Question

As a penetration tester and security consultant, you have been engaged by a company to assist them in selecting an Intrusion Detection System (IDS) for their infrastructure. They're considering installing a signature- or anomaly-based IDS product. They've asked you to provide a concise analysis of the strengths and potential weaknesses of each of the IDS types.

Discuss and explain the strengths and weaknesses of each type of IDS and any considerations they should make in selecting one over the other.

Solutions

Expert Solution

An Intrusion Detection System is a software product that not only keeps a check on the system for malicious events and activities but also monitors policy violations if any. It is under the direct control of the system administrator and only he can configure the events and activities associated with the intrusion detection system.

Intrusion Detection Systems come in a wide variety, depending upon the complexity of the networks that a system might be involved in. Network Intrusion Detection Systems are the most common ones, along with host-based intrusion detection systems. Some of them are also signature-based detection systems and anomaly-based intrusion detection systems.

Different types of Intrusion Detection Systems include:

1. Signature-based Intrusion Detection System: Its functioning is very similar to the way a virus scanner works. A virus scanner basically keeps track of the sequence of steps that a virus may follow while penetrating the system. These serve as the basis for testing further attempts and are stored as signatures, or so-called rules.

Advantages

  • It has high accuracy and speed against attacks already attempted in the past.
  • It has a low false-positive rate, meaning it would not warn in case the file is virus-free.

Disadvantages

  • Since it works on a certain set of rules, it won't be able to detect attacks that are new or for which the rules have not been made.

2. Anomaly-based Intrusion Detection System: It works by recognizing unusual patterns in the sequence of activities. It can give an indication of whether someone is checking or sweeping the network. It can thus keep one informed of an immediate attack. Example: multiple password-change requests or multiple failed login attempts.

Signature-Based vs. Anomaly-Based IDS

The anomaly-based intrusion detection system is quite slow compared to a signature-based intrusion detection system, whereas a signature-based intrusion detection system can only operate on the basis of signatures or rules that have been predefined. So, all in all, to have a good intrusion detection system in place in an organization, one that offers the abilities of both should be considered, because both of these have their demerits. Having an intrusion detection system that follows the dual approach will compensate for each other's demerits.

Other kinds of classification of intrusion detection systems include:

Network-based Intrusion Detection System: These systems monitor a network for all the incoming and outgoing traffic. If it detects any pattern in the incoming/outgoing traffic, or if any other abnormal behaviour is observed, it sends a warning message to the administrator. A warning is also sent if any packet differentiates itself from the standard traffic over the network.

Advantages

  • It is easy to implement over an existing network with very few changes.
  • These are usually not visible to attackers and cannot be attacked directly.

Disadvantages

  • It cannot handle large traffic volumes.
  • It does not work well over encrypted data.

Host-based Intrusion Detection System: This system monitors the data on the system where the important data is kept. It will keep a check on the host machine for any suspicious activity and take snapshots at regular time intervals. If any change is discovered upon analyzing the images, an alert is issued to the admin.

Advantages

  • It works well with encrypted packets.
  • It can monitor audit logs in order to track any suspicious activity.

Disadvantages

  • It cannot bear a direct attack on the host system.
  • It occupies a large amount of space on the host machine.

Network-based vs. Host-based Intrusion Detection System

These are very different in the way they operate. One works on real-time traffic and reports issues as and when they occur, while the other works by checking a set of historical data. It works well to detect the hackers that use conventional ways to get into the systems and hide from modern-day devices. Here also, a combination of both of these types of intrusion detection systems will work well for the organization, and they complement each other in the way they operate. A network-based system may secure online traffic, while a host-based system will secure against a breach from within the organization.

Hope this helps :)
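To make the signature-vs-anomaly trade-off concrete, here is a small added example (not part of the original answer): a signature detector with two hypothetical rules and an anomaly detector that learns a failed-login baseline from a clean window, both run over constructed log lines. The signature side catches the known SQL-injection pattern but has no rule for the brute-force burst; the anomaly side catches the burst but is blind to the single malicious request.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original page): a clean window
# used to learn the anomaly baseline, and a monitored window to detect on.
BASELINE_LOG = [
    "sshd: Failed password for bob from 10.0.0.7",
    "sshd: Accepted password for bob from 10.0.0.7",
    "sshd: Failed password for alice from 10.0.0.8",
    "sshd: Failed password for alice from 10.0.0.8",
    "sshd: Accepted password for alice from 10.0.0.8",
    "web: GET /index.html from 10.0.0.9",
]
MONITORED_LOG = (
    ["sshd: Failed password for root from 10.0.0.5"] * 6  # brute-force burst
    + ["web: GET /search?q=a' OR 1=1-- from 10.0.0.9",   # known SQLi pattern
       "web: GET /index.html from 10.0.0.9"]
)

# Hypothetical signature rules: only patterns someone has already written a rule for.
SIGNATURES = {
    "sqli_tautology": re.compile(r"' OR 1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")


def signature_detect(lines, signatures=SIGNATURES):
    """Signature IDS: alert on every line that matches a predefined rule."""
    return [(name, line) for line in lines
            for name, rx in signatures.items() if rx.search(line)]


def failed_logins_per_source(lines):
    """Count failed logins per source address."""
    return Counter(m.group(1) for line in lines if (m := FAILED_RE.search(line)))


def learn_baseline(clean_lines):
    """Anomaly IDS training: highest failed-login count per source seen in clean traffic."""
    return max(failed_logins_per_source(clean_lines).values(), default=0)


def anomaly_detect(lines, baseline):
    """Anomaly IDS: alert on sources whose failed-login count exceeds the learned baseline."""
    return {src: n for src, n in failed_logins_per_source(lines).items() if n > baseline}


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    print("signature alerts:", signature_detect(MONITORED_LOG))      # SQLi line only
    print("anomaly alerts:", anomaly_detect(MONITORED_LOG, base))    # 10.0.0.5 only
```

Note that the anomaly side would also flag a legitimate user who mistypes a password more often than anyone did in the training window, which is the false-positive cost the answer mentions; running both detectors together covers each other's blind spot.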

