INTRUSION DETECTION SYSTEM (IDS) and INTRUSION PREVENTION SYSTEM (IPS)
INTRUSION DETECTION SYSTEM (IDS)
An IDS monitors all inbound and outbound host activity and
identifies suspicious patterns on the network that indicate an
attack.
The TCP/IP packets are examined in a number of ways
after they are captured.
IDS CONCEPT
ARCHITECTURE
2 PRIMARY ARCHITECTURAL COMPONENTS OF IDS:
: HOST TARGET CO-LOCATION
The IDS usually protects the systems that are running under its control.
: HOST TARGET SEPARATION
Separating the IDS host machine from the target system improves the security of the IDS.
MONITORING
Monitoring refers to an action of gathering data from a data source and passing it to an analysis engine.
4 DIFFERENT STRATEGIES OF THE MONITORING PROCESS ARE:
: HOST-BASED MONITOR
Gathers data from sources internal to a system, normally at the operating system level.
: NETWORK-BASED MONITOR
Collects data from network packets, using network interfaces that are set to promiscuous mode.
: APPLICATION-BASED MONITOR
Gathers data from the applications that are running.
: TARGET-BASED MONITOR
Creates the data on its own.
GOALS
The main goal of IDS is to identify abnormal behavior of network or misuse of resources.
2 SPECIFIC GOALS OF IDS
: ACCOUNTABILITY
The capability to link a given activity or event to the party responsible for initiating it.
: RESPONSE
The capability to recognize an attack and take action to block that attack.
CHARACTERISTICS OF IDS
Runs constantly without human supervision
Survives a system crash and must be fault tolerant
Imposes the least overhead on the system
Observes deviations from normal behavior
Adapts to changes in the system and its technologies
System errors cannot be overlooked by the IDS
INTRUSION PREVENTION SYSTEM (IPS)
Can be any device that uses access control to guard systems from misuse by attackers.
An IPS needs to function as an IDS that produces considerably fewer false positives.
Application content is the key for making access control decisions.
3 PREVENTION STRATEGIES OF IPS
: HOST-BASED MEMORY AND PROCESS PROTECTION
In this strategy the IPS monitors the execution of processes.
Disables any process that looks malicious.
: SESSION INTERCEPTION
Terminating a session by sending a reset (RST) packet.
This can be done when the flexible response plug-in is enabled.
: GATEWAY INTRUSION DETECTION
Snort uses gateway ID to block the hostile traffic.
Uses SnortSam to manipulate the access list of blocked traffic.
IPS DEPLOYMENT RISK
SESSION INTERCEPTION AND IDS IDENTIFICATION
: Snort terminates a TCP session when it detects an attack, with the help of an RST packet.
EXPLOIT DEFEATS THE ATTEMPTED BLOCK: when there is a time gap between the IPS detecting the attack and ordering a change in the access control lists, the exploit can complete before the block takes effect.
SELF-INFLICTED DENIAL-OF-SERVICE: modifying the actual source address to a forged address is called spoofing; if the IPS blocks a spoofed source that belongs to a legitimate host, it denies service to that host itself.
BLOCKING LEGITIMATE TRAFFIC: an IPS blocks legitimate traffic whenever a legitimate packet is misidentified as illegitimate.
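The self-inflicted denial-of-service and blocking-legitimate-traffic risks above, shown as a simulated auto-blocking responder: this is an added example with constructed alerts and addresses, not code from the original notes or from Snort/SnortSam. It assumes a hypothetical never-block list of infrastructure hosts and a short block TTL as the two mitigations.

```python
"""Simulated auto-blocking IPS illustrating two deployment risks:
self-inflicted denial of service (spoofed sources) and blocking legitimate traffic.
Added example with constructed data; not code from any real IPS product."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AutoBlocker:
    """Blocks alert sources for a limited time, but never infrastructure hosts."""
    never_block: list            # networks whose loss would be a self-inflicted DoS
    block_ttl: int = 60          # seconds; a short TTL bounds the cost of a wrong block
    blocked: dict = field(default_factory=dict)   # src ip -> expiry time
    refused: list = field(default_factory=list)   # alerts that were logged, not enforced

    def handle_alert(self, src_ip: str, now: int) -> str:
        ip = ip_address(src_ip)
        # Refuse to act on a source inside protected infrastructure: an attacker can
        # forge that address (spoofing), and enforcing would deny service to our own host.
        if any(ip in ip_network(n) for n in self.never_block):
            self.refused.append((src_ip, now))
            return "logged-only"
        self.blocked[src_ip] = now + self.block_ttl
        return "blocked"

    def is_blocked(self, src_ip: str, now: int) -> bool:
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:            # expired: a false positive only costs block_ttl seconds
            del self.blocked[src_ip]
            return False
        return True


# Constructed sample alerts (src ip, time in seconds). 10.0.0.53 plays "our DNS server",
# so an alert naming it as the source is treated as a probable spoof and only logged.
SAMPLE_ALERTS = [("198.51.100.7", 0), ("10.0.0.53", 5), ("198.51.100.7", 10)]


def run_sample(alerts=SAMPLE_ALERTS) -> dict:
    ips = AutoBlocker(never_block=["10.0.0.0/24"], block_ttl=60)
    decisions = [ips.handle_alert(ip, t) for ip, t in alerts]
    return {
        "decisions": decisions,                                   # blocked, logged-only, blocked
        "dns_blocked": ips.is_blocked("10.0.0.53", 20),           # False: never self-DoS
        "attacker_blocked_at_30": ips.is_blocked("198.51.100.7", 30),    # True
        "attacker_blocked_at_100": ips.is_blocked("198.51.100.7", 100),  # False: TTL expired
        "refused": len(ips.refused),
    }


if __name__ == "__main__":
    print(run_sample())
```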
TYPES OF IDS
Network-based IDS
Host-based IDS
Distributed IDS
Protocol-based IDS
IMPORTANCE OF IDS
It creates a database of the types of attacks
It deals with large amount of data
It possesses built-in forensic and reporting capabilities
It provides the system administrator with the ability to quantify attacks
It identifies both external attackers and internal network-based attacks