IDS Policy

Case Study: Formulation of an IDS Policy

Securing your computer systems, especially when all of your computers can reach the internet, is extremely important. What is even more important is having a plan that allows you to stay organized in your fight against intrusions and security breaches. No matter how big or small your company, having an IDS policy in place will assist in preventing security breaches and in notifying personnel when they occur. IDS stands for Intrusion Detection System; it is a collaboration of hardware, software and personnel that acts as the first line of defense when an intrusion occurs. An easy way to understand it is in four steps: Prevention, Intrusion Monitoring, Intrusion Detection and Response.

The first step of an IDS policy is prevention. Since prevention is where most companies pour their dollars, there is a whole system devoted to it. This system is called an Intrusion Prevention System (IPS). Some consider this an extension of an IDS policy, and since I believe more firepower added to an existing policy is better, I will include the IPS in an IDS policy. Prevention includes, but is not limited to, firewalls, antivirus and a security threat management team that seeks out malicious activity. Free open-source applications that assist with intrusion prevention are available on the internet for download. A good example of this is Snort NIPS.

The next step in an IDS policy is monitoring along with Intrusion Detection (ID). Intrusion Detection and monitoring go hand in hand because ID needs the monitoring to determine whether there is suspicious activity. This works through the existing programs that reside on your servers and computers or are built into the network hardware. Almost every application that watches the network creates logs that can tell a story about the network traffic. Monitoring the network, critical server activity, unusual CPU activity at odd times and configuration files allows the threat management team to understand effectively the problems that have occurred. If you set a baseline for your configurations, bandwidth and CPU activity, you will be able to monitor your systems effectively.
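The paragraph above names three things worth watching: logs that tell a story about the traffic, CPU activity compared against a baseline for the time of day, and configuration files that should not change silently. The following is an added example, not code from the original essay, showing one small way to put those three checks into practice. The log format, the hourly CPU baseline, the thresholds and the sample data are all constructed assumptions for illustration; a real deployment would derive the baseline from its own normal traffic and load.

```python
"""Baseline-driven monitoring checks (added example; all sample data is constructed)."""
import hashlib
import re
from collections import defaultdict

# --- 1. Firewall log: many DENY lines from one source tell a port-probing story ---
# Constructed sample log lines; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2009-02-22 02:14:01 DENY tcp 203.0.113.9 -> 192.0.2.10:22",
    "2009-02-22 02:14:02 DENY tcp 203.0.113.9 -> 192.0.2.10:23",
    "2009-02-22 02:14:02 DENY tcp 203.0.113.9 -> 192.0.2.10:25",
    "2009-02-22 02:14:03 DENY tcp 203.0.113.9 -> 192.0.2.10:80",
    "2009-02-22 02:14:03 DENY tcp 203.0.113.9 -> 192.0.2.10:443",
    "2009-02-22 02:14:04 DENY tcp 203.0.113.9 -> 192.0.2.10:3389",
    "2009-02-22 02:15:10 ALLOW tcp 198.51.100.4 -> 192.0.2.10:443",
    "2009-02-22 02:16:44 DENY udp 198.51.100.4 -> 192.0.2.10:161",
]

# Assumed log format: "<date> <time> <ALLOW|DENY> <proto> <src> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_log_line(line):
    """Return a dict of fields, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sources_probing_many_ports(lines, min_ports=5):
    """Report sources that were denied on at least `min_ports` distinct ports.

    `min_ports` is an assumed threshold; tune it against your own baseline so that
    a single mistyped port number does not page anyone.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["action"] == "DENY":
            ports_by_src[rec["src"]].add(int(rec["port"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


# --- 2. CPU activity compared against an hourly baseline ---
# Constructed baseline: expected peak CPU percent per hour of day (0-23).
# Business hours are assumed busy; nights are assumed quiet.
CPU_BASELINE = {h: (70 if 8 <= h < 18 else 15) for h in range(24)}


def cpu_anomalies(samples, baseline=CPU_BASELINE, margin=1.5):
    """samples: list of (hour, cpu_percent). Flag samples above margin * baseline.

    The same 55% load is normal at 14:00 and worth a look at 03:00, which is
    why the baseline is keyed by hour rather than a single global number.
    """
    return [(h, cpu) for h, cpu in samples if cpu > baseline[h] * margin]


# --- 3. Configuration files checked against known-good fingerprints ---
def fingerprint(content: bytes) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(content).hexdigest()


def changed_configs(known_good_hashes, current_files):
    """known_good_hashes: path -> recorded digest; current_files: path -> bytes now on disk.

    Return every path whose contents no longer match the recorded digest,
    plus paths that appeared or disappeared since the baseline was taken.
    """
    changed = []
    for path in sorted(set(known_good_hashes) | set(current_files)):
        if path not in known_good_hashes or path not in current_files:
            changed.append(path)
        elif fingerprint(current_files[path]) != known_good_hashes[path]:
            changed.append(path)
    return changed


if __name__ == "__main__":
    print("port probers:", sources_probing_many_ports(SAMPLE_LOG))
    print("cpu anomalies:", cpu_anomalies([(14, 60), (3, 55), (3, 10)]))
    baseline = {"/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin no\n")}
    now = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}
    print("changed configs:", changed_configs(baseline, now))
```

Each check returns its findings as plain data rather than printing them, so the same functions can feed an alerting script or a daily report. The baseline dictionaries are the part that matters: without a recorded picture of normal traffic, load and configuration, there is nothing for the monitoring to compare against.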

Last, but not least, is Response. The best defense when responding to an attack is understanding what the attack is doing to your system. Where is the focal point of the attack? Is the attack trying to deny your service to the internet, or is it trying to attack your payroll server? If the attack is genuine and widespread, the threat management team needs to start informing users. Containing the attack by shutting down servers or computers may be the ideal way to stop the intrusion. Then inform interested parties about the nature of the attack.

After you have experienced an attack, the best way to learn from it is to document everything that occurred before, during and after the attack. Document how the IDS reacted and how the threat management team responded to the threat. Implementing these steps will not prevent an attack, but it will make your team better prepared in the event of one. As long as there is a plan in place to secure your network and computers, you will have a leg up in securing your systems and will make it more difficult for intrusions to take place.

