Many people are familiar with network devices such as firewalls and routers/modems but have never heard of an IDS or IPS.

In today’s complex and expansive network environment, the standard all-in-one firewall solution does not do the complete job of protecting enterprise networks and devices. While the possibility of attacks cannot be completely eliminated, security threats are reduced by following the three principles of Cyber Security (commonly known as CIA) and by implementing cyber security devices such as an Intrusion Detection System and an Intrusion Prevention System. An IPS and IDS solution is critical to the security of enterprise networks.

Network Security Metrics:

Confidentiality (C) – This metric measures how the confidentiality of a system is breached when an attack exploits a system vulnerability. Confidentiality means limiting access to only the people who need it, and preventing access by anyone who does not specifically need access to the system.

Integrity (I) – The integrity metric is based on whether information that should not be accessible can be accessed by the hacker, or whether certain information can be modified because of a vulnerability.

Availability (A) – The availability metric is based on the impact on the availability of the system. Availability of the system includes factors such as network bandwidth, processor cycles and disk space, which all contribute to the availability metric score of the system.

An Intrusion Detection System (IDS) is a device that helps monitor network security by listening for malicious traffic or security violations occurring within a network. The device reports potential threats to the network administrator or other appropriate network personnel.

An Intrusion Prevention System (IPS) is an Intrusion Detection System that also has the ability to block attacks and intrusive behavior by hackers. An IPS uses real-time packet inspection to look inside each network packet that traverses the network and determine whether the traffic is dangerous or not.

Why do I need an IPS and IDS System for my network? Isn’t a firewall enough?

With an IDS and IPS solution in place, the system administrator can easily be notified when a potential attack is occurring. A firewall may be breached without anyone’s knowledge, and an attack could then occur. Without an intrusion detection system in place, an attack could be carried out without users being aware of it. This is known as a backdoor attack.

An IPS system prevents the following types of attacks:

• Denial of Service

• Distributed Denial of Service (DDoS)

• Worms and Viruses

If a packet is determined to be a threat, the IPS blocks the attack using one of three methods:

1. Dropping the TCP packet and blocking the source IP address. Any communication from that IP address will be blocked in future requests.

2. Configuring the firewall to stop that type of attack

3. Removing malicious content on the network. Repackaging payloads to make files more secure.

What solutions are available to implement an IDS and IPS system?

Snort is an open-source Intrusion Detection and Prevention System (IDS and IPS). It uses rule-based threat detection to stop attacks on the network. It can be installed on a Linux or Windows system and is able to function as either an Intrusion Detection System or an Intrusion Prevention System.

Snort consists of four components:

• Packet Decoder – The packet decoder sets pointers on each network packet to track the data, network, transport, and application layers.

• Detection Engine – The detection engine looks at each network packet and analyzes the packets based on rulesets.

• Logger – The logger records the packets that match the set of rules and translates the alerts into a human-readable format.

• Alerter – The alerter notifies the network administrator of any possible threats that match a ruleset, via a file, sockets, or a database.
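To make the four components concrete, here is an added toy sensor (example code written for this article, not Snort's own code) that runs constructed packets through a decoder, a rule-based detection engine, a logger and an alerter, and in inline (IPS) mode applies the first blocking method described above: drop the packet and block the source IP for all future requests. The rules, packets and addresses are all made up, and the rule format only loosely imitates Snort's header fields, `content` option and alert/drop actions.

```python
from dataclasses import dataclass, field

# Constructed rules (hypothetical; loosely imitating Snort's header, content option and actions)
RULES = [
    {"sid": 1000001, "action": "drop", "proto": "tcp", "dport": 80,
     "content": b"/etc/passwd", "msg": "WEB path traversal attempt"},
    {"sid": 1000002, "action": "alert", "proto": "tcp", "dport": 22,
     "content": None, "msg": "POLICY inbound SSH connection"},
]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes

def decode(raw: dict) -> Packet:
    # Packet Decoder: pull the network, transport and application fields out of the frame
    return Packet(raw["src"], raw["dst"], raw["proto"], raw["dport"], raw["payload"])

def detect(pkt: Packet, rules=RULES) -> list:
    # Detection Engine: a rule matches when its header and its content option both match
    hits = []
    for r in rules:
        if r["proto"] != pkt.proto or r["dport"] != pkt.dport:
            continue
        if r["content"] is not None and r["content"] not in pkt.payload:
            continue
        hits.append(r)
    return hits

@dataclass
class Sensor:
    inline: bool = False                         # False = IDS (alert only), True = IPS
    blocked: set = field(default_factory=set)    # source IPs blocked for future requests
    log: list = field(default_factory=list)      # Logger: human-readable records
    alerts: list = field(default_factory=list)   # Alerter: (sid, source IP) notifications
    def process(self, raw: dict) -> str:
        pkt = decode(raw)
        if self.inline and pkt.src in self.blocked:
            return "drop"                        # every later packet from a blocked IP
        hits = detect(pkt)
        for r in hits:
            self.log.append(f"[{r['sid']}] {pkt.src} -> {pkt.dst}:{pkt.dport} {r['msg']}")
            self.alerts.append((r["sid"], pkt.src))
        if self.inline and any(r["action"] == "drop" for r in hits):
            self.blocked.add(pkt.src)            # drop the packet and block the source IP
            return "drop"
        return "pass"
```

In IDS mode the same packets only produce log entries and alerts; in IPS mode the matching packet is dropped and later packets from its source never reach the detection engine.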