Q: On the need of having intrusion detection system( firewall already install) ? ( No Answer,   2 Comments )
Question  
Subject: On the need of having intrusion detection system( firewall already install) ?
Category: Computers > Security
Asked by: aloy-ga
List Price: $4.00
Posted: 05 May 2002 10:39 PDT
Expires: 13 May 2002 20:35 PDT
Question ID: 13221
I wish to install an intrusion detection system to enhance the 
company’s network security. However the manager has said that the 
company already has a firewall and doesn’t see why she should 
authorise the purchase of an intrusion detection system as well. 
 
Wish to find out: 
1) what an intrusion detection system can do and why it is necessary to 
have one as well as a firewall. The manager has good knowledge of IT, 
but knows little about network security issues.  
Answer  
There is no answer at this time.

The following answer was rejected by the asker (they reposted the question).
Subject: Re: On the need of having intrusion detection system( firewall already install) ?
Answered By: answerguru-ga on 05 May 2002 11:33 PDT
 
Hi there! 
 
Our search returned the following results: 
 
This site is a thorough definition of what exactly an IDT is, what it
does, and how it is different from a firewall:
"Though they both relate to network security, an IDS differs from a
firewall in that a firewall looks out for intrusions in order to stop
them from happening. The firewall limits the access between networks
in order to prevent intrusion and does not signal an attack from
inside the network. An IDS evaluates a suspected intrusion once it has
taken place and signals an alarm. An IDS also watches for attacks that
originate from within a system."
http://www.webopedia.com/TERM/I/intrusion_detection_system.html
 
Feel free to post a clarification if there is something you don't
understand :)
Hope this helps! 
 
answerguru  

Request for Answer Clarification by aloy-ga on 06 May 2002 11:14 PDT
Hi answerguru, 
 
is it possible for you to find more sites on why IDS is necessary even
if a firewall is installed?
 
Is it possible for you to summarise why you think it is necessary to
have an IDS even if a firewall has been installed??  

Clarification of Answer by answerguru-ga on 06 May 2002 13:24 PDT
Hi, 
 
Well the information given in the original answer provides the main
differences  between firewalls and IDTs in general. Your first
follow-up question is difficult to answer in general and is really
another question altogether (because you would be comparing specific
products from each category).
 
As for the second question, the IDT is in general a "smarter" system
that doesn't just prevent outside access, but actually detects where
any attacks may be coming from (including from within the area that a
firewall is protecting). Personally, I think this is useful if you
suspect someone within your domain of harming your systems. As I have
simply researched this material for you I don't have enough background
on this to give you an informed summary (the links are there for that
reason).
 
answerguru-ga  
Reason this answer was rejected by aloy-ga:
The answer given was too brief and did not really answer my question...

The following answer was rejected by the asker (they received a refund for the question).
Subject: Re: On the need of having intrusion detection system( firewall already install) ?
Answered By: tripitaka-ga on 12 May 2002 13:11 PDT
 
Hello, 
 
I can appreciate that you need to justify the requirement for an IDS
to your manager.  You could try explaining that a firewall and an IDS
do very different things, and both are essential as parts of a
comprehensive security setup.
 
A firewall, as you know, blocks certain traffic depending on type,
source etc.  They are good, but not perfect, at preventing compromises
of your security.  Assuming that someone will find a hole in a
misconfigured firewall, or use a different attack vector such as email
trojans, social engineering (actually walking up to the machine and
compromising the console) or any of a number of techniques, it is
important to be able to detect when a successful attack has taken
place so that you can limit the damage.  This is where the IDS comes
in.
 
A good IDS, such as tripwire (http://www.tripwire.com - it's free!)
will monitor various system files and processes, watching for typical
changes an attacker may make.  For instance, an attacker may modify or
replace programs which will allow them to pass undetected, or gain
further control.  A tripwire will notice any such action and notify
the administrator, namely you.
 
IDS systems can monitor servers, switches, routers and other systems,
all of which are vital to your security.  Always remember that a
firewall, no matter how well put together, can never be perfect, and
indeed only protects you from attacks originating from networks on the
other side of it.  Always assume that you will get cracked, and look
to an IDS to tell you exactly what happened.  Then, you can make
damage assessments, and more importantly trace the intruder's
footsteps to make sure such an attack cannot succeed again.
 
There are some good articles at http://www.cert.org, such as
http://www.cert.org/homeusers/intruder_in_computer.html which looks at
basic system security with IDS, and a far more comprehensive look at
the subject here: http://www.cert.org/tech_tips/intruder_detection_checklist.html
 
 
Hope this helps, good luck. 
 
tripitaka  
Reason this answer was rejected by aloy-ga:
The answers given are again too brief

Comments  
Subject: Re: On the need of having intrusion detection system( firewall already install) ?
From: interceptor-ga on 05 May 2002 12:04 PDT
 
Hello aloy-ga,

You can help both yourself and your manager with this document that is
found at the Internet Security Systems Website at
(http://documents.iss.net/literature/mss/Managed_Intrusion_Protection.pdf)

This document states everything that you are looking for, has
recommendations for such products, and also has block diagrams that
help graphically explain the process.

I hope that this additional information helps you in what you need to
do! Thanks for using Google Answers and have a great day!

No Google search terms were used in this comment. This website is one
of the companies that our company (the company I work for and not
Google) does business with.

Regards,

Interceptor-ga
Subject: Re: On the need of having intrusion detection system( firewall already install)
From: yaron-ga on 07 May 2002 10:52 PDT
 
An IDS is like a network antivirus. If it has a current signature file
it can tell you if you are under attack. Take for example the recent
Code Red NIMDA trojans. Assuming you have an internal IIS server which
is behind a firewall (within your DMZ most likely), you should allow
access to it. An IDS will be able to tell you if you are under a Code
Red attack. If your budget is tight and you are fluent with Unix
(Linux/FreeBSD/Solaris), I suggest that you check out snort
(http://www.snort.org). You can take an old PC running Linux and snort
which will give you a feeling of IDS without investing anything but
your time.
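
The IIS scenario in the comment above, as an added example that is not part of the original comment: a firewall that must allow port 80 passes every HTTP request, while a signature check on the same traffic raises the alert. The addresses, the allow rule, the two patterns and the sample requests are constructed for illustration and are not taken from Snort or any product's signature file.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str   # HTTP request line, empty for non-HTTP traffic

WEB_SERVER = "192.0.2.10"   # constructed address (documentation range)

def firewall_allows(pkt):
    """Assumed policy: only HTTP to the DMZ web server is let in."""
    return pkt.dst == WEB_SERVER and pkt.dport == 80

# Illustrative "signature file": alert name -> pattern on the request line.
SIGNATURES = {
    "Code Red": re.compile(r"GET /default\.ida\?[NX]{50,}"),
    "Nimda probe": re.compile(r"GET /\S*(?:cmd|root)\.exe", re.I),
}

def ids_alerts(pkt):
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]

def inspect(packets):
    """Return (source, firewall verdict, IDS alerts) for each packet.

    The sensor is assumed to sit behind the firewall, so it only sees
    traffic the firewall has already allowed.
    """
    results = []
    for p in packets:
        allowed = firewall_allows(p)
        alerts = ids_alerts(p) if allowed else []
        results.append((p.src, "allow" if allowed else "drop", alerts))
    return results

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", WEB_SERVER, 80, "GET /index.html HTTP/1.0"),
    Packet("198.51.100.8", WEB_SERVER, 80, "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    Packet("198.51.100.9", WEB_SERVER, 80, "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    Packet("198.51.100.9", WEB_SERVER, 23, ""),
]

if __name__ == "__main__":
    for row in inspect(SAMPLE):
        print(row)
```

The firewall verdict is "allow" for all three port 80 requests; only the signature check separates the ordinary page request from the two worm requests.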
