What are IPS and IDS Systems?

IPS (Intrusion Prevention System) and IDS (Intrusion Detection System)

IPS and IDS systems look for intrusions and their symptoms within network traffic. They monitor for unusual behavior, abnormal traffic, malicious code and anything else that looks like an intrusion attempt by a hacker.


IPS (Intrusion Prevention System) systems are deployed inline and actually take action by blocking the attack, as well as recording the attack and adding the source IP address to a block list for a limited period of time, or even blocking the address permanently, depending on the configured policy. Hackers perform many port scans and address scans with the intention of finding loopholes within organizations. An IPS recognizes these types of scans and takes measures such as blocking, dropping, quarantining and recording the traffic. This is only the basic functionality of an IPS, though; IPS systems have many more advanced capabilities to detect and stop such attacks.


An IDS (Intrusion Detection System) is a network security technology originally built to detect vulnerability exploits against a target application or computer. IPS extended IDS solutions by adding the ability to block threats in addition to detecting them, and has become the dominant deployment option for IDS / IPS technologies.


IDS vs IPS

IDS systems only detect an intrusion, record the attack and send an alert to the administrator.
IDS systems do not slow down the network the way an IPS can, since they are not inline.
You might wonder why a company would buy an IDS instead of an IPS. Surely a company would want a system that takes action and blocks such attacks, instead of letting them pass and only logging and alerting the administrator? There are several reasons, but two main ones stand out. IDS systems, like IPS, will produce false positives if they are not tuned. A false positive on an IPS is far more disruptive, since legitimate network traffic gets blocked, whereas an IDS will only send an alert and record the false attack. The second reason is that some administrators and managers do not want a system taking over and making decisions on their behalf; they would rather receive an alert, analyze the problem and take action themselves.


With that said, today you will find solutions with both IDS and IPS capabilities built in. The IDS mode can be used initially to see how the system behaves without actually blocking anything. Then, once the IPS policies are tuned, the system can be deployed inline to provide full protection.

IPS and IDS versus firewalls

Without an IPS, attacks go unnoticed. Remember that a firewall filters, blocks and allows addresses, ports and services, but by design it lets some of that traffic through into the network. This means the allowed traffic is simply allowed to pass: firewalls have no smart way of knowing whether that traffic is legitimate and normal. This is where IPS and IDS systems come into play.


So, while firewalls block and allow traffic, the IDS / IPS inspects the allowed traffic in detail to see whether it is an attack. IDS / IPS systems are composed of sensors, analyzers and GUIs to perform this specialized work.


How an IPS / IDS system works
Let's take a look at an IPS / IDS (also known as an IDP system).

The most common types of attack that IPS and IDS systems are used against are:

Policy violations: rules, protocols and packet formats that are violated. An example would be an IP packet of incorrect length.


Exploits: attempts to exploit a vulnerability in a system, application or protocol. An example would be a buffer overflow attack.


Reconnaissance: a discovery method used to obtain information about the system or network, such as using port scanners to see which ports are open.


DoS / DDoS: this is when an attacker attempts to take down your system by sending a large number of requests, such as in a SYN flood attack.
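To make the four categories concrete, here is an added example (not code from the original article) of a toy sensor that inspects a batch of constructed packet records and raises one alert per category: a length mismatch as the policy violation, an overlong header line as the exploit signature, a port scan as reconnaissance and a SYN burst as DoS. The thresholds, the header-length signature and the packet record format are all assumptions for the demo.

```python
from collections import defaultdict

# Thresholds are assumed tuning values for the demo, not vendor defaults.
SYN_FLOOD_THRESHOLD = 100   # SYNs from one source in the batch
PORT_SCAN_THRESHOLD = 10    # distinct destination ports probed by one source
MAX_HEADER_LEN = 1024       # constructed exploit signature: overlong header line

def classify(packets):
    """Return (category, src, detail) alerts for a batch of packet records.

    A packet is a dict: src, dst_port, flags, declared_len (what the IP
    header claims), actual_len (what arrived on the wire), payload (bytes).
    """
    alerts = []
    syn_count = defaultdict(int)
    ports_seen = defaultdict(set)
    for p in packets:
        # Policy violation: header length field disagrees with the real packet size.
        if p["declared_len"] != p["actual_len"]:
            alerts.append(("policy_violation", p["src"], "IP length mismatch"))
        # Exploit: signature match on an overlong header line (buffer overflow attempt).
        if any(len(line) > MAX_HEADER_LEN for line in p["payload"].split(b"\r\n")):
            alerts.append(("exploit", p["src"], "oversized header line"))
        # Pure SYNs (no ACK) are connection attempts; count them per source.
        if "S" in p["flags"] and "A" not in p["flags"]:
            syn_count[p["src"]] += 1
            ports_seen[p["src"]].add(p["dst_port"])
    # Reconnaissance: one source probing many distinct ports.
    for src, ports in ports_seen.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            alerts.append(("reconnaissance", src, f"port scan of {len(ports)} ports"))
    # DoS: SYN flood, a burst of half-open connection attempts from one source.
    for src, n in syn_count.items():
        if n >= SYN_FLOOD_THRESHOLD:
            alerts.append(("dos", src, f"SYN flood ({n} SYNs)"))
    return alerts

def make_packet(src, dst_port, flags="S", payload=b"", bad_len=False):
    """Build a constructed packet record (40-byte header assumed)."""
    length = 40 + len(payload)
    return {"src": src, "dst_port": dst_port, "flags": flags,
            "declared_len": length + (8 if bad_len else 0),
            "actual_len": length, "payload": payload}

def demo():
    """Constructed batch containing one instance of each attack category."""
    packets = [make_packet("10.0.0.5", port) for port in range(1, 21)]      # port scan
    packets += [make_packet("10.0.0.7", 80) for _ in range(150)]            # SYN flood
    packets.append(make_packet("10.0.0.9", 80, "A",
                               b"GET / HTTP/1.1\r\nHost: " + b"A" * 2000))  # exploit
    packets.append(make_packet("10.0.0.11", 443, bad_len=True))             # policy violation
    return classify(packets)
```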

IPS techniques to defend against attacks

Intrusion prevention sensors look at the header and payload portions of traffic for suspicious content that indicates malicious activity.


The IPS / IDS solution can detect threats using a signature database, using anomaly detection techniques that look for abnormal behavior within protocols, and can also use or integrate with antivirus for malware detection. Anomaly detection systems flag traffic that is not necessarily bad in itself but is used with bad intentions, such as heavy traffic meant to overwhelm a system; the TCP SYN flood attack is an example.


An IPS has the ability to take action based on defined policies, such as blocking a connection, raising alerts, logging the event, quarantining the host, or a combination of these. Policies define the rules that specify


IPS solutions also provide logging and alerts about recent attacks, so it should be easy to understand and track an attack, and they provide support tools that help block attacks. Clicking on an attack should also provide detailed information about it and what can be done to resolve it. IPS and IDS systems can search for attacks using different characteristics of an attack, such as attack name, affected applications, attack ID, etc.


IPS and IDS systems should be configured to use only the signatures they require and to protect only the required assets, since enabling every signature and protecting everything uses many more resources, such as CPU, memory and bandwidth. So, if it were a web server that required protection, then only web-server signatures should be used, and only the DMZ where the web servers are located should be protected. This can also be scoped by protocol, such as HTTP or RDP, by operating system, such as Unix or Windows, or by application, such as IIS or Adobe.


Attacks must have a severity level that is linked to a response such as blocking, quarantine, logging, notification, or a combination of these.
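The severity-to-response policy just described, the temporary or permanent block list mentioned in the IPS section, and the IDS-versus-IPS difference (alert only versus drop) can be shown in one small response engine. This is an added example, not code from the original article; the policy table, the 600-second block period and the injected clock are assumptions for the demo.

```python
import time

# Severity -> response policy. Values are assumed for the demo, not a vendor default.
# block_seconds=None means the source is blocked permanently.
POLICY = {
    "low":      {"log": True, "alert": False, "block": False},
    "medium":   {"log": True, "alert": True,  "block": False},
    "high":     {"log": True, "alert": True,  "block": True, "block_seconds": 600},
    "critical": {"log": True, "alert": True,  "block": True, "block_seconds": None},
}

class ResponseEngine:
    def __init__(self, inline, clock=time.monotonic):
        self.inline = inline      # True = IPS (inline, can drop); False = IDS (SPAN/TAP, alert only)
        self.clock = clock        # injectable clock so block expiry can be tested deterministically
        self.blocklist = {}       # source IP -> expiry timestamp, or None for permanent
        self.log = []
        self.alerts = []

    def is_blocked(self, src):
        if src not in self.blocklist:
            return False
        expiry = self.blocklist[src]
        if expiry is not None and self.clock() >= expiry:
            del self.blocklist[src]   # the limited block period has elapsed
            return False
        return True

    def handle(self, src, severity, detail):
        """Apply the policy for one alert; return the verdict for that packet."""
        rule = POLICY[severity]
        if rule["log"]:
            self.log.append((src, severity, detail))
        if rule["alert"]:
            self.alerts.append((src, severity, detail))
        if not (self.inline and rule["block"]):
            return "pass"   # an IDS can only record and alert, never block
        secs = rule["block_seconds"]
        self.blocklist[src] = None if secs is None else self.clock() + secs
        return "drop"

    def filter(self, src):
        """Verdict for an ordinary packet from src that raised no new alert."""
        return "drop" if self.inline and self.is_blocked(src) else "pass"
```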

IPS /IDS implementation

An IPS can be deployed in SPAN / TAP mode, inline, or as IPS on a stick. In SPAN / TAP mode, the IPS sensor receives a copy of each packet and can alert you to attacks, but cannot block them. This is good for initially testing the system and tuning policies before deploying it in inline mode. Inline is where the sensor sits in the network path and can both block and alert on attacks. If you are using a Cisco infrastructure, IPS can be deployed on a stick, where packets are forwarded to multiple IPS sensors using Cisco EtherChannel technology.
Some IPS solutions can be segregated into virtual IPS sensors, which is an option for shared environments or MSSPs.


Best practice is to create multiple policies for different resources. Define policies per network segment, or per interface or VLAN subinterface. Also define the traffic direction so that a policy protects only its target area, such as ingress from the Internet into the DMZ.
Host-based intrusion detection and network-based intrusion detection
There are a few different types of intrusion systems. First, there is host-based (HIDS) and network-based (NIDS). Network-based (NIDS) monitors the network for intrusions. Host-based sits on a computer and monitors the host itself. HIDS are expensive to deploy on every computer, so they are used for servers that require this additional protection, whereas network-based is generally cheaper, since the investment is in one device sitting in the network traffic path doing the monitoring.
HIDS and NIDS can also come as various types of intrusion systems:


Signature based
Signatures are created by vendors based on possible attacks and attacks that have occurred in the past. These signatures are programmed and downloaded by the intrusion software itself. Packets that reach the network are compared against the set of downloaded signatures to check for any attack. Signature-based systems are the most common; most UTM devices include signature-based intrusion detection / prevention. The one disadvantage of these systems is that they cannot detect new attacks, since they only compare traffic against the signatures the system currently has.


Anomaly-based
In an anomaly-based system, the system first needs to learn the NORMAL behavior of the network: its traffic and the set of protocols it carries. Once the system has learned the normal state of the network, the types of packets and the throughput it handles on a daily basis, taking into account peak hours such as lunch time for web browsing, it can be put into action. Now, when traffic that is outside the normal state of the network is detected, the anomaly-based detection system takes action.


The good thing about this type of system is that it can detect new attacks; it does not need to depend on signatures. The bad thing is that if you don't spend time tuning and maintaining the system, it will generally produce many false positives (stopping normal traffic). In addition, some smart hackers try to make their attacks look like normal traffic. This is usually difficult from a hacking perspective, but if done well, it can fool the anomaly detection system into treating the attack as normal, legitimate traffic.
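The learning phase, the per-hour baseline that keeps the lunchtime peak from being flagged, and the false-positive trade-off of the tuning threshold can all be shown in a toy anomaly detector. This is an added example, not code from the original article; the z-score threshold, the minimum sample count and the constructed week of traffic counts are assumptions for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

class AnomalyDetector:
    """Learn NORMAL connection volume per hour of day, then flag outliers.

    Keying the baseline on the hour means a daily lunchtime browsing peak is
    learned as normal instead of being reported as an attack every day.
    """
    def __init__(self, z_threshold=3.0, min_samples=5):
        self.z_threshold = z_threshold    # assumed tuning knob; lower it and false positives rise
        self.min_samples = min_samples    # refuse to judge an hour with too little history
        self.samples = defaultdict(list)  # hour -> observed connections per minute
        self.learning = True

    def observe(self, hour, conns_per_min):
        """Learning phase: record what the network normally does at this hour."""
        self.samples[hour].append(conns_per_min)

    def finish_learning(self):
        self.learning = False

    def score(self, hour, conns_per_min):
        """Return (is_anomaly, z) for a new observation at this hour."""
        if self.learning:
            self.observe(hour, conns_per_min)
            return (False, 0.0)
        hist = self.samples.get(hour, [])
        if len(hist) < self.min_samples:
            return (False, 0.0)    # no baseline for this hour, so do not alert
        mu, sigma = mean(hist), pstdev(hist)
        sigma = max(sigma, 1.0)    # floor avoids dividing by ~0 on a very flat baseline
        z = (conns_per_min - mu) / sigma
        return (abs(z) >= self.z_threshold, z)

def demo():
    """Constructed week of training data, then two observations of the same volume."""
    det = AnomalyDetector()
    for day in range(7):
        for hour in range(24):
            base = 200 if hour == 12 else 50          # lunchtime peak vs normal load
            det.observe(hour, base + (day % 3) * 5)   # small day-to-day jitter
    det.finish_learning()
    lunch_ok = det.score(12, 205)    # busy, but normal for lunch -> not an anomaly
    night_bad = det.score(3, 205)    # same volume at 03:00 -> anomaly
    return lunch_ok[0], night_bad[0]
```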


Rule based
Rule-based systems are more advanced and intelligent. A knowledge base programmed as rules, together with an inference engine, decides the outcome. If the defined rules match, for example, the engine can reach an assumption on which an action can be taken. This assumption is the power of the inference engine. The inference engine may assume that an attack is occurring because of any number of factors; this is unique and behaves like the human mind. In normal computing you cannot make assumptions, only decide yes or no, but the inference engine adds a different level of thinking: it adds "probably" to the list, like humans do. If it rains and it is hot, we can assume that it may thunder. If more traffic than usual left the company, and it came from a certain server, the inference engine may assume that the server could be compromised by a hacker.


Many IDS / IPS solutions have combined a detection system based on signatures and anomalies.


Note: If you find this article helpful, don't forget to comment and share it. This will encourage me and my team to write more good technical articles. Thanks!
