Can an IDS help when I'm behind a router?

I'm also on a home computer - not a server. But I read where some hackers are targeting routers, so I wonder if an IDS such as Norton's can enhance security.

 

I do have one port forwarded (I use it in case I file-share again.) Thanks for your opinion, and maybe others can weigh in.

 

I'm behind a router too, a Linux box, and i have an IDS on it, not on my computer.
The IDS can see all traffic, the traffic which will reach my computer, and the traffic which is drop by the firewall.

However, since i don't run any server/services available for the Internet, it's just by curiosity more than by need.
The IDS well configured doesn't log a lot of things, whereas firewall log grows quickly

 

Ideally, an IDS would be placed eternal to the border firewall and another internal to it (before it reaches any internal switch). But the main benefit is lost if there are few IPs on the side that each IDS monitors. So in a single IP DSL arrangement, to have it on the firewall host will not give you the degree of info that it would if there were a partial or full Class C network or greater behind it. Likewise if you have one internal to the firewall but the only thing inside it is a single host then you will see little benefit. However, the data can still be useful in a single IP environment, especially when someone is directing a stream of reconaissance probes or hack attempts.

 

So the only befefit I'd get from a software firewall/IDS combo is greater detail in alerts? If that's the case, I'm not sure using NPF would be worth using.

 

You would get greater detail in the alerts but you will also get more coverage to some extent. For example, if you decide to allow Web traffic through once you allow it most firewalls (without IDS capability) will pass it without comment or review, however the IDS will analyse the packet stream for characteristics specified as indications of one or another sort of attempt to leverage some vulnerability. However, this will entail some degree of false positives, for instance, it may see packet contents that are consistent with attempted vulnerability exploitation of,say, a certain version of Apache web server, but if you are only running a web client on your side then obviously it is of no interest to you, but there is some degree of legwork involved to find this out (that it is of no interest to you) and if it happens consistently you would go into the IDS administration and toggle that particular rule.

IDS's always serve as a complement to firewalls rather than as a redundancy but as stated previously, the returns on the investment in time of administration may differ depending on the network design and placement.

Hope this helps

{last minute note - My remarks are more geared towards Snort or Snort-based IDS (which is incorporated in some personal firewalls such as Tiny) I have no experience with Norton's implementation so it may be that the administration of its IDS is less involved but that would be some indication I think of the quality of the coverage, IMO}

 

Norton Personal Firewall has about 125 IDS signitures last time I checked - good, but not like Snort. Thanks for all the answers - they have been helpful.

 

Hi mvdu

As the others have mentioned, an IDS is most beneficial if you are running services that could be exploited and forwarding traffic through the firewall. It will analyze those packets allowed through the firewall for possible malicious content based on it's signatures. Depending on the IDS it may log or drop and log the packets when a signature is matched.

The signature based IDS in NIS was introduced in NIS2002 Pro (v4.5).

At that time the firewall/packet filter in NIS would not handle certain stealth scans properly and respond as closed instead of dropping (stealth) the packets. The IDS would identify some of these scans and drop and log the packets. The IDS, in this example, was somewhat beneficial for those users concerned about being stealth.

The packet filtering in the latest versions of NIS has improved and deals with these packets better now, but I have not tested without the IDS running to see how the packet filtering alone will handle all the different types of scans.

The IDS in NIS will also drop and log outbound packets that match it's signatures preventing you from sending them. Most postings I have seen on this usually involve false alarms. But as an example, I have seen it properly identify and drop certain packets when doing vulnerability testing on systems and would require disabling the IDS when doing this testing.

Regards,

CrazyM

 

Thanks, CrazyM. In fact, ZAP does not recognize certain scans - though I haven't seen any that I know got through. I guess it's possible that NPF, due to its IDS, could have an advantage over ZAP when it comes to allowed apps., too. I won't ask you which one I should use - I'll decide that - but I appreciate the feedback.