chapter 3-3.5 IDS and IPS
IDS and IPS
IDS- is designed to monitor all inbound and outbound network activity
and also identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system
the TCP/IP packets are examined in a number of ways after they are confirmed
can be configured to block the intruder's IP when an alert is generated in response to activity from that same IP.
IPS- can be any device that uses access control to guard systems from misuse by attackers
IPS needs to function as an IDS in order to output considerably fewer false positives
application content is the key for making access control decisions.
employs access control for securing systems from abuse: via enhancement of the IDS
IDS concept:Monitoring- an action of gathering data from a data source and passing it to an analysis engine.
host/target separation
host/target co-location
IDS concepts:Goals- to identify abnormal behavior of the network or misuse of resources.
Characteristics of IDS
imposes the least overhead on the system
observes deviations from normal behavior
runs constantly without human supervision
system errors cannot be overlooked by the IDS
IPS deployment risk:
an exploit defeats the attempted block
session interception and IDS identification
blocking of legitimate traffic
Importance of IDS
deals with large amounts of data
provides the system administrator the ability to calculate attacks
creates a database of the types of attacks
Types of IDS
gateway intrusion detection
host-based memory and process protection