INTRUSION PREVENTION SYSTEM (IPS)
OUTLINE
- Introduction
- Objectives
- IPS detection methods
- Classifications
- IPS vs. IDS
- IPS vs. Firewall
INTRODUCTION
Intrusion: a set of actions aimed at compromising the integrity, confidentiality, or availability of a computing or networking resource. Typical examples are exploits against operating systems and applications, such as buffer overflows, cross-site scripting, and other vulnerabilities.
Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and system activity for malicious or harmful behaviour and act on what they find.
OBJECTIVES
The main objectives of an intrusion prevention system are to:
- identify malicious activity;
- log information about that activity;
- attempt to block or stop the harmful activity;
- report the malicious activity.
IPS DETECTION METHODS
Most intrusion prevention systems rely on one of two main detection methods, signature-based detection and statistical anomaly-based detection; a third approach, protocol analysis, is described after them.
Signature-based detection
This method uses signatures of known attack patterns that are preconfigured and predetermined (typically a byte pattern or regular expression tied to a protocol, port and direction).
A signature-based IPS monitors network traffic for matches to these signatures.
Once a match is found, the IPS takes the action configured for that signature, for example raising an alert or dropping the packet.
It can only catch attacks for which a signature already exists, and a signature is only as good as its match conditions: the same attack delivered over an unexpected port, or encoded differently, slips past.
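As an added example (not from the original slides, and not Snort's code), the following Python script implements the signature-matching loop described above over a small Snort-style rule subset. The rule syntax parsed here is a deliberately tiny subset of Snort's (header fields plus the content, nocase, msg and sid options) and the rules and packets are constructed inline for the example; an alert rule records a match while a drop rule ends inspection of that packet, as an inline IPS would.

```python
"""Signature-based detection over a small Snort-style rule subset.

Added example, not from the original slides and not Snort's code. Supported
rule syntax (an assumption for the example): header
  <action> <proto> <src> <sport> -> <dst> <dport> ( options )
with options content:"..."; nocase; msg:"..."; sid:N;  Content strings may
embed hex bytes between pipes, e.g. "GET |0d 0a|". Packets are constructed inline.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass)\s+(?P<proto>tcp|udp|ip)\s+\S+\s+\S+\s*->\s*"
    r"\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [needle_bytes, nocase_flag] pairs


def decode_content(text):
    """Turn a Snort content string into bytes, expanding |hex| segments."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = Rule(m["action"], m["proto"], m["dport"])
    last_content = None
    # Options are ';'-separated key:value pairs (nocase is a bare key that
    # modifies the content option before it). Content values containing ';'
    # are not supported by this toy parser.
    for opt in m["opts"].split(";"):
        key, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if key == "content":
            last_content = [decode_content(value), False]
            rule.contents.append(last_content)
        elif key == "nocase" and last_content is not None:
            last_content[1] = True
        elif key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
    return rule


def matches(rule, pkt):
    """Header fields first (cheap), then every content pattern must be present."""
    if rule.proto != "ip" and pkt["proto"] != rule.proto:
        return False
    if rule.dst_port != "any" and str(pkt["dport"]) != rule.dst_port:
        return False
    for needle, nocase in rule.contents:
        haystack = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in haystack:
            return False
    return True


def inspect(rules, packets):
    """Return one (action, sid) verdict per packet. An 'alert' records the
    match but lets inspection continue; a 'drop' is final, as inline would be."""
    verdicts = []
    for pkt in packets:
        verdict = ("pass", None)
        for rule in rules:
            if matches(rule, pkt):
                verdict = (rule.action, rule.sid)
                if rule.action == "drop":
                    break
        verdicts.append(verdict)
    return verdicts


# Constructed rule set and traffic.
RULES = [parse_rule(r) for r in (
    'drop tcp any any -> any 80 (msg:"Directory traversal in URI"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"SQL UNION in request"; content:"union select"; nocase; sid:1000002;)',
    'drop tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; nocase; sid:1000003;)',
)]

PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /item?id=1 UNION SELECT user,pass FROM t HTTP/1.1\r\n"},
    {"proto": "tcp", "dport": 21, "payload": b"site exec %p%p%p%p\r\n"},
    {"proto": "tcp", "dport": 8080, "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},  # same attack, unexpected port
]

if __name__ == "__main__":
    for pkt, (action, sid) in zip(PACKETS, inspect(RULES, PACKETS)):
        print(f"{action:5} sid={sid} dport={pkt['dport']} {pkt['payload'][:40]!r}")
```

The last packet shows the classic signature limitation: the same traversal payload on port 8080 passes, because the rule is bound to port 80. Real rule sets get round this with port variables and preprocessors that normalise the traffic before matching.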
Statistical anomaly-based (behaviour-based) detection
A statistical anomaly-based IPS first learns what normal network activity looks like: how much bandwidth is generally used, which protocols are in use, and which ports and devices usually talk to each other.
It then alerts the administrator or user, and blocks the offending traffic, when activity deviates from that baseline. Because it compares against a learned profile rather than known attack patterns, it can catch novel attacks, at the cost of false positives when legitimate behaviour changes and of missing attackers who stay within the normal range.
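The baseline-and-deviation logic described above, as an added example that is not part of the original slides: it learns a per-feature mean and standard deviation from twelve minutes of constructed traffic summaries for one host and flags a new minute when any feature is three or more standard deviations away. The feature names, the sample values and the three-sigma threshold are assumptions made for the example.

```python
"""Statistical anomaly-based detection over per-minute traffic summaries.

Added example; not from the original slides or any IPS product. Each record
summarizes one minute of a single host's traffic. The feature names and all
sample values are constructed for the example.
"""
import math
from statistics import mean, pstdev

FEATURES = ("bytes_out", "connections", "distinct_dst_ports")

# Constructed baseline: twelve "normal" minutes for one workstation.
BASELINE = [
    {"bytes_out": 820_000, "connections": 41, "distinct_dst_ports": 3},
    {"bytes_out": 760_000, "connections": 38, "distinct_dst_ports": 3},
    {"bytes_out": 910_000, "connections": 45, "distinct_dst_ports": 4},
    {"bytes_out": 690_000, "connections": 35, "distinct_dst_ports": 2},
    {"bytes_out": 845_000, "connections": 40, "distinct_dst_ports": 3},
    {"bytes_out": 800_000, "connections": 39, "distinct_dst_ports": 3},
    {"bytes_out": 930_000, "connections": 47, "distinct_dst_ports": 4},
    {"bytes_out": 710_000, "connections": 36, "distinct_dst_ports": 2},
    {"bytes_out": 870_000, "connections": 44, "distinct_dst_ports": 3},
    {"bytes_out": 790_000, "connections": 42, "distinct_dst_ports": 3},
    {"bytes_out": 860_000, "connections": 43, "distinct_dst_ports": 4},
    {"bytes_out": 740_000, "connections": 37, "distinct_dst_ports": 3},
]


def learn_profile(samples):
    """Per-feature (mean, standard deviation) over the training window."""
    return {f: (mean([s[f] for s in samples]), pstdev([s[f] for s in samples]))
            for f in FEATURES}


def score(profile, observation):
    """Largest absolute z-score across features, and the feature that produced it."""
    worst_z, worst_feature = 0.0, None
    for f in FEATURES:
        mu, sigma = profile[f]
        if sigma == 0:  # constant feature in training: any change is infinitely odd
            z = 0.0 if observation[f] == mu else math.inf
        else:
            z = abs(observation[f] - mu) / sigma
        if z > worst_z:
            worst_z, worst_feature = z, f
    return worst_z, worst_feature


def classify(profile, observation, threshold=3.0):
    """'anomalous' if any feature is `threshold` or more standard deviations off."""
    z, feature = score(profile, observation)
    return ("anomalous", feature) if z >= threshold else ("normal", None)


# Constructed test minutes: ordinary traffic, bulk exfiltration, a port scan,
# and a "low and slow" attacker who keeps every feature inside three sigma.
OBSERVATIONS = {
    "quiet minute": {"bytes_out": 830_000, "connections": 42, "distinct_dst_ports": 3},
    "exfiltration": {"bytes_out": 9_500_000, "connections": 40, "distinct_dst_ports": 3},
    "port scan": {"bytes_out": 300_000, "connections": 450, "distinct_dst_ports": 200},
    "low and slow": {"bytes_out": 1_000_000, "connections": 48, "distinct_dst_ports": 4},
}


def run(baseline=BASELINE, observations=OBSERVATIONS):
    """Classify every observation against a profile learned from the baseline."""
    profile = learn_profile(baseline)
    return {name: classify(profile, obs) for name, obs in observations.items()}


if __name__ == "__main__":
    profile = learn_profile(BASELINE)
    for name, obs in OBSERVATIONS.items():
        z, feature = score(profile, obs)
        print(f"{name:13} z={z:7.2f} on {feature}: {classify(profile, obs)[0]}")
```

Exfiltration stands out on bytes_out and the scan on distinct_dst_ports, while the fourth observation, which an attacker can tune to sit inside the normal range, is reported as normal. Production systems use rolling windows and per-time-of-day profiles so that the baseline tracks legitimate change without drifting towards the attacker's behaviour.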
Protocol analysis detection
Protocol analysis detection looks for anomalies specific to a protocol: it identifies traffic that violates the TCP/IP protocol specifications (or application protocols such as HTTP) rather than matching known attack content.
This model has only recently been integrated into IPS products.
The number of malicious signatures grows incredibly fast, so a signature database must be updated frequently to keep detecting attacks. Network protocols, by comparison, are well defined and change slowly, so a protocol model stays valid for much longer.
Protocol analysis systems are therefore easier to maintain, because they require few or no signature updates. The trade-off is that implementations which bend the specification (buggy clients, unusual but legitimate traffic) raise the same alerts as attacks.
The best way to present an alarm is to explain which part of the protocol state machine was violated. For that, IPS operators need a thorough knowledge of the protocol design; the best starting point is the documentation provided with the IDS/IPS product.
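An added example (not from the slides or any IPS product) of what protocol analysis checks in practice: TCP flag combinations that a conforming stack never emits, and HTTP/1.x request heads that break the grammar in RFC 9112. There are no attack signatures here; every check is derived from how the protocol is defined. The sample flag bytes and requests are constructed inline, and the 2048-byte request-target limit is a local policy assumed for the example, not an RFC limit.

```python
"""Protocol-analysis detection: flag deviations from how TCP and HTTP/1.x are
specified to behave, with no attack signatures involved.

Added example; not from the original slides or any IPS product. The flag bytes
and request heads below are constructed inline.
"""
import re

# TCP control bits as laid out in the header (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flag_anomalies(flags):
    """Names of the specification violations in one segment's flag byte.

    A conforming stack never emits these combinations; scanners (nmap -sN,
    -sF, -sX) and some evasion tools do.
    """
    problems = []
    if flags == 0:
        problems.append("null segment (no flags)")
    if flags & SYN and flags & FIN:
        problems.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        problems.append("SYN and RST set together")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        problems.append("FIN/PSH/URG together (Xmas)")
    if flags & FIN and not flags & (ACK | SYN):
        problems.append("FIN without ACK")
    return problems


# RFC 9112 grammar pieces: a field name is a token; the request line is
# method SP request-target SP HTTP-version.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
MAX_TARGET = 2048  # local policy, not an RFC limit; assumption for the example


def http_anomalies(raw):
    """Check one HTTP/1.x request head (bytes) against the protocol grammar."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("no CRLFCRLF terminating the header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        problems.append("non-ASCII bytes in request head")
        return problems
    m = REQUEST_LINE.match(lines[0])
    if not m:
        problems.append("malformed request line")
    else:
        method, target, _version = m.groups()
        if method not in KNOWN_METHODS:
            problems.append("unknown method " + method)
        if len(target) > MAX_TARGET:
            problems.append(f"request-target over {MAX_TARGET} bytes")
    content_lengths = 0
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            problems.append("malformed header field: " + line[:40])
            continue
        if name.lower() == "content-length":
            content_lengths += 1
            if not value.strip().isdigit():
                problems.append("non-numeric Content-Length")
    if content_lengths > 1:
        problems.append("multiple Content-Length headers")  # request-smuggling precondition
    return problems


if __name__ == "__main__":
    for flags in (SYN, ACK | PSH, SYN | FIN, 0, FIN | PSH | URG):
        print(f"flags=0x{flags:02x}: {tcp_flag_anomalies(flags) or 'ok'}")
    for req in (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 13\r\n\r\n",
                b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
                b"\x90\x90\x90\xcc\xcc"):
        print(f"{req[:30]!r}: {http_anomalies(req) or 'ok'}")
```

Two Content-Length headers or a 3000-byte request-target are flagged without knowing any exploit by name, and a NOP sled sent where a request line should be is caught as non-ASCII head bytes. A sloppy but harmless client that sends "Host example.test" without the colon trips the same check, which is the false-positive cost noted above.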
CLASSIFICATIONS
Intrusion prevention systems can be classified into four different types:
Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity. In a NIPS, sensors are located at the network borders. The sensors capture all network traffic, analyze the content of individual packets for malicious content, and drop what they find.
Example: Snort. Snort is a free and open source network intrusion detection and prevention system created by Martin Roesch in 1998. It was developed by Sourcefire, which Cisco acquired in 2013; Cisco maintains it today.
CONTINUED
Host-based intrusion prevention system (HIPS): an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host.
Example: OSSEC. OSSEC is a free, open source host-based intrusion detection system (HIDS) whose active-response feature lets it block detected attacks, which is what makes it usable as a HIPS. It supports most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
Log file monitoring (LFM): a log file monitor watches the log files created by network services and searches them for signs of malicious activity. In a manner similar to a NIDS, these systems look for patterns in the log files that suggest an intrusion (for example, repeated failed logins from one source).
File integrity checking (FIC): these mechanisms check for Trojan horses, or files that have otherwise been modified, indicating that an intruder has already been there.
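Added example, not from the original slides and not OSSEC's code: two host-based checks of the kind described under LFM and FIC above. The first monitors a constructed sshd auth.log excerpt for password brute force by counting failures per source address; the second hashes a constructed set of system files with SHA-256 and diffs a later snapshot against the baseline. The dict standing in for the filesystem, the log lines and the five-failure threshold are assumptions for the example.

```python
"""Two host-based checks: a log-file monitor that finds SSH password brute
force in auth.log lines, and a file-integrity check that diffs SHA-256 hashes
against a baseline.

Added example; not from the original slides and not OSSEC's code. The log
lines and the "filesystem" (a dict of path -> bytes) are constructed inline.
"""
import hashlib
import re
from collections import defaultdict

# Constructed auth.log excerpt in OpenSSH sshd format.
AUTH_LOG = """\
Mar  3 10:01:07 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:09 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:11 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:01:13 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar  3 10:01:15 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:40 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 41002 ssh2
Mar  3 10:02:02 web1 sshd[2213]: Failed password for alice from 198.51.100.33 port 41110 ssh2
Mar  3 10:03:30 web1 sshd[2215]: Accepted password for alice from 198.51.100.33 port 41112 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def ssh_bruteforce_sources(log_text, threshold=5):
    """Return {src_ip: (failure_count, sorted usernames tried)} for every
    source at or above `threshold` failed password attempts."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
    return {src: (n, sorted(users[src])) for src, n in failures.items() if n >= threshold}


def hash_tree(files):
    """SHA-256 of every file; `files` maps path -> bytes and stands in for a
    real filesystem walk."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(baseline, current):
    """Classify each path as modified, removed or added relative to the baseline."""
    report = {"modified": [], "removed": [], "added": []}
    for path, digest in baseline.items():
        if path not in current:
            report["removed"].append(path)
        elif current[path] != digest:
            report["modified"].append(path)
    report["added"] = sorted(set(current) - set(baseline))
    report["modified"].sort()
    report["removed"].sort()
    return report


# Constructed snapshots: a clean baseline, then the state after an intruder
# trojans /bin/ls, deletes the login records and drops a hidden helper.
CLEAN = {
    "/bin/ls": b"\x7fELF...original ls...",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/log/wtmp": b"\x00\x01binary login records",
}
TAMPERED = {
    "/bin/ls": b"\x7fELF...trojaned ls that hides the attacker's files...",
    "/etc/passwd": CLEAN["/etc/passwd"],
    "/usr/local/bin/.helper": b"\x7fELF...setuid shell...",
}

if __name__ == "__main__":
    print("brute force sources:", ssh_bruteforce_sources(AUTH_LOG))
    print("integrity report:", integrity_diff(hash_tree(CLEAN), hash_tree(TAMPERED)))
```

The single failure from 198.51.100.33 followed by a success is an ordinary typo and stays below the threshold, while 203.0.113.7 is reported together with the account names it tried. The hash comparison is only as trustworthy as the baseline: keep it off-host or signed, and hash the checker itself, or an intruder who already has root simply rewrites both.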
HOW IDS WORKS?
An IDS works with a copy of the traffic (from a network tap or mirror port). It can detect an attack and send an alert (and take other actions), but it cannot prevent the attack, because it does not operate on the traffic inline in the forwarding path.
HOW IPS WORKS?
An IPS operates in inline mode: the IPS device sits in the actual traffic path, so it can drop a malicious packet before it reaches its destination. This makes the device more effective against worms and atomic attacks (attacks carried out in a single packet), which an out-of-band IDS can only report after the packet has already been delivered. The flip side of being inline is that the IPS adds latency and becomes a point of failure, so its fail-open or fail-closed behaviour has to be chosen deliberately.
IPS VS. IDS
An IDS typically records information about observed malicious events, notifies security administrators of important events, and produces reports.
An IPS is considered an extension of the intrusion detection system, because both monitor network traffic and system activity for malicious activity.
But unlike an intrusion detection system, an intrusion prevention system can actively prevent or block the intrusions it detects.
Detection: alarm or alert. Prevention: stop the attack before it gets into the network.
IPS VS. FIREWALL
An IPS monitors the system for unwanted entry, reports or alerts the user about it, and prevents the connection.
A firewall monitors the system based on rules set by the user and regulates the activity between the system and the Internet.
Therefore, to protect the system from unwanted intrusions, it is always recommended to use a firewall in conjunction with an intrusion prevention system (IPS).
This is also why the majority of Internet security products come with both a firewall and an IPS.
IPS VS. FIREWALL (CONTINUED)
The firewall has static rules. The IPS learns and creates rules (or gets them added through updates from the manufacturer).
You want the firewall because, if all packets were allowed onto the network, the IPS would be overwhelmed; you cannot just run an IPS on its own (if you had 1000 people in your house, the security guard inside could not watch them all).
But you want the IPS to add a second layer of intelligence beyond the rules enforced at the firewall (someone looking for shady behaviour inside the house gives a better level of security).