You also can specify what the IDS should do when it detects a break-in attempt. It can log the activity, send an alert to a console or pager, and send a command to firewalls or routers. The most common action is to log the event--doing so provides forensic data for analyzing successful exploits and updating firewall, router and server policies to prevent recurrences. In many cases, the IDS handles only the logs and alerts, while the firewalls, routers and servers handle intrusion prevention.
Some IDSs can access new signature files generated by the vendor or a user community. In most cases, however, you must update the IDS regularly about threatening or illegitimate network behavior. If you don't, the IDS can't pinpoint exploits that haven't yet been identified in a signature.
Location Is Everything
So where do you set up an IDS? That depends on where (from which network or network segment) you expect threats to originate. The most obvious location is at the network perimeter, just inside the firewall. That's a hotspot because traffic that doesn't get through the firewall is of no interest, and any logging system that captures unfiltered Internet activity is likely to fill up quickly. Positioning an IDS inside the firewall helps you understand attacks that originate outside your network. It may not, however, cover exploits that originate from inside your network targeting your hosts, depending on your network's topology.
Choosing the Optimal Setup
Click to Enlarge