BiNBo
IDS IPS Intrusion Detection System Intrusion Prevention System Network behavior analysis traffic analysis packet analysis

Introduction to IDS/IPS

Posted Oct 11, 2023 10:34 PM

An Intrusion Detection System (IDS) is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It handles alert generation for suspicious events. More specifically, these can be broken down into two main categories: Network Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS).

Network Intrusion Detection Systems
NIDS monitor the traffic flow from various areas within a network. The aim is to automate traffic investigation across an entire subnet, and if conditions are met an alert is created.

Host-based Intrusion Detection Systems
HIDS monitor the traffic flow from a single endpoint device, such as a workstation. The aim is to investigate the traffic on a particular device, and if conditions are met an alert is created.

Similar in some aspects, Intrusion Prevention Systems (IPS) act as an active protection solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. An IPS is responsible for stopping, preventing, and/or terminating any suspicious activity as soon as the detection is made. These can be broken down further into four main types:

Network Intrusion Prevention Systems (NIPS)
NIPS monitor the traffic flow from various areas within a network. The aim is to protect the traffic across the entire subnet. If a signature is detected, the connection is terminated.

Behavior-based Intrusion Prevention System (Network Behavior analysis - NBA)
Behavior-based systems monitor the traffic across various areas of the network based on pattern analysis, and either quarantines or terminates suspicious connections.

Network behavior analysis systems work similarly to NIPS. The key difference between the two is that behavior-based systems require a training period, also known as "baselining", in order to learn normal traffic patterns and how to differentiate malicious traffic and threats. This model often provides more efficient results against new and emerging threats that might not be recognized yet. The system is trained to know the normal traffic and to detect the abnormal traffic. The training period is crucial to avoiding false positives. If a security breach occurs during the training period, the results could be incredibly problematic, because the malicious activity is learned as part of "normal". Another critical point is ensuring that the system is well trained to recognize benign activities.

Wireless Intrusion Prevention Systems (WIPS)
WIPS monitors traffic flow from wireless networks. The aim is to protect the wireless traffic and stop possible attacks. If conditions are met, then the connection is terminated.

Host-based Intrusion Prevention Systems (HIPS)
HIPS actively protects the traffic flow from a single endpoint device. The aim is to investigate the traffic on a particular device. If conditions are met, the connection is terminated.

HIPS work in a very similar manner to HIDS. The key difference between them is that, while HIDS will create alerts for threats, HIPS stops threats by terminating the connection.

Lastly, there are three main detection and prevention techniques used in IDS and IPS solutions:

Signature-based - This technique relies on rules that identify the specific patterns of known malicious behavior. This model is used to detect known threats.

Behavior-based - This technique identifies new threats whose patterns slip past existing signatures. The model compares known, normal behavior with unknown, abnormal behavior. This model is used to detect previously unknown or new threats.

Policy-based - This technique compares detected activities with system configuration and security policies. This model is used to detect policy violations.



With all of that explained, I hope you, the reader, have gained a better understanding of what IDS/IPS are and how they both align and differ in function.
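To make the three techniques above (signature, behavior/baseline, policy) and the IDS-versus-IPS distinction concrete, here is an added toy pipeline written for this page; it is not code from the original post or from any IDS product. Every flow record, signature name (SIG-001), port policy and the host 10.0.0.5 are constructed for illustration. It also reproduces the baselining caveat from the NBA section: the same oversized flow that a clean baseline flags is missed when the training window was polluted with that traffic.

```python
"""Toy IDS/IPS pipeline: signature, behavior (baseline) and policy checks over constructed flows."""
import re
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    fid: int          # constructed flow id
    src: str          # source host
    dst: str          # destination host
    dport: int        # destination port
    byte_count: int   # bytes sent in this flow
    payload: bytes    # first bytes of the payload (constructed)


# Signature-based: hypothetical rule names and patterns, not from any real ruleset.
SIGNATURES = {
    "SIG-001 known-bad scanner user-agent": re.compile(rb"User-Agent: evil-scanner/1\.0"),
}

# Policy-based: constructed organisation policy forbidding cleartext FTP (21) and telnet (23).
POLICY = {"forbidden_dports": {21, 23}}


def signature_check(flow):
    """Return the names of every signature whose pattern matches the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]


def policy_check(flow, policy=POLICY):
    """Return a reason if the flow violates the configured policy."""
    if flow.dport in policy["forbidden_dports"]:
        return [f"connection to forbidden port {flow.dport}"]
    return []


def build_baseline(training_flows):
    """Baselining: learn per-source mean and standard deviation of bytes per flow."""
    per_src = {}
    for f in training_flows:
        per_src.setdefault(f.src, []).append(f.byte_count)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def behavior_check(flow, baseline, k=3.0):
    """Behavior-based: flag a flow that exceeds mean + k * stdev for its source host."""
    if flow.src not in baseline:
        return [f"no baseline learned for {flow.src}"]
    mu, sigma = baseline[flow.src]
    threshold = mu + k * max(sigma, 1.0)   # floor sigma so a constant baseline is not zero-width
    if flow.byte_count > threshold:
        return [f"{flow.byte_count} bytes exceeds baseline threshold {threshold:.0f}"]
    return []


def analyze(flows, baseline, mode="ids"):
    """IDS mode only alerts; IPS mode additionally returns the flow ids to terminate."""
    alerts, dropped = [], set()
    for f in flows:
        reasons = (
            [("signature", r) for r in signature_check(f)]
            + [("behavior", r) for r in behavior_check(f, baseline)]
            + [("policy", r) for r in policy_check(f)]
        )
        for technique, reason in reasons:
            alerts.append((f.fid, technique, reason))
            if mode == "ips":
                dropped.add(f.fid)
    return alerts, dropped


def clean_training():
    """Constructed training window: ordinary HTTPS flows of 2000-2400 bytes from 10.0.0.5."""
    return [Flow(i, "10.0.0.5", "203.0.113.10", 443, 2000 + (i % 5) * 100, b"GET / HTTP/1.1")
            for i in range(10)]


def poisoned_training():
    """Same window, but a breach during baselining added three 50 KB uploads as 'normal'."""
    return clean_training() + [
        Flow(50 + i, "10.0.0.5", "198.51.100.7", 443, 50000, b"POST /upload HTTP/1.1") for i in range(3)]


# Constructed live flows: one benign, then one hit per technique.
LIVE_FLOWS = [
    Flow(100, "10.0.0.5", "203.0.113.10", 443, 2100, b"GET /index.html HTTP/1.1"),
    Flow(101, "10.0.0.5", "203.0.113.10", 80, 2050, b"GET / HTTP/1.1\r\nUser-Agent: evil-scanner/1.0"),
    Flow(102, "10.0.0.5", "198.51.100.7", 443, 50000, b"POST /upload HTTP/1.1"),
    Flow(103, "10.0.0.5", "198.51.100.9", 23, 300, b"\xff\xfb\x01"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, dropped = analyze(LIVE_FLOWS, build_baseline(clean_training()), mode)
        print(mode.upper(), "alerts:", alerts, "terminated:", sorted(dropped))
    print("poisoned baseline misses flow 102:",
          behavior_check(LIVE_FLOWS[2], build_baseline(poisoned_training())) == [])
```

With the clean baseline the 50 KB flow sits far above the learned threshold (roughly 2,624 bytes) and is flagged; with the poisoned baseline the learned mean and deviation are inflated so much that the same flow passes silently, which is exactly why the post stresses a clean training period.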
Oct 11, 2023 10:44 PM
Nice blog. You forgot to mention cloud-based / AI-based detections.
Thank you for sharing.