Intrusion Detection: The third force of Network Security

With the development of network security technology, apart from firewall and anti-virus system protection, intrusion detection technology has become an effective way to defend against hacker attacks. Although the intrusion detection technology is still evolving, the market for intrusion detection products is growing, and the third wave of network security has been set off.

Intrusion detection technology is designed and configured to ensure the security of computer systems. It can detect and report unauthorized or abnormal phenomena in the system in a timely manner, is a technology used to detect violations of security policies in computer networks.

Intrusion detection is considered the second security gate after the firewall. IDS is mainly used to monitor and analyze user and system activities. It can identify activity modes that reflect known attacks and send alerts to relevant people. For abnormal behavior patterns, IDS must perform statistical analysis in the form of reports. The functions provided by the product also evaluate the integrity of important systems and data files.

A successful intrusion detection system not only allows the system administrator to understand the network system at all times, but also provides a basis for formulating network security policies. It should be easy to manage and configure, so that non-professional personnel can easily obtain network security. The scale of intrusion detection should also be changed based on changes in the network scale, system structure, and security requirements. After detecting intrusion, the intrusion detection system responds promptly, including disconnecting the network, recording events, and alerting. IDS classification intrusion detection studies the process and features of intrusion behaviors, so that the security system can respond to intrusion events and intrusion processes in real time.

IDS product category

At present, the IDS products on the market are technically divided into two categories: network-based products and host-based products. Hybrid intrusion detection systems can make up for some one-sided network-based and host-based defects. In addition, file integrity check tools can also be seen as a type of intrusion detection products.

Network-based intrusion detection products are placed in important network segments, and feature analysis is performed on each data packet or suspicious data packet. Commercialized products include: ISS RealSecure Network Sensor, Cisco Secure IDS, CA e-Trust IDS, and Axent NetProwler, as well as China's jinnuo Network Security KIDS, the northern Computing Center NISDetector, the Starling and starry hacker intrusion detection and early warning system, and the chintech network "Skyeye" network intrusion detection system.

Host-Based Intrusion Detection products intelligently analyze and judge the real-time network connections and system audit logs of hosts. Host-Based Intrusion detection systems include: ISS RealSecure OS Sensor, Emerald expert-BSM, and KIDS.

The hybrid intrusion detection system combines two structural features based on the network and host, which can detect attack information in the network and abnormal situations from system logs. Commercial Products include: ISS Server Sensor, NAI CyberCop Monitor, and jinnuo Network Security KIDS.

The file integrity check tool checks the digital summary and other attributes of the file to determine whether the file is modified and detect possible intrusion. The products in this field are semi-open source Tripwire.

IDS product form

The vast majority of intrusion detection products are sold in the form of pure software, but in order to achieve the best performance, it is often necessary to optimize and adjust the installed system. In this way, the product can be made into a "black box" for the purpose, such as Cisco Secure IDS and jinnuo Network Security KIDS.

As intrusion detection products are increasingly used in large enterprises, distributed technologies are also incorporated into intrusion detection products. At the same time, the central console for centralized management of multiple sensors is constantly improved. Currently, most intrusion detection products, especially enterprise-level products, have distributed structures.

Important product indicators

There are several important performance indicators worth noting in intrusion detection products, such as the load capacity of the network intrusion detection system, which consumes a lot of resources, however, few vendors have published their own pps (packet per second) parameters.

The network types supported by the network intrusion detection system should also be considered. Currently, intrusion detection vendors in China only support Ethernet and Fast Ethernet.

What operating system does the network intrusion detection system run on? The operating platform of the network intrusion detection system is generally Unix-based. There are also a few intrusion detection systems that use proprietary devices or Windows platforms.