intrusion dps

Upload: comp-net

Post on 05-Apr-2018


  • 8/2/2019 Intrusion DPS

    1/26

    Intrusion Detection & Prevention System 1

Content

Introduction

What is Intrusion

What is IDPS

Principles

Components

Need of IDPS

Types of IDPS

Conclusion

Introduction

Intrusion Detection & Prevention Systems (IDPS) were invented in the late 1990s by Andrew Plato, a technical writer and consultant for Network ICE, USA.

The goal of computer network security is to improve

Confidentiality

Integrity

and Availability

What is an intrusion?

Intrusion is the act of entering (putting) oneself in without invitation, permission, or welcome.

It is any set of actions that threaten (damage) the integrity, availability, or confidentiality of computer network resources.

Intrusion prevention (authentication, encryption, etc.) alone is not sufficient. Intrusion detection is needed!!

Intrusion Detection/Prevention Systems (IDPS)

It is one type of computer network security in which unauthorized access to a computer system or a computer network can be detected.

In other words, it is a hardware or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

It is the combined application of IDS and IPS.

What processes does an IDPS involve?

Monitoring and analyzing network traffic.

Identifying abnormal activities.

Assessing severity and raising an alarm.

The primary responsibility of an IDPS is to detect unwanted and malicious activities.

Intrusion Prevention System (IPS)

IPS is not a new technology; it is simply an evolved version of IDS.

IPSs combine IDSs and improved firewall technologies: they make access control decisions based on application content, rather than on IP address or ports as traditional firewalls had done.

IPS is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Usually an IPS is a combination of a firewall and an IDS.

Terminology used in IDPSs

Risk: Accidental exposure of information, or violation of operations integrity due to the malfunction of hardware or incomplete or incorrect software design.

Vulnerability: A known or suspected flaw (error) in the hardware, software or operation of a system that exposes the system to penetration or its information to accidental disclosure.

Attack: A specific formulation or execution of a plan to carry out a threat.

Penetration: A successful attack.

Goal of IDPS

Detect a wide variety of intrusions.

Detect intrusions in a timely fashion.

Present analysis in a simple, easy-to-understand format.

Be accurate.

Minimize time spent verifying attacks and looking for them.

Minimize false positives and false negatives.

False positive: An event incorrectly identified by the IDPS as being an intrusion when none has occurred.

False negative: An event that the IDS fails to identify as an intrusion when one has in fact occurred.

Components of IDPS

1. Sensor or Agent: Monitors and analyzes activity.

2. Management Server: A centralized device that receives information from the sensors or agents and manages them.

3. Database Server: A repository for event information recorded by sensors, agents, and/or management servers. Many IDPSs provide support for database servers.

4. Console: A program that provides an interface for the IDPS's users and administrators.

[Figure: IDPS deployment diagram. Labelled elements: Database Server, Management Server, Servers, IDPS, Console, Work Station, Internet, Wireless Sensor, Core data centre, Access, Wireless Access Point]

General IDS Arch/Model

[Figure: general IDS architecture diagram. Components: Sensor, Analyzer, Manager, Administrator, Operator; Data Source / Activity feeds Events to the Sensor, Security Policy applies to each component; outputs are Events, Alerts, Notifications and Response]

Why Should IDPS Be Used?

Because it is a cost-effective way to:

Block malicious traffic,

Detect and contain worm and virus threats,

Serve as a network monitoring point,

Assist in compliance requirements, and

Act as a network sanitizing agent.

How Does an IDPS Work?

1. Recording information related to observed events.

2. Notifying security administrators of important observed events.

3. Producing reports.

4. The IPS stops the attack itself.

5. The IPS changes the security environment.

6. The IPS changes the attack's content.

What can an IDPS do?

An IDPS can detect and block:

OS, web and database attacks

Spyware / malware

Instant messenger

Peer to peer (P2P)

Worm propagation

Critical outbound data loss (data leakage)

What can IDPSs not do?

One of the most common problems with an IDPS is the occurrence of

false positives or

false negatives.

A false positive occurs when the system blocks an activity on the network because it is out of the normal and so it assumes it is malicious, causing denial of service to a valid user trying to do a valid procedure; in the case of a false negative, a malicious activity is allowed to go by.

Principles of Intrusion Detection/Prevention Systems

The IDPS must:

Run unattended for extended periods of time

Stay active and secure

Be able to recognize unusual activity

Operate without unduly affecting the system's activity

Be configurable

What Should Be Done After/While Detection Happens?

Reconfigure the firewall

Send e-mail/page to the system administrator

Terminate the TCP session

Authentication

Encryption

Types of IDPS Technologies

1. Network-Based

2. Host-Based

3. Wireless

4. Network Behavior Analysis, etc.

1. Network-Based: Monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity.

Types of IDPS Technologies (cont...)

2. Host-Based: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

3. Wireless: Monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols.

4. Network Behavior Analysis (NBA): Examines network traffic to identify threats that generate unusual traffic flows, such as DDoS attacks, scanning, and certain forms of malware.

Common Detection Methodologies

Signature-Based Detection compares known threat signatures to observed events to identify incidents.

Anomaly-Based Detection compares definitions of what activity is considered normal against observed events to identify significant deviations.

Stateful Protocol Analysis compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.
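As an added illustration (not part of the original slides), the following Python runs a signature-based and an anomaly-based detector, as defined above, over a constructed set of HTTP events and scores each one using the false positive / false negative definitions from the "Goal of IDPS" slide. The event data, the baseline and the two signatures are all constructed for this example.

```python
import re
from statistics import mean, pstdev

# Constructed sample HTTP events: (client, request path, bytes sent, is_intrusion).
# The last field is ground truth and is used only to score the detectors.
EVENTS = [
    ("10.0.0.5", "/index.html", 512, False),
    ("10.0.0.5", "/about.html", 640, False),
    ("10.0.0.7", "/login?user=admin' OR '1'='1", 700, True),
    ("10.0.0.9", "/cgi-bin/../../etc/passwd", 300, True),
    ("10.0.0.5", "/images/logo.png", 48000, False),  # large but benign download
    ("10.0.0.11", "/export", 900000, True),          # bulk outbound data loss
    ("10.0.0.5", "/contact.html", 450, False),
]

# Constructed baseline of bytes sent per request during normal operation;
# the anomaly detector derives its definition of "normal" from this.
BASELINE_BYTES = [500, 520, 480, 610, 550, 470, 600, 530]

# Signature-based detection: known threat patterns compared to observed events.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_detect(events):
    """Return the indexes of events whose request path matches a known signature."""
    return {i for i, (_, path, _, _) in enumerate(events)
            if any(sig.search(path) for sig in SIGNATURES.values())}

def anomaly_detect(events, baseline, z_threshold=3.0):
    """Return the indexes of events whose byte count deviates from the
    baseline by more than z_threshold standard deviations."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return {i for i, (_, _, nbytes, _) in enumerate(events)
            if sigma and abs(nbytes - mu) / sigma > z_threshold}

def score(events, hits):
    """Count false positives (benign flagged) and false negatives (intrusion missed)."""
    fp = sum(1 for i, ev in enumerate(events) if i in hits and not ev[3])
    fn = sum(1 for i, ev in enumerate(events) if i not in hits and ev[3])
    return fp, fn

if __name__ == "__main__":
    for name, hits in (("signature", signature_detect(EVENTS)),
                       ("anomaly", anomaly_detect(EVENTS, BASELINE_BYTES))):
        print(name, sorted(hits), "fp/fn =", score(EVENTS, hits))
```

The signature detector misses the bulk export it has no signature for (a false negative), while the anomaly detector catches it but also flags the benign large download (a false positive); this is the trade-off the "What can IDPSs not do?" slide describes.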

What to Consider When Buying an IDPS?

Speed / latency: Will the device perform under load?

Accuracy: How many attacks did it miss? How many false attacks did it block?

Signature Updates: Absolutely critical. How often the signatures are updated is a key indicator of how serious the vendor is about selling IPS.

High Availability: Will it do Active-Passive, Active-Active?

Fail Open: Will the device pass traffic in the event of a device failure?

Implementation

An effective IDPS does not stand alone; it must be supported by a number of other systems.

Among these systems the following are necessary:

Operating Systems: A good operating system that has logging and auditing features, e.g. Windows, Unix/Linux, and others.

Services: All applications on servers such as web servers, e-mail servers, and databases should include logging/auditing features as well.

Firewalls: A good firewall should have some network intrusion detection capabilities.

Network management platform

Hardware platform: Intel based, SPARC based

Conclusion

IDPS is a powerful security system and it is proving to make a significant impact in information systems.

There are limitations of IDPSs; however, these limitations can for the most part be worked around.

The amount of network bandwidth that can be handled by IDPS units has grown substantially.

Generally we can conclude that IDPSs are useful and have proven to make significant differences on large networks where many attacks are evident or happen.

THANK YOU 4 UR ATTENTION!!!!

Questions are appreciated!!