Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
By Stephen Bucaro
Many organizations employ Intrusion Detection Systems to detect and report attacks
against their networks. An IDS can detect unauthorized port scans, unauthorized
attempts to use File Transfer Protocol or Telnet to access the network, sniffing
attacks where an attacker monitors network traffic, unauthorized attempts to login,
and several other types of malicious attacks on the network.
An IDS is passive, monitoring packets of data that traverse the network and comparing
the traffic to a set of rules. If anything in the traffic matches a rule, the IDS
logs the event and sets off an alarm. Network administrators can then use their
judgment as to the seriousness of the threat and what countermeasures to take.
Behavior Based IDS
When you first activate a behavior based IDS, it creates a log of various network
parameters such as traffic, bandwidth usage, disk usage, processor and memory usage,
and other system activity over a period of time in order to create a baseline. Then
the behavior based IDS looks for anomalies based on statistics from normal behavior.
Certain variations from normal behavior trigger an alarm. One advantage of the
behavior based IDS is that it can quickly detect new attack methods. One disadvantage
of this type of IDS is that system behavior can fluctuate for many legitimate reasons,
so it produces a high number of false alarms.
Signature Based IDS
The signature based IDS, also known as a misuse-detection IDS or rule-based IDS,
uses a database of attack signatures similar to the signatures used by anti-virus software,
but instead of containing virus data, it contains data that describe known intrusion
attack patterns. For example, the signature of a TCP flood attack would be a
large number of half-open TCP sessions. The signature of a port scan would be a large
number of requests to communicate with different ports. Another form of attack might
be packets with malformed headers.
As with anti-virus software, because new attacks are being developed all the time, it's
important to keep the signature database updated. A signature based IDS produces fewer
false alarms compared to a behavior-based IDS.
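A minimal signature-based detector for the two signatures described above, a port scan (one source contacting many ports on a host) and a large number of half-open TCP sessions, added here as an example; it is not code from the original article, and the flow records and thresholds are constructed for illustration:

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): one dict per TCP connection
# attempt. state is "SYN" for a half-open session (SYN sent, handshake never
# completed) or "ESTABLISHED" for a completed handshake.
SAMPLE_FLOWS = (
    # one source probing many ports on one host: the port-scan signature
    [{"src": "10.0.0.5", "dst": "10.0.0.20", "dport": p, "state": "ESTABLISHED"}
     for p in range(20, 35)]
    # many half-open sessions against one host: the half-open flood signature
    + [{"src": f"192.0.2.{i}", "dst": "10.0.0.30", "dport": 80, "state": "SYN"}
       for i in range(1, 41)]
    # ordinary traffic that should not match any rule
    + [{"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 443, "state": "ESTABLISHED"},
       {"src": "10.0.0.8", "dst": "10.0.0.20", "dport": 22, "state": "ESTABLISHED"}]
)


def detect_port_scans(flows, min_ports=10):
    """Rule: a single source talking to at least min_ports distinct destination
    ports on one host. Returns {(src, dst): distinct_port_count} for matches."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_half_open_floods(flows, min_half_open=25):
    """Rule: at least min_half_open sessions stuck in SYN state against one
    destination. Returns {dst: half_open_count} for matches."""
    half_open = defaultdict(int)
    for f in flows:
        if f["state"] == "SYN":
            half_open[f["dst"]] += 1
    return {d: n for d, n in half_open.items() if n >= min_half_open}


def run_rules(flows):
    """Apply every signature rule and return the alerts an IDS would log."""
    alerts = []
    for (src, dst), n in detect_port_scans(flows).items():
        alerts.append(f"PORT SCAN: {src} contacted {n} ports on {dst}")
    for dst, n in detect_half_open_floods(flows).items():
        alerts.append(f"HALF-OPEN FLOOD: {n} incomplete handshakes to {dst}")
    return alerts


if __name__ == "__main__":
    for line in run_rules(SAMPLE_FLOWS):
        print(line)
```

The thresholds are the tuning knobs the article mentions: set them too low and ordinary traffic matches, too high and a slow scan slips through.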
Host Based IDS
A host based IDS uses applications installed on individual computers on a network and
it creates and analyzes several different log files (kernel, system, server, and others)
and compares those logs against a database of known attack signatures to detect if an
attack is in process.
Network Based IDS
Whereas host based IDS uses applications installed on individual computers to detect
if an attack is in process, a network-based IDS scans packets at hubs, routers, and
switches to detect if an attack is in process. It audits packet information, and logs
any suspicious packets into a special log file. It compares this log file against a
database of known network attack signatures and assigns a severity level. At a preconfigured
severity level it will transmit an alarm.
(Image: Juniper Networks IDP 1100C)
Intrusion Detection and Prevention
An Intrusion Prevention System provides all the functions of an IDS, but also
automatically takes measures to stop the detected attack. The IPS can block the
attacker's IP address, block the user account from which the attack occurs, or
shut down the targeted host, service, or application.
An IPS can mitigate some attacks on the network, for example by removing an infected
attachment from an email before forwarding the email to the user. An IPS can automatically
reconfigure a firewall or router to block an attack.
One problem with an IPS is that it sometimes gets false positives and takes automatic
measures to block legitimate traffic. An IPS needs to be frequently reconfigured to
detect new threats while minimizing the number of false positives. Because of this
problem with an IPS, most organizations use both an IDS and an IPS.
The IPS can be used to automatically block attacks where it is accurate, while the
IDS can be used to log and notify network administrators of suspicious activity so
they can use their judgment as to the seriousness of the threat and what
countermeasures to take. When vendors place both IDS and IPS functions in the same piece
of software or hardware, they frequently call it an Intrusion Detection and Prevention System (IDPS).