Intrusion Detection System Vs. Intrusion Prevention System

Intrusion Detection System (IDS) is a computer security system that monitors network traffics for malicious activities and alert the network administrator when malicious activities detected. IDS performs a passive monitoring and implement in passive/promiscuous mode. IDS can detect the malicious activities but cannot prevent it. IDS have these capabilities include:
  • Monitoring about malicious activities
  • Auditing about malicious activities
  • Forensics about malicious activities
  • Reporting about malicious activities
Figure 1: Intrusion Detection System
  1. Attacker sends a malicious traffic via internet to the target host.
  2. Data packets will reach to both network and IDS.
  3. In IDS, packet will be inspected by sensor.
  4. Store the log report on management console.

Intrusion Prevention System (IPS) is a computer security mechanism that inspect a network traffics for malicious activities (security threats or policy violations) and take actions for detected activities. IPS have capabilities include:
  • Identify any malicious activity on the network.
  • Send an alarm to the network administrator when malicious activity detected on the network system.
  • Drop the malicious packets.
  • Block the traffics from the source address that malicious packets arrived.
  • Record the activities on management console.
  • Reset the connection.
IPS performs an active monitoring and implement in inline mode. IPS can be divided into two types. Host-based IPS and network based IPS.

Figure 2: Intrusion Prevention System
  1. Attacker sends a malicious traffic via internet to the target host.
  2. Data packet will reach to IPS and will be inspected by sensor.
  3. Store the log report on management console and record actions.
  4. Send the malicious packet to the bit bucket and drop it.
Step 3 and 4 will happen at the same time.

COMPARISON BETWEEN IDS AND IPS

IDS
IPS
Implement in passive/promiscuous mode
Implement in inline mode
Performs passive monitoring
Performs active monitoring
Can detect malicious traffics and alert about it in details
Can block malicious traffics and drop them into the bit bucket
No impact on the network performance and even if sensor failure or overload occurs
Some impact on the network performance, slow down the traffics on network and sensor failures stops the traffics flow (single point of failure)
Cannot stop malicious traffics from reaching the destination
Can stop any type of malicious traffics from reaching the destination

TYPES OF IPS

There are two types of IPS.
Host-based IPS: The popular technology nowadays because users need basic knowledge about the network. Each host device has an IPS. Inspect and protect Operating System (OS) and its process that specific to the host. The encrypted traffics can be inspected. Need to specify rules for each device. The main disadvantage is IPS doesn’t have a view of the overall network.

Figure 3: Host-based IPS

Network-based IPS: Only one IPS has been implemented to the whole network. Users need to have an advance knowledge about the network. The sensors placed at designated network points. Only plain text traffic can be inspected. Need to specify the rules to overall network. The main advantage is can view the attacks on the overall network because network-based IPS has the overall view of the network. The disadvantages are network bottleneck and single point of failure.

Figure 4: Network-based IPS


DETECTION AND PREVENTION

Signature: A signature is set of rules that an IDS/IPS used to represent a malicious behaviors. When IDS/IPS scanning the network traffics, they use signatures to detect known malicious behaviors and take actions against them before reaching the destination. If a new malicious behavior identified which is not contains in current signatures, new signature must be initiated and upload it to the IDS/IPS. The initiated file has been called as “signature file”.

Signatures have three distinct attributes:
Signature type: Atomic signature and Stateful signature
  • Atomic: examine a single packet or activity. If an alarm triggered, perform a single signature action. Do not require IDS/IPS to maintain state information.
  • Stateful: examine multiple packets or activities. Perform multiple signature actions. An IDS/IPS need to maintain state information. The length of time that a signature maintain state information is called “event horizon”.
Signature trigger: Pattern-based, Anomaly-based, Policy-based and Honeypot-based
  • Pattern-based detection: search for a specific known signatures. Triggers an action if a match is detected.
  • Anomaly-based detection: first, specify the normal behaviors of the network. This can be done by monitoring network activities, specific applications. Triggers an action if unknown activity occurs beyond the normal behaviors.
  • Policy-based detection: instead of defining patterns, define behaviors for malicious activities based on past experience.
  • Honeypot-based detection: uses a dummy server to attract attackers and distract from the real network. Able to analyze incoming attacks and malicious traffic patterns to find new types of malicious traffic.
Figure 5: Signature alarm types

Signature action: when a signature detects an activity or series of activities, signature triggers one or more actions.
  • Generating an alert.
  • Reporting the activity.
  • Dropping or preventing the activity.
  • Blocking the future activities.
  • Resetting TCP connection.


Comments

Post a Comment

Popular posts from this blog

Cross Site Request Forgery Prevention - Synchronizer Token Pattern

Image
With the Synchronizer Token approach, the server embeds a dynamic hidden variable in an input form. When the form is submitted, the server can check to make sure that the hidden variable is present and that it is the correct value. In login.php, we have to generate a session identifier and set it as a cookie inside the web browser. At the same time it generates the “CSRF token” and saves it in the server side. The generated token is mapped to the session identifier. In profile.php, You will see the form which you have to fill out a form providing your name, IT No and the faculty. What you can see is that there is a hidden field in this form which has the value of the received CSRF token. When this page loads, it executes an Ajax call which calls CSRF.php via a JavaScript which invokes the endpoint for obtaining the CSRF token created. What happens in the endpoint; which is submit.php in our case, it accepts the HT
Read more

Social Login with Facebook

Image
Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google+, to sign into a third party website instead of creating a new login account specifically for that website. Social login is often implemented using the OAuth standard. OAuth is a secure authorization protocol which is commonly used in conjunction with authentication to grant 3rd party applications a "session token" allowing them to make API calls to providers on the user’s behalf. Sites using the social login in this manner typically offer social features such as commenting, sharing, reactions and gamification. Step 1 : Create an application in the developer account on Facebook. Go to https://developers.facebook.com/ create a new application. Provide a display name for your application and your contact email and create the application. Once your app is created, associate “Facebook Login” with it.
Read more