Intrusion Detection Systems
Introduction into Intrusion Detection Systems (IDS)
A relevant paper by Bykova et al. reported on the development of an equivalent IDS based on the analysis of traffic on a university network. From their work, the IDS should scan for evidence of:
- Packets with low TTL values
- The same destination and source port numbers
- IP addresses in the private range
- Address violations (such as a destination IP beginning with 0., a source IP beginning with 127 seen outside the host, or all 1 bits in the host part of the address)
- Invalid TCP flags (invalid combinations of SYN, URG, PSH, RST, FIN)
- Use of strict routing option
- Zero port
- Source and destination ports carrying the same number (although this was considered more likely to be coincidence than attack)
- Header too short
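To make the list concrete, here is an added example (my own code, not from the Bykova et al. paper) that parses a raw IPv4/TCP packet and reports which of the rules above it triggers. The TTL threshold, the private ranges checked and the set of flag combinations treated as invalid are my assumptions, and build_packet exists only to construct test input.

```python
import ipaddress
import struct
# Added example, not the paper's code: the TTL threshold, private ranges and "invalid" flag sets are assumptions.
LOW_TTL = 5
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
STRICT_SOURCE_ROUTE = 137  # IPv4 option type number for strict source routing

def build_packet(src, dst, sport, dport, flags=SYN, ttl=64, options=b""):
    """Assemble a minimal IPv4/TCP packet (checksums left zero) as constructed test input."""
    options += b"\x00" * (-len(options) % 4)             # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0, 0, ttl, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + options + tcp

def has_strict_source_route(raw, ihl):
    i = 20                                               # options start after the fixed header
    while i < min(ihl, len(raw) - 1) and raw[i] != 0:    # kind 0 ends the option list
        if raw[i] == STRICT_SOURCE_ROUTE:
            return True
        i += 1 if raw[i] == 1 else max(raw[i + 1], 2)    # NOP is one byte, others carry a length
    return False

def check_packet(raw: bytes) -> list:
    """Return the names of the anomaly rules from the list above that the packet triggers."""
    if len(raw) < 20 or (raw[0] & 0x0F) * 4 > len(raw):  # IPv4 header is at least 20 bytes
        return ["header too short"]
    ihl = (raw[0] & 0x0F) * 4
    src, dst = ipaddress.IPv4Address(raw[12:16]), ipaddress.IPv4Address(raw[16:20])
    rules = [
        (raw[8] <= LOW_TTL, "low TTL"),
        (any(a in n for a in (src, dst) for n in PRIVATE), "private address"),
        (dst.packed[0] == 0, "0.x.x.x destination"),
        (src.packed[0] == 127, "loopback source on the wire"),
        (dst == ipaddress.IPv4Address("255.255.255.255"), "all-ones host address"),
        (has_strict_source_route(raw, ihl), "strict source route"),
    ]
    if raw[9] == 6:                                      # protocol 6 = TCP
        if len(raw) - ihl < 20:
            return [n for c, n in rules if c] + ["header too short"]
        sport, dport, flags = struct.unpack("!HH", raw[ihl:ihl + 4]) + (raw[ihl + 13],)
        rules += [
            (sport == 0 or dport == 0, "zero port"),
            (sport == dport, "same source/destination port"),
            ((flags & SYN and flags & (FIN | RST)) or flags in (0, FIN | PSH | URG), "invalid TCP flags"),
        ]
    return [name for cond, name in rules if cond]
```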
In the Cisco document Network Security at a glance (http://www.cisco.com), the following factors are presented as the crucial ones in developing a secure network:
- Identify the user's identity (e.g. by password)
- Identify the device's identity on the basis of its IP/MAC address; then authenticate and apply the proper policy for that user/device/application
- Apply perimeter security – access control lists on routers and switches
- Also use firewalls, virus scanners, content filters and IDS