Intrusion Detection & Prevention Iliandra Gonzalez
Intrusion Detection System
- A device or software application that monitors a network or systems for malicious activity or policy violations.
Cont.
Intrusion detection systems (IDS) are split into two types of systems:
- Host-based intrusion detection system (HIDS)
- Network-based intrusion detection system (NIDS)
Host-Based vs Network-Based
Host-based intrusion detection systems focus on:
- Collecting information
- Acting as a sensor that collects data on the system it is monitoring
- Relying on audit trails (can be limited by this source of choice)
Network-based intrusion detection systems focus on:
- Analyzing incoming network traffic
- Information collected from the network traffic stream (the data travels here)
- Recognizing attack signatures
- Packet sniffing
How does it work?
- An intrusion detection system is used to detect anomalies, with the aim of catching hackers before any real damage is done.
- It can be host based or network based.
- It works by looking for:
  - signatures of known attacks
  - any deviations from normal activity
Products
Intrusion detection system software is often open source (open source: the software's original code is available). The following are six open source products available to the public:
- Snort
- Security Onion
- OSSEC
- OpenWIPS-NG
- Suricata
- Bro IDS
Intrusion Prevention System
- An intrusion prevention system (IPS) is used to identify threats and respond to them.
- It is a security prevention technology that inspects network traffic flows to detect and prevent vulnerability exploits.
IPS Tools
Similar to IDS, intrusion prevention systems have tools available:
- Anti-virus programs
- Clean-up
- Firewalls:
  - Static packet
  - Stateful packet
  - Stateful inspection
  - Proxy
IDS and IPS
Intrusion detection systems and intrusion prevention systems both increase protection by:
- Monitoring traffic
- Inspecting and scanning packets
- Recognizing and storing signatures
Difference between IDS and IPS
Intrusion Detection System:
- Provides the network with a level of security against suspicious activity
- Targets early warnings at the system administrator
- Cannot block attacks
Intrusion Prevention System:
- Is a device that controls access
- Protects systems from attack and abuse
- Inspects attack data and takes action
- Blocks attacks from developing
- Creates rules in the firewall
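As an added example (not part of the original slides), the following Python sketch shows the two detection strategies from the "How does it work?" slide, signatures of known attacks and deviations from normal activity, run over constructed log lines, and then shows the IPS step from this slide: turning alerts into firewall rules rather than only raising an alarm. The signatures, the failed-login threshold and the log lines are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines: "<source host> <event>" (not real traffic).
SAMPLE_LOGS = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /../../secret.txt 404",
    "10.0.0.7 LOGIN FAILED user=alice",
    "10.0.0.7 LOGIN FAILED user=alice",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 LOGIN FAILED user=alice",
    "10.0.0.7 LOGIN OK user=alice",
]

# Signature-based detection: patterns of known attacks (hypothetical rule set).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"union\s+select", re.IGNORECASE),
}

# Anomaly-based detection: "normal" is fewer than this many failed logins
# per host; reaching the threshold is a deviation worth an alert.
FAILED_LOGIN_THRESHOLD = 3


def detect(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """IDS behaviour: return (host, method, description) alerts, block nothing."""
    alerts = []
    failures = Counter()
    for line in lines:
        host, event = line.split(" ", 1)
        for name, pattern in SIGNATURES.items():
            if pattern.search(event):
                alerts.append((host, "signature", name))
        if "LOGIN FAILED" in event:
            failures[host] += 1
            if failures[host] == threshold:  # alert once per host
                alerts.append((host, "anomaly", "failed-login burst"))
    return alerts


def firewall_rules(alerts):
    """IPS behaviour: turn alerts into firewall block rules (iptables syntax)."""
    hosts = sorted({host for host, _, _ in alerts})
    return [f"iptables -A INPUT -s {host} -j DROP" for host in hosts]


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print("ALERT", alert)
    for rule in firewall_rules(found):
        print("BLOCK", rule)
```

An IDS stops after `detect`; an IPS also applies the output of `firewall_rules`, which is what "creates rules in the firewall" means in practice.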
Why is it Necessary?
- The importance of detection is to indicate that something was stolen or done maliciously: an alarm.
- The importance of prevention is to have the ability to block attacks: action ensues.