Business and government


Security is a major issue in the computing world, and more professionals, businesses and governments are seeking stronger security to safeguard their secret and critical data from falling into the wrong hands. People are now security-conscious because we have seen many computer compromises and program exploits in the past decade. Confidentiality, integrity and authentication are the top priorities in the security world. My aim in this thesis is to show how an Intrusion Detection System (IDS) can help in detecting network and computer attacks.


An attack is defined as "an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system". [1]

We now face many threats to network security; they could be anything from hijacking critical data, to exposing all the secrets to enterprise rivals, to denial of service. I will discuss what attacks can be made against networks and computers and how, and after reviewing those attacks I will suggest how to prevent them.


When most people think of network security, they think "firewall". A firewall acts as an access control device by permitting specific protocols such as HTTP, DNS and SMTP to pass between a set of source and destination addresses. In general, firewalls do not inspect the entire content of the packet and cannot detect or thwart malicious code embedded within normal traffic, whereas an IDS inspects the entire content of every packet traversing the network to detect malicious activity. Intrusion detection systems are effective when sophisticated attacks are embedded in familiar protocols, such as an HTTP session, which would normally pass undetected by a firewall. [2]
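The contrast between a port-based firewall and a content-inspecting IDS can be shown in a few lines. The following is an added example written for this essay, not code from the essay or from any cited source: the packets, the allowed-port list and the two signature patterns are all constructed for illustration (they are not real vendor rules). The firewall function looks only at destination address and port; the IDS function searches the whole payload, so the second HTTP packet passes the firewall but raises an alert, while the TLS-looking payload on port 443 passes both because the IDS has nothing readable to match.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    """Minimal view of a packet as seen on a promiscuous-mode sensor (constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed signature set: illustrative byte patterns, not real vendor rules.
SIGNATURES = {
    "web-attack: directory traversal in URI": re.compile(rb"\.\./\.\./"),
    "web-attack: SQL keywords in query string": re.compile(rb"(?i)union\s+select"),
}

# Hypothetical firewall policy: only web traffic to the DMZ host 10.0.0.5 is allowed in.
ALLOWED = {("10.0.0.5", 80), ("10.0.0.5", 443)}

def firewall_allows(pkt):
    """Packet-filter view: decide on address and port only; the payload is never read."""
    return (pkt.dst, pkt.dport) in ALLOWED

def ids_inspect(pkt):
    """NIDS view: match the entire payload against every signature; return alert names."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]

def run_sensor(packets):
    """Per packet, report the firewall verdict and the IDS alerts that fire."""
    results = []
    for pkt in packets:
        results.append({
            "src": pkt.src,
            "firewall": "allow" if firewall_allows(pkt) else "deny",
            "alerts": ids_inspect(pkt),
        })
    return results

# Constructed sample traffic captured on the monitored segment.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "10.0.0.5", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),          # benign
    Packet("192.0.2.11", "10.0.0.5", 80,
           b"GET /cgi-bin/../../../secret.txt HTTP/1.1\r\nHost: www.example\r\n\r\n"),  # traversal
    Packet("192.0.2.12", "10.0.0.5", 23, b"\xff\xfd\x18"),                    # telnet, not allowed
    Packet("192.0.2.13", "10.0.0.5", 443,
           b"\x16\x03\x03\x00\x2a" + bytes(range(42))),                        # encrypted-looking
]

if __name__ == "__main__":
    for row in run_sensor(SAMPLE_TRAFFIC):
        print(row)
```

Note that the port-23 packet never reaches the IDS stage in a real deployment if the firewall drops it first; here both verdicts are shown side by side to make the division of labour visible.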

We can divide IDS into three categories:

  • Network-based Intrusion Detection System (NIDS)
  • Host-based Intrusion Detection System (HIDS)
  • Hybrid Intrusion Detection System

Network Intrusion Detection (NIDS)

Network Intrusion Detection Systems use information gathered from a passive interface in promiscuous mode to detect attack patterns. NIDS, depending on placement within a network, can provide a great deal of network visibility and protect a substantial number of hosts with a single device and configuration. [3]

A NIDS monitors all network traffic passing on the segment where the sensor is installed, reacting to suspicious activity detected by anomaly-based or signature-based methods. It analyses every packet for attack signatures, though under heavy network load many will start to drop packets. [5]


Network-based intrusion detection systems consist of sensors deployed throughout a network that report to a central console. Sensors are usually self-contained detection engines that obtain network packets, search for patterns of misuse, and then report alarms to a central command console. There are two types of architecture: traditional sensor architecture and distributed network node. Traditional sensor-based architectures are also known as promiscuous-mode network intrusion detection systems, or network taps.


Advantages of NIDS

  • One NIDS should be enough to monitor a small or medium-sized network; for a bigger network, two or more NIDS might be deployed.
  • Real-time detection and alerting. Since many hackers follow a pattern when attacking your network, you might be able to detect and stop the attack in real time.
  • A NIDS will not consume your precious system resources if you have a dedicated system for it.
  • NIDS function at the network layer and are therefore able to detect low-level attacks such as ARP spoofing. [4]


Disadvantages of NIDS

  • Some NIDS cannot make sense of higher-level protocols such as HTTP. They are also greatly challenged by encryption.
  • Tend to produce more false alerts than HIDS.
  • Some network cards do not support promiscuous mode.
  • Most current NIDS do not function well on high-speed networks such as Gigabit Ethernet. [4]

Host Intrusion Detection System (HIDS)

Host Intrusion Detection Systems are software installed on the local system. A typical HIDS is very similar to virus protection software: it looks for activity that matches a known attack signature and either allows the activity or prevents it. Some HIDS rely on abnormality detection, where current traffic is compared against baseline traffic, with anything that is not part of the baseline causing an alert. HIDS are designed to be installed on the individual servers and workstations that you wish to protect. The HIDS software can be implemented at various levels. Some work by monitoring the host for critical files that should not change and alerting the appropriate personnel if they do change. Other HIDS monitor the network connections, general input strings and system memory for signatures, similar to a signature-based NIDS, but only for the machine on which they are installed. [3]
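The "critical files that should not change" style of HIDS described above amounts to a file integrity monitor: record a cryptographic digest of each protected file when the host is known to be clean, then periodically recompute and compare. The following is an added example, not code from the essay or from any HIDS product; it runs a constructed scenario in a temporary directory, using file names that merely imitate real system files, tampering with one file and deleting another so that both kinds of alert appear.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the known-good digest of every critical file (done while the host is trusted)."""
    return {p: hash_file(p) for p in paths}

def check_integrity(baseline):
    """Compare the current files with the baseline; return (path, status) alerts."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif hash_file(path) != expected:
            alerts.append((path, "modified"))
    return alerts

def demo():
    """Constructed scenario: baseline two files, then alter one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")           # stand-in for a real /etc/passwd
        sshd = os.path.join(d, "sshd_config")        # stand-in for a real sshd_config
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")

        baseline = build_baseline([passwd, sshd])
        assert check_integrity(baseline) == []       # clean run: nothing to report

        with open(sshd, "a") as f:                   # simulated unexpected change
            f.write("# unexpected change\n")
        os.remove(passwd)                            # simulated deletion

        return {os.path.basename(p): status for p, status in check_integrity(baseline)}

if __name__ == "__main__":
    print(demo())
```

The baseline itself is the weak point: an attacker who gains root on the host can rewrite the digests as easily as the files, which is the "could be disabled by a talented attacker" problem listed later, so a real deployment stores the baseline off-host or signs it and ships alerts to the central console immediately.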


Host-based intrusion detection systems are usually agent based. Agents are small executables that run on the target system and communicate with a central control computer, also known as the command console. Properly managed, these agents will not cause significant performance degradation on the targets, but they do have attendant problems with deployment and support because they are massively distributed. HIDS can be deployed in two forms: centralized host-based and distributed host-based. The difference between the two is that in the centralized form the raw data is forwarded to a central location before it is analysed, whereas in the distributed form the raw data is analysed in real time on the target first and only alerts are forwarded to the command console.


Advantages of HIDS

  • Can cost less than a NIDS, as a HIDS does not require any dedicated hardware.
  • Can handle encrypted attacks.
  • Detects what happens to your system after the attack.
  • Works well with mobile devices such as laptops. [4]


Disadvantages of HIDS

  • Only detects attacks after they have occurred.
  • Could be disabled by a talented attacker. If the attacker compromises your system, he might be able to disable or alter the logs, so that the HIDS becomes untrustworthy.
  • Produces some CPU overhead, which is troublesome if you need every bit of your CPU for your own processes.
  • Can become an administrator's nightmare to manage.

Hybrid Intrusion Detection System

Modern switched networks have created a problem for intrusion detection operators. In a switched network the NIC may be running in promiscuous mode, yet the traffic may still not be visible to it, and some switches will not allow it at all, making the installation of a traditional network IDS difficult. Furthermore, high network speeds mean that many packets could be dropped by a NIDS. A solution has arisen in the form of hybrid IDSs, which take the delegation of IDS to a host one stage further, combining network IDS and host IDS in one network. [5]

Both network-based and host-based IDS solutions have unique strengths and benefits that complement each other. Combining the two technologies will greatly improve network resistance to attacks and misuse, enhance the enforcement of security policy and introduce greater flexibility in deployment options. The graphic below illustrates how network-based and host-based intrusion detection techniques interact to create a more powerful network defence. Some events are detectable by network means only. Others are detectable only at the host. Several require both types of intrusion detection to be detected properly.


A firewall is defined as a device that filters packets in order to let only certain kinds of messages pass to and from a computer network; in other words, it protects a local system or network from unknown messages or threats. A firewall can be used to block IP spoofing. Some important notes are:

  • A firewall is actually a computer. It is placed between the internal network and the outside/global network. It can also be placed within internal networks where access to some segments of the network is security sensitive.
  • All traffic between the inside and the outside/global network must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
  • The firewall is a gate between the global/outside network and the internal network. It also provides several services such as access control, authentication, activity logging and alarm warnings.

Types of Firewall

There are three common types of firewalls:

  • Packet-Filtering Routers (figure 5.0)
  • Application-level gateways (figure 5.1)
  • Circuit level gateways (figure 5.2)

Packet-filtering routers filter every incoming or outgoing packet (from or to the internal network). Packets that meet some criterion are forwarded normally, and those that fail the test are dropped.
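A packet-filtering router's "criterion" is normally an ordered rule list over addresses, protocol and port, evaluated top to bottom with the first match winning and anything unmatched dropped (default deny). The following is an added example, not code from the essay or any real router: the network ranges, hosts and rules are hypothetical. It also shows the anti-spoofing rule mentioned earlier in the essay: a packet arriving on the outside interface that claims an internal source address is dropped before any allow rule is considered. Nothing here looks at the payload, which is exactly the limitation an IDS is meant to cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    iface: str                        # interface the packet arrives on: "outside" or "inside"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                        # "tcp", "udp" or "any"
    dport: Optional[int]              # None means any destination port

def rule(action, iface, src, dst, proto="any", dport=None):
    """Build a Rule from CIDR strings (hypothetical helper for this example)."""
    return Rule(action, iface, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)

# Hypothetical ruleset: evaluated top to bottom, first match wins, default deny.
RULESET = [
    # Anti-spoofing: traffic from outside must never claim an internal (10/8) source.
    rule("deny",  "outside", "10.0.0.0/8", "0.0.0.0/0"),
    # Published services on the DMZ hosts.
    rule("allow", "outside", "0.0.0.0/0", "10.0.0.5/32",  "tcp", 80),
    rule("allow", "outside", "0.0.0.0/0", "10.0.0.5/32",  "tcp", 443),
    rule("allow", "outside", "0.0.0.0/0", "10.0.0.25/32", "tcp", 25),
    # Internal users may initiate anything outbound.
    rule("allow", "inside",  "10.0.0.0/8", "0.0.0.0/0"),
]

def filter_packet(iface, src, dst, proto, dport, ruleset=RULESET):
    """Return (verdict, index of matching rule); unmatched packets get ("deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(ruleset):
        if r.iface != iface:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None          # default deny: nothing matched

if __name__ == "__main__":
    # Constructed packets: legitimate web request, spoofed source, unpublished service, outbound DNS.
    for args in [("outside", "198.51.100.7", "10.0.0.5", "tcp", 80),
                 ("outside", "10.0.0.9",     "10.0.0.5", "tcp", 80),
                 ("outside", "198.51.100.7", "10.0.0.5", "tcp", 23),
                 ("inside",  "10.0.0.9",     "203.0.113.4", "udp", 53)]:
        print(args, "->", filter_packet(*args))
```

Rule order matters: if the anti-spoofing deny were placed after the allow rules, a spoofed packet to port 80 would match the allow first and pass, which is why the deny sits at the top.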

An application-level gateway acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as telnet or FTP, and gives the gateway the name of the remote host to be accessed. Once the user has provided a valid ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two end points.

The last type of firewall is the circuit-level gateway. A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. A circuit-level gateway can be a stand-alone system, or it can be a specialized function performed by an application-level gateway for certain applications.


In conclusion, network security is essential in the IT industry. We have realized that network security is a real issue, not just paranoia. In short, implementing effective network security is everyone's responsibility, not just the IT staff's, provided we understand the security needs.

A firewall is really important in a big network; it will prevent someone from sneaking into your private documents. Designing a firewall is a heavy task. In practice, the system security management will do the design of the firewall. The design needs special training and experience with various types of firewalls.


  1. Linux Dictionary, com_dictionary/task,view/id,23/. Accessed December 3rd 2009.
  2. Dr Fengmin Gong, "Next Generation Intrusion Detection Systems (IDS)", McAfee Network Security Technologies Group. Accessed December 3rd 2009.
  3. Corbin Del Carlo, "Intrusion detection evasion: How attackers get past the burglar alarm", SANS Institute, 2009. Accessed December 4th 2009.
  4. Q.o.D, "A look into IDS/Snort: part 1", December 2009. Accessed December 4th 2009.
  5. Andy Cuff, "Intrusion Detection Terminology (Part Two)", September 24, 2009. Accessed December 5th 2009.
  6. Accessed December 5th 2009 Content
