© 1995-2007 Symantec Corporation.
All rights reserved.
The Critical Intrusion Detection Layer

In a recent article, we talked about Defense in Depth: the creation of multiple layers of protection around your computers and valuable data using different security technologies, including antivirus, firewall, intrusion detection systems (IDS), and virtual private networks (VPN), at different points in the network. These multiple layers of security are intended to keep a compromise of one layer from becoming a general compromise of the entire network. Today we invite you to learn more about IDS – what it does, and how it works – because IDS is a crucial layer of security that no small business should be without.

How IDS “raises the bar”
Having a firewall – but no IDS in place – all too often gives small businesses a false sense of security. While firewalls and other controls can block unauthorized access to your network resources, they are limited in their ability to protect against a Denial of Service (DoS) attack, Trojan horse, worm, or a host of other malicious attacks that are growing in frequency. Employing IDS on your small business network will essentially “raise the bar” on the level of determination or skill an attacker needs to release a threat that can effectively penetrate a network protected by that extra layer of security.

A sudden shift or increase in activity over ports can signal a possible attack, but it would go unnoticed if you relied only on a firewall for protection at the perimeter. An IDS constantly monitors and analyzes the events occurring in a computer system or network, looking for suspicious activity (preliminary signs such as host sweeps or port scans) or head-on attacks, and alerts you in real time so you can take immediate action.
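The point above is that a firewall judges each connection on its own, while an IDS correlates connections over time. The following is an added example, not code from the article or from any Symantec product: a minimal network-IDS style analyzer that reads constructed firewall connection-log lines and flags a source that touches many distinct ports on one host (a port scan) or one port on many hosts (a host sweep) within a time window. The log format, the thresholds and the window length are assumptions chosen for the demo; a production sensor would tune them and would also look at flags, responses and timing.

```python
"""Port-scan and host-sweep detection over constructed firewall logs.

Added example (not from the Symantec article). Each log line is
"<ISO timestamp> <ALLOW|DROP> <src> <dst> <dport>". The firewall has
already allowed or dropped every line individually; nothing below is
blocked as "a scan", because no single line looks unusual on its own.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PORT_SCAN_THRESHOLD = 8    # distinct ports on one host (assumed tuning value)
HOST_SWEEP_THRESHOLD = 5   # distinct hosts on one port (assumed tuning value)
WINDOW = timedelta(seconds=60)

# Constructed sample log: one ordinary client (10.0.0.9), one host being
# port-scanned by 10.0.0.5, and one source (10.0.0.7) sweeping tcp/445.
SAMPLE_LOG = """\
2004-03-01T10:00:01 ALLOW 10.0.0.9 192.168.1.10 80
2004-03-01T10:00:03 ALLOW 10.0.0.5 192.168.1.10 80
2004-03-01T10:00:03 DROP  10.0.0.5 192.168.1.10 21
2004-03-01T10:00:03 DROP  10.0.0.5 192.168.1.10 22
2004-03-01T10:00:04 DROP  10.0.0.5 192.168.1.10 23
2004-03-01T10:00:04 DROP  10.0.0.5 192.168.1.10 25
2004-03-01T10:00:04 DROP  10.0.0.5 192.168.1.10 110
2004-03-01T10:00:05 DROP  10.0.0.5 192.168.1.10 135
2004-03-01T10:00:05 DROP  10.0.0.5 192.168.1.10 139
2004-03-01T10:00:05 ALLOW 10.0.0.5 192.168.1.10 443
2004-03-01T10:00:06 DROP  10.0.0.5 192.168.1.10 445
2004-03-01T10:00:12 ALLOW 10.0.0.9 192.168.1.10 80
2004-03-01T10:01:30 DROP  10.0.0.7 192.168.1.1 445
2004-03-01T10:01:30 DROP  10.0.0.7 192.168.1.2 445
2004-03-01T10:01:31 DROP  10.0.0.7 192.168.1.3 445
2004-03-01T10:01:31 DROP  10.0.0.7 192.168.1.4 445
2004-03-01T10:01:32 ALLOW 10.0.0.7 192.168.1.5 445
2004-03-01T10:05:00 ALLOW 10.0.0.9 192.168.1.10 443
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, action, src, dst, dport)."""
    ts, action, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(dport)


def detect_scans(lines):
    """Return a sorted list of (source, kind, target) alerts.

    kind is "port_scan" (target = victim host) or "host_sweep"
    (target = "tcp/<port>"). Each alert is reported once per source.
    """
    events = defaultdict(list)          # src -> [(ts, dst, dport), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, _action, src, dst, dport = parse_line(line)
        events[src].append((ts, dst, dport))

    alerts = set()
    for src, evs in events.items():
        evs.sort()                      # oldest first
        window = deque()                # events inside the sliding window
        for ev in evs:
            window.append(ev)
            # Evict everything older than WINDOW relative to the newest event.
            while ev[0] - window[0][0] > WINDOW:
                window.popleft()
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for _ts, dst, dport in window:
                ports_by_host[dst].add(dport)
                hosts_by_port[dport].add(dst)
            for dst, ports in ports_by_host.items():
                if len(ports) >= PORT_SCAN_THRESHOLD:
                    alerts.add((src, "port_scan", dst))
            for dport, hosts in hosts_by_port.items():
                if len(hosts) >= HOST_SWEEP_THRESHOLD:
                    alerts.add((src, "host_sweep", f"tcp/{dport}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print("ALERT", *alert)
```

Note that most of the probe lines were already dropped by the firewall; the firewall did its job and still told nobody that a scan was under way. The correlation step is what turns fifteen unremarkable log lines into two alerts.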

Today’s climate calls for IDS
The increasing frequency of fast-moving blended threats remains the most urgent issue for small businesses that lack IDS. Blended threats use combinations of malicious code such as viruses, worms, and Trojan horses to exploit known vulnerabilities in application or system code. Other concerns are the rapid increase in the number of Win32 threats and the growing number of threats targeting P2P services and instant messaging clients.

Additional areas of concern:

  • Attacks becoming more virulent. The recent MyDoom and Netsky outbreaks started 2004 off on a destructive note for the cyber world. These worms were essentially an amalgamation of the most harmful characteristics of the major 2003 worms – Welchia, WinMail, and SoBig. With every outbreak, threats seem to become more refined, attacking via multiple entry points and spreading at a faster rate than ever, meaning the luxury of having time to react to an attack is slipping away – leaving it up to IDS to detect preliminary signs of an attack before it gets into the network.
  • More vulnerabilities, faster exploitation. Along with an ever-growing list of vulnerabilities, there is less of a gap between the time a vulnerability is discovered and the time it is exploited – that gap is known as the “Vulnerability Threat Window,” and it is rapidly shrinking.
  • Hackers have more tools. The hackers of today don’t need a wealth of technical knowledge to launch an attack. There is an abundance of easy-to-use hacking tools available that can launch increasingly sophisticated attacks.

The different flavors of IDS
Intrusion detection systems are distinguished by the kind of monitoring they provide – the most prevalent being network-based or host-based. In fact, many comprehensive IDS solutions offer the two approaches integrated into a single product. Their names hint at where they do their monitoring:

  • Host-based IDS & network-based IDS provide real-time monitoring, detection, and prevention of security breaches. Host-based IDS is installed on the local server and monitors that machine’s traffic, including audit and event logs, while network-based IDS uses sensors placed at critical points of the network. As a complement to firewalls and other access controls, host- and network-based IDS enable development of proactive policies to stop hackers, or authorized users with malicious intent, from misusing systems.
  • Honeypot technology – By creating a realistic mock network environment to divert and confine attacks, honeypots, or “decoy” servers, act as an attack target in order to protect critical areas of the network. They help provide early detection of internal, external, and unknown attacks and of unauthorized use of passwords and server access, which helps prioritize threats and increases network protection against intrusions.

Methods of detection
Until now, incoming attacks have been identified primarily through signature-based IDS. Signature-based IDS relies upon a database of known attack patterns to pick out suspicious traffic. However, because of the increasing frequency of attacks, the false positives involved, and the potential for a lapse in time between a new attack being discovered and the attack-signature database being updated, the days of relying only on signature-based IDS are over. Protocol anomaly detection provides an effective solution where signature-based IDS falls short. Protocol anomaly detection is built on a foundation of modeling normal activity, making it different from the explicit matching process that signature-based systems go through.

Here are some features and benefits of protocol anomaly detection:

  • Detects modified and new attacks
  • Defends against the unknown
  • No updates required
  • High-speed attack detection capability
  • Scalable, and easy to maintain and manage – eliminates the need for extensive attack-signature databases, which means a smaller footprint than signature-based systems.
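To make the contrast between the two methods concrete, here is an added example (not the article’s code and not a Symantec product’s engine) that runs a toy signature matcher and a toy protocol-anomaly check side by side over constructed HTTP request lines. The signature list, the model of a “normal” request line, the length limit and the sample requests are all assumptions made for the demo. It also shows one practical point the article only implies: a signature engine must normalize input (here, URL-decoding) before matching, while the anomaly model needs no signature at all to flag a request whose shape is simply wrong.

```python
"""Signature matching beside protocol-anomaly detection for HTTP requests.

Added example, not from the Symantec article. Everything here
(signatures, limits, samples) is constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed signature "database": patterns for known attack strings.
# A real database has thousands of these and must be updated continually.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "cmd-exe-probe": re.compile(r"cmd\.exe", re.IGNORECASE),
}

# Constructed model of a normal HTTP/1.x request line:
# "<METHOD> <target> HTTP/1.0|1.1" with a sane method and a bounded target.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LEN = 256            # assumed site policy; real engines tune this
REQUEST_LINE = re.compile(r"^(\S+) (\S+) HTTP/1\.[01]$")

# Constructed sample requests.
SAMPLE_REQUESTS = {
    "normal":    "GET /index.html HTTP/1.1",
    "known":     "GET /../../etc/passwd HTTP/1.0",
    "encoded":   "GET /..%2F..%2Fetc/passwd HTTP/1.0",
    "oversized": "GET /" + "A" * 300 + " HTTP/1.0",
    "garbage":   "\x01\x02 binary blob not http",
}


def signature_alerts(request_line):
    """Names of known-attack signatures found in the (normalized) request."""
    normalized = unquote(request_line)      # decode %2F etc. before matching
    return sorted(name for name, pat in SIGNATURES.items()
                  if pat.search(normalized))


def protocol_anomalies(request_line):
    """Reasons the request deviates from the modeled normal shape, if any."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ["malformed-request-line"]
    method, target = m.groups()
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("unexpected-method")
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized-target")
    if not target.startswith("/"):
        reasons.append("non-absolute-path")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in target):
        reasons.append("non-printable-bytes")
    return reasons


def classify(request_line):
    """Run both detectors and report what each one saw."""
    return {
        "signature": signature_alerts(request_line),
        "anomaly": protocol_anomalies(request_line),
    }


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:10s} -> {classify(req)}")
```

The “oversized” and “garbage” requests carry no string that any signature in the list knows about, yet the anomaly check flags both because they do not look like HTTP as modeled; that is the “defends against the unknown” benefit. The “encoded” request shows the flip side: a well-formed request carrying a known attack string is invisible to the anomaly model, so the signature engine is still needed, and it only works because the input was decoded first.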

Integrated solutions for security
Integrated products containing IDS are most attractive to small businesses, which are typically short on the staff needed to manage multiple security products on different platforms. Consolidation of security functions into one box makes it easier for a small company to manage IDS while staying on top of other important concerns like antivirus updates and patching. Ideally every small business should have an Internet security solution that combines antivirus, firewall, intrusion detection and vulnerability management for maximum protection.

Today’s security solutions require several layers of defense that address the various types of threats faced by today’s networks. Firewalls are designed to keep hackers out, essentially “locking” the doors into the computer network. As attackers become more sophisticated, finding newer and faster methods to propagate, some attacks will inevitably slip past the firewall – and into the path of the IDS. IDS technology works with your network firewall, VPN, and other security components to extend your security management capabilities – protecting all layers of the network.
