Intrusion detection and the development of network security technology

Source: Internet
Author: User

As network security risks keep growing, firewalls, once the most important means of defense, can no longer meet security requirements on their own. As a complement to firewalls, an IDS (Intrusion Detection System) helps a network detect attacks quickly, extends the system administrator's security management capabilities (security auditing, monitoring, attack identification and response), and improves the integrity of the information security infrastructure.

I. What is an Intrusion Detection System (IDS)?

An IDS is a network security system. When an attacker or malicious user attempts to enter the network or a computer system over the Internet, the IDS detects the attempt, raises an alarm, and notifies the network so that a response can be taken.

In essence, an intrusion detection system is a typical "sniffing device". It does not span multiple physical network segments (usually it has only one listening port) and does not need to forward any traffic; it only passively and silently collects the packets it is interested in from the network. The intrusion detection/response process is shown in Figure 1.

Figure 1: Intrusion detection/response flowchart

At present, an IDS generally analyzes and detects intrusions by the following technical means: signature (feature library) matching, statistics-based analysis, and integrity analysis. The first two are used for real-time intrusion detection, while integrity analysis is used for post-event analysis.

II. Problems with IDS

1. High false positive / false negative rate

Common IDS detection methods include signature detection, anomaly detection, state detection, and protocol analysis, and each of them has shortcomings. For example, anomaly detection usually relies on statistical methods, and the threshold in a statistical method is difficult to set well: too small a value generates a large number of false positives, while too large a value generates a large number of false negatives. In protocol-analysis detection, an IDS generally handles only commonly used protocols such as HTTP, FTP and SMTP, so packets of the many other protocols may be missed; yet if it tried to support as many protocol types as possible, the cost to the network would become unbearable.
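The threshold trade-off described above, as an added example that is not part of the original article: a minimal statistics-based anomaly detector learns "normal" from a constructed baseline of requests per minute, then scores an evaluation window (with made-up ground-truth labels) at several thresholds k, counting false positives and false negatives for each.

```python
"""Added example (not from the original article): a small statistics-based
anomaly detector showing why the detection threshold is hard to set.
All traffic counts and attack labels below are constructed."""
import statistics

# Constructed baseline: requests per minute from one host during a quiet
# period, used to learn what "normal" looks like.
BASELINE = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

# Constructed evaluation window: (requests_per_minute, is_really_an_attack).
# The labels are ground truth we made up for scoring; a live sensor has none.
EVALUATION = [
    (50, False), (55, False), (60, False), (58, False),  # busy but benign
    (56, True), (70, True), (90, True), (130, True),     # low-rate scan .. flood
    (62, False), (49, False),
]

def fit_baseline(samples):
    """Learn the mean and (population) standard deviation of benign traffic."""
    return statistics.mean(samples), statistics.pstdev(samples)

def threshold(mean, stdev, k):
    """Alarm line: k standard deviations above the learned mean."""
    return mean + k * stdev

def is_anomalous(value, mean, stdev, k):
    """Flag a rate that lies above the alarm line."""
    return value > threshold(mean, stdev, k)

def evaluate(k, baseline=BASELINE, window=EVALUATION):
    """Count false positives and false negatives for a given k."""
    mean, stdev = fit_baseline(baseline)
    fp = sum(1 for v, atk in window if not atk and is_anomalous(v, mean, stdev, k))
    fn = sum(1 for v, atk in window if atk and not is_anomalous(v, mean, stdev, k))
    return {"k": k, "false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    # A tight threshold floods the operator with false positives; a loose one
    # lets the low-rate scan and part of the flood through unnoticed.
    for k in (1.0, 3.0, 10.0):
        print(evaluate(k))
```

No value of k separates the busy-but-benign minutes from the low-rate scan in this window, which is the page's point: the threshold only moves errors between the two columns.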

2. No active defense capability

IDS technology works on the principle of pre-configured rules and signature analysis, so updates to detection rules always lag behind changes in attack methods.

3. Lack of precise localization and response mechanisms

An IDS can only identify IP addresses; it cannot locate them physically or identify the true source of the data. When it detects an attack, an IDS can only shut down a few ports, such as the network egress or a server, but shutting those down also affects other, legitimate users. It therefore lacks a more effective response mechanism.

4. Insufficient performance

Most IDS products on the market use signature detection, which can no longer keep up with the development of switching technology and high-bandwidth environments. Under heavy traffic or large amounts of IP fragmentation, an IDS may be paralyzed or drop packets, which in effect amounts to a denial of service against the IDS itself.

III. Development of IDS technology

Although IDS has its shortcomings, we can see that the hackers and viruses that threaten network security all depend on the network platform; if they can be cut off at the network platform, security can be better guaranteed. This is how interaction between network devices and IDS devices emerged.

The IDS is linked with network switching devices. While a switch or firewall runs, information about the various data flows is reported to the security device; the IDS inspects the flows based on the reported information and, when it detects a security event, decides on a targeted action and sends it to the switch or firewall, which then disables or disconnects the precise port. This leads to the concept of the Intrusion Prevention System (IPS).

Simply put, an IPS can be thought of as a firewall combined with an intrusion detection system. IPS technology adds an active response capability to IDS monitoring and aims to respond immediately, actively cutting the connection as soon as an attack is detected. Unlike an IDS, which sits beside the network in parallel, an IPS is connected to the network in series (inline). Its function is shown in Figure 2.

Figure 2: IPS

Besides IPS, some vendors have also proposed the IMS (Intrusion Management System). IMS is a process: before a behavior occurs, one must consider the vulnerabilities in the network and determine what attack behaviors could form and what the risk of intrusion is; when a behavior occurs or is about to occur, one must not only detect the intrusion but also actively block and terminate it; after the intrusion, one must analyze it in depth and, through correlation analysis, determine whether a follow-on attack will occur.

IV. Development direction of network security

1. Detection and access control technologies will coexist

Detection technology, represented by IDS, and access control technology, represented by firewalls, are fundamentally two different kinds of technical action.

(1) A firewall is a gateway that requires high performance and high reliability, so it focuses on throughput, latency, HA (high availability) and similar requirements. Its main feature is permitting or cutting communication, so its demands on forwarding are very high.

(2) IDS is a technical activity characterized by detection and discovery. It pursues lower false negative and false positive rates, and its performance goal lies mainly in packet capture and analysis rather than in delivering a result within microseconds. Because of these technical characteristics, IDS has very high computational complexity.

In this sense, detection and access control technologies will, for a long time to come, each concentrate on their own characteristics and improve their own performance and reliability; neither will replace the other, nor will they simply merge into a single integrated technology.

2. Collaboration between detection and access control is an inevitable trend

Although detection and access control technologies differ, their collaboration and integration are an urgent requirement and an inevitable trend.

Integration, collaboration and centralized management of security products are the direction in which network security is developing. Large enterprises need integrated security solutions and detailed security controls, while small and medium-sized enterprises (SMEs) may not invest much in information security yet still hope to obtain effective protection. From the early active response of intrusion detection systems, to interaction between the IDS and the firewall, to IPS and IMS, a process of continuously raising security requirements has formed.

3. How to integrate the technologies

The idea of "centralized detection, distributed control" is very important for understanding the trend of detection and access control technologies. The output of an IDS whose accuracy is not fully satisfactory can be analyzed accurately by hand; similarly, after large-scale centralized analysis of IDS deployments and correlation analysis with other detection technologies, more accurate results can be obtained. In this way, local event detection evolves toward global event detection, and global response and control can be performed on the basis of global detection results.

Global detection effectively solves the accuracy problem, but it also makes the detection process longer and the local response not fast enough. Therefore, for local events and problems that can be identified accurately and quickly, and where blocking has relatively small side effects, IPS is the better solution.
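The "centralized detection, distributed control" idea from the previous two paragraphs, as an added example that is not part of the original article: sensor alerts with a high-confidence signature match are blocked at once at that sensor's own enforcement point (the fast local IPS case), while low-confidence alerts are forwarded to a central correlator and only become a network-wide block once enough independent sensors agree. Sensor names, alert records and the confidence values are constructed.

```python
"""Added example (not from the original article): a toy implementation of
"centralized detection, distributed control". All alerts are constructed;
source IPs come from the RFC 5737 documentation ranges."""
from collections import defaultdict

# Constructed alerts: (sensor, source_ip, signature, confidence in [0, 1]).
ALERTS = [
    ("sensor-A", "198.51.100.7", "port-scan", 0.4),
    ("sensor-B", "198.51.100.7", "port-scan", 0.5),
    ("sensor-C", "198.51.100.7", "port-scan", 0.4),
    ("sensor-A", "203.0.113.9", "known-exploit-signature", 0.95),
    ("sensor-B", "192.0.2.33", "port-scan", 0.3),
]

LOCAL_BLOCK_CONFIDENCE = 0.9   # confident enough to act locally, right away
CORROBORATION_QUORUM = 3       # distinct sensors needed before a global block

def plan_responses(alerts, local_threshold=LOCAL_BLOCK_CONFIDENCE,
                   quorum=CORROBORATION_QUORUM):
    """Split alerts into fast local actions and corroborated global actions.

    Returns (local_blocks, global_blocks):
      local_blocks  - (sensor, ip) pairs blocked only at that sensor's point
      global_blocks - ips blocked at every enforcement point, sorted
    """
    local_blocks = []
    seen_by = defaultdict(set)          # ip -> set of sensors reporting it
    for sensor, ip, _signature, confidence in alerts:
        if confidence >= local_threshold:
            local_blocks.append((sensor, ip))   # precise, few side effects
        else:
            seen_by[ip].add(sensor)             # defer to central correlation
    # A set per ip means one noisy sensor repeating itself never reaches quorum.
    global_blocks = sorted(ip for ip, sensors in seen_by.items()
                           if len(sensors) >= quorum)
    return local_blocks, global_blocks

if __name__ == "__main__":
    local, global_ = plan_responses(ALERTS)
    print("local blocks :", local)    # [('sensor-A', '203.0.113.9')]
    print("global blocks:", global_)  # ['198.51.100.7']
```

The single low-confidence report about 192.0.2.33 triggers nothing, which is the accuracy gain of global correlation; the cost is that the scanner at 198.51.100.7 is only blocked after the third sensor reports it.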

4. People remain the deciding factor in network security management

It is undeniable that the human factor is still the deciding factor in network security management. The weakest link in network security is not a system vulnerability but a human one. The core issue of security is a human problem, because all insecure factors come from people (or some people). Our struggle against threats to information network security is therefore actually a struggle against people (or some people), and such a struggle is, by its nature, destined to be complex and long-lasting.

Therefore, it is unrealistic and unwise to rely solely on security technology and hardware or software products to solve network security problems. Only by raising enterprises' awareness of network security, increasing their overall ability to prevent intrusions and attacks, and on that basis forming a high-quality network security management team that responds promptly and accurately to all kinds of security events, can the threats and troubles we face be fundamentally resolved.
