
IDS/IPS

IDS

  • Detect vulnerability exploits/potential threats

  • Listen-only device

  • Monitors traffic

  • 👎 Depth of analysis and speed of detection may not be enough -> because it sits off the direct communication path, the IDS may not be able to keep pace with the components that are on that path.

Types of IDS

  1. Network-based intrusion detection system (NIDS)

    1. Deployed across the infrastructure

    2. Border of subnets

    3. Any strategic points on the network infrastructure

    4. Monitors traffic across the whole network

  2. Host-based intrusion detection system (HIDS)

    1. Monitors a single computer (host) rather than the network

    2. Deployed on a specific endpoint, e.g. a company laptop

There are also more types of IDS, e.g. wireless intrusion detection system (WIDS).

Types of IDS Detection

  1. Signature

    1. Looks for specific patterns and sequences that match known attack signatures

    2. 100% accurate for known signatures, but the scope is limited to known attacks

    3. When 0-day attack occurs,

  2. Anomaly-based

    1. Machine learning is used to analyze the current network data and traffic

    2. The machine then creates a baseline (a model of normal activity) and uses it to identify anomalous behavior.

    3. Very prone to false positives (false alarms)

      1. Heuristics have to be set and fine-tuned by the vendor.
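To make the two detection methods concrete, here is an added example (not from the notes) that runs both over a constructed set of web-server log lines. The signature rules, the "training" and "observed" windows and the threshold factor are all assumptions chosen for illustration. The signature detector catches the one request that matches a known pattern but misses a URL-encoded variant it has no rule for; the anomaly detector catches that source anyway because its request volume departs from the baseline, and it also raises a false positive on a legitimate crawler burst.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed "known attack" signatures: rule name -> pattern (assumed, not a real ruleset)
SIGNATURES = {
    "sqli_comment": re.compile(r"'\s*--"),   # SQL comment right after a quote
    "path_traversal": re.compile(r"\.\./"),  # directory climbing in a path
}

# Constructed log lines: "<source ip> <method> <path>"
# Training window: normal activity used to build the baseline.
TRAINING_LOG = (
    ["10.0.0.5 GET /index.html"] * 5
    + ["10.0.0.7 GET /about.html"] * 3
    + ["10.0.0.8 GET /contact.html"] * 4
)

# Observed window: normal users, one attacker, one busy but legitimate crawler.
OBSERVED_LOG = (
    ["10.0.0.5 GET /index.html"] * 4
    + ["10.0.0.7 GET /about.html"] * 3
    + ["10.0.0.9 GET /login?user=admin'--"]          # matches the sqli_comment signature
    + ["10.0.0.9 GET /login?user=admin%27--"] * 7    # encoded variant: no signature matches it
    + ["10.0.0.11 GET /sitemap.xml"] * 7              # legitimate crawler burst
)


def signature_detect(lines):
    """Return [(line_number, rule_name)] for every line that matches a known signature."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


def requests_per_source(lines):
    """Count requests per source address (the feature the baseline is built on)."""
    return Counter(line.split()[0] for line in lines)


def build_baseline(lines):
    """Model of normal activity: mean and population std-dev of requests per source."""
    counts = list(requests_per_source(lines).values())
    return mean(counts), pstdev(counts)


def anomaly_detect(lines, baseline, k=2.0):
    """Flag sources whose request count exceeds mean + k * stdev of the baseline.

    `k` is the tuning knob the notes refer to: lower it and more sources are
    flagged (more false positives), raise it and quieter attacks slip through.
    """
    mu, sigma = baseline
    threshold = mu + k * sigma
    return sorted(src for src, count in requests_per_source(lines).items() if count > threshold)


if __name__ == "__main__":
    print("signature hits:", signature_detect(OBSERVED_LOG))
    baseline = build_baseline(TRAINING_LOG)
    print("baseline (mean, stdev):", baseline)
    print("anomalous sources:", anomaly_detect(OBSERVED_LOG, baseline))
```

Running it shows the trade-off the notes describe: the signature detector reports only line 8 (the unencoded payload), while the anomaly detector reports both 10.0.0.9 and the harmless crawler 10.0.0.11, which is the false-positive cost that has to be tuned away through `k`.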

IDS Evasion Techniques

  1. Fragmentation

    1. Divides a packet into smaller fragments.

    2. The fragments are later reconstructed by the recipient node at the IP layer.

    3. Only the reassembled packet is malicious: an IDS that inspects each fragment on its own never sees the complete pattern.

  2. Flooding

    1. Overwhelms the detector, triggering a failure of its control mechanism.

  3. Obfuscation

    1. Altering the program code carried in the packet so that its functionality is unchanged but its form no longer matches a signature; the IDS is unable to recognize it.

  4. Encryption

    1. Encrypting the program transferred in the packet means that an IDS without encryption/decryption capabilities is unable to detect it.
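The fragmentation point above is easiest to see from the detector's side. The following is an added example, not code from the notes: a toy IP-style fragmenter, a reassembler that models what the recipient node does, and two inspectors, one matching a signature per fragment and one matching only after reassembly. The signature string, the request, the fragment size and the `Fragment` layout are all constructed assumptions. The reassembler also refuses datagrams with gaps or missing fragments, since a detector that guessed at incomplete data would make a different decision from the host.

```python
from dataclasses import dataclass

# Constructed signature a "known attack" rule would look for in the payload.
SIGNATURE = b"' OR 1=1--"

# Constructed request whose payload contains the signature.
ATTACK_REQUEST = b"GET /login?u=admin' OR 1=1-- HTTP/1.1"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1"


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field: groups the fragments of one datagram
    offset: int     # byte offset of this fragment's payload within the datagram
    more: bool      # "more fragments" flag: False on the last fragment
    payload: bytes


def fragment(ident, data, size):
    """Split `data` into fragments of `size` bytes (models the sending side)."""
    return [
        Fragment(ident, off, off + size < len(data), data[off:off + size])
        for off in range(0, len(data), size)
    ]


def reassemble(fragments):
    """Rebuild datagrams the way the recipient's IP layer does.

    Returns {ident: payload} for complete datagrams only. Fragments may arrive
    in any order; a gap, an overlap or a missing last fragment leaves the
    datagram out of the result rather than producing a partial payload.
    """
    groups = {}
    for frag in fragments:
        groups.setdefault(frag.ident, []).append(frag)

    complete = {}
    for ident, frags in groups.items():
        buf = b""
        contiguous = True
        last_more = True
        for frag in sorted(frags, key=lambda f: f.offset):
            if frag.offset != len(buf):   # gap or overlap: do not accept
                contiguous = False
                break
            buf += frag.payload
            last_more = frag.more
        if contiguous and not last_more:
            complete[ident] = buf
    return complete


def naive_inspect(fragments):
    """Per-fragment matching: what a detector that does not reassemble sees."""
    return [f.ident for f in fragments if SIGNATURE in f.payload]


def reassembling_inspect(fragments):
    """Match against reassembled datagrams, i.e. the data the host will act on."""
    return [ident for ident, data in reassemble(fragments).items() if SIGNATURE in data]


if __name__ == "__main__":
    frags = fragment(1, ATTACK_REQUEST, 8) + fragment(2, BENIGN_REQUEST, 8)
    print("per-fragment matches:", naive_inspect(frags))
    print("post-reassembly matches:", reassembling_inspect(reversed(frags)))
```

With an 8-byte fragment size the signature straddles two fragments of datagram 1, so `naive_inspect` returns nothing while `reassembling_inspect` reports datagram 1 even when the fragments are delivered in reverse order. The last assertion in the test below covers the edge case: with the final fragment missing, the reassembler returns no datagram at all instead of a truncated one.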

IPS

  • Largely automated

  • Able to detect and take action on traffic

  • Functionality integrated into unified threat management (UTM)

  • Now connected to cloud-based computing

Several actions IPS can do:

  • Send an alarm to the administrator (similar to IDS)

  • Drop malicious packets

  • Block traffic from a specified source address

  • Reset a connection

  • Configure firewall to prevent future attacks

Types of IPS and their detection methods

  • Similar to IDS, there are:

    1. Network-based intrusion prevention system (NIPS)

    2. Host-based intrusion prevention system (HIPS)

  • Detection methods for IPS are also signature based and anomaly based.

Merging IDS, IPS and Firewall

  • IDS + IPS = IDPS

IDPS

  • Allows the administrator to control and configure what actions are to be taken when a malicious packet is detected (e.g. alert only, like a traditional IDS, or take action on the packet, like a traditional IPS)

  • IPS and firewall technology may be integrated due to similarity in terms of having rule-based policy controls.

    • Firewall -> Allows/denies traffic based on ports and source or destination IP addresses

    • IPS -> Compares traffic patterns to signatures and allows/drops packets based on the signature matches found
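The IPS actions listed earlier and the IDPS/firewall integration described here fit together in one small policy engine. This is an added example, not code from the notes: a firewall stage with first-match allow/deny rules on ports and addresses, an IPS stage that matches payloads against signatures, and a configurable mode that selects IDS-style alerting or IPS-style blocking. The packet fields, the rule layout, the single signature and the action names are all assumptions. In block mode a signature match drops the packet and also inserts a deny rule for the source, which is the "configure firewall to prevent future attacks" action in code form.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port
    payload: str   # application data to inspect


@dataclass
class FirewallRule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # "any" or one address
    dst: str = "any"
    dport: Optional[int] = None  # None matches every port


class IDPS:
    """Firewall + IPS in one policy engine; `mode` is "alert" (IDS) or "block" (IPS)."""

    def __init__(self, mode, firewall_rules, signatures):
        if mode not in ("alert", "block"):
            raise ValueError("mode must be 'alert' or 'block'")
        self.mode = mode
        self.firewall = list(firewall_rules)   # own copy: shun rules are added here
        self.signatures = signatures           # rule name -> compiled regex
        self.alerts = []                       # (source, rule name) sent to the administrator

    def firewall_decision(self, pkt):
        """First matching rule wins; nothing matching means deny."""
        for rule in self.firewall:
            if (rule.src in ("any", pkt.src)
                    and rule.dst in ("any", pkt.dst)
                    and rule.dport in (None, pkt.dport)):
                return rule.action
        return "deny"

    def process(self, pkt):
        """Return what happened to the packet as a short action string."""
        if self.firewall_decision(pkt) == "deny":
            return "dropped_by_firewall"
        for name, pattern in self.signatures.items():
            if pattern.search(pkt.payload):
                self.alerts.append((pkt.src, name))      # alarm, as an IDS would raise
                if self.mode == "alert":
                    return "alerted"                     # IDS behaviour: let it through
                # IPS behaviour: drop the packet and shun the source from now on
                self.firewall.insert(0, FirewallRule("deny", src=pkt.src))
                return "dropped_by_ips"
        return "allowed"


# Constructed policy: only web ports are open; one signature for a classic SQLi probe.
RULES = [FirewallRule("allow", dport=80), FirewallRule("allow", dport=443)]
SIGNATURES = {"sqli_or_true": re.compile(r"'\s*OR\s*1=1")}

if __name__ == "__main__":
    ips = IDPS("block", RULES, SIGNATURES)
    for pkt in [
        Packet("10.0.0.9", "10.0.0.1", 22, "SSH-2.0"),
        Packet("10.0.0.9", "10.0.0.1", 80, "GET /?id=1' OR 1=1"),
        Packet("10.0.0.9", "10.0.0.1", 80, "GET /"),
        Packet("10.0.0.5", "10.0.0.1", 80, "GET /"),
    ]:
        print(pkt.src, pkt.dport, "->", ips.process(pkt))
```

The same engine in `"alert"` mode raises the alarm but keeps forwarding, so a later benign packet from the same source is still allowed; in `"block"` mode that later packet is already caught by the firewall stage because the shun rule was inserted ahead of the allow rules.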
