Watching for Wolves in Sheep's Clothing
In a spy movie, the spy might need to get in to look around a big office campus. He might cut the phone lines to the building complex and then show up in a telephone repair truck saying, "Hi, our monitoring center noticed that a telephone line was cut. Want to let me in to fix it?" The security guard waves him through because he knows that the telephones have been acting up. Whoops! The bad guy is now free to roam around and do his spying!
In networking, intrusion detection systems (IDSs) look out for the equivalent of spies who are impersonating a legitimate user. IDSs watch the packets that the firewall allows through, and they look for things in the packets that might mean someone is trying to trick the firewall, get their packets through the firewall, and do bad things to the servers and hosts in your network.
Whereas it's easy to think of a spy from the movie posing as a telephone repairman, it's hard to understand how a cracker might make his packets look like packets sent by a legitimate user, but still use those packets to do harm. (The term cracker refers to someone who purposefully tries to cause problems with devices on a network; the term hacker refers to someone who might be trying to break into a network but does not intend to cause problems.) In some cases, the cracker might do something that causes a server to fail; that's called a denial of service attack. In other cases, the cracker actually puts programs on a computer, hoping to harm the computer, or possibly steal information. In that case, the programs that the cracker puts on the servers are called viruses. Although most people have a hard time fully understanding how these tricks are done, it does happen. In fact, Microsoft has offered rewards into the hundreds of thousands of dollars for leads to help the police find and arrest crackers who create particularly harmful viruses.
Some IDS devices sit in the network, watching packets that pass over a LAN, whereas others are software that sits on the servers. The IDSs on the network are called network-based IDSs, and those on the host are called (you guessed it) host-based IDSs. Figure 18-9 shows the typical location of a network-based IDS.
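To make the "watching packets for things that look wrong" idea concrete, here is a small added example (not from the book or any real IDS product) of the two checks a network-based IDS most commonly runs: matching a payload against a list of byte signatures, and noticing when one source touches many ports on one host in a short time, which is what a probe of your servers looks like on the wire. The `Packet` record, the `SIGNATURES` rule set, the `detect_port_scans` thresholds and the sample traffic are all constructed for the example.

```python
"""Toy network-based IDS: signature matching plus a port-scan heuristic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination TCP port
    payload: bytes   # application-layer bytes (empty for a bare SYN)


# Hypothetical signature rules: name -> byte pattern a sensor would look for.
SIGNATURES = {
    "path-traversal-probe": b"../../",
    "test-beacon-marker": b"CONSTRUCTED-TEST-MARKER",  # constructed, not a real malware string
}


def match_signatures(pkt, signatures=SIGNATURES):
    """Return the names of every signature whose bytes occur in the payload."""
    return [name for name, pattern in signatures.items() if pattern in pkt.payload]


def detect_port_scans(packets, window=5.0, threshold=5):
    """Flag (src, dst) pairs where src hits >= threshold distinct ports within `window` seconds.

    Returns {(src, dst): sorted list of ports seen} for every flagged pair.
    """
    recent = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside the window
    alerts = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = (pkt.src, pkt.dst)
        recent[key].append((pkt.ts, pkt.dport))
        # Keep only events that fall inside the sliding time window.
        recent[key] = [(t, p) for t, p in recent[key] if pkt.ts - t <= window]
        ports = {p for _, p in recent[key]}
        if len(ports) >= threshold:
            alerts[key] = sorted(ports)
    return alerts


def run_ids(packets):
    """Run both checks over a packet list and return human-readable alert strings."""
    alerts = []
    for pkt in packets:
        for name in match_signatures(pkt):
            alerts.append(f"SIGNATURE {name} {pkt.src}->{pkt.dst}:{pkt.dport}")
    for (src, dst), ports in detect_port_scans(packets).items():
        alerts.append(f"PORTSCAN {src}->{dst} ports={ports}")
    return alerts


# Constructed sample traffic: normal browsing, one traversal probe, one port sweep.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1"),
    Packet(1.0, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet(2.0, "10.0.0.5", "192.0.2.10", 443, b""),
    Packet(3.0, "203.0.113.7", "192.0.2.10", 80, b"GET /img/../../config HTTP/1.1"),
] + [
    Packet(10.0 + 0.5 * i, "198.51.100.9", "192.0.2.10", port, b"")
    for i, port in enumerate([21, 22, 23, 25, 80, 443])
]

if __name__ == "__main__":
    for line in run_ids(SAMPLE_PACKETS):
        print(line)
```

The signature check is only as good as its rule list, and the scan heuristic trades false positives against sensitivity through `window` and `threshold`; real sensors tune both per network and log the matched packet so an analyst can confirm the alert rather than acting on it blindly.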