IDS Configuration

Applies to Product: USM Appliance™ AlienVault OSSIM®

An intrusion detection system (IDS) monitors networks and hosts for malicious activity or policy violations, such as a compromise of confidentiality, system security, or integrity. Some IDS products can also stop an intrusion attempt, but this is neither required nor expected of an IDS. An IDS primarily identifies possible intrusions, logs information about them, and reports the attempts so that security analysts can investigate further.

Classic network firewalls analyze network- and transport-layer headers, such as source and destination IP addresses, protocol, and source and destination ports. Because network firewalls protect those layers well, attackers today no longer target only the network and transport layers; instead, they exploit vulnerabilities in operating systems, applications, and protocols. Network firewalls cannot detect such attacks, so you need additional security systems, such as an IDS, to detect them. Other examples of attacks that an IDS can detect but a firewall cannot include:

  • Attacks that use tunneling, also known as "port forwarding", inside legitimate traffic or encryption
  • Attacks within internal networks

IDS systems generally fall into two categories:

  • Network IDS (NIDS)—Placed at strategic points in a network to monitor traffic between devices and hosts within the network.
  • Host-Based IDS (HIDS)—Runs on individual host systems and monitors traffic from and to the host system as well as activities on the system itself.

USM Appliance provides both network and host-based intrusion detection capabilities.

Network Intrusion Detection System (NIDS)

You typically place a Network Intrusion Detection System (NIDS) on the inside of a network firewall, where it can monitor traffic from and to all devices. This way, the NIDS detects malicious activities that get through the network firewall. A NIDS usually works in promiscuous mode, monitoring a copy of the network traffic. It analyzes the traffic either by comparing it against a database of known attack patterns, called signatures, or by detecting anomalies in traffic patterns. When it identifies a match, the NIDS generates an event and reports it to the management station.
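The following Python program is an added illustration of the signature-matching step described above; it is not USM Appliance code and does not reproduce any real ruleset. The signatures, SIDs, and packets are constructed for the example. It shows the difference between a header-only check (what a classic firewall sees) and payload inspection, and the third packet demonstrates why a NIDS cannot match a signature once the same request is carried inside a TLS session.

```python
# Added illustration of signature-based NIDS matching; not USM Appliance code.
# Signatures, SIDs and packets below are constructed for this example.
import re

# Hypothetical signatures: header constraints plus a payload byte pattern.
# dport None means "any destination port".
SIGNATURES = [
    {"sid": 1001, "msg": "directory traversal in request", "proto": "tcp",
     "dport": None, "pattern": re.compile(rb"\.\./\.\./")},
    {"sid": 1002, "msg": "SQL injection probe in URI", "proto": "tcp",
     "dport": 80, "pattern": re.compile(rb"(?i)union\s+select")},
]


def inspect_packet(pkt, signatures=SIGNATURES):
    """Return [(sid, msg), ...] for every signature that matches this packet.

    A header-only firewall rule stops at the proto/port check; the NIDS also
    searches the payload bytes, which is where application-layer attacks live.
    """
    hits = []
    for sig in signatures:
        if sig["proto"] != pkt["proto"]:
            continue
        if sig["dport"] is not None and sig["dport"] != pkt["dport"]:
            continue
        if sig["pattern"].search(pkt["payload"]):
            hits.append((sig["sid"], sig["msg"]))
    return hits


def inspect_stream(packets, signatures=SIGNATURES):
    """Run a mirrored packet stream through the matcher and collect NIDS events."""
    events = []
    for pkt in packets:
        for sid, msg in inspect_packet(pkt, signatures):
            events.append({"sid": sid, "msg": msg, "src": pkt["src"],
                           "dst": pkt["dst"], "dport": pkt["dport"]})
    return events


# Constructed packets as a mirror port would deliver them (sample data only).
SAMPLE_PACKETS = [
    # Cleartext HTTP request carrying a traversal attempt: matches sid 1001.
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"},
    # Benign request: no match.
    {"src": "10.0.0.6", "dst": "10.0.0.20", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    # The same request inside a TLS session: the sensor sees only a record
    # header and opaque ciphertext (constructed bytes), so nothing matches.
    # This is the "cannot analyze encrypted information" limitation.
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 443,
     "payload": b"\x17\x03\x03\x00\x2a" + bytes(range(42))},
]

if __name__ == "__main__":
    for ev in inspect_stream(SAMPLE_PACKETS):
        print(ev)
```

Run as a script it prints one event (SID 1001 against 10.0.0.20 on port 80). Only the cleartext request is detected; the benign request has no matching pattern, and the TLS-wrapped copy of the attack produces nothing because the sensor never sees the plaintext.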

You can use the following devices to forward network traffic to a NIDS:

  • Network hubs
  • Network switches with mirrored or spanned ports

Advantages of NIDS:

  • It monitors the entire network's traffic if placed correctly in a network.
  • It has no impact on network performance and throughput since it only analyzes the copy of the network traffic.
  • It has no impact on network availability since it does not stand inline with network traffic.

Limitations of NIDS:

  • It cannot analyze encrypted information.
  • It requires continued signature updates.
  • It requires specific network configuration to receive a copy of the traffic.
  • It cannot block the attacks.

Host Intrusion Detection System (HIDS)

A Host-based Intrusion Detection System (HIDS) monitors the behavior and state of a computer system, as well as the network packets that the system sends and receives. A HIDS runs as an agent on the system and sends detected events to a management station. The HIDS agent usually monitors which programs access which resources and determines whether an application made an unauthorized change to memory, a file, or a database. A HIDS can also look at the state of a system and monitor system-specific logs in order to detect any significant changes on the system.

While a NIDS detects attacks sent over the network it monitors, a HIDS detects attacks against the hosts on that network. A NIDS cannot inspect packet flows that use encryption, but a HIDS can, because it sees the data after the host decrypts it. Ideally, a HIDS should work side-by-side with a NIDS. You can correlate events detected by both systems to determine whether an attack was successful. For example, a detected network attack followed by the creation of an administrator account on the same server could mean that the attack was successful.
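The correlation rule in the paragraph above, written out as an added Python example; this is not USM Appliance's correlation engine, and the events, hostnames, time window, and success-indicator strings are all constructed for the illustration. A NIDS attack event against a host that is followed, within the window, by a HIDS event on the same host indicating a privileged-account change is escalated as a likely successful intrusion; the same HIDS event hours later, or an unrelated file change, is not.

```python
# Added illustration of NIDS/HIDS event correlation; not USM Appliance's
# correlation engine. All events and thresholds below are constructed.
from datetime import datetime, timedelta

# A HIDS follow-up within this window of a NIDS attack on the same host is
# treated as evidence the attack succeeded (value chosen for the example).
WINDOW = timedelta(minutes=10)

# HIDS message fragments that indicate a post-compromise action (hypothetical).
SUCCESS_INDICATORS = ("administrators group", "new account created", "sudoers modified")

# Constructed NIDS events: attacks seen on the wire against a destination host.
NIDS_EVENTS = [
    {"ts": "2024-01-10T10:00:05", "src": "203.0.113.7", "dst": "10.0.0.20",
     "msg": "remote exploit attempt"},
    {"ts": "2024-01-10T11:30:00", "src": "203.0.113.9", "dst": "10.0.0.21",
     "msg": "remote exploit attempt"},
]

# Constructed HIDS events: reported by the agent running on the host itself.
HIDS_EVENTS = [
    {"ts": "2024-01-10T10:03:40", "host": "10.0.0.20",
     "msg": "user backup added to Administrators group"},
    {"ts": "2024-01-10T14:00:00", "host": "10.0.0.21",
     "msg": "user svc added to Administrators group"},   # hours later: outside window
    {"ts": "2024-01-10T10:01:00", "host": "10.0.0.20",
     "msg": "file /etc/hosts modified"},                  # not a success indicator
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(nids_events, hids_events, window=WINDOW, indicators=SUCCESS_INDICATORS):
    """Pair each NIDS attack with HIDS success indicators on the same host
    within the window, returning one incident record per pairing."""
    incidents = []
    for n in nids_events:
        t0 = _ts(n)
        for h in hids_events:
            t1 = _ts(h)
            if h["host"] != n["dst"]:
                continue                      # different host: unrelated
            if not (t0 <= t1 <= t0 + window):
                continue                      # too early or too late
            if not any(ind in h["msg"].lower() for ind in indicators):
                continue                      # HIDS event is not a success indicator
            incidents.append({
                "host": n["dst"], "attacker": n["src"],
                "nids_msg": n["msg"], "hids_msg": h["msg"],
                "delay_seconds": (t1 - t0).total_seconds(),
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(NIDS_EVENTS, HIDS_EVENTS):
        print(inc)
```

Run as a script it prints a single incident for 10.0.0.20, where the administrator-group change followed the network attack by 215 seconds. The 10.0.0.21 account change is the same kind of HIDS event but arrives far outside the window, so on its own it stays an ordinary HIDS alert rather than a correlated intrusion.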

Advantages of HIDS:

  • It can detect if an attack was successful or not.
  • It monitors system activities.
  • It can detect changes in files, memory, and applications.
  • It can detect attacks that NIDS fails to detect, such as changes from a system console.

Limitations of HIDS:

  • You need to deploy an agent to each host you want to monitor.
  • It does not detect network scans or reconnaissance attacks.
  • The host it resides on is susceptible to attack and disablement.

AlienVault OSSIM Limitations: Both AlienVault OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and AlienVault OSSIM provide. However, AlienVault OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.