A typical corporate network uses a number of networking devices to prevent attacks originating from the internet and to maintain the security of the network. IDS/IPS is one of the prime network defenses in line to achieve this goal. In this article, we will learn about IDS/IPS in depth.
IDS stands for Intrusion Detection System. As the name suggests, an IDS is used to detect and monitor traffic for illegitimate packets or suspicious activity, and raises an alert when it comes across one. An IDS is usually software that scans a network and reports to a SIEM for further analysis, so that appropriate actions are taken as per the organisation's policy.
IDS detection method
IDS implements two methods to detect anomalies in packets on the network. They are:
- Signature-based detection: In signature-based detection, the IDS detects malicious packets by observing events and matching their patterns against the signatures of known attacks. If a signature matches, an alert is raised; otherwise the packet is allowed into the network.
- Anomaly-based detection: In anomaly-based detection, packet filtering is based on a predefined set of rules or patterns rather than attack signatures. If the packet does not match the rules/patterns, an alert is raised and sent to the SIEM.
IDSes can be classified into five types.
- Network Intrusion Detection System (NIDS) – A NIDS, as the name suggests, identifies intrusions by inspecting network traffic. In a NIDS, sensors are placed in the DMZ or at network borders. Snort is the best example of a NIDS.
- Host Intrusion Detection System (HIDS) – As the name suggests, a HIDS is specific to a host. A HIDS agent is installed on the host, and the traffic flowing in/out of the host, its logs and access are monitored. OSSEC is an example of a HIDS.
- Protocol-based Intrusion Detection System (PIDS) – A PIDS is usually installed on a server, and monitors and analyses the protocol in use by the server. Example – a PIDS installed on a web server will monitor and analyze the HTTP/HTTPS traffic flowing in/out of the server.
- Hybrid Intrusion Detection System – A Hybrid Intrusion Detection System combines two or more different types of IDS into one.
Now that we have a good understanding of IDS, let's learn about IPS.
IPS stands for Intrusion Prevention System. As the name suggests, it detects malicious packets, sends information to the SIEM and blocks the packet. Unlike an IDS, which only detects and reports the packet, an IPS attempts to block the packets as well. Thus, an IPS is a bit more advanced and more effective than an IDS.
IPS Detection Method
IPS implements three methods to detect anomalies and block packets on the network. They are:
- Signature-based detection: In signature-based detection, the IPS detects malicious packets by observing events and matching their patterns against the signatures of known attacks. If a signature matches, an alert is raised and the packet is dropped.
- Anomaly-based detection: In anomaly-based detection, packet filtering is based on a predefined set of rules or patterns rather than attack signatures. If the packet does not match the rules/patterns, an alert is raised and sent to the SIEM, and the packet is dropped.
- Stateful protocol analysis detection: In stateful protocol analysis detection, detection is based on deviation from the protocol's expected behaviour. Incoming packets are compared with a profile of accepted protocol definitions, and accordingly the packet is dropped or allowed.
Best IDS/IPS Software
Now that we have a good overview of IDS/IPS and their types, the following are the options available to someone who wants to deploy IDS/IPS in their environment.
The tools mentioned below are open source; proprietary ones are not included –
- SolarWinds Security Event Manager – Free for 30 days
- Open DLP
- Security Onion
Indication of Intrusion/Compromise
Major indications of intrusion/compromise are as follows –
- Active access to unused logins
- Login during non-working hours
- New user account creation
- System logs deletion
- Degradation in system performance
- Unknown files and programs on the system
- File size and file permission modifications
- Random log data in log files
- Repeated login attempts from remote locations
- Strange files identified on the local system
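The signature-based and anomaly-based rules from the detection-method sections, run over a few of the indicators listed above (logins during non-working hours, repeated login attempts from a remote address, new user account creation), as an added example that is not from the article or any of the tools it names. It assumes a simple constructed authentication-log format and threshold values (working hours, failure count) chosen only for illustration.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample authentication log (not from the article or any real host).
SAMPLE_LOG = """\
2024-03-04 09:12:01 sshd[101]: Accepted password for alice from 10.0.0.5
2024-03-04 02:47:33 sshd[102]: Accepted password for bob from 10.0.0.9
2024-03-04 14:05:10 sshd[103]: Failed password for root from 203.0.113.7
2024-03-04 14:05:12 sshd[104]: Failed password for root from 203.0.113.7
2024-03-04 14:05:14 sshd[105]: Failed password for root from 203.0.113.7
2024-03-04 15:00:00 useradd[106]: new user: name=svc_backup, UID=1005
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\[\d+\]: (.*)$")
# Signature-based rules: one fixed pattern per known-bad event; a match raises an alert.
SIGNATURES = {
    "new-user-account": re.compile(r"^new user: name=(\S+),"),
    "failed-root-login": re.compile(r"^Failed password for root from (\S+)"),
}
WORK_HOURS = range(8, 18)   # assumed threshold: accepted logins outside 08:00-17:59 are flagged
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold: repeated failures from one remote address

def parse(log_text):
    """Yield (timestamp, process, message) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def detect(log_text):
    """Return de-duplicated (rule, detail) alerts, sorted for stable comparison."""
    alerts, failures = set(), Counter()
    for ts, _proc, msg in parse(log_text):
        for name, pattern in SIGNATURES.items():      # signature-based detection
            m = pattern.search(msg)
            if m:
                alerts.add((name, m.group(1)))
        m = re.match(r"^Accepted password for (\S+) from", msg)
        if m and ts.hour not in WORK_HOURS:            # login during non-working hours
            alerts.add(("off-hours-login", m.group(1)))
        m = re.match(r"^Failed password for \S+ from (\S+)", msg)
        if m:
            failures[m.group(1)] += 1                  # tally per remote address
    for addr, n in failures.items():                   # repeated remote login attempts
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.add(("repeated-failed-logins", addr))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {detail}")
```

Each alert would be forwarded to the SIEM in a real deployment; the threshold rules are where anomaly-based detection earns its keep, since a single failed login matches no signature but three in a row from one address do cross the line.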