
Wednesday, March 4, 2020

Intrusion Detection and Prevention System

An Intrusion Detection System (IDS) can be defined as an automated security and defense system that detects hostile activities on a network or on a computer (host or node). In addition, an IDS attempts to prevent such malicious activities or reports them to the network administrator responsible for the environment. It is a second-line defense mechanism: its mechanisms come into play only when there is evidence of an intrusion or attack. The first line of defense is the one that tries to limit or prevent access to the environment, for example a firewall. The IDS can respond to some types of attack by working in conjunction with the first line of defense, for example by adding rules to the firewall or blocking the session in question. It can also report the malicious activities it finds to other network nodes.

What is IDS and how it works

According to the concepts described in one of the basic articles on IDS (see references at the end), intrusion detection can be defined as the process of monitoring the events that occur in a computer system or network and analyzing them for possible incidents: violations, or imminent violations, of the security rules of that environment. Incidents can have several causes, from the action of malware (worms, spyware, etc.) to attacks aimed at gaining unauthorized access to the environment in question.

The use of an IDS as a prevention system can involve everything from alerts to the network administrator and preventive checks to the blocking of a suspicious connection. That is, the intrusion detection process is to preventively identify and respond to suspicious activities that may violate the principles of integrity, reliability, and availability. In addition, IDS tools are able to distinguish whether an attack originated inside or outside the network in question. An IDS generally scans local files for traces of unsuccessful attempts to connect to the machine, or inspects the layers of the TCP/IP stack below the application layer, looking for example for changes in the IP protocol header fields.


What is IPS security?

Managed Security includes intelligent, automated and customized security management solutions, whatever the needs of your company.

The supervision and administration of company security is an increasingly complex task:

On the one hand, cyber threats are increasingly sophisticated. There are a large number of latent threats capable of rapidly mutating.

The traditional perimeter of corporate security has disappeared and the possible entry points have multiplied. To traditional equipment we must add the arrival of mobile devices, the cloud, social networks, and so on.

Nor can we forget the need to comply with multiple regulations and to safeguard brand and reputation. We must protect the competitive advantage and guarantee customer satisfaction, while also seeking efficiencies through automation in order to reduce costs.

In response to this context, a series of products grouped under the term Managed Security Services is emerging in the cybersecurity market. These group the usual services in this field (antivirus programs, firewalls, intrusion detection, updates, security auditing, content filtering, etc.), but adopt a new approach to the company's security needs: the services are managed by a third party that assumes responsibility for keeping them operational and monitored at all times.

In summary, a managed security services provider (MSSP) helps your organization by protecting your IT environment and mitigating the risks associated with security management. To do this, it analyzes any vulnerability and subsequently applies the necessary solutions.

Advantages of Managed IDS/IPS Services:

Cost reduction: using a managed security service usually saves costs compared to an organization investing in its own personnel, software and hardware.

Increase in experience and quality of service: outsourcing is a good solution especially for small and medium enterprises, which have difficulty recruiting qualified personnel in this area.

Security systems 24 hours a day, 365 days a year: many companies can only guarantee them during normal business hours.

Efficiency: greater agility in backup policies or in the management of patches and updates, among others.

Tuesday, March 3, 2020

WHAT IS AN INTRUSION DETECTION AND PREVENTION SYSTEM (IDS)

An intrusion detection and prevention system is essential to help security professionals detect and respond to attacks and anomalies, and allows them to study the origin and structure of cyber attacks in order to create improved tools and processes for counteracting future attacks.

So what is an intrusion detection and prevention system?

It is one of the tools used to protect information management infrastructures. Denning (1987) clearly defines these systems as: "the elements that detect, identify and respond to unauthorized or abnormal activities."

Intrusion detection systems (IDS) were the first to appear; they are responsible for monitoring and detecting suspicious behavior and events, both on hosts and on the network, in real time. These systems then evolved into intrusion prevention systems (IPS), which adopt a prevention and rapid-response approach to the suspicious events that occur, and whose analysis is often more complex. Today, IDS and IPS are still found separately or in combination (IDS/IPS), depending on the implementation required.

These systems can be implemented both on a network and on a particular host.

When deployed on a host, they can monitor all traffic directed to a specific computer and any unusual behavior that occurs in the system. When deployed on the network, they monitor all of the network's traffic and remain hidden from attackers, while executing predefined actions in response to attacks. There are also other categories of these systems, such as wireless IDS/IPS, deployed in wireless environments, and virtual IDS/IPS, deployed in virtual environments. IDS/IPS base their operation either on detecting events that match those recorded in previously defined rule files, or on looking for unusual behavior patterns against data learned from what are considered normal activities on the network or host. That is, when they detect an activity that is not normally performed, or a user who normally connects during the day suddenly connects at dawn, they will treat it as unusual or suspicious behavior.
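As an added illustration of the two approaches just described (example code, not from the original post), the following Python snippet learns each user's normal login hours from a constructed history log and then checks constructed live log lines against both a hypothetical signature rule and that learned baseline.

```python
import re
from datetime import datetime
# Constructed sample data (not from the original post): HISTORY_LOG is treated as
# known-normal activity, LIVE_LOG is the activity the IDS is asked to judge.
HISTORY_LOG = """\
2020-03-02 09:12:01 sshd accepted publickey for alice from 10.0.0.5
2020-03-02 14:40:17 sshd accepted publickey for alice from 10.0.0.5
2020-03-03 10:05:44 sshd accepted publickey for alice from 10.0.0.5
"""
LIVE_LOG = """\
2020-03-04 11:02:30 sshd accepted publickey for alice from 10.0.0.5
2020-03-04 04:31:55 sshd accepted publickey for alice from 203.0.113.9
2020-03-04 04:32:10 httpd GET /cgi-bin/test.cgi?cmd=/bin/sh from 203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")
LOGIN_RE = re.compile(r"accepted \S+ for (\S+) from (\S+)")
# Hypothetical signature rule set: (name, pattern, action an IPS would take on a match).
SIGNATURE_RULES = [("cgi-shell-attempt", re.compile(r"/cgi-bin/\S*cmd=/bin/sh"), "block")]

def parse(log_text):
    """Yield (timestamp, daemon, message) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def build_baseline(history_text):
    """Anomaly baseline: per user, the earliest and latest hour of day seen in normal logins."""
    window = {}
    for ts, _daemon, msg in parse(history_text):
        m = LOGIN_RE.search(msg)
        if m:
            lo, hi = window.get(m.group(1), (ts.hour, ts.hour))
            window[m.group(1)] = (min(lo, ts.hour), max(hi, ts.hour))
    return window

def detect(live_text, baseline):
    """Return alerts as (kind, detail, action). Signature hits carry the rule's action;
    a known user logging in outside the learned hours is reported, not blocked."""
    alerts = []
    for ts, _daemon, msg in parse(live_text):
        for name, pattern, action in SIGNATURE_RULES:
            if pattern.search(msg):
                alerts.append(("signature", name, action))
        m = LOGIN_RE.search(msg)
        if m and m.group(1) in baseline:
            lo, hi = baseline[m.group(1)]
            if not lo <= ts.hour <= hi:
                alerts.append(("anomaly", f"{m.group(1)} login at {ts.hour:02d}:00 from {m.group(2)}", "alert"))
    return alerts
```

Running `detect(LIVE_LOG, build_baseline(HISTORY_LOG))` flags the 04:31 login as an anomaly and the CGI request as a signature match, while the 11:02 login inside the learned window passes.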

Friday, February 28, 2020

INTRUSION DETECTION AND PREVENTION SYSTEMS INTRODUCTION

An IDS (Intrusion detection system) is software that automates the intruder detection process.

An IPS (Intrusion prevention system) is the software that has IDS capabilities and can also try to stop possible incidents.

An IDPS (Intrusion detection and prevention system) focuses on identifying possible incidents, logging information about them, trying to stop them and reporting them to security administrators. It records the important events it observes and then produces reports from them.

There are techniques for responding to the detection of an intruder, such as changing security measures (e.g., reconfiguring the firewall) or changing the content of what is being attacked.

The choice of IDPS technology depends on the type of event being monitored and on how those events unfold.

There are many types of IDPS technologies, which differ mainly by the type of events they are able to identify and the methodologies used to identify incidents. However, all types of IDPS technology typically perform the following functions:

Record information related to the observed events: the information is usually stored locally, or it can be sent to separate systems such as logging servers.

Notify system administrators about important observed events: these notifications, commonly known as alerts, can be delivered through different methods such as emails or syslog messages.

Generate reports: summaries of the monitored events.


Thursday, February 27, 2020

Types of IPS


Host-based intrusion prevention system (HIPS)

This system works in a similar way to a HIDS. The checks are performed on the machine on which it is installed; however, in addition to detecting the attack, it acts on the results of the analyses it carries out.

It has direct access to the machine's operating system and the kernel itself, thus being able to control access to the file system, configuration and system logs.

Another distinguishing feature of HIPS is that it identifies suspicious behavior in the operating system, instead of only comparing signatures.

In addition, HIPS makes it possible to inspect network traffic after the host has decrypted the packets, enabling the detection of attacks carried in encrypted traffic, something that is not possible with NIPS and NIDS.


Network-based intrusion prevention system (NIPS)

This type of system, on the other hand, is based on an inline device, which can be a router or a switch, since they forward packets between networks. Whenever an attack is identified, decisions are made based on predefined rules, and it is these rules that block the suspected attack.

NIPS has the property of dropping the connection, thus preventing packets from reaching their destination, just as firewalls do.

There are several other types of IDS/IPS systems; here we have mentioned the most common and widely used ones, but you can find more by consulting this material: