User:Erdi Hida/Intrusion detection system

Host intrusion detection systems[edit]
Main article: Host-based intrusion detection system

Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations. '''HIDS is capable of utilizing two types of information sources, operating system audit trails, and system logs. '''

Limitations[edit].

 * Tailoring IDS configurations correctly to fit the needs of a particular network is difficult to do and requires an experienced IDS analyst. 

IDS Placement (Assignment 6)
The placement of Intrusion Detection Systems is critical and varies depending on the network. The most common placement being behind the firewall on the edge of a network. This practice provides the IDS with high visibility of traffic entering your network and will not receive any traffic between users on the network. The edge of the network is the point in which a network connects to the extranet. Another practice that can be accomplished if more resources are available is a strategy where a technician will place their first IDS at the point of highest visibility and depending on resource availability will place another at the next highest point, continuing that process until all points of the network are covered.

If an IDS is placed beyond a networks firewall its main purpose would be to defend against noise from the internet but more importantly defend against common attacks such as port scans and network mapper. An IDS in this position would monitor layers 4 through 7 of the OSI model and would be be signature based. This is a very useful practice because rather than showing actual breaches into the network that made it through the firewall, attempted breaches will be shown which reduces the amount of false positives. The IDS in this position also assists in decreasing the amount of time it takes to discover successful attacks against a network.

Sometimes an IDS with more advanced features will be integrated with a firewall in order to be able to intercept sophisticated attacks entering the network. Examples of advanced features would include multiple security contexts in the routing level and bridging mode. All of this in turn potentially reduces cost and operational complexity.

Another option for IDS placement is within the actual network. These will reveal attacks or suspicious activity within the network. Ignoring the security within a network can cause many problems, it will either allow users to bring about security risks or allow an attacker who has already broken into the network to roam around freely. Intense intranet security makes it difficult for even those hackers within the network to maneuver around and escalate their privileges.

Assignment 7
Peer reviewed Aimalahmadi on their Computer Scientist content. The link to the review is: User:Aimalahmadi/Computer scientist/Erdi Hida Peer Review. I linked this on their user sandbox talk page.

Assignment 9 Completed
My peer reviews were helpful in reinforcing what I did well and helped with my thought process of what should be changed & what should be kept. They also let me know whether or not my information was clear enough and with the positivity I received I'll feel more confident with actually adding to Wikipedia articles.

Assignment 10 Completed
Added my IDS placement section to the Intrusion Detection System article.

Assignment 11 Completed
Changed the structure of some sentences.