IPS and IDS

Source: Internet
Author: User

Part 1: Intrusion Detection vs. Intrusion Prevention

An Intrusion Detection System (IDS) is a security control or countermeasure with the capability to detect misuse and abuse of, and unauthorized access to, network resources.

An Intrusion Prevention System (IPS) is a security control or countermeasure with the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources.

Some of the attacks most commonly detected by a network IDS are as follows:

    • Application layer attacks (directory traversal attacks, buffer overflows, various forms of command injection)
    • Network sweeps and scans
    • DoS attacks (TCP SYN floods, ICMP floods)
    • Common network anomalies at most OSI layers (invalid IP datagrams, invalid TCP packets, malformed application layer protocol data units, malformed ARP requests or replies)

After an IDS detects an anomaly or offending traffic, it generates alerts. Because an IDS typically sits out of band, inspecting a copy of the traffic, it cannot on its own stop an attack or drop malicious traffic; that requires an inline device such as an IPS, or a separate control (firewall, router ACL) acting on the alert.

Part 2: IPS

The outcome of a security control on a given piece of traffic is classified with one of the following terms:

True positive: a situation in which a signature fires correctly when intrusive traffic for that signature is detected on the network. The signature correctly identifies an attack against the network. This represents normal and optimal operation.

False positive: a situation in which normal user activity triggers an alarm or response. This is a consequence of non-malicious activity. It represents an error and is generally caused by excessively tight proactive controls or excessively relaxed reactive controls.

True negative: a situation in which a signature does not fire during normal user traffic on the network. The security control has not acted and there is no malicious activity. This represents normal and optimal operation.

False negative: a situation in which a detection system fails to detect intrusive traffic although there is a signature designed to catch the activity. In this situation there is malicious activity, but the security control does not act. This represents an error and is generally caused by excessively relaxed proactive controls or excessively tight reactive controls.

A vulnerability is a weakness that compromises either the security or the functionality of a system. You'll often hear the following examples listed as vulnerabilities:

    • Insecure Communications
    • Poor passwords
    • Improper input handling

An exploit is the mechanism used to leverage a vulnerability to compromise the security or functionality of a system. Examples include:

    • Executable code
    • Password-guessing Tools
    • Shell or batch Scripts

A threat is defined as any circumstance or event with the expressed potential for the occurrence of a harmful event to an information system in the form of destruction, disclosure, adverse modification of data, or DoS.

A risk is the likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of an asset or system, resulting in an undesirable consequence.

A network IPS analyzes traffic from several different aspects, such as the following:

    • Reassembles Layer 4 sessions and analyzes their contents
    • Monitors packet and session rates to detect and/or prevent deviation from the baseline (or normal) network profile
    • Analyzes groups of packets to determine whether they represent reconnaissance attempts
    • Decodes application layer protocols and analyzes their contents
    • Analyzes individual packets to address malicious activity contained in a single packet
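The first and last items above are different inspection levels, and the difference matters for evasion: a signature that only looks inside one packet misses a payload an attacker has split across segments. The following added example (written for this page, not code from the original article or any IPS product) contrasts single-packet inspection with inspection of a reassembled Layer 4 session. The TCP segments, the initial sequence number and the traversal signature are all constructed by hand for the illustration.

```python
# Added example (not from the original page): why a network IPS reassembles
# Layer 4 sessions before matching a signature. The segments below are
# constructed by hand, not taken from a capture.
from dataclasses import dataclass

# Directory-traversal pattern the signature engine looks for (constructed).
SIGNATURE = b"../../etc/passwd"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def inspect_per_packet(segments):
    """Single-packet inspection: return the seq of every segment that
    contains the whole signature on its own."""
    return [s.seq for s in segments if SIGNATURE in s.payload]


def reassemble(segments, isn):
    """Rebuild the client-to-server byte stream from out-of-order and
    retransmitted segments. Overlapping bytes keep the first copy seen in
    sequence order; a hole in the stream raises instead of guessing."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            raise ValueError(f"missing bytes before seq {seg.seq}")
        skip = expected - seg.seq          # bytes already present
        if skip >= len(seg.payload):
            continue                        # pure retransmission, nothing new
        data = seg.payload[skip:]
        stream += data
        expected += len(data)
    return bytes(stream)


def inspect_stream(segments, isn):
    """Session-aware inspection: match against the reassembled stream."""
    return SIGNATURE in reassemble(segments, isn)


# Constructed HTTP request carrying the traversal string.
ISN = 1000
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"

# The attacker splits the request so that no single segment holds the whole
# signature, sends the pieces out of order, and retransmits the first one.
_cuts = [(0, 16), (16, 24), (24, len(REQUEST))]
_parts = [Segment(ISN + a, REQUEST[a:b]) for a, b in _cuts]
SEGMENTS = [_parts[2], _parts[0], _parts[1], _parts[0]]


if __name__ == "__main__":
    print("per-packet hits:", inspect_per_packet(SEGMENTS))   # []
    print("stream hit:", inspect_stream(SEGMENTS, ISN))        # True
```

Running the block shows the per-packet inspector reporting nothing while the stream inspector matches. A production engine has to go further than this sketch: when retransmitted segments overlap with different bytes, it must resolve the overlap the same way the target host's TCP stack will, or the attacker can feed the sensor one view of the stream and the victim another.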

There are three commonly used approaches to network intrusion prevention used by security managers today:

    • Signature-based: matches traffic against patterns of known attacks; it can only detect activity for which a signature exists
    • Anomaly-based: builds a baseline of normal traffic and alerts on significant deviation from it
    • Policy-based: alerts on or blocks traffic that violates an explicitly configured policy, such as a disallowed protocol or destination port

Endpoint Security Controls

Host IPS (HIPS) is another form of intrusion prevention. It consists of operating system security controls or security agent software installed on the hosts, which can include desktop PCs, laptops, or servers.
