Intrusion detection system setup features

Intrusion detection system specifics

An Intrusion Detection System (IDS) is a software tool, and in some cases also a hardware one, designed to detect unauthorized access to a computer system or unauthorized control over a network. It is an additional layer of protection for computer networks against hacker attacks. You can read more about what an IDS is, what types exist, what tools it uses in its work, and what reports it generates here.

Now let's focus on how to set up an intrusion detection system and get it ready for work, and on the applications you need for this. We will also describe how the administration of the IDS and its subsequent maintenance should be performed, and suggest one of the most effective and advanced solutions in the field of Internet security.


At this stage, you need to take a number of measures that will ensure a quick and easy setup later on. The work ahead differs depending on which kind of intrusion detection system you plan to use: network-based (NIDS) or host-based (HIDS). Let's consider both options in more detail.

Placing sensors for the NIDS intrusion detection system

If you are deploying a network intrusion detection system, you should decide in advance where the monitoring sensors will be located. This directly determines what kind of attacks you will be able to detect with them. Follow these recommendations:

  1. Draw up a detailed diagram of your network. The result should be a diagram on which the key points, or sets of systems that are especially sensitive for business operations, are marked. This gives you a clear picture of where the greatest exposure lies, and it is exactly there that the sensors of the detection system should be placed.
  2. If you plan to set up a NIDS to monitor an Internet-facing server for unauthorized access, you will benefit most from a so-called DMZ segment: an isolated, demilitarized zone separated from both the Internet and the internal local network by dedicated firewalls. In this case, even if a hacker does compromise your server, the system will most likely be able to identify the initial penetration or notice activity coming from the attacked host.
  3. If your first priority is to monitor for intrusions targeting internal servers, including DNS and mail servers, it is best to install the sensor directly inside the firewall, that is, in the segment connecting the firewall and the local network. The logic of this decision is easy to understand: with the sensor placed here, the firewall stops most of the attacks aimed at your internal servers, and by examining the firewall log from time to time you can identify them, while the sensor also shows you the attacks that managed to get through. This is the so-called Defense in Depth.

Performing a host integration for the HIDS intrusion detection system

Note right away that an intrusion detection system should be introduced into development environments well before it is deployed on production networks. The reason is that even on inactive systems, some files are updated regularly; audit files are one example. A HIDS is designed to generate appropriate notifications about such changes. It will also send a notification when a user changes their password, and that user may be either an ordinary, authorized person or an attacker.

For the most part, the threats that the IDS detects are written to a file. And what prevents a hacker from reaching that file and making a number of changes to it? We therefore recommend checking these files regularly, paying special attention to entries that have been changed or removed. Their presence is evidence of unauthorized access.
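The check described above, as an added example that is not from the article or any particular HIDS product: a baseline of SHA-256 digests is recorded for the monitored log and audit files, and a later scan is compared against it so that modified, removed and newly created files are reported. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example (not from the article): a minimal file-integrity baseline of
# the kind a HIDS keeps for audit and log files. Digests are recorded once;
# a later scan is diffed against them so that tampering with the files that
# hold the IDS's own findings is itself reported.

def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(directory):
    """Map every file under `directory` (by relative path) to its digest."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = sha256_of(full)
    return baseline

def compare_baseline(old, new):
    """Diff two baselines; the report is what an administrator reviews."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "removed": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }

def demo():
    """Constructed scenario: one log is emptied, one deleted, one added."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("audit.log", b"login ok\n"),
                           ("auth.log", b"password changed\n"),
                           ("app.log", b"service start\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(d)
        # Simulate tampering after the baseline was taken.
        with open(os.path.join(d, "audit.log"), "wb") as f:
            f.write(b"")
        os.remove(os.path.join(d, "auth.log"))
        with open(os.path.join(d, "new.log"), "wb") as f:
            f.write(b"x\n")
        return compare_baseline(baseline, build_baseline(d))
```

In practice the baseline itself must be stored somewhere the monitored host cannot overwrite it, otherwise an intruder can simply re-baseline after tampering.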

Getting acquainted with the configuration of intrusion detection system signals

As a network administrator, you should be aware that alert levels can be configured independently, taking into account the specifics of the upcoming work. Some alerts can be integrated directly into the network control center: they are sent by e-mail as a report or displayed on the monitor as notifications. There are also alerts that can act directly on the firewall, automatically cutting off all traffic from the compromised network. In the latter case, no involvement of the system administrator is required.

It is very important to understand, though, that errors in the alert configuration itself can cause frequent false positives. The result is that it becomes much easier to disable the intrusion detection system than to spend all the working time figuring out whether a given operation poses an immediate threat or not. And attackers often count on exactly this: in practice there are plenty of cases where hackers bombard the system, and the administrator in particular, with a flood of false alerts, waiting for them to simply stop responding.

There is also a weak point in the way the IDS and the firewall work together. If the IDS blocks all traffic it flags, hackers can take advantage of this: they are technically able to simulate attacks that appear to come from well-known sites or business partners. And what is the result? The firewall simply blocks the incoming traffic that is genuinely important to you.
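One way to keep an automatic IDS-to-firewall block from being turned against you in the way just described, as an added example that is not the article's or any product's own code: sources inside the internal network or in a trusted partner range are never auto-blocked but escalated to a person, and an external source is blocked only after it has raised several alerts. The partner range and the alert list are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Added example (not from the article): a guard placed in front of an
# IDS-to-firewall auto-block rule. It never auto-blocks a source inside the
# internal network or a trusted partner range (such alerts may be spoofed,
# so they are escalated to an administrator), and it blocks an external
# source only after repeated alerts, so one false positive cannot cut off
# legitimate traffic.

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed partner range (a documentation prefix, not a real partner).
TRUSTED_PARTNERS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCK_THRESHOLD = 3  # alerts from one source before the firewall is told to block it

def is_protected(src):
    """Sources that must never be auto-blocked, whatever the IDS reports."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS + TRUSTED_PARTNERS)

def decide(alerts):
    """alerts: list of (source_ip, signature) tuples from the IDS.
    Returns {source_ip: "block" | "notify" | "escalate"}."""
    counts = Counter(src for src, _sig in alerts)
    decisions = {}
    for src, n in counts.items():
        if is_protected(src):
            decisions[src] = "escalate"  # a person checks for spoofing first
        elif n >= BLOCK_THRESHOLD:
            decisions[src] = "block"
        else:
            decisions[src] = "notify"
    return decisions

# Constructed sample alerts: a persistent external scanner, a burst that
# claims to come from a partner, a one-off external hit, and an internal host.
SAMPLE_ALERTS = (
    [("198.51.100.7", "port-scan")] * 3
    + [("203.0.113.5", "web-exploit-attempt")] * 5
    + [("192.0.2.9", "port-scan")]
    + [("10.0.0.5", "brute-force")] * 4
)

if __name__ == "__main__":
    for src, action in decide(SAMPLE_ALERTS).items():
        print(f"{src:15} -> {action}")
```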

Create an integration schedule

If you install all the sensors at once, you will not be able to understand how the intrusion detection system actually works: it will be difficult to navigate all the identified activity and tell which events are worth responding to and which can be ignored. It is best to install sensors one at a time. It takes only a couple of days to study how the system behaves at a particular point. Then you can connect a second sensor and again observe its behaviour, and so on until all sensors are installed. This is the easiest way to learn the nuances of how the IDS works.

As practice shows, for stable and efficient operation, sensors need to be installed in two zones at once:

  1. In the DMZ.
  2. On the internal network.

Each of these placements comes with its own set of actions, and you, as the system administrator, need to understand the configuration of these sensors and how they work. This will greatly increase the efficiency of your work.

Preparing the technical component

This stage is the actual connection of the intrusion detection system to the network. You need to complete the following tasks:

  1. Connect the IDS to a port. Choose the port that carries all traffic between the Internet and the internal network; the best option is a hub or a switch mirror port. If you still want to place one sensor at the firewall, install it at the point between the firewall and the internal network.
  2. Select the hardware. Which machine to use depends on the characteristics of the working environment and the data you plan to collect. In some cases one machine is enough, but there are also cases where several independent devices are required, whose task is to send reports to a central management server. In other words, the larger your local network, the more machines should ideally serve it. With detailed information from different points, you can form a complete picture for analysis.
  3. Software. A good choice for the database is Oracle or Microsoft SQL Server. You will also need to install a web interface to this database, through which data is delivered to the system administrator. A compiler, a web server, and the PHP scripting language can be used as auxiliary tools for setting up the environment.

This completes the setup. Now let's focus on how to administer and maintain an intrusion detection system.

Intrusion detection system administration and maintenance

Once again, we draw your attention to the fact that most of the warnings generated by the system will in reality turn out to be false positives. They are often provoked by ordinary traffic that simply does not match the classic reference characteristics; there is nothing dangerous or criminal in it. To simplify the analysis of the information received somewhat, you can use an IDS sensor installed in the area between the firewall and the local network, and at the same time configure the firewall to block traffic coming from specific untrusted addresses. This removes a significant share of the false positives.

In addition to installing an IDS sensor, an administrator needs to carefully study the capabilities of the product and the types of warnings it sends, in order to maintain the intrusion detection system as efficiently as possible. This allows you to quickly discard false positives without missing serious threats. It is important to monitor threats constantly and, when new ones appear, add rules to the system that match their signatures. But it is essential to verify that such threats are real and take action only when it is really necessary.

Ensure high security of networking

Yes, an intrusion detection system is not ideal. It cannot eliminate all threats, cannot fully systematize them, and cannot tell which of the identified activities pose a serious danger and which do not. Still, it has every chance of becoming part of your security system when working on the network. But is there a way to further increase the level of protection against unauthorized access? If you are looking for a simple and easy-to-use solution, we recommend that you pay attention to mobile proxies from the MobileProxy.Space service. Among their features, we highlight:

  • A high level of anonymity and security on the Internet. It is provided by replacing the user's real data with the proxy's own. Moreover, IP addresses can be changed either by timer or on demand. Simultaneous work over the HTTP(S) and Socks5 protocols is also supported.
  • The ability to effectively bypass regional restrictions. You can access a site from any country by choosing the appropriate geolocation and network operator.
  • A faster connection. Mobile proxies rely on the technical capabilities of mobile network operators, including their DNS servers, and data caching is used in addition.

We invite you to follow the link to learn more about the features and functionality of mobile proxies from the MobileProxy.Space service. We also offer a free 2-hour trial.
