IDs and IPs

The company has become a Symantec senior partner, I will be responsible for Symantec and Kaspersky Pre-Sales Technology and after-sale support, a preliminary understanding of the 7100 series and the SxS of the new Sysmantec mode, think it is very good, Especially ids/ips on the solution, deeply admired. Self-sensing IDs differs from IPs in that one is a color congenial, one is a watchdog, one can see can not catch, a two can do, or even active, the 7100 series is this

Intrusion detection System (IDS) because the market of intrusion detection system has developed rapidly in recent years, many companies have come into this field. Companies such as Internet Security System (ISS), Cisco and Symantec have launched their own products.

System composition: The IETF divides an intrusion detection system into four components: event generators, Event Analyzer (analyzers), Response Unit (Response units), event database (events databases ）。 The purpose of the event generator is to obtain events from the entire computing environment and to provide this event to other parts of the system. The event Analyzer analyzes the data obtained and produces the analysis results. The response unit is the functional unit that responds to the analysis result, it can make a strong reaction such as cutting off the connection, changing the file attributes, or simply alarming. Event database is a general term for storing all kinds of intermediate and final data, it can be a complex database, or it can be a simple text file.

System classification

According to the different detection objects, intrusion detection system can be divided into host type and network type.

host-based monitoring. The main model intrusion detection system is based on the system log, application log, etc. as the data source, of course, can also through other means (such as monitoring system calls) from the host to collect information for analysis. The main model intrusion detection system is generally protected by the system. Such systems are often run on monitored systems to monitor the legality of processes running on the system. A recently occurring ID (Intrusion detection): Located in the kernel of the operating system and monitoring the underlying behavior of the system. All these systems have recently been able to be used on a variety of platforms.

Network intrusion detection. Its data source is a packet on the network. Often the network card of a machine is located in the promiscuous mode (Promisc modes), and the information is collected and judged on all the packets in the network segment. The general network intrusion Detection system is tasked with protecting the whole network segment.

System Communication Protocol

There is a need for communication between the components within the IDS system, and communication is required between the IDs systems of different vendors. Therefore, it is necessary to define a unified agreement. Currently, the IETF currently has a dedicated team intrusion detection Working Group (IDWG), which is responsible for defining this communication format, called Intrusion Detection Exchange format, but there is no uniform standard. The following are the issues to be considered when designing a communication protocol: 1. The information transmitted between the system and the control system is very important, so the authenticity and integrity of the data must be maintained. There must be a mechanism for both authentication and secure transmission of both sides of the communication (while preventing both active and passive attacks). 2. Both sides of the communication are likely to cause communication disruption due to exceptional circumstances, and the IDs system must have additional measures to ensure that the system is working properly.

Intrusion detection Technology

It is the core function of intrusion detection system to analyze various events and find out the behavior of violating security policy. In terms of technology, intrusion detection is divided into two categories: one based on logo (signature-based) and the other based on anomaly (anomaly-based).

For identity based detection techniques, first define the characteristics of events that violate security policies, such as some header information for a network packet. Detection is primarily to determine whether such features are present in the collected data. This method is very similar to antivirus software.

The anomaly based detection technology is the first to define a set of systems "normal" the number of cases, such as CPU utilization, memory utilization, file checksums, etc. (this type of data can be defined artificially, by observing the system, and by statistical means), and then comparing the value of the system runtime to the defined "normal" situation. To see if there were any signs of attack. The core of this approach is how to define the so-called "normal" situation. There are very big differences between the two methods of detection technique and the conclusions drawn. The core of anomaly based detection technology is to maintain a knowledge base. For known attacks, it can report the types of attacks in detail and accurately, but with limited impact on unknown attacks, and the knowledge base must be constantly updated. The detection technique based on anomaly can not discriminate the attacking tactics accurately, but it could (at least theoretically) discriminate the more widespread and even undetected attacks.