3. INTRODUCTION
o Intrusion: a set of actions aimed at compromising the integrity, confidentiality, or availability of a computing or networking resource.
o Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and system activities for malicious or harmful activity.
4. OBJECTIVES
o The main objectives of intrusion prevention systems are:
  Identification of malicious activity
  Logging information about that activity
  Attempting to block/stop harmful activity
  Reporting malevolent activity.
5. IPS’S DETECTION METHODS
The majority of intrusion prevention systems utilize one of two detection methods:
Signature-based Detection
This method of detection utilizes signatures of attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found, the intrusion prevention system takes the appropriate action.
6. CONTINUE...
Statistical anomaly-based or Knowledge-based Detection
A statistical anomaly-based IDS determines normal network activity: what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other. It alerts the administrator or user and prevents malicious content when anomalous (not normal) traffic is detected.
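Both detection methods in miniature, as an added illustration that is not code from the original slides: a tiny signature matcher with one constructed rule beside a statistical anomaly profile learned from constructed baseline traffic, with an `inline` flag that switches between IDS-style alerting on a copy of the traffic and IPS-style dropping in the forwarding path. All packet data, rule names and function names are constructed for this example.

```python
import re
import statistics

# Constructed sample packets (src_ip, dst_port, payload, size_in_bytes): BASELINE trains the anomaly profile, LIVE is inspected.
BASELINE = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1", 420),
    ("10.0.0.5", 80, "GET /about.html HTTP/1.1", 380),
    ("10.0.0.7", 443, "TLS client hello", 510),
]
LIVE = [
    ("10.0.0.9", 80, "GET / HTTP/1.1", 400),                                 # benign
    ("10.0.0.5", 80, "GET /login.php?user=admin' OR '1'='1 HTTP/1.1", 450),  # signature hit
    ("10.0.0.9", 80, "POST /upload HTTP/1.1", 90000),                        # bandwidth outlier
    ("10.0.0.9", 4444, "hello", 60),                                         # never-seen port
]

# Signature-based detection: preconfigured attack patterns (a Snort-style rule set in miniature).
SIGNATURES = [("sqli-tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I))]

def signature_check(payload):
    """Return the name of the first signature the payload matches, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return None

class AnomalyProfile:
    """Statistical anomaly-based detection: learn normal ports and packet sizes from a baseline, then flag deviations."""
    def __init__(self, baseline):
        sizes = [size for _, _, _, size in baseline]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes) or 1.0  # guard against a zero-variance baseline
        self.known_ports = {port for _, port, _, _ in baseline}

    def check(self, packet):
        _, port, _, size = packet
        if port not in self.known_ports:
            return f"unexpected-port-{port}"
        if abs(size - self.mean) / self.stdev > 3:  # more than 3 standard deviations from normal
            return "bandwidth-outlier"
        return None

def inspect(packets, profile, inline):
    """Run both detectors. inline=False mimics an IDS working on a copy of the traffic
    (alert only); inline=True mimics an IPS in the forwarding path (drop the packet)."""
    verdicts = []
    for pkt in packets:
        reason = signature_check(pkt[2]) or profile.check(pkt)
        verdicts.append("pass" if reason is None else f"{'drop' if inline else 'alert'}:{reason}")
    return verdicts
```

Calling `inspect(LIVE, AnomalyProfile(BASELINE), inline=True)` yields a pass for the benign request and a drop verdict naming the reason for each of the other three packets; with `inline=False` the same packets produce alert verdicts instead.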
7. CLASSIFICATIONS
Intrusion prevention systems can be classified into four different types:
o Network-based intrusion prevention system (NIPS):
Monitors the entire network for suspicious traffic by analyzing protocol activity. In a NIPS, sensors are located at the network borders. Sensors capture all network traffic, analyze the content of individual packets for malicious traffic, and prevent it.
Example: Snort (Snort is a free and open source network intrusion prevention system (NIPS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire.)
8. CONTINUE…
o Host-based intrusion prevention system (HIPS):
It is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
Example: OSSEC (OSSEC is a free, open source host-based intrusion prevention system (IDS). It provides intrusion prevention for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.)
o Wireless intrusion prevention system (WIPS):
Monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
o Network behavior analysis (NBA):
Examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
9. HOW IDS WORKS?
An IDS works with a copy of the traffic. It can detect an attack and send an alert (and take other actions), but it cannot prevent the attack because it does not operate on traffic inline in the forwarding path.
10. HOW IPS WORKS?
An IPS device operates in inline mode, i.e. the IPS device sits in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).
11. IPS VS. IDS
An IDS typically records information related to observed malicious events, notifies security administrators of important observed events, and produces reports.
IPS is considered an extension of intrusion detection systems because both monitor network traffic and system activities for malicious activity.
But unlike intrusion detection systems, intrusion prevention systems are able to actively prevent/block intrusions that are detected.
12. IPS VS. FIREWALL
An IPS monitors the system for unwanted entry, reports or alerts the user, and prevents the connection.
A firewall monitors the system based on the rules that are set by the user and regulates the activity between the system and the Internet.
Therefore, to protect the system from unwanted intrusions, it is always recommended to use firewalls in conjunction with intrusion prevention systems (IPS).
This is also why the majority of internet security systems come with both a firewall and an IPS.
13. CONCLUSIONS
Intrusion detection systems constantly monitor a given computer network for invasion or abnormal activity.
Intrusion detection systems are highly customizable to accommodate specific client needs. This allows users to custom-build network security to monitor highly individualized activity.
IPS is used as inline-mode protection for securing the internal network.
Cisco 4200 series IDS and IPS sensors offer a rich set of features for IDS and IPS.