CHAPTER 1 Introducing IDS and IPS
IDS:
IPS:
Works inline in real time to monitor Layer 2 through Layer 7 traffic and content.
Needs to be able to handle network traffic.
Prevents malicious traffic from entering the network.
Shown in fig 1.2
reading security event logs, checking for changes to critical system files, and checking system
registries for malicious entries.
IDS and IPS technologies generally use signatures to detect patterns of misuse in network traffic,
although other technologies will be introduced later in this chapter. A signature is a set of rules
that an IDS or IPS uses to detect typical intrusive activity. Signatures are usually chosen from a broad
cross section of intrusion detection signatures, and can detect severe breaches of security, common
network attacks, and information gathering.
IDS and IPS technologies look for the following general patterns of misuse:
Atomic pattern: In an atomic pattern, an attempt is made to access a specific port on a specific
host, and malicious content is contained in a single packet. An IDS is particularly vulnerable to
an atomic attack because until it finds the attack, malicious single packets are being allowed
into the network. An IPS prevents these packets from entering at all.
Composite pattern: A composite pattern is a sequence of operations distributed across
multiple hosts over an arbitrary period of time.
Step 2. The IPS sensor analyzes the packets as soon as they come into the IPS sensor interface. The
IPS sensor, using signatures, matches the malicious traffic to the signature and the attack is stopped
immediately. Traffic in violation of policy can be dropped by an IPS sensor.
Step 3. The IPS sensor can send an alarm to a management console for logging and other management
purposes.
Management Console
A management console is a separate workstation equipped with software to configure, monitor, and
report on events.
Promiscuous Versus Inline Mode
A sensor can be deployed either in promiscuous mode or inline mode. In promiscuous mode, the sensor
receives a copy of the data for analysis, while the original traffic still makes its way to its ultimate
destination. By contrast, a sensor working inline analyzes the traffic live and therefore can actively
block the packets before they reach their destination.
CHAPTER 2 Host and Network IPS
IPS technology can be network based and host based. There are advantages and limitations to HIPS
compared with network-based IPS. In many cases, the technologies are thought to be complementary.
Fig.2.1
Step 1. An application calls for system resources.
Step 2. HIPS checks the call against the policy.
Fig 2.2
HIPS deployment
Limitations of network IPS: Encryption of the network traffic stream can essentially blind network
IPS. Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest
drawback to network-based monitoring is that as networks become larger (with respect to
bandwidth), it becomes more difficult to place network IPS at a single location in the network and
successfully capture all the traffic. Eliminating this problem requires the use of more sensors
throughout the network. However, this solution increases costs.
Advantages and limitations (table recovered from the original layout):
Host IPS. Advantages: is host specific.
Network IPS. Advantages: cost-effective; not visible on the network. Limitations: cannot examine encrypted traffic.
A host-based monitoring system examines information at the local host or operating system. Network-based
monitoring systems examine packets that are traveling through the network for known signs of
intrusive activity. As you move down the feature list toward network IPS, the features describe
network-based monitoring features; application-level encryption protection is a HIPS feature, whereas
DoS prevention is a network IPS feature.
CHAPTER 3 Types of IDS and IPS Systems
An operating system log entry with a status code value of 645, which indicates that the host's
auditing has been disabled.
Signature-based detection is very effective at detecting known threats but largely ineffective at
detecting previously unknown threats, threats disguised by the use of evasion techniques, and many
variants of known threats. For example, if an attacker modified the malware in the previous example to
use a filename of freepics2.exe, a signature looking for freepics.exe would not match it.
Signature-based detection is the simplest detection method because it just compares the current unit of
activity, such as a packet or a log entry, to a list of signatures using string comparison operations.
Signature-based detection technologies have little understanding of many network or application
protocols and cannot track and understand the state of complex communications. For example, they
cannot pair a request with the corresponding response, such as knowing that a request to a Web server
for a particular page generated a response status code of 403, meaning that the server refused to fill the
request. They also lack the ability to remember previous requests when processing the current request.
This limitation prevents signature-based detection methods from detecting attacks that comprise
multiple events if none of the events contains a clear indication of an attack.
particular alert was generated and to validate that an alert is accurate and not a false positive, because
of the complexity of events and number of events that may have caused the alert to be generated.
The primary drawback to stateful protocol analysis methods is that they are very resource-intensive
because of the complexity of the analysis and the overhead involved in performing state tracking for
many simultaneous sessions. Another serious problem is that stateful protocol analysis methods cannot
detect attacks that do not violate the characteristics of generally acceptable protocol behavior, such as
performing many benign actions in a short period of time to cause a denial of service. Yet another
problem is that the protocol model used by an IDPS might conflict with the way the protocol is
implemented in particular versions of specific applications and operating systems, or how different
client and server implementations of the protocol interact.
CHAPTER 4 Snort
Snort uses a simple, lightweight rules description language that is flexible and quite powerful.
There are a number of simple guidelines to remember when developing Snort rules that will
help safeguard your sanity. Most Snort rules are written in a single line. This was required in
versions prior to 1.8. In current versions of Snort, rules may span multiple lines by adding a
backslash \ to the end of the line.
Snort rules are divided into two logical sections, the rule header and the rule options. The rule header
contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source
and destination port information. The rule option section contains alert messages and information on
which parts of the packet should be inspected to determine if the rule action should be taken.
The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains
the rule options. The words before the colons in the rule options section are called option keywords.
All of the elements that make up a rule must be true for the indicated rule action to be taken. When
taken together, the elements can be considered to form a logical AND statement. At the same time, the
various rules in a Snort rules library file can be considered to form a large logical OR statement.
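The rule structure described above (header, options, AND within one rule, OR across a rules file) and the chapter 3 point that a plain string signature for freepics.exe does not match a renamed freepics2.exe, as an added Python example that is not from the report or from Snort itself: a toy evaluator for a small subset of the Snort rule language (no hex content, nocase or other modifiers) run against constructed packets; the rules, addresses and payloads are hypothetical.

```python
import ipaddress
import re
# Rule header: action proto src sport -> dst dport, then the options in parentheses.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_rule(text):  # split a Snort-style rule into header fields and option keywords
    text = text.replace("\\\n", " ")            # join lines continued with a trailing backslash
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")        # each option is keyword:value (value may be quoted)
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def _addr_ok(rule_val, actual):
    return rule_val == "any" or ipaddress.ip_address(actual) in ipaddress.ip_network(rule_val, strict=False)
def _port_ok(rule_val, actual):
    return rule_val == "any" or int(rule_val) == actual

def rule_matches(rule, pkt):  # every header field and option must hold: one rule is a logical AND
    checks = [rule["proto"] == pkt["proto"],
              _addr_ok(rule["src"], pkt["src"]), _port_ok(rule["sport"], pkt["sport"]),
              _addr_ok(rule["dst"], pkt["dst"]), _port_ok(rule["dport"], pkt["dport"])]
    if "content" in rule["options"]:            # plain substring comparison, as the report describes
        checks.append(rule["options"]["content"].encode() in pkt["payload"])
    return all(checks)

def evaluate(rules, pkt):  # a rules file is a logical OR: the first rule whose elements all hold fires
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["options"].get("msg")
    return None

# Constructed rules and packets for the demonstration (hypothetical, not from the report).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"freepics.exe download"; \\\n    content:"freepics.exe";)',
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"telnet to internal host";)')]

def demo():
    base = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10", "dport": 80,
            "payload": b"GET /freepics.exe HTTP/1.0\r\n"}
    return (evaluate(RULES, base),                                                     # all elements true
            evaluate(RULES, dict(base, payload=b"GET /freepics2.exe HTTP/1.0\r\n")),  # renamed variant
            evaluate(RULES, dict(base, dport=8080)),                                   # one element false
            evaluate(RULES, dict(base, dport=23, payload=b"")))                        # second rule fires
```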
Conclusion
There are many technologies on the market today to help companies fight the inevitable network and
system attack. IPS and IDS are only two of many resources that can be deployed to increase visibility
and control within a corporate computing environment. They provide a technology foundation that meets
the requirement of tracking and identifying network attacks: attacks are detected through the logs of
IDS systems, and an action is prevented through IPS systems. If a network holds critical systems and
confidential data, or is subject to strict compliance regulations, it is well worth deploying IDS, IPS
or both. Intrusion detection and prevention systems are put in place to serve the business need of
meeting an objective of network security. The basic benefits of IDS and IPS systems are as follows:
Deterministic intrusion detection or prevention is the next-generation firewall, with deep packet
inspection and sniffing in the network. But it is not a silver bullet; it should become a basic
component at the border and deeper in the network as part of defense in depth [1].
References
[1] J.P. Anderson, Computer Security Threat Monitoring and Surveillance, tech. report, James P.
Anderson Co., Fort Washington, Pa., 1980.
[2] D.E. Denning, An Intrusion Detection Model, IEEE Trans. Software Eng., Vol. SE-13, No. 2,
Feb. 1987, pp. 222-232.
[3] Jennifer Jabbusch, IDS vs. IPS: How to know when you need the technology, 22 November 2010.
[4] Brian Smith, IPS vs. IDS.
[5] Robert Drum, CISSP, IDS & IPS Placement for Network Protection, 26 March 2006.
[6] Pete Lindstrom, Intrusion Prevention Systems (IPS): Next Generation Firewalls, Spire Research
Report, Spire Security, March 2004.