SnapGear 2.0.1 User Manual

Intrusion Detection

90

The benefits of using an IDS

External attackers attempting to access desktops and servers on the private network
from the Internet are the largest source of intrusions. Attackers exploiting known flaws in
operating systems, networking software and applications, compromise many systems
through the Internet.

Generally firewalls are not granular enough to identify specific packet contents that signal
an attack based on a known system exploit. They act as a barrier analogous to a
security guard screening anyone attempting to enter and dismissing those deemed
unsuitable, based on criteria such as identification. However identification may be
forged. On the other hand intrusion detection systems are more like security systems
with motion sensors and video cameras. Video screens can be monitored to identify
suspect behaviour and help to deal with intruders.

Firewalls are often easily by-passed through well-known attacks. The most problematic
types of attacks are tunnelling-based and application-based. The former occurs when an
attacker masks traffic that should be normally screened by the firewall rules by
encapsulating it within packets corresponding to another network protocol. Application-
based attacks occur when vulnerabilities in applications can be exploited by sending
suspect packets directly with those applications.

These attacks can potentially be detected using an intrusion detection system (IDS). The
IDS logs information and sends alerts, so that administrators may be able to contain and
recover from any harm caused.