection are the two general categories that come to mind. Pattern-matching at a high level involves some sort of match to a symmetry file or some sort of predetermined behavior, and then anomaly detection is then going to allow us to understand that if behavior deviates from some sort of baseline or norm, whatever "norm" means, then that would be the thing that we flag and then we look for and we pivot around. And so anomaly detection in host-based or network intrusion detection systems may include things like multiple failed logon attempts, users logging in or off in strange hours, unexplained changes to clocks and timing mechanisms and systems, attempts to access restricted files, unexplained system startups or shutdowns, and of course unusual error messages. Any or all of these things may be indications of anomaly or indications of strange behavior, and we can then pivot on and focus on a monitor around these behaviors and look for them and, when they occur, flag them, and then alert about them and, as a result of that, perhaps be told that we need to pay attention to something and perhaps uncover some bad actions or unusual behavior. 

How intrusion detection systems work

Intrusion detection can either be stateful, or it can be statistical anomaly-based. In terms of intrusion detection, stateful matching allows us to scan for attack signatures, and look for certain kinds of behavior based on that particular signature, and if that behavior occurs, we then classify that as some sort of attack or some sort of anomalous behavior we want to look at. 


Statistical anomaly-based intrusion detection. We attempt to analyze behavior elements and look for suspicion in the behavior elements. We look for people logging in at strange hours. We look for people accessing files they don't belong seeing, whatever those things may be. And then if they deviate the patterns due from the norm, we flag them and understand there may be an issue there. 

Protocol anomaly-based intrusion detection and traffic anomaly-based are additional mechanisms to be used. We identify any unacceptable deviation from expected behavior based on either known network protocols are based on actual traffic structure, and as a result of that, anything that is unusual we flag, and then we then mark as some sort of a problem for further follow-up or further investigation. 

When we think about intrusion response in host-based or network intrusion detection systems, we have to think about the fact that an IDS, a passive monitoring engine does not have the capability to respond in and of itself, but rather can alert us and passively monitor traffic, asking us to come look and intervene, whereas an IPS can interact with and actually take on not just passive monitoring capabilities, but then actually interact with and react to the traffic flows it finds, and as a result of that can actually then take steps to defend the network and change the way in which the system works, can block traffic, collaborate with other IDS devices, can do a variety of things to drive the response mechanism, whatever that may be. 

Alarms and signals are very important as an element of the overall monitoring the IDSes and IPSes provide. We want to make sure we understand how they work. They're made up of essentially three constituent parts or components that make up the alarm. The idea of the sensor, the control of communication and what's known as the annunciator. The sensor is the protection mechanism, whatever is actually used to identify the event that produces the appropriate notification. The control and communication function is the mechanism that handles the actual alert information, processes it, and makes it available to us, and the mechanism that may be used to communicate that and make that available and send it out, and then the annunciators essentially a relay system that allows us to signify I want this information to be sent over here, I may then want to alert this system over here, but to do so separately 5 or 10 minutes later. So it's going to handle relaying and management of information flow, and this is what the annunciator portion of the system provides. 

When we think about IDS management overall, whether it’s related to host-based or network intrusion detection systems, remember IDSes are designed effectively as passive solutions that monitor. They are designed to detect and deform the nature and the function and the elements of an attack, provided the attack matches the criteria they're told to look for. But remember that ultimately they're passive. They can't do anything other than simply record that knowledge or perhaps alert us to the fact that something is taking place. So they do require regular updates, they require a technically knowledgeable person to run, manage and maintain. They are very specialized devices. They are very valuable devices for the security professional to think about deploying. But they do have certain limitations in comparison to and in association with an intrusion prevention system. 

IPS, IDS solutions, overall, when we think about using them, utilizing them, combining them in, or interacting around them, we want to think about tactics that make them not only more focused and therefore more valuable to us, but also things that are lateral to them that could be used with great effect as we partner with these other systems and technologies. Whitelisting and blacklisting of applications, of addresses, of ports as technology tactics to use either with an IDS, with an IPS, or in some combination either directly in line with them or as a result of configuring them can be very valuable. Whitelisting allows things, blacklisting blocks those things. Spam filtering using a sandbox to virtualize areas for analysis of suspicious malware and things like that can be valuable. 

Complementary techniques and technologies

Honeypots and or honeynets are where we create fake systems that are used to effectively bait and draw people in, having them attack the fake system, allowing us to analyze the attack vector and the information from the attack to then further understand the nature of what that system is in terms of vulnerabilities, and threats and risks that it may pose. antimalware products and third-party services that can be paired with either cloud-based or just consumed directly via the cloud or via some sort of deployment mechanism as boxed software and boxed products. Third-party services that can be augmenting IPS and IDS tactics such as real-time intelligence gathering and real-time intelligence monitoring services that will look at information flows not just in our network, but across a geography, and report back on what's happening to us and to others within that geography in real time. This may be valuable as additional add-on to IPS and IDS solutions today.

When we wrap up or think about wrapping up conversations about IPS and IDS solutions and host-based and network intrusion detection systems, intrusion prevention overall, no good conversation would be complete without us reminding ourselves and stopping and pausing and thinking about for a moment the fact that this is just one of several tactics that we should be deploying, thinking about putting this into perspective or around the idea of defense in depth, and the architecture elements we need to use to support a defense-and-depth solution is a very valuable thought process for the CISSP to have in regards to this conversation, adding these protection and monitoring capabilities to firewalls as we've already talked about them in relation to adding them to general board or gateway device, management, proxies, and understanding the nature and the flow of traffic, and the monitoring of traffic which proxies can help us to provide and do. Understanding the use of port scanning and vulnerability assessment technologies to understand what kind of traffic is running inside of our systems and running between and among them. Understanding how to use things such as whitelisting and blacklisting helps us to better understand how to deploy software and interact with it. 

How CISSPs add value

Any and all of these technologies added together singularly or cumulatively within a defense and depth posture, strengthens and enhances the overall security and the overall functionality of the security architecture within the network and within the enterprise. It's up to the CISSP to ensure that these tactics, these techniques, these technologies are well understood and that they are deployed judiciously, but with purpose and with focus to the greatest effect in terms of combining them together into a defense and depth posture that speaks to the requirements of the organization, focuses you and focuses the organization on securing the information necessary to conduct business, create confidentiality, integrity, and availability as you go, but also to exclude areas to exclude information that is not worthy of protection and focus so we can really marshal and focus our resources on areas that we need to use them in, and eliminate waste, eliminate distraction, eliminate concern for areas that may not be proving to be as valuable.

This is the job of the CISSP. This is the role that we take on in this area. We are the voice of reason, as I've said before, and we focus the attention and the resources of the organization around these activities to the betterment of not only the security posture of the organization, but to the broadening ultimately and the hardening of the security architecture so that it is focused on indicating how we can extract value and ultimately create alignment with the business requirements that have been, in our mind, dictated to us and explained to us by the business, and then mutually reinforcing those requirements with an up-to-date defense in depth posture is ultimately the outcome of this particular conversation.

+ Show Transcript