Here is a list of frequently asked questions about intrusion detection systems (IDS). This section is also a good resource when preparing for job interviews that cover IDS.

What is Intrusion Detection?

Intrusion detection is the process of monitoring a host or network in order to identify and document attackers and malicious code. IDS software comes in two types: host based and network based.

Why is an Intrusion Detection System (IDS) important?

Computers connected directly to the Internet are subject to relentless probing and attack.
While protective measures such as safe configuration, up-to-date patching, and firewalls are all prudent steps, they are difficult to maintain and cannot guarantee that every vulnerability is shielded. An IDS provides defense in depth by detecting and logging hostile activity; it acts as the "eyes" that watch for intrusions when the other protective measures fail.

What is the difference between a Firewall and an Intrusion Detection System?

A firewall is a device normally installed at the perimeter of a network to define the rules under which particular resources inside the network may be accessed. On a properly configured firewall anything that is not explicitly allowed is denied; access is allowed or denied according to the rule base.
An Intrusion Detection System is a software or hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report suspicious activity.
In simple terms, if the firewall is the gate or door of a superstore, the IDS is the security camera. A firewall can block a connection, while an IDS cannot; an IDS can, however, alert on suspicious activity.
An Intrusion Prevention System (IPS) is a device that can proactively block connections it finds to be suspicious in nature.

If an IDS device cannot prevent a hack, then why have IDS devices?

Agreed, an IDS cannot prevent a hack and can only alert on suspicious activity. However, if past experience is any guide, hacks and system compromises are not something that happens overnight. Planned compromise attempts can take days, weeks, months and in some cases even years. An IDS can alert you early in that process so that you can take the desired precautions to protect your resources.

What is a network based IDS system?

An IDS is a system designed to detect and report unauthorized attempts to access or use computer and/or network resources. A network-based IDS collects, filters, and analyzes traffic that passes through a specific network location, typically fed from a switch mirror (SPAN) port or a network tap.

Are there other types of IDS besides network based?

The other common type of IDS is host-based. In a host-based IDS each computer (or host) has an IDS client installed that reports either locally or to a central monitoring station. The advantage of a host-based IDS is that the internal operation and configuration of the individual computers can be monitored.

What is the difference between Host based (HIDS) and Network based IDS (NIDS)?

HIDS is software which reveals whether a machine is being, or has been, compromised. It does this by checking the files and logs on the machine for possible problems. Software described as host based IDS can include file integrity checkers (Tripwire), anti-virus software (Norton AV, McAfee), server logs (Event Viewer or syslog), and in some ways even backup software can serve as a HIDS. ISS RealSecure includes a number of HIDS products.

NIDS is software which monitors network packets and examines them against a set of signatures and rules. When a rule is matched the event is logged and the administrator can be alerted. Examples of NIDS software are Snort, ISS RealSecure, Enterasys Dragon and Intrusion.

Are there any drawbacks of host based IDS systems?

There are three primary drawbacks of a host-based IDS:

(1) It is harder to correlate network traffic patterns that involve multiple computers;
(2) Host-based IDSs can be very difficult to maintain in environments with a lot of computers, with variations in operating systems and configurations, and where computers are maintained by several system administrators with little or no common practices;
(3) Host-based IDSs can be disabled, and their local logs tampered with, by attackers after the system is compromised, so their reports should be sent to a separate central station and the station should alert when a host goes silent.

Why, when and where to use host based IDS systems?

Host based IDS systems are used to closely monitor the actions taking place on important servers and machines and to detect anomalies and suspicious activity on them. You use a host based IDS when you cannot risk the compromise of a server; the server has to be important or mission critical to justify the effort. Host based IDS systems are agents that run on the critical servers themselves: the agent is installed on the server that is being monitored.

What is a Signature?

A signature is recorded evidence of a system intrusion, typically used as part of an intrusion detection system (IDS). When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs or in the network traffic. Each intrusion leaves a kind of footprint behind (e.g. unauthorized software executions, failed logins, misuse of administrative privileges, file and directory access) that administrators can document and use to detect the same attacks in the future. By keeping tables of intrusion signatures and instructing the devices in the IDS to look for them, a system's security is strengthened against malicious attacks.
Because each signature is different, system administrators can determine from the intrusion signature what the intrusion was and how and when it was perpetrated. The limitation is that a signature only catches what has already been written down: a new attack, or a variant of a known one that avoids the recorded pattern, will not match.

What are the common types of attacks and signatures?

There are three types of attacks:
(1) Reconnaissance: ping sweeps, DNS zone transfers, e-mail reconnaissance, TCP or UDP port scans, and possibly indexing of public web servers to find CGI holes.
(2) Exploits: intruders take advantage of hidden features or bugs to gain access to the system.
(3) Denial-of-service (DoS) attacks: the intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The intruder is not trying to gain information, but simply to act as a vandal and prevent you from making use of your machine.
The signatures are written based on these types of attacks.
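The signature matching of a NIDS and the attack classes above, as an added example that is not code from the original page and not Snort's, RealSecure's or any other product's code: a toy network IDS in Python that applies a small signature table to each packet (a directory traversal pattern and an /etc/passwd access pattern for exploit attempts, and a DNS AXFR query for zone-transfer reconnaissance) and keeps per-source state to spot a TCP SYN port scan, which no single-packet signature can catch. The Packet layout, the signature names, the scan threshold and the traffic in sample_traffic() are assumptions constructed for the example, not a real capture.

```python
"""Toy network IDS: stateless signature matching plus a stateful port-scan
detector, run over constructed packet records.

Example code added to this FAQ; not Snort's, RealSecure's or any product's
code. The Packet layout, the signature table and the scan threshold are
assumptions made for the example; sample_traffic() is constructed data.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Packet(NamedTuple):
    ts: float        # seconds
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str       # TCP flags, e.g. "S" for a bare SYN, "PA" for data
    payload: bytes


# Signature table: (name, protocol, destination port, payload pattern).
SIGNATURES = [
    ("WEB-ATTACK directory traversal", "tcp", 80, re.compile(rb"\.\./")),
    ("WEB-ATTACK /etc/passwd access attempt", "tcp", 80, re.compile(rb"/etc/passwd")),
    # A DNS question section ends with QTYPE (2 bytes) and QCLASS (2 bytes);
    # QTYPE 252 = AXFR (zone transfer), QCLASS 1 = IN.
    ("DNS zone transfer request", "tcp", 53, re.compile(rb"\x00\xfc\x00\x01$")),
]


def match_signatures(pkt: Packet) -> List[str]:
    """Return the names of all signatures whose protocol, port and payload match."""
    return [
        name
        for name, proto, dport, pattern in SIGNATURES
        if pkt.proto == proto and pkt.dport == dport and pattern.search(pkt.payload)
    ]


class PortScanDetector:
    """Flag a source that sends SYNs to more than `threshold` distinct ports on
    one destination within `window` seconds (reconnaissance, not a signature)."""

    def __init__(self, threshold: int = 10, window: float = 5.0) -> None:
        self.threshold = threshold
        self.window = window
        self.events: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
        self.alerted: Set[Tuple[str, str]] = set()

    def observe(self, pkt: Packet) -> Optional[str]:
        if pkt.proto != "tcp" or pkt.flags != "S":
            return None
        key = (pkt.src, pkt.dst)
        cutoff = pkt.ts - self.window
        # Keep only SYNs inside the sliding window, then count distinct ports.
        recent = [e for e in self.events[key] if e[0] >= cutoff] + [(pkt.ts, pkt.dport)]
        self.events[key] = recent
        ports = {dport for _, dport in recent}
        if len(ports) > self.threshold and key not in self.alerted:
            self.alerted.add(key)   # one alert per source/destination pair
            return f"PORTSCAN {pkt.src} -> {pkt.dst}: {len(ports)} ports in {self.window:g}s"
        return None


def run_ids(packets: List[Packet]) -> List[str]:
    """Apply the signatures and the scan detector to each packet in order."""
    alerts: List[str] = []
    scanner = PortScanDetector()
    for pkt in packets:
        for name in match_signatures(pkt):
            alerts.append(f"{name}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        scan = scanner.observe(pkt)
        if scan:
            alerts.append(scan)
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one benign request, one exploit attempt, one
    zone-transfer attempt and a 20-port SYN scan."""
    pkts = [
        Packet(0.0, "10.0.0.5", "192.0.2.10", "tcp", 40000, 80, "PA",
               b"GET /index.html HTTP/1.1\r\n"),
        Packet(0.1, "198.51.100.7", "192.0.2.10", "tcp", 40001, 80, "PA",
               b"GET /../../etc/passwd HTTP/1.0\r\n"),
    ]
    # DNS query for example.com, type AXFR (TCP length prefix omitted for brevity).
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"\x07example\x03com\x00"
    pkts.append(Packet(0.2, "198.51.100.7", "192.0.2.53", "tcp", 40002, 53, "PA",
                       header + qname + b"\x00\xfc\x00\x01"))
    for i, port in enumerate(range(1, 21)):
        pkts.append(Packet(1.0 + i * 0.01, "203.0.113.9", "192.0.2.10", "tcp",
                           50000 + i, port, "S", b""))
    return pkts


if __name__ == "__main__":
    for line in run_ids(sample_traffic()):
        print(line)
```

Running it yields two signature hits for the traversal request (both web patterns match the same packet), one for the AXFR query, and a single PORTSCAN alert once the eleventh distinct port is probed. Note what it misses: the same traversal sent as %2e%2e/ does not match the raw byte pattern, which is why real NIDS engines normalize HTTP before matching, and why the scan threshold has to be tuned for the site so that legitimate bursts of connections do not trigger false alerts.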