IDS/IPS

This work is licensed under a Creative Commons Attribution 4.0 International License.
Intrusion Prevention Systems (IPS) are monitoring systems that detect suspicious activities or policy violations and drop noncompliant packets.
Intrusion Detection Systems (IDS) are monitoring systems that detect suspicious activities or policy violations and generate alerts when detected.
Intrusion Prevention System
An IPS also enforces network security policies based on predefined rules or heuristics. It not only detects malicious activities but also takes proactive measures to prevent or block the activity in real time. An IPS can automatically drop malicious packets, reset connections, or block traffic from malicious sources. It sits directly in the path of network traffic, in a location where it can actively intercept and influence traffic. Because it is inline, performance is critical: a slow IPS can become a bottleneck. An IPS can also generate false positives (incorrectly identifying traffic as malicious), causing legitimate traffic to be blocked and disrupting network operations.
IDS Sensors

Sensors monitor network traffic, system logs, and other data sources for suspicious activity. They are the first component of an IDS. Sensors can be either host- or network-based, and they provide alerts when potential breaches are detected.

Place sensors at the network perimeter:
- At the boundary between the internal network and the Internet, to monitor all inbound and outbound traffic.
- Behind the firewall, to capture traffic that has already been filtered and identify attacks that might have bypassed firewall rules.
- At VPN gateways, to monitor traffic coming from remote users or branch offices.

Place sensors within the internal network:
- At core switches, to monitor traffic flowing between network segments.
- At critical subnets (such as HR or finance), for dedicated monitoring.
- At data centers, to monitor traffic going in and out.

Place sensors near wireless access points:
- To monitor for rogue devices, unauthorized access, or attacks targeting the wireless infrastructure.

Place sensors on hosts:
- On servers that are mission-critical or contain sensitive data.
- On end-user systems in a high-security environment, to monitor for signs of compromise.
Monitoring Traffic
One of the most important aspects of security is monitoring network traffic. An intrusion compromises a system by breaking its security or causing it to enter into an insecure state. A network intrusion is any unauthorized activity on a network and often involves stealing network resources and jeopardizing the security of the network and its data.
Analysis Engine

The Analysis Engine examines the alerts generated by the sensors to determine whether they reflect actual threats. To identify potential threats, this component uses techniques such as signature-based detection, anomaly-based detection, and behavioral analysis.

Signature-Based: The IDS detects possible threats by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.

Anomaly-Based: The IDS establishes a baseline after a "learning" phase. Any deviation from the baseline is considered an anomaly.

Behavioral-Based: The IDS relies on understanding patterns of behavior and flags actions that deviate from expected behaviors. The IDS continuously learns and adapts to new behaviors over time.
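As an added example (not part of this course module), the following Python toy analysis engine applies all three techniques to constructed sensor events and returns alerts for a central console. The signatures, thresholds, host address and event data are assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict, deque

# Constructed example signatures (hypothetical, not real IDS rules).
SIGNATURES = {"sql-tautology": rb"'\s*or\s+1\s*=\s*1",
              "shell-injection": rb"[;|`]\s*(cat|sh|bash)\b"}

def signature_check(payload: bytes) -> list:
    """Signature-based: names of known byte patterns found in the payload."""
    return [n for n, p in SIGNATURES.items() if re.search(p, payload, re.I)]

class AnomalyDetector:
    """Anomaly-based: learn a per-host bytes-per-interval baseline, then flag outliers."""
    def __init__(self, learning_samples=8, zmax=3.0):
        self.n, self.zmax, self.hist = learning_samples, zmax, defaultdict(list)
    def observe(self, host: str, value: float) -> bool:
        h = self.hist[host]
        if len(h) < self.n:             # learning phase: build the baseline, never alert
            h.append(value)
            return False
        mean, sd = statistics.mean(h), statistics.pstdev(h) or 1.0
        if abs(value - mean) / sd > self.zmax:
            return True                 # deviation from the baseline is an anomaly
        h.append(value)                 # normal samples keep refining the baseline
        return False

class BehaviorDetector:
    """Behavioral: a host suddenly contacting many never-used ports deviates from expected behaviour."""
    def __init__(self, window=10, max_new_ports=4):
        self.seen, self.max_new = defaultdict(set), max_new_ports
        self.recent = defaultdict(lambda: deque(maxlen=window))
    def observe(self, host: str, port: int) -> bool:
        self.recent[host].append(port not in self.seen[host])
        self.seen[host].add(port)       # keeps learning: a port seen once becomes normal
        return sum(self.recent[host]) > self.max_new

def analyze(events):
    """Run all three techniques over sensor events; return (host, type, detail) alerts."""
    anomaly, behavior, alerts = AnomalyDetector(), BehaviorDetector(), []
    for e in events:
        for sig in signature_check(e["payload"]):
            alerts.append((e["host"], "signature", sig))
        if anomaly.observe(e["host"], e["bytes"]):
            alerts.append((e["host"], "anomaly", f"bytes={e['bytes']}"))
        if behavior.observe(e["host"], e["port"]):
            alerts.append((e["host"], "behavior", f"burst of new ports, last={e['port']}"))
    return alerts

# Constructed sensor events: 8 quiet intervals, one huge transfer with an injection-looking payload, then a burst of new ports.
EVENTS = [{"host": "10.0.0.5", "port": 443, "bytes": 1000 + 50 * i, "payload": b"GET /"} for i in range(8)]
EVENTS += [{"host": "10.0.0.5", "port": 443, "bytes": 90000, "payload": b"u=' OR 1=1--"}]
EVENTS += [{"host": "10.0.0.5", "port": p, "bytes": 1100, "payload": b""} for p in range(20, 26)]
```

Running `analyze(EVENTS)` yields no alerts during the learning phase, then one signature and one anomaly alert for the ninth event, and behavioral alerts only once the burst of never-seen ports exceeds the limit.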
Central Console
The Central Console receives and manages warnings from sensors and the analysis engine. The security team can view and manage alerts, investigate problems, and respond appropriately.
IDS Types

A Network-Based IDS (NIDS) monitors and reports on traffic flow across the entire network (or specific network segments) and provides a broader view of activities across the network. A NIDS reads a copy or mirror of the traffic via a network TAP (Test Access Point) device. Since the TAP copies network traffic, the NIDS does not affect traffic flow.

A Host-Based IDS (HIDS) monitors and analyzes the behavior of a specific host system, such as a server or workstation. It examines events and checks critical system files and directories for unauthorized changes.

IPS Types

A Network-Based IPS (NIPS) detects and prevents malicious activity by analyzing protocol packets throughout the network. A NIPS can prevent attacks by resetting a TCP connection, limiting bandwidth usage, or rejecting suspicious network activity. A NIPS can even command firewalls and routers to block suspicious activity. A NIPS does NOT usually analyze encrypted traffic or handle direct attacks against the IPS itself.

A Network Behavior IPS uses anomaly-based detection to look for abnormal behavior in system or network activity. This type of NIPS requires a training period to establish a "normal" baseline. The biggest advantage of anomaly-based detection is its ability to identify new threats.

A Host-Based IPS (HIPS) analyzes activity on a single host to detect and prevent malicious activity. A HIPS uses both signature- and anomaly-based detection methods. A HIPS can prevent potential damage caused by rootkits or Trojan horses.

A Wireless Intrusion Prevention System (WIPS) operates at Layer 2 (the data link layer) of the OSI model. A WIPS can detect the presence of rogue or misconfigured devices and prevent them from operating on wireless networks.
Comparison

Function
  Firewall: Screens incoming and outgoing traffic and blocks unauthorized access.
  IDS: Monitors for malicious activity or policy violations by analyzing system activity and detecting unusual patterns.
  IPS: Monitors for malicious activity or policy violations, and in addition detects AND prevents potential cyber threats.

How does it work?
  Firewall: Examines each data packet and compares it to predefined rules.
  IDS: Analyzes traffic or monitors system logs and audit trails, and generates an alert when it detects suspicious activity.
  IPS: Analyzes network traffic in real time to identify potential threats AND takes actions such as blocking traffic or terminating a connection.

Strengths
  Firewall: Effectively blocks known threats; blocks specific types of traffic; easy to implement and manage; used to enforce company security policies.
  IDS: Detects both known and unknown threats; provides more information on the type and source of an attack; detects insider threats or policy violations.
  IPS: Automatic response to potential threats; ability to learn and improve detection accuracy and reduce false positives.

Weaknesses
  Firewall: Cannot detect new threats; can be bypassed by sophisticated attacks; does not provide detailed information on the type or source of the threat.
  IDS: False positives lead to unnecessary alerts and administrative work; resource-intensive when analyzing network traffic; not as effective against sophisticated attacks that use encryption or other advanced techniques to evade detection.
  IPS: High cost to implement and maintain; potential for generating false positives; impact on network performance due to traffic analysis.