Understanding IDS and IPSs
Intrusion detection systems (IDSs)
Help detect attacks on systems and networks.
An IDS can respond to what it detects either passively or actively.
The Two Primary IDS Types
1- Host-based IDSs (HIDSs)
Installed on individual servers and workstations.
A HIDS protects the individual host: it can detect potential attacks against that host and protect critical operating system files.
A HIDS monitors the traffic that passes through the host's network interface card (NIC).
Many host-based IDSs have expanded to also monitor application activity.
A HIDS can help detect malicious software (malware) that traditional antivirus software might miss. Because of that, many companies install it on every workstation as a second layer of protection.
A HIDS on a server is used primarily to monitor network traffic reaching the server; a HIDS on a workstation is used primarily to monitor network traffic reaching the workstation.
2- Network-based IDSs (NIDSs)
Installed on network devices such as routers and firewalls.
Monitors activity on the network as a whole rather than on a single host.
An anomaly must cause a significant difference in network traffic for a NIDS to detect it.
A NIDS can inspect only plaintext (unencrypted) traffic; it cannot look inside encrypted payloads, so an attack carried inside a TLS session is invisible to it unless the traffic is decrypted somewhere before the sensor.
Both types detect attacks either through predefined attack signatures or by detecting anomalies.
The primary goal of any IDS is to monitor traffic and raise an alert when it sees an attack.
Intrusion prevention systems (IPSs):
Stop attacks in progress by detecting and blocking attacks on systems and networks.
An IPS responds actively to prevent the attack.
It is similar to an active IDS with one distinctive difference: an IPS is always placed in-line with the traffic, so it can stop an attack before it reaches the protected network. An IDS that watches a copy of the traffic (a tap or mirror port) can only react after the packets have already passed.
A passive IDS
logs an alert and may also notify personnel of the alert; it does not change the environment.
Signature-based (or definition-based)
Monitoring detects attacks based on known attack patterns (signatures); an attack with no signature yet is not detected, so the signature database must be kept up to date.
Anomaly-based (also called behavior-based or heuristics-based)
A. Monitoring detects attacks by first identifying normal operation through a baseline.
B. It then compares current operations against the baseline to detect abnormal behavior. The baseline must be refreshed when normal operations change, or legitimate changes will raise false alerts.
An active IDS
• logs and possibly informs personnel of the alert, and also takes action to change the environment (for example, adding a firewall rule that blocks the attacking source).
IDSs and IPSs can detect a SYN flood attack (a burst of SYN packets from a source that never completes the handshakes) and, when active, respond to block the attack.
Both IDSs and IPSs have protocol analyzer (sniffer) capabilities, which is how they read the packets they monitor.
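The following is an added example, not part of the original notes and not the code of any vendor product. It ties together the two detection methods (signature-based and anomaly-based with a baseline), the two response modes (passive vs. active), the SYN flood case, and the plaintext-only limitation: a tiny IDS loop over constructed packet records. All addresses, the signature list, the packets and the "TLS" bytes are made up for the example; the baseline factor of 5 is an arbitrary tuning choice.

```python
"""Added example (not from the original notes or any vendor product):
a tiny IDS/IPS loop showing signature-based vs. anomaly-based detection
and passive vs. active response. All packets, signatures and addresses
below are constructed for this example."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags: "S" = SYN, "PA" = PSH+ACK
    payload: bytes = b""


# Constructed signature list (name, byte pattern). A real NIDS rule set
# (Snort/Suricata style) also carries protocol, ports and rule options.
SIGNATURES = [
    ("sqli_union_select", b"UNION SELECT"),
    ("dir_traversal", b"../../"),
]


def signature_matches(pkt: Packet) -> list[str]:
    """Signature-based detection: look for known attack patterns in the payload.
    Works only on plaintext; an encrypted payload simply never matches."""
    return [name for name, pattern in SIGNATURES if pattern in pkt.payload]


def syn_baseline(normal_traffic: list[Packet]) -> float:
    """Anomaly-based detection, step A: learn normal operation.
    Baseline = average SYNs per source host in known-good traffic."""
    syns = Counter(p.src for p in normal_traffic if p.flags == "S")
    return sum(syns.values()) / len(syns) if syns else 0.0


def syn_flood_sources(traffic: list[Packet], baseline: float, factor: float = 5.0) -> list[str]:
    """Anomaly-based detection, step B: compare current traffic to the baseline.
    A source whose SYN count exceeds factor * baseline is flagged as a SYN flood."""
    syns = Counter(p.src for p in traffic if p.flags == "S")
    return sorted(src for src, n in syns.items() if n > baseline * factor)


def run_ids(traffic: list[Packet], baseline: float, active: bool) -> tuple[list, list[str]]:
    """Returns (alerts, blocked_sources).
    Passive IDS: alerts only. Active IDS / IPS: alerts and also changes the
    environment, modelled here as a block list that would be pushed to a firewall."""
    alerts = []
    for pkt in traffic:
        for sig in signature_matches(pkt):
            alerts.append(("signature", sig, pkt.src))
    for src in syn_flood_sources(traffic, baseline):
        alerts.append(("anomaly", "syn_flood", src))
    blocked = sorted({src for _, _, src in alerts}) if active else []
    return alerts, blocked


# Constructed traffic: ten internal hosts each opening one connection ...
NORMAL = [Packet(f"10.0.0.{i}", "10.0.0.100", 80, "S") for i in range(1, 11)]

# ... then the same hosts plus a SYN flood from one external source, one
# plaintext HTTP request carrying a SQL injection, and one TLS record whose
# payload the sensor cannot read (hypothetical bytes, not a real capture).
ATTACK = NORMAL + [
    Packet("203.0.113.9", "10.0.0.100", 80, "S") for _ in range(50)
] + [
    Packet("10.0.0.5", "10.0.0.100", 80, "PA", b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.100", 443, "PA", b"\x17\x03\x03\x00\x20" + bytes(32)),
]

if __name__ == "__main__":
    base = syn_baseline(NORMAL)
    for mode in (False, True):
        alerts, blocked = run_ids(ATTACK, base, active=mode)
        print("active" if mode else "passive", alerts, "blocked:", blocked)
```

Running it in passive mode yields the two alerts (a signature hit for the SQL injection from 10.0.0.5 and a SYN flood anomaly for 203.0.113.9) and an empty block list; active mode yields the same alerts plus both sources on the block list. The TLS-looking packet from 10.0.0.7 produces nothing in either mode, which is the plaintext-only limitation from the NIDS notes in action. Note the anomaly threshold is relative to the learned baseline: if the baseline is computed while an attack is already under way, the flood becomes "normal" and is not flagged.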