
Sunday, January 17, 2016

IDS and IPS


IPS model hardware: 4240,4260,4270

Defend the network !!!

IPS & IDS: a system that inspects network traffic and looks for patterns that identify malicious traffic on the network.

Two methods to put IPS and IDS devices on the network.
1. Inline / sensor: traffic must pass through the device. E.g. in the figure above we can place the IPS device between the router and the server, so that any traffic between router f4/0 and the server passes through the IPS.
Benefit: the sensor checks for malicious traffic and drops it on a match. An IPS can drop the attack before it reaches the service. An IDS can't stop traffic inline.

2. IDS / promiscuous mode: one of the switch ports placed between the router and the server is connected to the IDS. For any traffic sent from router f4/0 to the server, a copy is forwarded to the IDS.
Disadvantage: this can't stop the malicious packet immediately. The advantage is that there is no added latency and no delay.

If the IPS goes down, no traffic will flow, but we can configure fault tolerance. If the IDS goes down, traffic will still flow.

Result:
For a high-security environment use IPS; for a lower-security environment use IDS.

Another term for IDS mode is promiscuous mode. If any malicious traffic is found, the IDS informs the router and the firewall/switch and asks them to block it. To achieve this the firewall writes SHUN commands, and on the router we can use access-lists.

Another substitute for IPS hardware: on a router we can install a software-based IPS, also known as IOS IPS. The negative of running this is overhead on the router, since the same signatures are used on the router as on a dedicated IPS. For a small office this should work.

Another option is an IPS hardware module for the IOS router.

Another option is to install a hardware module on the ASA as well.

We can also use an IDS blade inside 6500 switches. It can work in IPS or IDS mode.

There is also host-based IPS which is basically installed on critical servers.

True positive: malicious traffic is found and it is dropped.
False positive: the traffic is not malicious, but the IPS mistakenly took a countermeasure and dropped it.
True negative: no malicious traffic and no event triggered.
False negative: these are the most harmful. Something malicious happened, but the IPS didn't see it as malicious traffic.

How does the IPS know traffic is malicious?
Signature based, policy based and anomaly based.

One identification method is signature matching.
One signature can be a ping sweep.
Ping sweep: one single IP address sends ICMP echo requests to a whole range of devices.
Another signature can identify a port scan.
Port scan: device A sends TCP SYN to device B on multiple ports, say 1024, 1025 and so on.

Another method is policy based.
E.g. in our network telnet should never be used, so if we see any TCP traffic destined to port 23 we can trigger an alarm.

Anomaly based:
Say our baseline is that on average we accept or see 20 half-open sessions in 60 seconds. If this baseline is violated, it is an indication of a worm on the network. This is called anomaly-based identification.
In this case we can do rate limiting, packet filtering or dropping of traffic.
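A small detector that applies the three identification methods above (the ping sweep and port scan signatures, the "no telnet" policy, and the half-open session baseline) to a constructed set of flow records. This is an added example, not code from the original post; the record format, the thresholds and the assumption that all records fall in one 60-second window are mine.

```python
from collections import defaultdict

# Constructed sample flow records, all assumed to fall in one 60-second window:
# (src, dst, proto, dst_port, tcp_state). None marks fields that do not apply.
RECORDS = (
    [("10.0.0.5", f"10.0.1.{i}", "icmp", None, None) for i in range(1, 21)]       # ping sweep
    + [("10.0.0.9", "10.0.1.50", "tcp", p, "SYN_SENT") for p in range(1024, 1049)]  # port scan
    + [("10.0.0.7", "10.0.1.60", "tcp", 23, "ESTABLISHED")]                          # telnet
)

PING_SWEEP_MIN_HOSTS = 10   # signature: one source pinging many hosts (assumed threshold)
PORT_SCAN_MIN_PORTS = 8     # signature: one src->dst pair, many TCP ports (assumed threshold)
BANNED_PORTS = {23}         # policy: telnet must never be used
HALF_OPEN_BASELINE = 20     # anomaly: accepted half-open sessions per 60 s (from the post)

def detect(records):
    """Return (method, description) alerts for the signature, policy and anomaly checks."""
    alerts = []
    icmp_targets = defaultdict(set)   # src -> set of ICMP echo destinations
    tcp_ports = defaultdict(set)      # (src, dst) -> set of TCP ports tried
    half_open = 0
    for src, dst, proto, port, state in records:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            tcp_ports[(src, dst)].add(port)
            if port in BANNED_PORTS:
                alerts.append(("policy", f"telnet from {src} to {dst}:{port}"))
            if state == "SYN_SENT":   # SYN sent, handshake never completed: half-open
                half_open += 1
    for src, targets in icmp_targets.items():
        if len(targets) >= PING_SWEEP_MIN_HOSTS:
            alerts.append(("signature", f"ping sweep from {src} ({len(targets)} hosts)"))
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            alerts.append(("signature", f"port scan {src}->{dst} ({len(ports)} ports)"))
    if half_open > HALF_OPEN_BASELINE:
        alerts.append(("anomaly", f"{half_open} half-open sessions in 60 s exceed baseline"))
    return alerts

def respond(alerts, mode):
    """Map alerts to countermeasures: an inline IPS can deny, a promiscuous IDS only alerts."""
    action = "deny" if mode == "ips" else "alert"
    return [(action, desc) for _, desc in alerts]

if __name__ == "__main__":
    for method, desc in detect(RECORDS):
        print(f"[{method}] {desc}")
```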

Reputation based: using resources outside on the internet, block traffic based on reputation.

For IPS we can deny traffic, i.e. deny the connection, deny the IP address or deny the packet. We can also do logging, and we can raise an alert and send it to the management station.

SDEE (Security Device Event Exchange) is a protocol used to send alerts to the management station.

Do a TCP reset when any TCP-based attack is found.
We can send an SNMP trap to the SNMP manager in case of an SNMP attack.

Countermeasures:
Deny (IPS)
Block (IPS and IDS)
Alert
Log
TCP reset
SNMP trap


IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are both security solutions designed to protect networks from unauthorized access, malicious activities, and security threats. However, they differ in their primary functions and capabilities:

1. **Intrusion Detection System (IDS)**:
   - An IDS is a passive security monitoring tool that analyzes network traffic and system logs to detect and alert on suspicious or potentially malicious activities.
   - IDS monitors network traffic and system events in real-time, looking for patterns and signatures indicative of known attacks, anomalies, or policy violations.
   - When an IDS detects suspicious activity, it generates alerts or notifications to alert security personnel, allowing them to investigate and respond to potential security incidents.
   - IDS does not take automated actions to block or mitigate threats; it only provides detection and notification capabilities, leaving response actions to be handled by security administrators.

2. **Intrusion Prevention System (IPS)**:
   - An IPS is an active security enforcement tool that not only detects but also takes automated actions to prevent or block detected threats in real-time.
   - IPS performs the same functions as an IDS, continuously monitoring network traffic and system events for signs of suspicious activity.
   - In addition to detection, an IPS has the ability to dynamically block or mitigate identified threats by dropping or modifying network packets, terminating connections, or taking other predefined actions.
   - IPS can be deployed in inline mode, where it actively intercepts and inspects network traffic in real-time, or in passive (promiscuous) mode, where it only sees a copy of the traffic but still has the capability to take automated actions when necessary.
   
In summary, while both IDS and IPS are used for network security monitoring and threat detection, the primary difference lies in their ability to take automated actions to prevent or mitigate detected threats. IDS provides passive detection and alerting capabilities, while IPS offers active prevention and enforcement capabilities by blocking or mitigating identified threats in real-time. Organizations often use both IDS and IPS in conjunction to provide comprehensive network security protection.
