Bucaro TecHelp
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)

Many organizations employ Intrusion Detection Systems to detect and report attacks against their networks. An IDS can detect unauthorized port scans, unauthorized attempts to use File Transfer Protocol (FTP) or Telnet to reach hosts on the network, some sniffing attacks (for example the ARP spoofing an attacker uses to redirect traffic through a machine that is monitoring it), repeated failed login attempts, and many other kinds of malicious activity on the network.

An IDS is passive: it monitors copies of the packets that traverse the network and compares the traffic to a set of rules. If anything in the traffic matches a rule, the IDS logs the event and raises an alert. It does not itself block anything; network administrators then use their judgment about the seriousness of the threat and what countermeasures to take.

Behavior Based IDS

When you first activate a behavior based IDS, it records various parameters such as traffic volume, bandwidth usage, disk usage, processor and memory usage, and other system activity over a period of time in order to build a baseline of normal behavior. After that it looks for statistical anomalies relative to that baseline; a large enough deviation from normal triggers an alarm. One advantage of a behavior based IDS is that it can detect new attack methods for which no signature exists yet. One disadvantage is that system behavior fluctuates for many legitimate reasons (a backup job, a busy day, a newly deployed application), so it produces a high number of false alarms. A second caveat is that whatever happens during the learning period becomes "normal": if the network is already compromised when the baseline is taken, that activity will not be flagged later.
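The baseline-then-anomaly idea above, as an added example (not code from the original page): a behavior based detector learns the mean and spread of "connections per minute" from a training window, then flags any later minute that deviates by more than k standard deviations. The metric, the threshold k=3, the training window and the sample values are all assumptions chosen for illustration; note that the legitimate surge in the live stream is flagged just like the real scan, which is the false-alarm problem described above.

```python
# Added example: behavior-based (anomaly) detection over a constructed series
# of "connections per minute" samples. Not code from the original page; the
# baseline window, the threshold k and the sample values are assumptions.
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


def learn_baseline(samples):
    """Build the 'normal behavior' profile from a training window.

    Caveat: if an attack is already under way while the baseline is learned,
    the attack traffic becomes part of 'normal' and will not be flagged later.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate variance")
    return Baseline(statistics.mean(samples), statistics.pstdev(samples))


def is_anomalous(value, baseline, k=3.0):
    """Flag a sample more than k standard deviations above the baseline mean."""
    if baseline.stdev == 0:
        # Degenerate baseline (constant training data): any increase is abnormal.
        return value > baseline.mean
    return (value - baseline.mean) / baseline.stdev > k


def detect(stream, baseline, k=3.0):
    """Return (minute_index, value) pairs that deviate from the baseline."""
    return [(i, v) for i, v in enumerate(stream) if is_anomalous(v, baseline, k)]


# Constructed training data: 30 quiet minutes of roughly 44-56 connections/min.
TRAINING = [52, 48, 55, 50, 47, 53, 49, 51, 56, 44, 50, 52, 48, 54, 51,
            49, 53, 47, 50, 52, 55, 46, 51, 50, 48, 53, 49, 52, 51, 50]

# Constructed live stream: normal minutes, one legitimate surge (a backup job
# at minute 3), then a genuine scan at minute 7. Both exceed the threshold,
# which is exactly the false-alarm problem the text describes.
LIVE = [50, 53, 49, 400, 51, 48, 52, 1800, 50]

if __name__ == "__main__":
    b = learn_baseline(TRAINING)
    print(f"baseline mean={b.mean:.1f} stdev={b.stdev:.1f}")
    for minute, value in detect(LIVE, b):
        print(f"minute {minute}: {value} conns/min deviates from baseline")
```

In a real deployment the baseline would be per time-of-day and per host or segment rather than one global number, and the threshold would be tuned against the false-alarm rate the operations team can live with.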

Signature Based IDS

The signature based IDS, also known as a misuse-detection IDS or rule-based IDS, uses a database of attack signatures similar to the signatures used by anti-virus software, except that instead of describing viruses, the entries describe known intrusion patterns. For example, the signature of a SYN flood (a TCP flood attack) is a large number of half-open TCP sessions, connections where the SYN was received but the three-way handshake was never completed. The signature of a port scan is a single source sending connection requests to many different ports in a short time. Another signature might be packets with malformed headers that a legitimate client would never send.

As with anti-virus software, new attacks are developed all the time, so it is important to keep the signature database updated: a signature based IDS cannot detect an attack that no signature describes. In exchange it produces far fewer false alarms than a behavior based IDS, because each rule describes a specific pattern that legitimate traffic rarely matches.

Host Based

A host based IDS (HIDS) uses software installed on the individual computers on a network. It collects and analyzes several different log files (kernel, system, application server, and others) and compares those logs against a database of known attack signatures to detect whether an attack is in progress on that host. Because it runs on the host, it sees events that never appear on the wire, such as a local privilege escalation attempt or a change to a critical system file.
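A small host based check of the kind described above, as an added example that is not code from the page: a list of log signatures (a regular expression plus a hit count and a severity) is matched against authentication log lines, counting hits per signature and per source. The line formats mimic OpenSSH and sudo syslog output, but the signature list, the counts and the sample lines are constructed for illustration.

```python
# Added example: host-based detection run over constructed syslog lines.
# Not code from the page; the line formats mimic OpenSSH and sudo syslog
# output, and the signature list, counts and sample lines are assumptions.
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSignature:
    name: str
    pattern: re.Pattern   # must define a named group 'key' to count hits by
    min_count: int        # alert only after this many hits for one key
    severity: str


SIGNATURES = [
    LogSignature("ssh brute force",
                 re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                            r"from (?P<key>[\d.]+) port \d+"),
                 min_count=5, severity="medium"),
    LogSignature("root login over ssh",
                 re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (?P<key>[\d.]+)"),
                 min_count=1, severity="high"),
    LogSignature("sudo by unauthorized user",
                 re.compile(r"sudo: +(?P<key>\w+) : user NOT in sudoers"),
                 min_count=1, severity="high"),
]


def analyze(lines):
    """Match every line against every signature; report (signature, key) pairs over threshold."""
    hits = Counter()
    for line in lines:
        for sig in SIGNATURES:
            m = sig.pattern.search(line)
            if m:
                hits[(sig.name, m["key"])] += 1
    by_name = {s.name: s for s in SIGNATURES}
    return [
        {"signature": name, "key": key, "count": n, "severity": by_name[name].severity}
        for (name, key), n in hits.items()
        if n >= by_name[name].min_count
    ]


# Constructed excerpt in the style of /var/log/auth.log.
SAMPLE_LOG = [
    "Mar  3 10:00:01 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 50123 ssh2",
    "Mar  3 10:00:05 web1 sshd[2230]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2",
    "Mar  3 10:00:06 web1 sshd[2231]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2",
    "Mar  3 10:00:07 web1 sshd[2232]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "Mar  3 10:00:08 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "Mar  3 10:00:09 web1 sshd[2234]: Failed password for root from 203.0.113.7 port 40005 ssh2",
    "Mar  3 10:00:30 web1 sshd[2240]: Failed password for deploy from 10.0.0.5 port 50124 ssh2",
    "Mar  3 10:01:00 web1 sudo:    bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:02:00 web1 sshd[2250]: Accepted password for root from 203.0.113.7 port 40010 ssh2",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['signature']}: {hit['key']} ({hit['count']} hits)")
```

The single failed login from 10.0.0.5 stays below the brute-force count and is not reported; the five failures from 203.0.113.7 followed by a successful root login from the same address are, which is the sequence an administrator most wants to see together.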

Network Based IDS

Whereas a host based IDS uses software installed on individual computers, a network based IDS (NIDS) examines packets as they cross the network. On a switched network it cannot simply listen from any port, so it is usually fed a copy of the traffic from a switch mirror (SPAN) port or a network tap. It audits packet information, logs any suspicious packets to a special log file, compares them against a database of known network attack signatures, and assigns each match a severity level. At a preconfigured severity level it transmits an alarm.

Juniper Networks IDP 1100C Intrusion Detection and Prevention Security Appliance

An Intrusion Prevention System provides all the functions of an IDS, but also automatically takes measures to stop the detected attack. To do that it must sit inline, with the traffic passing through it, rather than listening to a copy of the traffic as an IDS does. The IPS can drop the offending packets, block the attacker's IP address, disable the user account from which the attack is being launched, or shut down the targeted host, service, or application.

An IPS can also mitigate some attacks on the network, for example by removing an infected attachment from an email before forwarding the email to the user, or by automatically reconfiguring a firewall or router to block the attacking traffic.

One problem with an IPS is that it sometimes gets false positives and then automatically blocks legitimate traffic. Because it sits inline, it is also a single point of failure and a source of latency, and it needs to be tuned frequently to detect new threats while keeping false positives to a minimum. For these reasons, most organizations use both an IDS and an IPS.

The IPS is used to automatically block the attacks its rules identify accurately, while the IDS logs and notifies network administrators of suspicious activity so they can use their judgment about the seriousness of the threat and what countermeasures to take. When vendors place both IDS and IPS functions in the same piece of software or hardware, they frequently call it an Intrusion Detection and Prevention System (IDPS).
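The division of labor just described, as an added example that is not code from the page or from any vendor: every alert is logged (the IDS half), but an automatic block is applied only when the alert's signature has a high enough confidence, never against an allowlisted network, and only for a limited time so that a false positive cannot cut off a source forever. The alert fields, the confidence values, the allowlist and the block expiry are assumptions.

```python
# Added example: an IPS response policy that acts only on high-confidence
# alerts and leaves the rest for an administrator, with an allowlist and a
# block expiry so a false positive cannot permanently cut off a host.
# Not code from the page; alert fields, confidences and thresholds are assumptions.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    confidence: float   # 0..1: how rarely this signature produces false positives


@dataclass
class Ips:
    auto_block_at: float = 0.9                      # below this, log only
    block_ttl_s: int = 600                          # blocks expire; no permanent damage
    allowlist: list = field(default_factory=list)   # networks that are never blocked
    blocked: dict = field(default_factory=dict)     # ip -> expiry time (seconds)
    log: list = field(default_factory=list)         # what the IDS half records

    def _allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.allowlist)

    def handle(self, alert, now):
        """Record the alert; return 'block' if an automatic block was applied, else 'log'."""
        # Expire old blocks first so the table does not grow without bound.
        self.blocked = {ip: exp for ip, exp in self.blocked.items() if exp > now}
        self.log.append((now, alert.signature, alert.src))
        if alert.confidence < self.auto_block_at:
            return "log"            # leave it for a human to judge
        if self._allowlisted(alert.src):
            return "log"            # never auto-block trusted infrastructure
        self.blocked[alert.src] = now + self.block_ttl_s
        return "block"

    def permits(self, ip, now):
        """Would traffic from ip be forwarded at time now?"""
        exp = self.blocked.get(ip)
        return exp is None or exp <= now


def scenario():
    """Constructed alerts: a flood, a low-confidence anomaly, and a scan from an internal scanner."""
    ips = Ips(allowlist=["10.0.0.0/24"])
    actions = [
        ips.handle(Alert("SYN flood", "198.51.100.7", 0.95), now=0),
        ips.handle(Alert("anomalous bandwidth", "203.0.113.9", 0.40), now=1),
        ips.handle(Alert("port scan", "10.0.0.5", 0.97), now=2),   # the LAN's own vulnerability scanner
    ]
    return ips, actions


if __name__ == "__main__":
    ips, actions = scenario()
    for (ts, sig, src), action in zip(ips.log, actions):
        print(f"t={ts} {sig:20} {src:14} -> {action}")
```

The port scan from 10.0.0.5 is exactly the case the text warns about: a legitimate internal vulnerability scanner that a naive IPS would block; here the allowlist turns it into a logged event for the administrators to review.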


Follow @Stephen Bucaro
Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268