Intrusion Detection Systems (IDS) are a critical component of any network.
An IDS does just what its name implies: it detects intrusions.
It typically does this by keeping a database of "signatures" that match
patterns in the packets flowing across the network. When it finds a match,
it triggers an alert and notifies the system administrator of a possible
breach.
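The following is an added example, not code from the original page and not Snort's own code: a minimal signature-based packet matcher in the style the text describes. Each signature carries header constraints (protocol, destination port) and a payload pattern, mirroring the header-plus-content structure of a rule; a match produces an alert line. The signatures, SIDs, addresses and packet payloads are all constructed for illustration, and the percent-decoding step stands in for the much richer normalization a real IDS performs before matching.

```python
# Added example (not part of the original page, not Snort code): a minimal
# signature-based packet matcher. Signatures, packets, SIDs and addresses
# below are all constructed for illustration.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int                 # hypothetical signature id
    msg: str                 # alert text
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None means any destination port
    pattern: re.Pattern      # regex applied to the (normalized) payload


# Constructed signature database, loosely modelled on the header + content
# structure of a Snort rule. These are illustrative, not real rules.
SIGNATURES: List[Signature] = [
    Signature(1000001, "HTTP path traversal attempt", "tcp", 80, re.compile(rb"\.\./\.\./")),
    Signature(1000002, "Shell path in HTTP request", "tcp", 80, re.compile(rb"/bin/sh")),
    Signature(1000003, "SQL injection probe in HTTP request", "tcp", 80, re.compile(rb"(?i)union\s+select")),
    Signature(1000004, "Oversized DNS label", "udp", 53, re.compile(rb"[A-Za-z0-9-]{64,}")),
]


def normalize(packet: Dict) -> bytes:
    """Decode percent-encoding on HTTP payloads so that encoded variants of a
    pattern still match. Real IDSs do far more normalization than this."""
    payload = packet["payload"]
    if packet["proto"] == "tcp" and packet["dst_port"] == 80:
        return unquote_to_bytes(payload)
    return payload


def match_packet(packet: Dict, signatures: List[Signature] = SIGNATURES) -> List[Signature]:
    """Return every signature whose header constraints and payload pattern match."""
    payload = normalize(packet)
    hits = []
    for sig in signatures:
        if packet["proto"] != sig.proto:
            continue
        if sig.dst_port is not None and packet["dst_port"] != sig.dst_port:
            continue
        if sig.pattern.search(payload):
            hits.append(sig)
    return hits


def scan(packets: List[Dict], signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Scan a packet stream and return one alert line per (packet, signature) hit."""
    alerts = []
    for pkt in packets:
        for sig in match_packet(pkt, signatures):
            alerts.append(f"[1:{sig.sid}] {sig.msg} {pkt['src']} -> {pkt['dst']}:{pkt['dst_port']}")
    return alerts


# Constructed sample traffic (addresses and payloads are made up).
SAMPLE_PACKETS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"},       # benign
    {"src": "10.0.0.9", "dst": "10.0.0.80", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"},              # traversal
    {"src": "10.0.0.9", "dst": "10.0.0.80", "proto": "tcp", "dst_port": 80,
     "payload": b"GET /search?q=1%20UNION%20SELECT%20name HTTP/1.1\r\n\r\n"},   # encoded SQLi
    {"src": "10.0.0.7", "dst": "10.0.0.53", "proto": "udp", "dst_port": 53,
     "payload": b"\x12\x34\x01\x00" + b"a" * 70 + b".example"},                  # long label
    {"src": "10.0.0.9", "dst": "10.0.0.22", "proto": "tcp", "dst_port": 22,
     "payload": b"/bin/sh"},                                                     # wrong port
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Running the block prints three alerts: the traversal, the SQL probe (caught only because the payload was decoded first) and the long DNS label. The last packet shows why header constraints matter: the "/bin/sh" signature is scoped to port 80, so the same bytes on port 22 do not trigger it.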
There are many types of IDS on the market, each with the same core components and different options.
The core of any good IDS is pattern matching on packets. Most of these systems are based on SNORT.
From there, many systems add file integrity checking (Tripwire) that monitors critical files for any
changes. Others on the market will also check logs, performance monitors, SNMP, and other critical
resources such as processor and memory utilization.
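The following is an added example, not code from the original page and not Tripwire's own code: a Tripwire-style file integrity check that records a baseline (content hash, size and permission bits) for every file under a directory, then compares a later scan against it and reports what was added, removed or modified. The sample tree in demo() is constructed in a temporary directory so the example runs offline.

```python
# Added example (not part of the original page, not Tripwire code): a
# Tripwire-style baseline-and-compare file integrity check. The sample tree
# built in demo() is constructed in a temporary directory.
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]  # (sha256 hex digest, size in bytes, permission bits)


def fingerprint(path: str) -> Record:
    """Hash file content in chunks and record size and mode, so that content,
    truncation and permission changes are all detectable."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return (digest.hexdigest(), st.st_size, st.st_mode & 0o7777)


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root and fingerprint every regular file, keyed by path relative to root."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def serialize(baseline: Dict[str, Record]) -> str:
    """Stable JSON encoding of the baseline for storage."""
    return json.dumps(baseline, sort_keys=True)


def deserialize(text: str) -> Dict[str, Record]:
    """Inverse of serialize (JSON turns tuples into lists, so convert back)."""
    return {path: tuple(rec) for path, rec in json.loads(text).items()}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree, take a baseline, change the tree
    and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "README"), "w") as fh:
            fh.write("constructed sample tree\n")

        stored = serialize(build_baseline(root))   # what the checker keeps on disk

        # Simulated changes: one file edited, one removed, one added.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("# line appended after the baseline was taken\n")
        os.remove(os.path.join(root, "README"))
        with open(os.path.join(etc, "crontab"), "w") as fh:
            fh.write("# new file\n")

        return compare(deserialize(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from demo() lists etc/crontab as added, README as removed and etc/passwd as modified. The check is only as trustworthy as the stored baseline: if it sits on the same writable filesystem as the files it protects, whoever alters the files can also regenerate it, which is why such baselines are normally kept on read-only or off-host storage.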
A good IDS is also transparent. It can be configured to act as a bridge with no IP
address, which helps keep would-be hackers from disabling the system. Most of these technologies are freely
available, but it takes a skilled Linux systems administrator to set them up and keep them functioning
properly. If you want a turn-key system, several vendors include basic
SNORT and Tripwire technology in a GUI-based binary install.
We have set up several IDS solutions for our customers, including the following:
- SNORT-based Linux server in an enterprise network
- GFI-based Windows server in an enterprise network
- Custom script-based ISP solution