My TechnoBlogs

IPS: Next generation IDS

Posted by Ravi shankar on March 2, 2009

An IPS offers the ability to identify an intrusion, its relevance, impact and direction, to properly analyse the event, and then to pass the appropriate information and commands to the firewalls, switches and other network devices to mitigate the event’s risk.
The key technical components of an IPS include the marriage of global and local host controls, IDS, global and local security policy, risk management software and globally accessible consoles for managing the IPS.

An IPS is the next security layer to be introduced; it combines the protection of a firewall with the monitoring ability of an IDS, protecting our network with the analysis necessary to make the proper decision on the fly.

IDS started the overall protection by first protecting the host (HIDS), then the network (NIDS). First and second generation IDS currently protect our network by identifying threats. An IDS provides real-time alerts and reports, but it cannot provide the necessary intelligence to notify all the network components downstream and upstream from the point of identification. This is where the IPS becomes part of the overall layered approach to security. An IPS gathers all network information, makes a determination of the threat, then notifies all other devices of those findings. Upstream providers can notify their downstream customers of possible attacks before or during the events, as the malicious attempts arrive, and vice versa.
Although an IPS is actually the next generation IDS, there will always be a need to keep these separate technologies. Security devices must remain separate to allow depth in overall protection; thus the firewall will need an IDS and the network will need an IPS. Each technology is bound to the other by dependencies that will not disappear.

An IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with the traffic flow on a network, actively shutting down attempted attacks as they are sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address or other attributes associated with that attacker, or by blocking all access to the targeted host, service or application.


Intrusion Detection System

Posted by Ravi shankar on March 2, 2009

Intrusion Detection System:

An IDS is software or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling a computer system, mainly through the network. It is used to detect several types of malicious behaviour that can compromise the security and trust of the computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorised logins and access to sensitive files, and malware (viruses, trojan horses and worms).

An IDS is composed of several components:
- Sensor: generates the security events.
- Console: monitors events and alerts, and controls the sensor.
- Central Engine: records the events logged by the sensor in a database and uses a system of rules to generate alerts from the security events received.

There are several ways to categorize an IDS, depending on the type and location of the sensor and the methodology used by the engine to generate alerts. In many simple IDS implementations the three components are combined in a single device or appliance.

Types of IDS:

Network IDS (NIDS): It identifies intrusions by examining network traffic and monitors multiple hosts. A NIDS gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. Example: Snort.

Protocol-based IDS (PIDS): The system is placed at the front end of the server, monitoring and analysing the communication protocol between a connected device and the server.
For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system. When HTTPS is in use, this system would reside in the “shim” or interface between the point where HTTPS is decrypted and the point immediately before the traffic enters the web presentation layer.

Application Protocol-based IDS (APIDS): It consists of a system or agent that would typically sit within a group of servers, monitoring and analysing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

Host-based IDS (HIDS): It consists of an agent on a host which identifies intrusions by analysing system calls, application logs, file system modifications (binaries, password files, capability/ACL databases) and other host-related activity and state. An example of a HIDS is OSSEC.

Hybrid IDS: It combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a hybrid IDS is Prelude.

Passive system vs Reactive system:

In a passive system the IDS sensor detects a potential breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an IPS (Intrusion Prevention System), the IDS responds to suspicious activity by resetting the connection or reprogramming the firewall to block network traffic from the malicious source. This can happen automatically or at the command of the operator.

A system which terminates connections is called an IPS and is another form of application-layer firewall. The term IDPS is commonly used to refer to hybrid security systems that both detect and prevent.

An IDS uses one or both of two detection techniques: statistical anomaly-based and/or signature-based.

Statistical anomaly-based IDS: A statistical anomaly-based IDS establishes a performance baseline from an evaluation of normal network traffic. It then samples traffic activity and compares it to this baseline to detect whether or not it is within the baseline parameters. If the sampled traffic is not within the baseline parameters, an alarm is triggered.

Signature-based IDS: Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, the collection of these signatures must be constantly updated to mitigate emerging threats.
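To make the pieces above concrete, here is a toy IDS/IPS engine written for this post; it is an added example, not code from the original post or from any of the products named here. It wires together the three components (sensor events, central engine, console output), the two detection techniques (signature matching and a statistical rate baseline), and the passive versus reactive distinction: in reactive mode the engine blocks the offending source, and an inline `forward()` hook drops its later traffic. The sensor events, the baseline counts, the signature patterns and all addresses are constructed for the example.

```python
"""Toy IDS/IPS engine (added example; all data below is constructed)."""
import statistics
from collections import Counter

# Constructed sensor events: (source IP, destination port, payload bytes).
# Normal browsing from 10.0.0.x, one host sending attack-pattern payloads
# (192.0.2.44), and one host making an unusually high number of requests
# to many ports with empty payloads (198.51.100.7).
EVENTS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.6", 80, b"GET /about.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /images/logo.png HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /contact.html HTTP/1.1"),
    ("10.0.0.8", 443, b"GET /login HTTP/1.1"),
    ("10.0.0.9", 80, b"GET /news.html HTTP/1.1"),
    ("10.0.0.6", 80, b"GET /faq.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /style.css HTTP/1.1"),
    ("10.0.0.8", 80, b"GET /products.html HTTP/1.1"),
    ("10.0.0.9", 443, b"GET /account HTTP/1.1"),
    ("192.0.2.44", 80, b"GET /item?id=1 UNION SELECT name,secret FROM users HTTP/1.1"),
    ("192.0.2.44", 80, b"GET /../../etc/passwd HTTP/1.1"),
] + [("198.51.100.7", port, b"") for port in (21, 22, 23, 25, 110, 143)]

# Constructed baseline: per-source request counts observed during a window of
# normal operation. A real deployment would learn this from historical traffic.
BASELINE_COUNTS = [2, 3, 2, 3, 2, 2, 3, 2, 3, 2]

# Constructed signature set: name -> byte pattern that must appear in a payload.
SIGNATURES = {
    "sqli-union-select": b"UNION SELECT",
    "path-traversal": b"../../",
}


def signature_alerts(events):
    """Signature-based detection: match each payload against known patterns
    (case-insensitive). Returns a list of (source, signature name)."""
    alerts = []
    for src, _port, payload in events:
        lowered = payload.lower()
        for name, pattern in SIGNATURES.items():
            if pattern.lower() in lowered:
                alerts.append((src, name))
    return alerts


def anomaly_alerts(events, baseline_counts, k=3.0):
    """Statistical anomaly detection: flag any source whose request count in
    this window exceeds the baseline mean by more than k standard deviations."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    threshold = mean + k * stdev
    counts = Counter(src for src, _port, _payload in events)
    return [(src, "rate-anomaly") for src, n in counts.items() if n > threshold]


class Engine:
    """Central engine: turns sensor events into alerts for the console and, in
    reactive (IPS) mode, also records the offending sources as blocked."""

    def __init__(self, reactive=False):
        self.reactive = reactive
        self.blocked = set()

    def process(self, events, baseline_counts):
        alerts = signature_alerts(events) + anomaly_alerts(events, baseline_counts)
        if self.reactive:
            self.blocked.update(src for src, _name in alerts)
        return alerts


def forward(engine, event):
    """Inline IPS hook: True if the event may pass, False if its source is blocked.
    A passive engine never blocks anything, so it always returns True."""
    return event[0] not in engine.blocked


if __name__ == "__main__":
    # Console: print alerts, then show the effect of reactive mode on new traffic.
    engine = Engine(reactive=True)
    for src, name in engine.process(EVENTS, BASELINE_COUNTS):
        print(f"ALERT {name:18s} from {src}")
    for event in (("10.0.0.5", 80, b"GET / HTTP/1.1"), ("192.0.2.44", 80, b"GET / HTTP/1.1")):
        print(f"{event[0]:13s} -> {'forwarded' if forward(engine, event) else 'dropped'}")
```

The two detectors are deliberately complementary: the signature pass catches 192.0.2.44 by payload content but says nothing about 198.51.100.7, whose payloads are empty, while the rate baseline catches 198.51.100.7 and ignores 192.0.2.44, which made only two requests. Running the same `Engine` with `reactive=False` yields the same alerts and an empty block set, which is exactly the passive/reactive split the post describes.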

Free IDS:
Snort, Endian Firewall, Untangle, Bro NIDS, Prelude Hybrid IDS, Osiris HIDS, OSSEC HIDS, Flowmatrix

Professional IDS:
