
Upload: minhaz-av

Post on 17-Jul-2015


Page 1: IDS, IPS, IDPS

IDS, IPS, IDPS

By Minhaz

2k12/CO/001

[email protected]

Information and Network Security

Page 2: IDS, IPS, IDPS

What is a Firewall?

A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set.

A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed to be neither secure nor trusted.

Page 3: IDS, IPS, IDPS

So is a well-configured FIREWALL enough??

Page 4: IDS, IPS, IDPS
Page 5: IDS, IPS, IDPS

Intrusion Detection System

It monitors network or system activities for malicious activities or policy violations and produces a report to the authority! It is used for:

- Detecting individuals violating security policies.

- Documenting existing threats!

- Identifying problems with security policies!

An IDS can be classified into the following categories:

1. HIDS (Host IDS) and NIDS (Network IDS)

2. Passive and Reactive

3. Statistical anomaly-based & signature-based

Page 6: IDS, IPS, IDPS

HIDS (Host IDS)

Runs on a host in the network! It maintains a snapshot of the system and, after any event, compares the current state against that snapshot; if any important system files are deleted, the admin is notified and the request pattern is logged.

NIDS (Network IDS)

Placed at a point within the network. It analyses the packets passing through the entire subnet.

It's normally installed where the firewall is!

Page 7: IDS, IPS, IDPS

PASSIVE

Detects a potential breach! Logs it! Signals an alert to the administrator.

REACTIVE

Responds to suspicious activities by resetting connections or by reprogramming the firewall to block network traffic from the malicious source! It's called IDPS: Intrusion Detection and Prevention System!

Note: Software that can reset a connection (incoming or outgoing) to mitigate a possible attack is called an Intrusion Prevention System!

Page 8: IDS, IPS, IDPS

Statistical Anomaly-based IDS

Monitors the network traffic & compares it against an established baseline. It will have figured out what is normal for the network, considering parameters like:

- Bandwidth

- Protocols

- Ports

- Devices connected to each other!

Signature-based IDS

Monitors traffic and matches it against a database of signatures or attributes of malicious threats (similar to anti-virus software)!
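To make slides 7 and 8 concrete, here is an added toy IDS (example code, not part of the slides) that runs a signature matcher and a statistical baseline over constructed flow records, then answers either passively (report only) or reactively (emit firewall block rules). The Flow record, the two signatures and all IP addresses are hypothetical; the encrypted 443 flow shows limitation 4 from slide 9: signatures see nothing, only the anomaly detector fires.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str        # source IP; slide 9 warns it can be faked, so never trust it alone
    dst_port: int
    nbytes: int
    payload: str    # "" for encrypted traffic: nothing for signatures to match (slide 9)

# Signature-based IDS: match against a database of known-bad patterns (anti-virus style).
SIGNATURES = {"sql-injection": "' OR '1'='1", "path-traversal": "../../etc/passwd"}

def signature_alerts(flows):
    return [(name, f.src) for f in flows
            for name, pat in SIGNATURES.items() if pat in f.payload]

# Anomaly-based IDS: learn what is normal (bandwidth, ports) and flag deviations.
def learn_baseline(normal_flows):
    mean = sum(f.nbytes for f in normal_flows) / len(normal_flows)
    return {"mean_bytes": mean, "ports": {f.dst_port for f in normal_flows}}

def anomaly_alerts(flows, baseline, factor=5.0):
    alerts = []
    for f in flows:
        if f.nbytes > factor * baseline["mean_bytes"]:
            alerts.append(("bandwidth-spike", f.src))
        if f.dst_port not in baseline["ports"]:
            alerts.append(("unknown-port", f.src))
    return alerts

# Passive vs reactive (slide 7): passive only logs/alerts; reactive also emits block rules.
def respond(alerts, reactive=False):
    report = [f"ALERT {name} from {src}" for name, src in alerts]
    if not reactive:
        return report, []
    return report, [f"iptables -A INPUT -s {src} -j DROP"
                    for src in sorted({src for _, src in alerts})]

# Constructed sample traffic (not real captures). Baseline mean is 1100 bytes.
NORMAL = [Flow("10.0.0.2", 443, 1200, ""), Flow("10.0.0.3", 80, 900, "GET /index.html"),
          Flow("10.0.0.4", 443, 1500, ""), Flow("10.0.0.2", 80, 800, "GET /about")]
TEST = [Flow("10.0.0.9", 80, 950, "GET /login?user=' OR '1'='1"),  # signature hit
        Flow("10.0.0.7", 443, 20000, ""),      # encrypted: only the anomaly detector sees it
        Flow("10.0.0.8", 8081, 700, "hello"),  # port never seen in the baseline
        Flow("10.0.0.3", 80, 900, "GET /index.html")]  # benign, matches baseline

def run(reactive=False):
    """Return (report lines, firewall rules) for the constructed TEST traffic."""
    alerts = signature_alerts(TEST) + anomaly_alerts(TEST, learn_baseline(NORMAL))
    return respond(alerts, reactive)
```

Calling run() gives the passive result (three alerts, no rules); run(reactive=True) adds one DROP rule per alerting source, which is exactly the step that turns an IDS into an IDPS.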

Page 9: IDS, IPS, IDPS

Limitations

1. The number of real attacks is smaller than the number of false alarms!

2. Outdated signatures can raise a lot of false positives, as the software might have been updated!

3. The database needs to be updated regularly with new signatures.

4. Encrypted packets cannot be matched against patterns!

5. The source address in IP packets is used as the main parameter, but it can be faked.

Page 10: IDS, IPS, IDPS

Thanks

Good questions are welcomed!

Hard ones not!!