IDS/IPS overview
A typical corporate network makes use of a number of networking devices for preventing attacks originating from the internet and maintaining the security of their network.IDS/IPS is one of the prime networking defenses in line to achieve this goal. In this article, we will be learning about IDS/IPS in depth.
IDS
IDS stands for Intrusion Detection System. As the name suggests, IDS is used to detect and monitor traffic for illegitimate packets or suspicious activity and raises an alert when it comes across one. An IDS is usually a software which scans a network and reports it to SIEM for further analysis so appropriate actions are taken as per the organisation policy.
Learn Network Security Fundamentals
IDS detection method
IDS implements two methods to detect anomaly in the packet in the network. They are :
- Signature-based detection: In signature-based detection, IDS detects malicious packets by observing the events and identifying patterns with the signatures of known attacks. If the signature matches then the alert is raised, else the packet is allowed in the network.
- Anomaly-based detection: In anomaly-based detection, packet filtering is based on a predefined set of rules or patterns rather than signatures/patterns. If the packet does not match the rules/patterns then the alert is raised and sent to SIEM.
IDS Classification
IDSes can be classified into five types.
- Network Intrusion Detection System (NIDS) - NIDS as the name suggests, identifies intrusions by inspecting the network traffic. In NIDS, sensors are placed in DMZ or at network borders. Snort is the best example of NIDS.
- Host Intrusion Detection System (HIDS) - As the name suggests, HIDS is specific for a host. HIDS agent is installed on the host and the traffic flowing in/out of the host, logs, access is monitored. OSSEC is an HIDS based IDS.
- Protocol-based Intrusion Detection System (PIDS) - PIDS is usually installed on a server, and monitors and analyses the protocol in use by the server. Example - A PIDS installed on a web server will be used for monitoring and analyzing HTTP/HTTPS traffic flowing in/out of the server.
- Hybrid Intrusion Detection System - Hybrid Intrusion Detection System combines two or more different types of IDS and combines it into one.
Now we have a good understanding of IDS, let’s learn about IPS.
IPS
IPS stands for Intrusion Prevention System. As the name suggests, it detects malicious packets, sends info to SIEM and blocks the packet. Unlike IDS, which just detects and reports the packet, IPS attempts to block the packets as well. Thus, IPS is a bit advanced and is more effective than IDS.
IPS Detection Method
IPS implements three methods to detect anomaly and block the packet in the network. They are:
- Signature-based detection: In signature-based detection, IPS detects malicious packets by observing the events and identifying patterns with the signatures of known attacks. If the signature matches, then the alert is raised and the packet is dropped.
- Anomaly-based detection: In anomaly-based detection, packet filtering is based on a predefined set of rules or patterns rather than signatures/patterns. If the packet does not match the rules/patterns then the alert is raised, sent to SIEM and the packet is dropped.
- Stateful protocol analysis detection: In stateful protocol analysis detection, detection is based on divergence of protocol. Incoming packets are compared with the profile of accepted definitions and accordingly packet is dropped or allowed.
Best IDS/IPS Softwares
Now we have a good overview of IDS/IPS and their types, following are the options available for someone who wants to deploy IDS/IPS in their environment.
The below mentioned tools are open source and does not include proprietary ones -
- SolarWinds Security Event Manager - Free for 30 days
- Kismet
- Snort
- Zeek
- Open DLP
- Sagan
- Suricata
- Security Onion
Learn Network Security Fundamentals
Indication of Intrusion/Compromise
Major indication of Intrusion/Compromise are as follows -
- Active access to unused logins
- Login during non-working hours
- New user account creation
- System logs deletion
- Degradation in System performance
- Unknown files and program on the system
- File size and file permission modifications
- Random log data in log files
- Repeated login attempts from remote locations
- Strange file identification on the local system
Sources
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- IDS/IPS overview
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
