IDS, IPS, IDPS
By Minhaz
2k12/CO/001
Information and Network Security
What is a Firewall?
A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set.
A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.
So is a well-configured FIREWALL enough?
Intrusion Detection System
It monitors network or system activities for malicious activities or policy violations and produces a report to the authority! It is used for:
- Detecting individuals violating security policies.
- Documenting existing threats!
- Identifying problems with security policies!
IDS can be classified into the following categories:
1. HIDS (Host IDS) and NIDS (Network IDS)
2. Passive and Reactive
3. Statistical anomaly based & signature based
HIDS
Runs on a host in a network! It maintains a snapshot of the system and after any event it compares the snapshot with the current one; if any important system files are deleted, the admin is notified and the request pattern is logged.
NIDS
Placed at a point within the network. It performs analysis of packets passing through the entire subnet. It is normally installed where the firewall is!
PASSIVE
Detects a potential breach! Logs it! Signals an alert to the administrator.
REACTIVE
Responds to suspicious activities by resetting connections or by reprogramming the firewall to block network traffic from the malicious source! It is called IDPS: Intrusion Detection and Prevention System!
Note: Software that can reset the connection (incoming or outgoing) to mitigate a possible attack is called an Intrusion Prevention System!
Statistical Anomaly based IDS
Will monitor the network traffic & compare it against an established baseline. It will have figured out what is normal for a network, considering parameters like:
- Bandwidth
- Protocols
- Ports
- Devices connected to each other!
Signature based IDS
Monitors and matches against a database of signatures or attributes of malicious threats. (Similar to anti-viruses)!
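An added example (not part of the original slides) showing the two detection styles side by side on constructed flow records: signature matching against a small pattern database, and anomaly scoring against a baseline of normal ports and traffic volume built from the first records. Record fields, signatures and the z-score threshold are assumptions for illustration.

```python
import statistics

# Constructed sample flow records, not real traffic: (src_ip, dst_port, bytes, payload)
FLOWS = [
    ("10.0.0.5", 443, 1200, b"GET /index.html"),
    ("10.0.0.5", 443, 1100, b"GET /about.html"),
    ("10.0.0.7", 22, 900, b"SSH-2.0-OpenSSH"),
    ("10.0.0.9", 80, 1300, b"GET /login"),
    ("10.0.0.9", 80, 1250, b"POST /login"),
    ("10.0.0.9", 80, 1150, b"GET /dashboard"),
    ("192.0.2.77", 80, 1200, b"GET /index.php?id=1' OR '1'='1"),  # known-bad payload
    ("10.0.0.5", 31337, 90000, b"..."),  # unusual port and volume, no known signature
]

# Signature-based: match payloads against a database of known-bad patterns (like anti-virus).
SIGNATURES = {
    "sqli-tautology": b"' OR '1'='1",
    "dir-traversal": b"../../",
}

def signature_alerts(flows):
    """Return (signature_name, src_ip) for every flow whose payload contains a known pattern."""
    alerts = []
    for src, _port, _nbytes, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((name, src))
    return alerts

# Anomaly-based: learn what is "normal" (ports seen, typical byte count) from training flows.
def build_baseline(training):
    sizes = [b for _, _, b, _ in training]
    return {"ports": {p for _, p, _, _ in training},
            "mean": statistics.mean(sizes),
            "stdev": statistics.pstdev(sizes)}

def anomaly_alerts(flows, baseline, z=3.0):
    """Flag flows on a port never seen in training or with a byte count beyond z standard deviations."""
    alerts = []
    for src, port, nbytes, _payload in flows:
        reasons = []
        if port not in baseline["ports"]:
            reasons.append("unknown-port")
        if abs(nbytes - baseline["mean"]) > z * baseline["stdev"]:
            reasons.append("volume-outlier")
        if reasons:
            alerts.append((src, port, reasons))
    return alerts

# Reactive (IDPS) behaviour: turn the alerts into a firewall block list instead of only logging them.
def block_list(sig_alerts, anom_alerts):
    return sorted({src for _, src in sig_alerts} | {src for src, _, _ in anom_alerts})
```

Each method catches the record the other misses: the SQL injection payload has a normal size on a normal port, while the port-31337 flow has no signature but deviates from the baseline.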
Limitations
1. The number of real attacks is smaller than the number of false alarms!
2. Outdated signatures can raise a lot of false positives, as software might have been updated!
3. The database needs to be updated regularly with new signatures.
4. Encrypted packets cannot be matched against patterns!
5. The source address in IP packets is used as the main parameter, but it can be faked.
Thanks
Good questions are welcomed!
Hard ones not!!