IDS and IPS
(OBJ 3.2)
Key difference
- IDS - Logs and alerts
- IPS - Logs, alerts, and takes action
  - Blocking suspicious traffic, stopping running applications, kicking hosts off connections, etc.
Intrusion Detection Systems (IDS)
- Logs or alerts that it found something suspicious or malicious
- Network Intrusion Detection Systems (NIDS)
  - Responsible for detecting unauthorized network access or attacks
  - Do not stop an attack; they react on certain criteria and notify the responsible parties or SOC analysts so action can be taken
- Three types of Intrusion Detection Systems (IDS)
  - Network-based IDS (NIDS)
    - Monitors the traffic coming in and out of a network
    - Configured as a network appliance that's installed on a SPAN port or mirrored port from your backbone switch
    - Generally configured to look for network attacks or indicators of an upcoming attack
      - Port scans
      - Suspicious content
      - Traffic from/to a suspicious IP or port
  - Host-based IDS (HIDS)
    - Looks at suspicious network traffic going to or from a single host or endpoint
    - Piece of software installed on a host or endpoint
  - Wireless IDS (WIDS)
    - Detects attempts to cause a denial of service on a wireless network
      - Flooding authentication attempts
      - Disassociation attacks
      - De-authentication attacks
- Intrusion detection systems operate using either signature-based or anomaly-based detection algorithms
  - Signature-based IDS
    - Analyzes traffic based on defined signatures and can only recognize attacks based on previously identified attacks in its database
    - Requires frequent updates to remain effective and is not considered effective against zero-day attacks
    - Pattern-matching
      - Looks for a specific pattern of steps
      - Used by NIDS and WIDS (network-based IDSs)
    - Stateful-matching
      - Starts from a known system baseline
      - Reports any changes to that state
      - Used by HIDS (host-based IDSs)
  - Anomaly-based IDS
    - Analyzes traffic and compares it to a normal baseline of traffic to determine whether a threat is occurring
    - Known as behavioral-based detection; it reports on anything outside of the normally expected behaviors, but this can also result in a higher rate of false positives
    - Five types of anomaly-based detection systems
      - Statistical
      - Protocol
      - Traffic
      - Rule or heuristic
      - Application-based
Intrusion Prevention Systems (IPS)
- Logs, alerts, and takes action when it finds something suspicious or malicious
- Scans traffic to look for malicious activity and takes action to stop it
- We want it placed right near the border of the network, right behind the firewall, so all traffic funnels through it and it can stop and block things as needed.
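The following added example (not part of the original notes) puts the two distinctions above side by side in code: a signature-style pattern rule (port scan) next to a statistical anomaly rule (byte-count baseline), and an IDS that only alerts next to an IPS that also acts. The flow records, baseline values and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_port, bytes) standing in for
# traffic copied to a SPAN/mirror port. Not taken from a real capture.
FLOWS = [
    ("10.0.0.5", 80, 1200), ("10.0.0.5", 443, 900), ("10.0.0.5", 80, 1100),
    ("10.0.0.7", 443, 50000),
] + [("10.0.0.9", p, 60) for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080)]

# Constructed byte counts of known-good flows, used to learn the normal baseline.
BASELINE_BYTES = [1000, 1200, 900, 1100, 1050, 950, 1150, 1000]


def signature_port_scan(flows, port_threshold=8):
    """Signature/pattern rule: one source touching many distinct ports."""
    ports = defaultdict(set)
    for src, dport, _ in flows:
        ports[src].add(dport)
    return sorted(src for src, seen in ports.items() if len(seen) >= port_threshold)


def anomaly_bytes(flows, baseline, z_threshold=3.0):
    """Statistical anomaly rule: flows whose size deviates sharply from baseline."""
    mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
    # z-score per flow; anything beyond z_threshold standard deviations is flagged.
    return sorted({src for src, _, size in flows if abs(size - mean) / stdev > z_threshold})


def ids(flows):
    """IDS behaviour: only log/alert, never touch the traffic."""
    alerts = [("port-scan", s) for s in signature_port_scan(flows)]
    alerts += [("byte-anomaly", s) for s in anomaly_bytes(flows, BASELINE_BYTES)]
    return alerts


def ips(flows):
    """IPS behaviour: same alerts, plus an action (here, a block list of sources)."""
    alerts = ids(flows)
    blocked = sorted({src for _, src in alerts})
    return alerts, blocked


if __name__ == "__main__":
    for rule, src in ids(FLOWS):
        print(f"ALERT {rule}: {src}")
    print("IPS would block:", ips(FLOWS)[1])
```

Note that the scanner's tiny probes also trip the anomaly rule, which is the kind of overlap (and, on other traffic, extra noise) the notes describe for behavioral detection.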