An intrusion detection system or "IDS" is a mechanism which detects malicious activity occurring within an IT infrastructure. IDS systems may be host-based (host-based intrusion detection systems or "HIDS"), which monitor activity on a single host, or network-based ("NIDS"), which monitor traffic to and from all hosts on a given network segment.
Intrusion detection systems may be passive in nature, simply alerting the administrator when events occur, or proactive in nature, whereby the IDS attempts to actively thwart attacks by means of countermeasures such as connection resets or dynamic firewall blocking. Proactive intrusion detection systems may be referred to by the more specific acronym "Intrusion Detection and Prevention" or "IDP"; however, the two terms are often used interchangeably.
The fundamental difference between an IDS and a traditional firewall is application-layer visibility. While several current-generation firewalls blur the line between traditional firewall and IDS by incorporating some degree of application-layer awareness, firewalls are primarily intended to make traffic routing decisions in real time. To keep up with high-bandwidth links, firewalls typically examine only the TCP/IP packet headers. IDS systems complement firewalls by inspecting the traffic that the basic firewall policy has already allowed. However, this in-depth inspection of application data comes at the cost of increased processing time, as application-layer inspection is far more involved than simple header examination.
As traffic patterns vary from network to network, IDS systems are rarely accurate right out of the box. Deploying an IDS entails a significant amount of time for initial calibration, as well as ongoing fine-tuning to prevent high false-positive and false-negative rates. IDS systems also contain rule sets or "signatures" that must be kept up to date and should be tested thoroughly before being deployed into production. Many IDS systems allow administrators to create custom rules, which is advantageous for defending against zero-day attacks and protecting custom applications.
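The header-versus-payload distinction drawn above, and the signature tuning the previous paragraph describes, are easier to see in code. The following is an added example written for this article, not code from the original page or from any IDS product. It builds a few constructed IPv4/TCP packets, applies a firewall-style policy that looks only at the headers (protocol and destination port), and then runs an IDS-style content signature check over the application payload of whatever the firewall allowed. The `prevention` flag switches between passive alerting and the proactive blocking the article calls IDP. The signature names, port policy, addresses and payloads are all assumptions made up for the demonstration.

```python
import re
import socket
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    """The fields a header-only firewall can see, plus the payload an IDS inspects."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes


def build_tcp_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet. Constructed test traffic, not a real capture;
    checksums are left at zero because nothing here validates them."""
    # TCP: sport, dport, seq, ack, data offset (5 words) in the high nibble, flags PSH|ACK,
    # window, checksum, urgent pointer.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4: version/IHL 0x45, TOS, total length, id, flags/frag, TTL 64, protocol 6 (TCP),
    # checksum, source, destination.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Parse only as much of the IPv4/TCP headers as a firewall policy needs,
    and carve out the application payload for the IDS stage."""
    ihl = (raw[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = raw[9]
    src = socket.inet_ntoa(raw[12:16])
    dst = socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_offset = (raw[ihl + 12] >> 4) * 4    # TCP header length in bytes
    payload = raw[ihl + data_offset:]
    return Packet(src, dst, proto, sport, dport, payload)


# Firewall stage: a header-only policy (assumed): permit inbound TCP to the web ports, drop the rest.
ALLOWED_DST_PORTS = {80, 443}


def firewall_allows(pkt):
    return pkt.proto == 6 and pkt.dport in ALLOWED_DST_PORTS


# IDS stage: content signatures over the payload, which the firewall policy above never reads.
# Both signatures are assumed examples in the style of a content match, not vendor rules.
SIGNATURES = [
    ("path-traversal-attempt", re.compile(rb"\.\./")),
    ("constructed-scanner-ua", re.compile(rb"User-Agent: ExampleScanner", re.I)),
]


def ids_inspect(pkt):
    """Return the name of every signature whose content matches the payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(pkt.payload)]


def process(raw, prevention=False):
    """Run one packet through the firewall, then the IDS. Returns (action, alerts).
    prevention=False is a passive IDS (alert only); True is IDP-style blocking."""
    pkt = parse_packet(raw)
    if not firewall_allows(pkt):
        return "firewall-drop", []
    alerts = ids_inspect(pkt)
    if alerts and prevention:
        return "ids-block", alerts
    return "allow", alerts


def demo():
    """Constructed sample traffic: a benign web request, a request carrying a traversal
    pattern on an allowed port, and a connection to a port the firewall does not permit."""
    benign = build_tcp_packet("198.51.100.7", "192.0.2.10", 40001, 80,
                              b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    traversal = build_tcp_packet("198.51.100.8", "192.0.2.10", 40002, 80,
                                 b"GET /../../config HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    telnet = build_tcp_packet("198.51.100.9", "192.0.2.10", 40003, 23, b"\xff\xfb\x01")
    return {
        "benign": process(benign),
        "traversal": process(traversal),
        "traversal_prevention": process(traversal, prevention=True),
        "telnet": process(telnet),
    }


if __name__ == "__main__":
    for name, (action, alerts) in demo().items():
        print(f"{name:22s} {action:14s} {alerts}")
```

The traversal request passes the firewall stage because its headers are indistinguishable from the benign one; only the payload check distinguishes them, which is the application-layer visibility the article describes. The same run also illustrates why tuning matters: a signature as broad as `\.\./` will fire on any legitimate URL that happens to contain that sequence, so in practice it would be narrowed (for example, to the request line only) and tested against representative traffic before production use.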
Last Updated on Saturday, 21 November 2009 09:24