The Intrusion Prevention System / Intrusion Detection System (IPS/IDS) industry faces a major challenge in seeking to provide the necessary solutions to current and future threats.
At the same time, this challenge presents vast opportunities to the IPS/IDS companies able to deliver effective functions, integrate systems, and maximize security and productivity per unit of currency invested. The growing acceptance of cutting-edge IPS/IDS technologies in the private and public sectors is forecast to drive the perimeter IPS/IDS market growth.
Rising criminal theft and terror attacks are the key factors that drive the IPS/IDS products and services market. An increasing lean towards business and residential security system automation also raises the demand for these systems and services.
In this article we will try to understand Intrusion Prevention Systems / Intrusion Detection Systems (IPS/IDS) and the types of IPS/IDS.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) solutions form an integral part of a robust network defense solution.
What is an Intrusion Prevention System (IPS)?
Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents.
An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. An IPS does not allow malicious packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 (Network) and Layer 4 (Transport) to ensure that their headers, states, and so on are those specified in the protocol suite.
What is an Intrusion Detection System (IDS)?
Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents, violations, or imminent threats to your security policies.
An IDS captures packets in real time, processes them, and can respond to threats, but it works on copies of the data traffic to detect suspicious activity using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before it can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack. It monitors all network packets from OSI Layer 2 (Data Link) up to Layer 7 (Application), and stores this vast amount of information in its database.
The main difference between them is that an IDS is a monitoring system, while an IPS is a control system.
An IDS doesn’t alter the network packets in any way, whereas an IPS prevents the packet from being delivered based on the contents of the packet, much like how a firewall blocks traffic by IP address.
Intrusion Prevention System (IPS) and its Benefits
In addition to raising an alarm, an IPS can also configure rules, policies and required actions upon capturing these alarms. It can also be classified into a NIPS (network intrusion prevention system), which is placed at specific points on the network to monitor and protect the network from malicious activity, or a HIPS (host intrusion prevention system), which is implemented on each host to monitor its activities and take necessary actions on detection of anomalous behavior. Using signature- or anomaly-based detection techniques, an IPS can:
1. Monitor and evaluate threats, catch intruders and take action in real time to thwart instances that firewall or antivirus software may miss.
2. Prevent DoS/DDoS attacks.
3. Maintain the privacy of users, as the IPS records network activity only when it finds an activity that matches the list of known malicious activities.
4. Stop attacks on the SSL protocol or prevent attempts to find open ports on specific hosts.
5. Detect and foil OS fingerprinting attempts that hackers use to find out the OS of the target system in order to launch specific exploits.
An IPS is an active control mechanism that monitors the network traffic flow. It identifies and averts vulnerability exploits in the form of malicious inputs that intruders use to interrupt and gain control of an application or system.
Intrusion Detection System (IDS) and its Benefits
1. It monitors the working of routers, firewalls, key servers and files. It uses its extensive attack signature database, raises an alarm and sends appropriate notifications on detecting a breach.
2. By using the signature database, an IDS ensures quick and effective detection of known anomalies with a low risk of raising false alarms.
3. It analyzes different types of attacks, identifies patterns of malicious content and helps the administrators to tune, organize and implement effective controls.
4. It helps the company maintain regulatory compliance and meet security regulations, as it provides greater visibility across the entire network.
An IDS is a passive system, but some active IDS can, along with detection and generating alerts, block IP addresses or shut down access to restricted resources when an anomaly is detected.
How Does an Intrusion Prevention System Work?
An Intrusion Prevention System is treated as a more secure solution than an Intrusion Detection System because of its ability to act proactively and its combined threat detection and prevention capabilities. An Intrusion Prevention System works in inline mode. It contains a sensor that is located directly in the actual network traffic path, which deeply inspects all the network traffic as the packets pass through it. The inline mode allows the sensor to run in prevention mode, where it performs real-time packet inspection. Because of this, any identified suspicious or malicious packets are dropped immediately.
An Intrusion Prevention System can perform any of the following actions when it detects malicious activity in the network:
· Terminate the TCP session that is being exploited by an outsider for the attack. It blocks the offending user account or source IP address that attempts to access the target host, application, or other resources unethically.
· As soon as an IPS detects an intrusion event, it can also reconfigure or reprogram the firewall to prevent similar attacks in the future.
· IPS technologies are also smart enough to replace or remove the malicious contents of an attack. When used as a proxy, an IPS regulates the incoming requests. To perform this task, it repackages the payloads and removes header information that incoming requests contain. It also has the capability to remove infected attachments from an email before it is sent to its recipient in the internal network.
An Intrusion Prevention System uses four types of approaches to secure the network from intrusions:
· Signature-Based – In this approach, predefined signatures or patterns of well-known network attacks are encoded into the IPS device by its vendors. The predefined patterns are then used to detect an attack by comparing the patterns that an attack contains against the ones stored in the IPS. This method is also referred to as the Pattern-Matching approach.
· Anomaly-Based – In this approach, if any abnormal behavior or activity is detected in the network, the IPS blocks its access to the target device according to the criteria defined by the administrators. This method is also known as the Profile-Based approach.
· Policy-Based – In this approach, administrators configure security policies into the IPS device according to their network infrastructure and organization policies. If an activity attempts to violate the configured security policies, the IPS triggers an alarm to alert the administrators about the malicious activity.
· Protocol-Analysis-Based – This approach is somewhat similar to the Signature-Based approach. The difference between them is that the Protocol-Analysis-Based approach can perform much deeper data packet inspection, and is more resilient in detecting security threats than the Signature-Based approach.
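To make the four approaches concrete, here is an added Python example (not code from the original article or from any IPS vendor) that runs a toy detection engine over a handful of constructed packets. The signature names and patterns, the 5-port anomaly profile, the hypothetical policy that only the 10.0.1.0/24 application tier may reach the database port, and the HTTP request-line checks are all assumptions made for the example; each approach is a separate function so the difference between matching bytes, comparing against a profile, enforcing a policy, and decoding the protocol is visible in the findings it returns.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed sample packet: only the fields the toy checks look at."""
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    payload: bytes = b""


# 1. Signature-based: vendor-style byte patterns matched against the payload.
#    (Hypothetical signature names and patterns, constructed for this example.)
SIGNATURES = {
    "sig-001 shell-probe": b"/bin/sh",
    "sig-002 sql-tautology": b"' OR '1'='1",
}


def signature_check(pkt):
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


# 2. Anomaly (profile)-based: a per-source baseline of distinct destination
#    ports; exceeding the profile looks like a port sweep.
class AnomalyProfile:
    def __init__(self, max_ports=5):
        self.max_ports = max_ports
        self.ports_seen = defaultdict(set)

    def check(self, pkt):
        self.ports_seen[pkt.src].add(pkt.dport)
        n = len(self.ports_seen[pkt.src])
        if n > self.max_ports:
            return [f"anomaly: {pkt.src} touched {n} ports"]
        return []


# 3. Policy-based: administrator rules about who may talk to what. Hypothetical
#    rule: only the 10.0.1.0/24 application tier may reach the database port.
POLICY = [("10.0.1.", 5432)]   # (allowed source prefix, protected port)


def policy_check(pkt):
    for prefix, port in POLICY:
        if pkt.dport == port and not pkt.src.startswith(prefix):
            return [f"policy: {pkt.src} not allowed to port {port}"]
    return []


# 4. Protocol-analysis-based: decode the HTTP request line and check that it
#    is structurally valid, instead of only matching bytes.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def protocol_check(pkt):
    if pkt.dport != 80 or not pkt.payload:
        return []
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["proto: malformed HTTP request line"]
    if parts[0] not in HTTP_METHODS:
        return [f"proto: unknown method {parts[0]!r}"]
    if len(parts[1]) > 2048:
        return ["proto: oversized URI"]
    return []


class Engine:
    """Runs all four approaches over each packet and collects their findings."""
    def __init__(self):
        self.anomaly = AnomalyProfile()

    def inspect(self, pkt):
        return (signature_check(pkt) + self.anomaly.check(pkt)
                + policy_check(pkt) + protocol_check(pkt))


def run_sample():
    """Replay a constructed packet list; returns {packet index: findings}."""
    engine = Engine()
    packets = [
        Packet("10.0.1.5", "10.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
        Packet("10.0.1.5", "10.0.2.10", 80, "tcp", b"POST /login HTTP/1.1\r\n\r\nuser=' OR '1'='1"),
        Packet("10.0.1.5", "10.0.2.10", 5432, "tcp"),           # app tier -> DB: allowed
        Packet("192.0.2.7", "10.0.2.10", 5432, "tcp"),          # outsider -> DB: policy hit
        Packet("10.0.1.5", "10.0.2.10", 80, "tcp", b"\x16\x03\x01 not-http"),
    ]
    # A port sweep from one source: ports 20..26 exceed the 5-port profile.
    packets += [Packet("198.51.100.9", "10.0.2.10", p, "tcp") for p in range(20, 27)]
    return {i: engine.inspect(pkt) for i, pkt in enumerate(packets)}


if __name__ == "__main__":
    for i, findings in run_sample().items():
        print(i, findings or "clean")
```

Note how the approaches differ in what they need: the signature and protocol checks are stateless and decide on one packet, the anomaly profile only fires after it has seen enough traffic from a source to exceed its baseline, and the policy check never looks at the payload at all.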
Categories of Intrusion Prevention System
· Host-Based Intrusion Prevention System (HIPS) – A host-based IPS is a software application that is installed on specific systems such as servers, notebooks or desktops. These host-based agents or applications only protect the operating system and the applications running on the specific hosts on which they are installed. A host-based IPS program either blocks the attack at its end, or commands the operating system or application to stop the activity initiated by the attack.
· Network-Based Intrusion Prevention System (NIPS) – Network-Based IPS appliances are deployed in inline mode at the network perimeter. In a Network-Based IPS, all the incoming and outgoing network traffic that passes through it is inspected for potential security threats. As soon as the IPS identifies an attack, it blocks or discards the malicious data packet to prevent it from reaching the intended target.
A firewall that has an integrated Network-Based IPS feature contains at least two Network Interface Cards (NICs). One is selected as the internal NIC and is connected to the internal network of the organization. The other NIC is selected as the external one and is connected to the external link, which in most cases is the Internet.
As traffic is received at either of the NICs, it is deeply inspected by the detection engine of the integrated NIPS. If the NIPS perceives a malicious data packet, it instantaneously drops the packet and alerts the network security personnel about the event. After detecting a single malicious packet from the source, it then immediately discards all the other packets arriving from that particular TCP connection, or blocks the session permanently.
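The promiscuous-versus-inline distinction drawn earlier in the article, and the session blocking just described, are easiest to see by pushing the same packet stream through both kinds of device. The following is an added Python example, not code from the original article or from any IDS/IPS product; the packets, the single traversal signature it matches on, and the "push a deny rule to the firewall" step are constructed assumptions. The passive IDS returns every packet unchanged because it only ever sees a copy, while the inline IPS drops the malicious packet, discards the rest of that TCP connection, and refuses a later connection from the same source once the firewall rule is in place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample TCP packet."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

    @property
    def flow(self):
        # 4-tuple identifying the TCP connection (protocol is fixed to TCP here)
        return (self.src, self.sport, self.dst, self.dport)


# Hypothetical single signature, constructed for this example.
SIGNATURE = b"../../etc/passwd"


def is_malicious(pkt):
    return SIGNATURE in pkt.payload


class PassiveIDS:
    """Promiscuous mode: receives a copy of every packet from a SPAN port or
    tap. The real packet has already been forwarded, so the IDS can only
    alert (or ask a firewall/router to act) after the fact."""
    def __init__(self):
        self.alerts = []

    def process(self, pkt):
        if is_malicious(pkt):
            self.alerts.append(("alert", pkt.flow))
        return pkt          # delivery is never affected by the IDS itself


class InlineIPS:
    """Inline mode: every packet must pass through the sensor, so the verdict
    decides delivery. After one malicious packet the whole TCP connection is
    discarded, and a deny rule for the source is pushed to the firewall."""
    def __init__(self):
        self.alerts = []
        self.blocked_flows = set()
        self.firewall_denies = set()    # source addresses denied upstream

    def process(self, pkt):
        if pkt.src in self.firewall_denies or pkt.flow in self.blocked_flows:
            return None                             # dropped silently
        if is_malicious(pkt):
            self.alerts.append(("drop", pkt.flow))
            self.blocked_flows.add(pkt.flow)        # terminate the session
            self.firewall_denies.add(pkt.src)       # reconfigure the firewall
            return None
        return pkt


def replay(device, packets):
    """Feed packets through a device; returns the packets that reached the host."""
    return [out for out in (device.process(p) for p in packets) if out is not None]


# Constructed stream: one connection turns malicious on its 2nd packet, an
# unrelated client connects, then the first client opens a new connection.
SAMPLE = [
    Packet("198.51.100.20", 40001, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.20", 40001, "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.20", 40001, "10.0.0.5", 80, b"GET /next HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.8", 50123, "10.0.0.5", 80, b"GET /about HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.20", 40002, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


def compare(packets=SAMPLE):
    """Run the same stream through a passive IDS and an inline IPS."""
    ids, ips = PassiveIDS(), InlineIPS()
    ids_delivered = replay(ids, packets)
    ips_delivered = replay(ips, packets)
    return {
        "ids_delivered": len(ids_delivered),
        "ids_alerts": len(ids.alerts),
        "ips_delivered": len(ips_delivered),
        "ips_alerts": len(ips.alerts),
        "ips_blocked_flows": len(ips.blocked_flows),
        "ips_firewall_denies": sorted(ips.firewall_denies),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both devices raise exactly one alert on the same packet; the difference is entirely in delivery. The IDS lets all five packets reach the host, including the malicious one and the follow-ups on its connection, which is the "allows some malicious traffic to pass before it can respond" behaviour described earlier. The IPS delivers only the first clean packet and the unrelated client's request.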
How Do Intrusion Detection Systems Work?
Intrusion detection systems are used to detect anomalies with the aim of catching hackers before they do real damage to a network. They can be either network- or host-based. A host-based intrusion detection system is installed on the client computer, while a network-based intrusion detection system resides on the network.
Intrusion detection systems work by either looking for signatures of known attacks or deviations from normal activity. These deviations or anomalies are pushed up the stack and examined at the protocol and application layer. They can effectively detect events such as Christmas tree scans and domain name system (DNS) poisonings.
An IDS may be implemented as a software application running on customer hardware or as a network security appliance. Cloud-based intrusion detection systems are also available to protect data and systems in cloud deployments.
Based on the actions they take, intrusion detection systems are categorized as passive or active. A passive IDS that detects malicious activity generates alerts or log entries but does not take action; an active IDS, sometimes called an intrusion detection and prevention system (IDPS), generates alerts and log entries but can also be configured to take actions, like blocking IP addresses or shutting down access to restricted resources.
Snort, one of the most widely used intrusion detection systems, is an open source, freely available and lightweight NIDS that is used to detect emerging threats. Snort can be compiled on most Unix or Linux operating systems (OSes), with a version available for Windows as well.