Using an Intrusion Detection System

An intrusion detection system (IDS) can identify attack signatures or patterns, generate alarms to alert the operations staff, and cause the routers to terminate connections with hostile sources. These systems can also prevent denial-of-service attacks.

A denial-of-service attack occurs when an attacker sends partial TCP requests disguised as legitimate TCP requests, or sends requests from an invalid source IP address. The server cannot handle so many requests, and legitimate site users receive a denial-of-service message instead of the site. An IDS provides real-time monitoring of network traffic and implements the "prevent, detect, and react" approach to security.

You should implement an IDS in front of a firewall in every security domain. Although IDSs are necessary for security, you should consider the following issues associated with their use:

  • They are processing-intensive; an IDS can affect the performance of your site.
  • They are expensive.
  • An IDS can sometimes mistake normal network traffic for a hostile attack and cause unnecessary alarms.
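The two behaviors described above (incomplete TCP handshakes from one source, and requests from an invalid source address) are the kind of pattern an IDS alarms on, and the false-alarm problem in the list is usually handled by tuning a threshold. The following added example, which is not part of the original page or of any product it names, runs that detection logic over a constructed handshake log; the log format, the `HALF_OPEN_THRESHOLD` value and the function names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of handshake events as an IDS sensor might record them.
# One event per line: "<seconds> <src_ip> <dst_port> <step>", where the step is
# SYN (client opens a connection) or ACK (client completes the handshake).
SAMPLE_EVENTS = """\
0.00 203.0.113.7 80 SYN
0.02 203.0.113.7 80 ACK
0.10 198.51.100.9 80 SYN
0.11 198.51.100.9 80 SYN
0.12 198.51.100.9 80 SYN
0.13 198.51.100.9 80 SYN
0.14 198.51.100.9 80 SYN
0.20 127.0.0.1 80 SYN
0.30 203.0.113.8 443 SYN
0.32 203.0.113.8 443 ACK
"""

HALF_OPEN_THRESHOLD = 4  # assumed tuning knob: raise it to reduce false alarms


def parse_events(text):
    """Turn the sensor log into (time, src, port, step) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            t, src, port, step = line.split()
            events.append((float(t), src, int(port), step))
    return events


def bad_source(addr):
    """Loopback, multicast, link-local, reserved or unspecified addresses
    cannot belong to a legitimate Internet client, so treat them as invalid."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_multicast or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def detect(events, threshold=HALF_OPEN_THRESHOLD):
    """Return one alarm string per suspicious source, in order of first detection."""
    alarms, flagged = [], set()
    half_open = defaultdict(int)  # src -> handshakes begun but not completed
    for _t, src, _port, step in events:
        if step == "SYN":
            if bad_source(src) and ("bogon", src) not in flagged:
                flagged.add(("bogon", src))
                alarms.append(f"bad source address {src}")
            half_open[src] += 1
            if half_open[src] >= threshold and ("flood", src) not in flagged:
                flagged.add(("flood", src))
                alarms.append(f"possible SYN flood from {src}: "
                              f"{half_open[src]} half-open connections")
        elif step == "ACK":
            half_open[src] = max(0, half_open[src] - 1)  # handshake finished
    return alarms
```

With the default threshold the sample yields a SYN-flood alarm for 198.51.100.9 and a bad-source alarm for 127.0.0.1; raising the threshold to 10 keeps only the bad-source alarm, which is the trade-off the list above refers to.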

There are a number of third-party tools available for intrusion detection. For example, you can use Cisco's NetRanger or ISS's RealSecure for real-time network traffic monitoring. Enhancing and developing IDS technology is an ongoing process within the computer industry.

See Also

Preventing Denial of Service Attacks

Copyright © 2005 Microsoft Corporation.
All rights reserved.