IPS IDS

      The Intrusion prevention system / Intrusion Detection Systems (IPS/IDS) industry faces a major challenge in seeking to provide the necessary solutions to current and future threats.

 At the same time, this challenge presents vast opportunities to the IPS/IDS companies able to deliver effective functions, integrate systems, and maximize security and productivity per currency invested. The growing acceptance of cutting-edge IPS/IDS technologies in the private and public sectors is forecast-ed to drive the perimeter IPS/IDS market growth.

The rise in criminal theft and terror attacks are the key factors that drive the IPS/IDS and services market. Increasing leaning towards business and residential security system automation raises the demand for these systems and services.

In this article we will try to understand about Intrusion prevention system / Intrusion Detection Systems (IPS/IDS) and types of (IPS/IDS).

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) solutions built an integral part of a robust network defense solution.

What is Intrusion Prevention System (IPS) 

Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents.

An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. An IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 (Network) and Layer 4 (Transport) to ensure that their headers, states, and so on are those specified in the protocol suite.

What is Intrusion Detection System (IDS) 

Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents, violations, or imminent threats to your security policies.

An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack. It monitors all network packets right from OSI Layer 2 (Data) to Layer 7 (Application), and stores this vast amount of information in its database.

The main difference between them is that IDS is a monitoring system, while IPS is a control system.

IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

Intrusion Prevention System (IPS) and its Benefits

In addition to raising an alarm, IPS can also configure rules, policies and required actions upon capturing these alarms. It can also be classified into NIPS (network intrusion prevention system) which is placed at specific points on the network to monitor and protect the network from malicious activity or HIPS (host intrusion prevention system) which is implemented on each host to monitor its activities and take necessary actions on detection of anomalous behavior. Using signature or anomaly based detection technique, IPS can:

1.     Monitor and evaluate threats, catch intruders and take action in real time to thwart such instances that firewall or antivirus software may miss.

2.     Prevent DoS/DDoS attacks.

3.     Maintain the privacy of users as IPS records the network activity only when it finds an activity that matches the list of known malicious activities.

4.     Stop attacks on the SSL protocol or prevent attempts to find open ports on specific hosts.

5.     Detect and foil OS fingerprinting attempts that hackers use to find out the OS of the target system to launch specific exploits.

An IPS is an active control mechanism that monitors the network traffic flow. It identifies and averts vulnerability exploits in the form of malicious inputs that intruders use to interrupt and gain control of an application or system.

Intrusion Detection System (IDS) and its Benefits.

1.     It monitors the working of routers, firewall, key servers and files. It uses its extensive attack signature database, raises an alarm and sends appropriate notifications on detecting a breach.

2.     By using the signature database, IDS ensures quick and effective detection of known anomalies with a low risk of raising false alarms.

3.     It analyzes different types of attacks, identifies patterns of malicious content and help the administrators to tune, organize and implement effective controls.

4.     It helps the company maintain regulatory compliance and meet security regulations as it provides greater visibility across the entire network.

IDS is a  passive system,  but some active IDS can, along with detection and generating alerts, block IP addresses or shut down access to restricted resources when an anomaly is detected.

How Intrusion Prevention System Works?

An Intrusion Prevention System is treated as secure solution as compared to Intrusion Detection System due to its ability to act proactively and threat detection and prevention capabilities. An Intrusion Prevention System works in in-line mode. It contains a sensor that is located directly in the actual network traffic route, which deep inspects all the network traffic as the packets passes through it. The in-line mode allows the sensor to run in prevention mode where it performs real-time packet inspection. Because of this, any identified suspicious or malicious packets are dropped immediately.

An Intrusion Prevention System can perform any of the following actions as it detects any malicious activity in the network:

·         Terminates the TCP session that is being exploited by an outsider for the attack. It blocks the offending user account or source IP address that attempts to access the target host, application, or other resources unethically.

·         As soon as an IPS detects an intrusion event, it can also reconfigure or reprogram the firewall to prevent the similar attacks in future.

·         IPS technologies are also smart enough to replace or remove the malicious contents of an attack. When used as a proxy, an IPS regulates the incoming requests. To perform this task, it repackages the payloads, and removes header information that incoming requests contain. It also has the capability to remove the infected attachments from an email before it is sent to its recipient in the internal network.

Intrusion Prevention System uses four types of approaches to secure the network from intrusions which include:

·         Signature-Based – In this approach, predefined signatures or patterns of well-known network attacks are encoded into the IPS device by its vendors. The predefined patterns are then used to detect an attack by comparing the patterns that an attack contains, against the ones that are stockpiled in IPS. This method is also referred to as Pattern-Matching approach.

·         Anomaly-Based – In this approach, if any abnormal behavior or activity is detected in the network, an IPS blocks its access to the target device as per the criteria defined by the administrators. This method is also known as Profile-based approach.

·         Policy-Based – In this approach, administrators configure security policies into an IPS device according to their network infrastructure and organization policies. If an activity attempts to violate the configured security policies, an IPS triggers an alarm to alert the administrators about the malicious activity.

·         Protocol-Analysis-Based – This approach is somewhat similar to Signature-Based approach. The only difference between Signature-Based approach and Protocol-Analysis-Based approach is that the latter can perform much deeper data packet inspection, and is more resilient in detecting security threats as compared to Signature-Based.

Categories of Intrusion Prevention System

·         Host-Based Intrusion Prevention System (HIPS) – A host-based IPS is a software application that is installed on specific systems such as servers, notebooks or desktops. These host-based agents or applications only protect the operating system and the applications running on those specific hosts on which they are installed. A host-based IPS program either blocks the attack from its end, or commands operating system or application to stop the activity initiated by the attack.

·         Network-Based Intrusion Prevention System (NIPS) – Network-Based IPS appliances are deployed in in-line mode within the network parameter. In Network-Based IPS, all the incoming and outgoing network traffic that passes through it is inspected for potential security threats. As soon as the IPS identifies an attack, it blocks or discards the malicious data packet to prevent it from reaching to the intended target.

A firewall that has integrated Network-Based IPS feature contains at least two Network Interface Cards (NICs). One is selected as internal NIC and is connected to the internal network of the organization. The other NIC is selected as the external one and is connected to the external link, which in most cases is the Internet.

As the traffic is received at either of the NICs, it is deep inspected by the detection engine of integrated NIPS. If the NIPS perceives a malicious data packet, it instantaneously drops the data packet and alerts the network security personnel about the event. After detecting a single malicious packet from the source, it then immediately discards all the other packets arriving from that particular TCP connection, or blocks the session permanently.

How intrusion detection systems work?

Intrusion detection systems are used to detect anomalies with the aim of catching hackers before they do real damage to a network. They can be either network- or host-based. A host-based intrusion detection system is installed on the client computer, while a network-based intrusion detection system resides on the network.

Intrusion detection systems work by either looking for signatures of known attacks or deviations from normal activity. These deviations or anomalies are pushed up the stack and examined at the protocol and application layer. They can effectively detect events such as Christmas tree scans and domain name system (DNS) poisonings.

An IDS may be implemented as a software application running on customer hardware or as a network security appliance. Cloud-based intrusion detection systems are also available to protect data and systems in cloud deployments.

Based on the actions, intrusion detection systems were categorized as passive or active. A passive IDS that detected malicious activity would generate alert or log entries but would not take action; an active IDS, sometimes called an intrusion detection and prevention system (IDPS), would generate alerts and log entries but could also be configured to take actions, like blocking IP addresses or shutting down access to restricted resources.

Snort -- one of the most widely used intrusion detection systems -- is an open source, freely available and lightweight NIDS that is used to detect emerging threats. Snort can be compiled on most Unix or Linux operating systems (OSes), with a version available for Windows as well.