
Network-Based

Network-Based Intrusion Detection System Name Class Date Professor


Network-Based Intrusion Detection System

In the Information Age it is essential to ensure that an organization's network systems are properly secured. To ensure that threats are detected, organizations employ a network-based intrusion detection (ID) system. The network-based ID system captures all traffic that crosses the network in order to detect potential threats to the organization. Information passes through the network in packets, and these packets pass by a sensor that examines them for intrusion patterns. Without a network-based ID system, threats can pass into the network and damage multiple devices. The sensor operates in one of two modes, inline or passive. An inline sensor is inserted into a network segment so that the traffic it monitors must pass through the sensor (Stallings, 2007). In other words, packets pass through the sensor in real time and are scanned for harmful content. The NIDS sensor logic is paired with another device, such as a LAN switch or a firewall, so that when threats enter the system they are blocked. The blocked code cannot cause damage in the system, which reduces the system's vulnerability to outside attack. A passive sensor does not inspect the original traffic but instead monitors a copy of it; no actual traffic passes through the device. If a threat is detected, it is blocked in the original traffic. The traffic flow that poses a threat to the device is detected before it enters the sensor, reducing the amount of traffic flowing through the sensor; the more traffic that flows through the sensor, the greater the likelihood that a threat enters the system. When a packet enters the NIDS sensor, the sensor is alerted to any signature that is considered a threat. The signatures that can be detected include string signatures, port signatures, and header condition signatures.

String signatures look for text that contains malicious code and reject the entire packet. An example string signature for UNIX might be "cat "+ +" > /rhosts/", which if successful might cause a UNIX system to become extremely vulnerable to network attack (Northcutt, 2010). When this string is identified, it is prevented from causing damage. If the string signature is too broad there will be a high number of false positives, meaning that needed information never actually reaches the network. To reduce these false positives, the signature needs to be refined. The second signature type is the port signature. The port signature guards the ports of the network and prevents malicious code from entering. When suspicious packets carry a signature that is detected on the port, the data is rejected in order to prevent the attack or intrusion. With this signature type, the chance that rejected information is legitimate is slim, making it one of the more effective ways to detect threats. Lastly, the header condition signature looks for header information that is illogical. If the header does not make sense, it is probably a threat; illogical header information is in fact a dangerous network threat. The network-based ID system also applies anomaly detection to threats against the network. One technique used to enter the system is the denial of service attack, in which packet traffic is increased in order to bypass detection measures; the goal is to overwhelm the system in order to sneak in a threat. Scanning is used when the offender sends many different types of packets in order to avoid detection. The worm is another method that spreads a harmful signature throughout the entire network. All of these threats are blocked through the NIDS.


Once a threat has been detected by the network-based ID system, CEO Deese of the Nitro Hardware Company will be informed of the threat. Alerts and logs will be sent to the system and will inform Deese of the attempted attack. The information provided in the log will include a time stamp, the type of attack, a rating of the threat, the source and destination IP addresses, the number of bytes transmitted, the decoded payload data, and the user name if the threat was internal. Through the network-based ID system, CEO Deese will be able to better protect the company's network systems.
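The following is an added example, not code from the paper or from the cited sources. It models the three signature types described above (string, port and header condition), shows why a broad string signature produces more false positives than a refined one, and builds an alert record with the log fields listed for CEO Deese (time stamp, attack type, rating, source, destination, bytes, decoded payload, user name for internal sources). The sensor is modeled as passive: it examines a copy of each packet and returns alerts rather than blocking. The packets, signature names, the internal address range 10.0.0.0/8 and the user names are all constructed placeholders.

```python
"""Toy network-based IDS: three signature types plus an alert record.

Added example; not code from the original paper or from the cited
sources. Packets, signatures and addresses below are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    payload: bytes = b""
    username: str = ""   # known only for authenticated internal hosts


# Assumed corporate address range (placeholder, not from the paper).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def string_signature(pattern: bytes, name: str, rating: str):
    """String signature: fires when the payload contains a byte pattern."""
    return (name, "string", rating, lambda p: pattern in p.payload)


def port_signature(port: int, name: str, rating: str):
    """Port signature: fires on traffic from outside to a guarded port."""
    def external_to_port(p):
        return (p.dst_port == port
                and ipaddress.ip_address(p.src_ip) not in INTERNAL_NET)
    return (name, "port", rating, external_to_port)


def header_condition_signature(name: str, rating: str):
    """Header-condition signature: fires on header fields that make no
    sense together (SYN and FIN set at once, or a packet sent to itself)."""
    def illogical(p):
        return {"SYN", "FIN"} <= p.flags or p.src_ip == p.dst_ip
    return (name, "header", rating, illogical)


SIGNATURES = [
    # Refined form of the paper's UNIX example: match the '+ +' redirection
    # rather than every 'cat' command, to keep false positives down.
    string_signature(b'"+ +" > ', "rhosts-trust-write", "high"),
    port_signature(23, "external-telnet", "medium"),
    header_condition_signature("illogical-tcp-header", "high"),
]


def build_alert(packet, name, kind, rating, now=None):
    """Alert record carrying the fields the paper lists for the log."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    internal = ipaddress.ip_address(packet.src_ip) in INTERNAL_NET
    return {
        "timestamp": ts,
        "attack_type": f"{kind}:{name}",
        "rating": rating,
        "source": f"{packet.src_ip}:{packet.src_port}",
        "destination": f"{packet.dst_ip}:{packet.dst_port}",
        "bytes": len(packet.payload),
        "decoded_payload": packet.payload.decode("ascii", errors="replace"),
        # user name is reported only when the source is an internal host
        "user": packet.username if internal else "",
    }


def inspect(packet, signatures=SIGNATURES):
    """Passive sensor logic: examine one copied packet, return its alerts."""
    return [build_alert(packet, name, kind, rating)
            for name, kind, rating, match in signatures if match(packet)]


def count_matches(signature, packets):
    """Number of packets one signature fires on; used to compare a broad
    pattern against a refined one (the false-positive trade-off)."""
    match = signature[3]
    return sum(1 for p in packets if match(p))


SAMPLE_PACKETS = [   # constructed samples, not captured traffic
    Packet("10.0.0.5", "10.0.0.9", 40000, 22, {"ACK"}, b"cat notes.txt\n", "alice"),
    Packet("10.0.0.7", "10.0.0.9", 40001, 22, {"ACK"}, b'cat "+ +" > /rhosts/\n', "bob"),
    Packet("198.51.100.4", "10.0.0.9", 51000, 23, {"SYN"}, b""),
    Packet("203.0.113.8", "10.0.0.9", 51001, 80, {"SYN", "FIN"}, b""),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        for alert in inspect(pkt):
            print(alert)
    broad = string_signature(b"cat ", "any-cat", "low")
    print("broad:", count_matches(broad, SAMPLE_PACKETS),
          "refined:", count_matches(SIGNATURES[0], SAMPLE_PACKETS))
```

Run stand-alone, the script prints one alert per sample packet that fires a signature and then shows that the broad pattern `cat ` matches both the benign shell command and the suspicious one, while the refined pattern matches only the suspicious one. That difference is the paper's point about refining string signatures: a broad signature rejects legitimate traffic, a narrow one does not.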

References

Northcutt, S. (2010). Intrusion Detection FAQ: What is network based intrusion detection? Retrieved May 16, 2013, from http://www.sans.org/security-resources/idfaq/network_based

Stallings, W. (2007). Introduction to Network-Based Intrusion Detection Systems. Retrieved May 16, 2013, from http://www.informit.com/articles/article.aspx?p=782118