ids/ips
Last updated
Intrusion detection system (IDS)
Detects vulnerability exploits and potential threats
Listen-only device
Monitors traffic passively
Detection/depth of analysis may not be performed quickly enough -> the speed of analysis and detection may not keep pace with components sitting on the direct communication path of the network.
Types of IDS
Network-based intrusion detection system (NIDS)
Deployed across the infrastructure
Border of subnets
Any strategic points on the network infrastructure
Monitors traffic across the whole network
Host-based intrusion detection system (HIDS)
Monitors computer infrastructure
Deployed on a specific endpoint -> e.g. a company laptop
Types of IDS Detection
Signature
Looks for specific patterns and sequences that match known attack signatures
100% accurate on matches, but scoped only to known attacks
When a 0-day attack occurs,
Anomaly-based
Machine learning is used to analyze the current network data and traffic
Machine then creates a baseline (model of normal activity) and uses it to identify anomalous behavior.
Very prone to false positives (false alarms)
Heuristics must be set and fine-tuned by the vendor.
Any IDS solution will include both signature-based and anomaly-based detection methods.
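The two detection methods above, side by side in one toy engine. This is an added example, not code from the original notes or from any vendor product: the signatures, the flows and the z-score threshold are constructed for illustration, and the z-score stands in for whatever model a real anomaly engine learns. It also shows the gap the notes point at: a request that matches no signature and does not disturb the rate baseline raises no alert at all.

```python
"""Toy IDS detection engine combining signature-based and anomaly-based detection.

Added example, not code from the original notes or any vendor product.
Signatures, flows and thresholds below are constructed for illustration.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str              # source address
    dst_port: int         # destination port
    payload: bytes        # application-layer bytes seen on the wire
    packets_per_min: int  # observed packet rate for this source


# Hypothetical signatures (constructed; not a real vendor rule set).
SIGNATURES = {
    "SIG-001-path-traversal": re.compile(rb"\.\./\.\./"),
    "SIG-002-passwd-read": re.compile(rb";\s*cat\s+/etc/passwd"),
}


def signature_matches(flow):
    """Signature-based detection: exact pattern match against known attacks."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]


class AnomalyBaseline:
    """Anomaly-based detection: learn what a normal rate looks like, flag outliers.

    A z-score on packets_per_min stands in for the machine-learned model.
    """

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # tunable heuristic; lower = more false positives
        self.mean = 0.0
        self.stdev = 1.0

    def train(self, flows):
        rates = [f.packets_per_min for f in flows]
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates) or 1.0  # avoid divide-by-zero

    def is_anomalous(self, flow):
        z = (flow.packets_per_min - self.mean) / self.stdev
        return z > self.threshold


def analyse(flow, baseline):
    """Run both detectors; returns a list of (method, detail) alerts."""
    alerts = [("signature", name) for name in signature_matches(flow)]
    if baseline.is_anomalous(flow):
        alerts.append(("anomaly", f"rate {flow.packets_per_min}/min far above baseline"))
    return alerts


# Constructed training window: normal traffic used to build the baseline.
TRAINING = [Flow("10.0.0.%d" % i, 443, b"GET /index.html", rate)
            for i, rate in enumerate([40, 45, 50, 55, 60], start=1)]

# Constructed test traffic.
KNOWN_ATTACK = Flow("10.0.0.9", 80, b"GET /files/../../etc/shadow", 50)
FLOOD = Flow("10.0.0.10", 80, b"GET /index.html", 500)
# Stands in for a 0-day request: nothing in SIGNATURES matches and the rate is normal.
NOVEL_ATTACK = Flow("10.0.0.11", 80, b"GET /new-endpoint?q=AAAA", 50)
BENIGN = Flow("10.0.0.12", 443, b"GET /about.html", 45)


def demo():
    """Train the baseline on normal traffic, then analyse each test flow."""
    baseline = AnomalyBaseline()
    baseline.train(TRAINING)
    return {name: analyse(flow, baseline)
            for name, flow in [("known", KNOWN_ATTACK), ("flood", FLOOD),
                               ("novel", NOVEL_ATTACK), ("benign", BENIGN)]}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts or "no alert")
```

The threshold is the "heuristic" the notes mention: at 3.0 the flood is caught with a huge margin, but lowering it toward 1.0 would start flagging the 60 packets/min host in the training window, which is exactly where anomaly engines pick up their false positives.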
IDS Evasion Techniques
Fragmentation
Divides a packet into smaller fragments.
The fragments are later reconstructed by the recipient node at the IP layer.
Only once reassembled does the packet become malicious, so the fragments individually do not match a signature.
Flooding
Overwhelms the detector, causing its control mechanism to fail.
Obfuscation
Altering the program code carried in the packet so that its functionality is preserved but its form no longer matches the signature -> the IDS is unable to recognise it.
Encryption
Encrypting the program transferred in the packet means that an IDS without encryption/decryption capabilities is unable to detect it.
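The fragmentation point above, as an added example that is not part of the original notes: a detector that inspects each fragment on its own never sees a signature that spans a fragment boundary, while a detector that reassembles first sees what the recipient's IP layer will see. The request, signature and fragment size are constructed; the reassembler is a deliberately strict toy that refuses gaps and overlaps rather than guessing.

```python
"""Fragmentation and why a NIDS must reassemble before signature matching.

Added example, not code from the original notes. The payload, signature and
fragment size are constructed for illustration.
"""

SIGNATURE = b"../../etc/passwd"  # constructed pattern standing in for a known-attack signature


def fragment(payload, size):
    """Split a payload into (offset, chunk) pieces, as IP fragmentation splits a datagram."""
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def inspect_per_fragment(fragments):
    """Naive IDS: looks at each fragment on its own.

    A signature that spans a fragment boundary is never seen in one piece.
    """
    return any(SIGNATURE in chunk for _, chunk in fragments)


def reassemble(fragments):
    """Rebuild the payload the way the recipient's IP layer would.

    Fragments may arrive out of order. A gap or an overlap means the datagram is
    incomplete or malformed; return None so the caller can treat it as suspicious
    instead of inspecting a guess. (A missing *final* fragment would need the
    more-fragments flag or total length to detect; that is omitted here.)
    """
    buf = bytearray()
    for off, chunk in sorted(fragments):
        if off != len(buf):
            return None
        buf.extend(chunk)
    return bytes(buf)


def inspect_reassembled(fragments):
    """IDS that reassembles first, so it sees what the recipient will see.

    Returns True on match, False on no match, None if reassembly failed.
    """
    payload = reassemble(fragments)
    if payload is None:
        return None
    return SIGNATURE in payload


# Constructed request carrying the signature, split into 8-byte fragments and
# delivered in reverse order. The 16-byte signature cannot fit in any 8-byte chunk.
REQUEST = b"GET /files/../../etc/passwd HTTP/1.1"
FRAGMENTS = fragment(REQUEST, 8)[::-1]


def demo():
    """Compare the two inspection strategies, plus two malformed fragment sets."""
    return {
        "per_fragment": inspect_per_fragment(FRAGMENTS),
        "reassembled": inspect_reassembled(FRAGMENTS),
        # fragment at offset 8 never arrives -> gap -> cannot inspect
        "missing_middle": inspect_reassembled([f for f in FRAGMENTS if f[0] != 8]),
        # extra fragment overlapping offsets 4..7 -> malformed -> cannot inspect
        "overlap": inspect_reassembled(FRAGMENTS + [(4, b"XXXX")]),
    }


if __name__ == "__main__":
    print(demo())
```

The None results are the operationally interesting part: a sensor that cannot reassemble a datagram has no basis for calling it clean, so the safe disposition is to alert on the malformed fragment set rather than silently pass it.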
Intrusion prevention system (IPS)
Largely automated
Able to detect and take action on traffic
Functionality integrated into unified threat management (UTM) appliances
Now connected to cloud-based computing
IDS -> out-of-line / out-of-band deployment
IPS -> inline deployment
Several actions IPS can do:
Send an alarm to the administrator (similar to IDS)
Drop malicious packets
Block traffic from a specified source address
Reset a connection
Configure firewall to prevent future attacks
Types of IPS and their detection methods
Similar to IDS, has:
Network based intrusion prevention system
Host intrusion prevention system
Detection methods for IPS are also signature based and anomaly based.
IDS + IPS = IDPS
IDPS
Allows the administrator to control and configure what action is taken when a malicious packet is detected (e.g. alert only, like a traditional IDS, or act on the packet, like a traditional IPS)
IPS and firewall technology may be integrated because both use rule-based policy controls.
Firewall -> allows/denies traffic based on ports and source or destination IP addresses
IPS -> compares traffic patterns to signatures and allows/drops a packet based on whether a signature matches
Almost all NGFWs include IPS capabilities (note: not every NGFW necessarily has them)
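The IDPS mode switch and the firewall-versus-IPS distinction above, combined in one toy policy engine. This is an added example, not code from the original notes or any product: the firewall rules, the signature and the packets are constructed. The firewall layer decides only on port and address, the IPS layer only on payload content, and the mode decides whether a signature hit becomes an alert (IDS behaviour) or a drop plus a block on the source (IPS behaviour).

```python
"""IDPS policy engine: firewall-style rules plus IPS signature actions.

Added example, not code from the original notes or any product. Rules,
signatures and packets are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Firewall layer: decides on ports and addresses only, first match wins.
FIREWALL_RULES = [
    ("deny", {"src": "10.0.0.66"}),   # a source the administrator has denied
    ("allow", {"dst_port": 443}),
    ("allow", {"dst_port": 80}),
]
FIREWALL_DEFAULT = "deny"


def firewall_decision(pkt):
    """Return "allow" or "deny" from the first rule whose fields all match."""
    for action, match in FIREWALL_RULES:
        if all(getattr(pkt, attr) == value for attr, value in match.items()):
            return action
    return FIREWALL_DEFAULT


# IPS layer: decides on payload content, not on who is talking.
IPS_SIGNATURES = {"SIG-path-traversal": b"../../"}  # constructed


class IDPS:
    """mode="detect": alert only, like an IDS. mode="prevent": act on the packet, like an IPS."""

    def __init__(self, mode="prevent"):
        self.mode = mode
        self.blocked_sources = set()  # sources blocked after a signature hit
        self.alerts = []              # (src, [signature names]) sent to the administrator

    def process(self, pkt):
        """Return the action taken: "allow", "drop" or "block-source"."""
        if pkt.src in self.blocked_sources:
            return "drop"                      # an earlier block decision still applies
        if firewall_decision(pkt) == "deny":
            return "drop"                      # firewall rejects before any inspection
        hits = [name for name, sig in IPS_SIGNATURES.items() if sig in pkt.payload]
        if not hits:
            return "allow"
        self.alerts.append((pkt.src, hits))    # alarm to the administrator in both modes
        if self.mode == "detect":
            return "allow"                     # IDS behaviour: alert, but let it through
        self.blocked_sources.add(pkt.src)      # IPS behaviour: drop and block the source
        return "block-source"


# Constructed traffic.
ATTACK = Packet("10.0.0.9", 80, b"GET /files/../../etc/shadow")
FOLLOW_UP = Packet("10.0.0.9", 443, b"GET /index.html")   # benign, same source as ATTACK
SSH = Packet("10.0.0.5", 22, b"SSH-2.0-client")           # port not allowed by firewall
DENIED = Packet("10.0.0.66", 80, b"GET /index.html")      # source denied by firewall


def demo(mode):
    """Run the four packets through an engine in the given mode."""
    engine = IDPS(mode)
    actions = [engine.process(p) for p in (ATTACK, FOLLOW_UP, SSH, DENIED)]
    return actions, engine.alerts


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, demo(mode))
```

Note that the benign FOLLOW_UP packet is dropped in prevent mode only because its source was blocked after the earlier hit; that side effect on later, legitimate traffic is the cost of the "block traffic from a source" action, and the reason administrators are given the choice of alert-only mode.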