IDS AND IPS

Day-7

What is INTRUSION?

  • An intrusion can be defined as any unauthorised access, any unauthorised attempt to access or damage, or any malicious use of an information system.
  • An intrusion may compromise the confidentiality, integrity or availability (the CIA triad) of the information assets.

IDS

IDS (Intrusion Detection System) is a solution that continuously monitors a host or a network, detects malicious attempts to gain unauthorised access, and raises an alert. It observes and reports; it does not itself block the traffic.

Function of IDS:-

  • An IDS gathers and analyses information from within a computer or a network to identify violations of the security policy, including unauthorised access and misuse.
  • A network IDS is usually built on a packet sniffer: it captures packets travelling over various communication media and protocols, usually TCP/IP, from a mirror (SPAN) port or a network tap, so it sees the traffic without sitting in its path.
  • It evaluates the traffic for suspected intrusions and raises an alarm when it detects one.

Types of IDS:-

NIDS(Network based IDS)

A network-based intrusion detection system (NIDS) collects and inspects network traffic. NIDS sensors are installed at the specific points of the network you want to monitor, typically fed by a switch mirror (SPAN) port or a network tap, and inspect the traffic of every device whose packets pass that point. If malicious network traffic is detected, the NIDS logs it and generates an alert.
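The following is an added example written for this article (not code from the original post or from any IDS product): a toy NIDS that runs over a constructed connection log, the kind of records a passive sensor would see from a mirror port. It runs the two detection methods a real NIDS combines, signature matching on payloads and anomaly detection (here, a port scan: one source hitting many distinct ports in a short window), and it deliberately includes one suspicious request that no signature covers, which the signature engine misses silently. The IP addresses, payloads, signatures and thresholds are all constructed for the example.

```python
"""Toy network IDS run over a constructed connection log (added example).

Records are what a passive NIDS sensor sees from a mirror port or tap.
Two detection methods run side by side:
  * signature matching: payload checked against known-bad patterns, so it
    can only catch attacks a signature already exists for;
  * anomaly detection: one source touching many distinct destination ports
    in a short window (a port scan), which no payload pattern would catch.
The IDS only emits alerts; it has no way to stop any of this traffic.
Illustrative code written for this article, not a real product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float       # seconds since the start of the capture
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    payload: bytes  # first bytes of application data (empty for a bare SYN)


# Known-bad content signatures, constructed for this example.
SIGNATURES = {
    "SQLi probe": re.compile(rb"(?i)\bunion\b.{0,20}\bselect\b"),
    "Path traversal": re.compile(rb"\.\./\.\./"),
}


def signature_alerts(conns):
    """One alert per (connection, matching signature): (ts, kind, detail, src)."""
    alerts = []
    for c in conns:
        for name, pattern in SIGNATURES.items():
            if pattern.search(c.payload):
                alerts.append((c.ts, "SIG", name, c.src))
    return alerts


def portscan_alerts(conns, window=5.0, threshold=10):
    """Flag a source that hits >= threshold distinct ports within `window` seconds."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    alerts = []
    for src, cs in by_src.items():
        cs.sort(key=lambda c: c.ts)
        for i, first in enumerate(cs):
            ports = {c.dport for c in cs[i:] if c.ts - first.ts <= window}
            if len(ports) >= threshold:
                alerts.append((first.ts, "ANOM", f"port scan: {len(ports)} ports in {window}s", src))
                break  # one alert per scanning source is enough
    return alerts


def run_ids(conns):
    """Passive detection: return all alerts in time order. Nothing is blocked."""
    return sorted(signature_alerts(conns) + portscan_alerts(conns))


# Constructed sample capture: two normal requests, two known attacks, a port
# scan, and one suspicious request that no signature knows about yet.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]
SAMPLE = [
    Conn(0.0, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n"),
    Conn(1.2, "10.0.0.5", "10.0.0.80", 80, b"GET /item?id=7 HTTP/1.1\r\n"),
    Conn(2.0, "203.0.113.9", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Conn(3.0, "203.0.113.9", "10.0.0.80", 80,
         b"GET /item?id=1 UNION SELECT user,pass FROM users-- HTTP/1.1\r\n"),
    *[Conn(5.0 + 0.1 * i, "198.51.100.7", "10.0.0.80", p, b"") for i, p in enumerate(SCAN_PORTS)],
    # Unknown attack: the signature engine stays silent, and it is not a scan either.
    Conn(8.0, "203.0.113.9", "10.0.0.80", 8080, b"POST /api/v2/ HTTP/1.1\r\n\r\n{\"cmd\":\"export\"}"),
]

if __name__ == "__main__":
    for ts, kind, detail, src in run_ids(SAMPLE):
        print(f"t={ts:5.1f} [{kind}] {detail} from {src}")
```

Running it produces three alerts (traversal, SQLi, port scan) and nothing for the request at t=8.0: a signature engine cannot see what it has no pattern for, and the anomaly rule only covers the one behaviour it was written for. Both limitations are what the Disadvantages section below is about.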

HIDS(Host based IDS)

A host-based intrusion detection system (HIDS) is an application that monitors the activity of the host on which it is installed. A HIDS is installed as an agent on the host and typically watches system and application logs, file integrity, running processes and the host's own network connections. A host is also known as an endpoint: any device connected to a network, such as a computer or a server.

Advantages of IDS:-

  1. Early threat detection: an attack is noticed while it is in progress rather than after the damage is discovered.
  2. Faster incident response, because the alert gives responders a time, a source and a target to start from.
  3. Anomaly-based detection can flag previously unseen (zero-day) attacks by their unusual behaviour, even though no signature exists for them yet.

Disadvantages:-

A signature-based IDS can only recognise attacks it already has signatures for; new or sophisticated attacks, and known attacks hidden by encryption or obfuscation, may not be caught, while anomaly-based detection tends to produce false positives that need tuning. An IDS is also passive: it alerts but does not stop the incoming traffic, so someone must act on the alert.

IPS

Intrusion Prevention System (IPS) is a technology that sits in the path of the traffic or activity it inspects, monitors the environment and responds automatically (for example by dropping the packets, resetting the connection or blocking the source) when malicious attempts to gain unauthorised access are detected.

Function of IPS:-

  • An IPS guards against security threats that originate inside the organisation as well as from outside. Because it enforces policy, it also exposes inappropriate behaviour by staff, such as use of prohibited protocols or services.
  • Intrusion prevention systems inspect all traffic passing through them. When a packet or flow matches a rule, the IPS can drop it, reset the connection or block the source, as well as raise an alert. There are a number of different threats that an IPS is designed to prevent.

Examples: DoS attacks, worms, viruses.

Types of IPS:-

  1. NIPS (Network-based IPS): deployed inline at a network chokepoint, it scans all traffic passing through for suspicious activity and blocks what matches.
  2. HIPS (Host-based IPS): an agent installed on a single host that inspects events on that host (system calls, file and registry changes, local network activity) for questionable activity and blocks it.
  3. WIPS (Wireless IPS): monitors a wireless network for suspicious traffic by analysing the wireless networking protocols, for example to detect rogue access points.
  4. NBIPS (Network behaviour IPS): analyses network traffic to find threats that cause anomalous traffic flows, including DDoS attacks, specialised malware and policy breaches.

Advantages of IPS:-

  1. It lowers the risk of a successful attack, because matching traffic is stopped rather than merely reported.
  2. It improves network visibility.
  3. It provides better protection against known threats.
  4. It automatically alerts the administrators to suspicious activity.
  5. It automates monitoring and other operational security tasks, improving efficiency and effectiveness.

Disadvantages of IPS:-

  1. An IPS requires careful tuning to minimise false positives without missing real attacks. Because it blocks inline, a false positive does not just raise a spurious alert, it drops legitimate traffic.
  2. Because all traffic passes through it, an IPS with insufficient inspection capacity or bandwidth adds latency and can slow the network down or become a single point of failure.
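To make the inline behaviour and the tuning problem concrete, here is an added example written for this article (not code from the original post or from any IPS product). A small rule engine sits in the traffic path: rules carry an `alert` action (log and forward) or a `drop` action (log and discard), and a packet is only forwarded if no drop rule matches. The same constructed traffic is then run against two rule sets: a first attempt that drops any HTTP request containing the word `select`, which also drops a legitimate search for "select committee" (a false positive), and a tuned rule that requires the `UNION ... SELECT` shape and lets the legitimate request through. Rule ids, payloads and the `false_positive_count` helper are all constructed for the example.

```python
"""Toy inline IPS with alert and drop actions (added example).

Unlike a passive IDS, an IPS sits in the traffic path: every packet goes
through `run_inline()` and is only forwarded if no drop rule matches.
Rules carry an action: "alert" logs and forwards, "drop" logs and discards.
The second half shows why tuning matters: a rule written too broadly drops
a legitimate request (a false positive), and the tightened rule does not.
Illustrative code written for this article, not a real product.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sid: int                # rule id
    action: str             # "alert" (log, forward) or "drop" (log, discard)
    dport: Optional[int]    # destination port; None matches any port
    content: re.Pattern     # regex applied to the payload
    msg: str


def run_inline(packets, rules):
    """Inspect each (dport, payload) packet; return (forwarded payloads, log).

    Log entries are (action, sid, msg). Rules are evaluated in order and the
    first matching drop rule ends inspection of that packet.
    """
    forwarded, log = [], []
    for dport, payload in packets:
        verdict = "pass"
        for r in rules:
            if (r.dport is None or r.dport == dport) and r.content.search(payload):
                log.append((r.action, r.sid, r.msg))
                if r.action == "drop":
                    verdict = "drop"
                    break
        if verdict == "pass":
            forwarded.append(payload)
    return forwarded, log


def false_positive_count(rules, benign_packets):
    """Tuning aid: replay known-good traffic and count how much the rule set would drop."""
    forwarded, _ = run_inline(benign_packets, rules)
    return len(benign_packets) - len(forwarded)


# Policy rule: cleartext telnet is reported but, as an alert-only rule, still forwarded.
TELNET_POLICY = Rule(1000003, "alert", 23, re.compile(rb""), "Cleartext telnet session (alert only)")

# First attempt: any SQL keyword in an HTTP request is dropped. Too broad.
BROAD_RULES = [
    Rule(1000001, "drop", 80, re.compile(rb"(?i)select"), "SQL keyword in request"),
    TELNET_POLICY,
]
# Tuned: require the UNION ... SELECT shape that real injection uses.
TUNED_RULES = [
    Rule(1000002, "drop", 80, re.compile(rb"(?i)\bunion\b.{0,20}\bselect\b"), "SQL injection: UNION SELECT"),
    TELNET_POLICY,
]

# Constructed traffic: (destination port, payload).
TRAFFIC = [
    (80, b"GET /search?q=select+committee HTTP/1.1\r\n"),                       # legitimate
    (80, b"GET /item?id=1 UNION SELECT user,pass FROM users-- HTTP/1.1\r\n"),  # attack
    (23, b"login: admin\r\n"),                                                  # policy violation
    (443, b"\x16\x03\x01\x02\x00"),                                             # TLS, matches nothing
]
BENIGN = [TRAFFIC[0], TRAFFIC[3]]  # known-good replay set used for tuning

if __name__ == "__main__":
    for name, rules in (("broad", BROAD_RULES), ("tuned", TUNED_RULES)):
        forwarded, log = run_inline(TRAFFIC, rules)
        print(f"{name}: forwarded {len(forwarded)}/{len(TRAFFIC)}, "
              f"false positives on benign replay: {false_positive_count(rules, BENIGN)}")
        for entry in log:
            print("   ", entry)
```

With the broad rule set the legitimate search is dropped along with the attack; with the tuned set only the attack is dropped and the telnet session is logged but forwarded. Replaying a corpus of known-good traffic through a new rule before enabling its drop action, as `false_positive_count` does, is the basic tuning loop the disadvantage above refers to.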


Written by Rajesh Kumar Subudhi