Module20

An Intrusion Detection System (IDS) monitors network activity to identify potential security risks, while an Intrusion Prevention System (IPS) actively blocks threats in real-time. Both systems work together to enhance cybersecurity by providing alerts for analysis and risk mitigation. The document also discusses the operation, deployment, and types of IDS/IPS, as well as the role of honeypots in cybersecurity.

Uploaded by

Nilabha sadhu

Intrusion Detection and Prevention System

An intrusion detection system (IDS) monitors system or network
activity and uses signature-, anomaly-, or heuristic-based detection
to find possible security risks. It notifies administrators of
possible problems, allowing for prompt action. An Intrusion Prevention
System (IPS), on the other hand, adopts a more proactive approach by
actively stopping hostile activity in addition to detecting it. IPS
provides instantaneous protection against known threats by
automatically blocking or filtering suspicious traffic in real time.
Together, IDS and IPS offer warnings for post-incident analysis and
dynamic risk mitigation, ensuring both detection and prevention in the
ever-evolving world of cyber threats.
How IDS/IPS Operates
1. Information Gathering: IDS/IPS continuously monitors device
   actions, system records, and network traffic to collect data.
2. Methods of Detection:
   a. Signature-Based Detection: Compares observed patterns against a
      database of recognized attack signatures.
   b. Anomaly-Based Detection: Spots departures from predetermined
      parameters or typical behaviour.
   c. Heuristic-Based Detection: Utilizes behavioural patterns and
      predetermined rules.
3. Evaluation and Association: Examines gathered information to find
   possible security issues or dangers. Correlating data from
   different sources improves accuracy and lowers false positives.
4. Creation of Alerts: Creates notifications or warnings when
   suspicious activity that may indicate a security threat is found.
   Alerts include information about the attack's nature, severity,
   and the systems affected.
5. Notification: Sends alerts about identified events to system
   administrators or security staff, allowing for quick action.
6. Reaction (IPS): An Intrusion Prevention System uses automated
   procedures to stop or lessen detected threats. This could entail
   changing firewall rules, filtering or blocking harmful traffic, or
   executing other predetermined responses.
7. Reporting: Provides detailed reports on discovered incidents,
   including the threat's nature, an impact analysis, and suggested
   preventative measures.
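The steps above in miniature, as an added example that is not part of the original document: a signature check and an anomaly check run over constructed flow records, correlated per source into one alert each, with an IPS-style block list derived from severity. The signature, the port-count baseline and the sample records are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flow records, not real traffic: (time, src_ip, dst_port, payload).
SAMPLE_EVENTS = [
    (1, "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    (2, "10.0.0.5", 80, "GET /files?name=../../etc/passwd HTTP/1.1"),
    (3, "10.0.0.9", 22, "SSH-2.0-client"),
] + [(4 + i, "10.0.0.7", 1000 + i, "") for i in range(25)]  # one host touching 25 ports

# Constructed signature database: rule id -> (pattern, severity).
SIGNATURES = {"SIG-TRAVERSAL": (re.compile(r"\.\./\.\./"), "high")}
# Constructed baseline: how many distinct ports a normal host contacts in one window.
MAX_PORTS_PER_SRC = 10
SEVERITY = {"low": 0, "medium": 1, "high": 2}

def signature_detect(events):
    """Step 2a: compare each payload against the known attack signatures."""
    hits = []
    for ts, src, port, payload in events:
        for rule, (pattern, sev) in SIGNATURES.items():
            if pattern.search(payload):
                hits.append({"time": ts, "src": src, "port": port, "rule": rule, "severity": sev})
    return hits

def anomaly_detect(events):
    """Step 2b: flag sources whose port fan-out departs from the baseline."""
    ports = defaultdict(set)
    for _, src, port, _ in events:
        ports[src].add(port)
    return [{"src": src, "rule": "ANOM-PORT-SWEEP", "severity": "medium", "ports": len(p)}
            for src, p in ports.items() if len(p) > MAX_PORTS_PER_SRC]

def correlate(findings):
    """Step 3: group findings per source so one noisy host yields one alert, not many."""
    per_src = defaultdict(list)
    for f in findings:
        per_src[f["src"]].append(f)
    return [{"src": src, "rules": sorted({f["rule"] for f in fs}),
             "severity": max((f["severity"] for f in fs), key=SEVERITY.get)}
            for src, fs in per_src.items()]

def run_ids_ips(events, block_at="high"):
    """Steps 4-6: build alerts and, IPS-style, derive a block list for severe ones."""
    alerts = correlate(signature_detect(events) + anomaly_detect(events))
    blocked = sorted(a["src"] for a in alerts if SEVERITY[a["severity"]] >= SEVERITY[block_at])
    return alerts, blocked

if __name__ == "__main__":
    for alert in run_ids_ips(SAMPLE_EVENTS)[0]:
        print(alert)
```

Lowering `block_at` to "medium" turns the anomaly-only host into a blocked source as well, which is the trade-off between IPS coverage and false-positive cost that step 3 tries to manage.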
Workflow of IDS/IPS

Structure of IDS/IPS
1. Sensors: Record and keep an eye on system or network activity.
Strategically placed on individual devices or at network entry
points.
2. Detection Engines: Analyse collected data using signature-
based, anomaly-based, or heuristic-based techniques. Identify
patterns or deviations indicative of potential security
threats.
3. Response Mechanisms (IPS): Automated reaction mechanisms in
IPS are activated in response to threats that are identified.
Firewall rules can be changed, malicious traffic can be
blocked, or other preventive measures can be put in place.
4. Management Console: Offers a centralized interface for configuring,
managing, and monitoring the IDS/IPS. Enables administrators to
examine warnings, adjust settings, and analyse reports.
5. Alerting System: Notifies administrators of possible security
incidents by creating alerts in real-time. Information
essential for quick and well-informed decision-making is
included in alerts.

Deployment of IDS and IPS


It is not strictly necessary to deploy Intrusion Prevention Systems
(IPS) and Intrusion Detection Systems (IDS) in parallel; rather,
this is a common convention that has developed based on the typical
functions and goals of IPS and IDS. Here's a breakdown of the
reasoning:

1. IDS Deployed Vertically:
o Detection Emphasis: Without actively stopping or
halting it, the main goal of intrusion detection
systems (IDS) is to identify and analyze network
data for indications of questionable or hostile
activity.
o Single Point of Analysis: A single point of analysis
is made possible by the vertical deployment of IDS.
In addition to offering a thorough view of network
activity for detection purposes, it streamlines
management.
o Alert Generation: IDS sends out alerts to
administrators so they may look into any risks and
take necessary action.
2. IPS Deployed in Parallel:
o Prevention Emphasis: Based on the dangers that have
been detected, IPS is built to actively prevent and
stop harmful actions. It goes beyond detection by
taking immediate action to stop or mitigate attacks.
o Distributed Prevention: By deploying IPS in
parallel, the network's preventive systems are
dispersed. This provides for more precise control
over the locations and methods of applying
preventative measures.
o Redundancy and Scalability: Parallel deployment provides
redundancy and scalability. If one IPS device fails, the others
continue to protect the network, and as the network expands,
capacity is added simply by deploying more IPS devices.
Deployment of IDS and IPS in a Network

Hybrid Deployments: In some cases, organizations opt for a hybrid
approach, leveraging both vertical and parallel deployment models.
Difference between Firewall and IDS/IPS

Functionality
  Firewall: Serves as a line of defence between untrusted external
  networks and trusted internal networks. Regulates all traffic, both
  inbound and outbound, according to pre-set security criteria.
  IDS/IPS: Tracks and examines system or network activity in order to
  find and address security issues. In the case of an IPS, can
  actively prevent or block threats that are discovered.

Deployment
  Firewall: Located between network segments or at network
  perimeters. Filters data according to predefined guidelines.
  IDS/IPS: Installed on the network to track and examine both inbound
  and outbound traffic. Can be positioned on individual devices or in
  different locations, such as network edges.

Traffic Handling
  Firewall: Permits or prohibits traffic according to pre-established
  guidelines, including IP addresses, ports, and protocols.
  IDS/IPS: Examines traffic patterns for indications of potentially
  harmful activities. Creates notifications or acts preventively in
  real time.

Awareness
  Firewall: Is not deeply aware of particular anomalies or attack
  signatures. Primarily concerned with rule-based traffic filtering.
  IDS/IPS: Actively searches for anomalous activity and recognized
  attack patterns (based on signatures).

Active Response
  Firewall: Basically a passive system that uses rules to determine
  whether to allow or prohibit traffic. It stops specific traffic in
  response to detected threats but takes no further action.
  IDS/IPS: An IPS actively blocks or prevents malicious behaviour in
  response to threats that are detected.

Level of Inspection
  Firewall: Examines network- and packet-level traffic. Concentrates
  on the connection state and basic header information.
  IDS/IPS: Conducts more thorough packet inspection, looking for
  indications of potential attacks in content and behaviour.

Granularity
  Firewall: Based on broad rules, it offers coarse control over
  traffic. It usually carries out network- and transport-layer policy
  enforcement.
  IDS/IPS: Provides more detailed inspection and detection by
  focusing on particular behaviours or signatures.

Role in Security
  Firewall: A fundamental element of network security that regulates
  the flow of traffic. It is frequently combined with additional
  security measures to provide complete protection.
  IDS/IPS: An advanced security incident detection and response
  technology. Increases network security by offering tools for
  detecting and preventing intrusions.

Types Of Intrusion Prevention System

A few different types of IPS exist, each with somewhat distinct
capabilities:
1. WIPS: Specifically designed to monitor and protect wireless
networks. Detects and prevents unauthorized access points, rogue
devices, and other security threats in wireless environments. Ensures
the security of Wi-Fi networks by monitoring for unusual or malicious
activity.
2. NIPS: Also known as a network intrusion prevention system, this
type of IPS is deployed only at critical locations so that it can
screen all company traffic and look for threats.
3. NBA: Also known as network behaviour analysis, this type analyses
network traffic to identify unusual traffic patterns, such as those of
DDoS attacks.
4. HIPS: In contrast to NIPS, HIPS is implemented on a single
endpoint, such as a PC, and is solely responsible for monitoring both
incoming and outgoing traffic specific to that endpoint. Its optimal
deployment is in conjunction with NIPS, serving as the final layer of
defence against threats that may have bypassed the network-based
protection.

Snort

Snort is an open-source, lightweight, and widely used intrusion
detection and prevention system (IDS/IPS) created by Sourcefire, a
company that is now part of Cisco. It examines network traffic in
order to identify and stop a range of security risks, including
intrusions, exploits, and suspicious activity. Snort is especially
well known for its extensibility, adaptability, and real-time traffic
analysis capabilities.

Honeypots
A honeypot is a kind of Internet security tool used to lure in
cybercriminals and trap them when they attempt to breach the network
for any unauthorized purpose. Honeypots are typically installed in
order to monitor an attacker's activities within the network and help
the company develop more effective preventative measures against such
intrusions. Since the honeypot is a decoy that aids in recording
network traffic, it does not contain any valuable data. Let's take an
example of two Nmap scan results for a system with and without the
honeypot active.

Result of Nmap scan when Honeypot is not active on Target System

Result of Nmap scan when Honeypot is active on Target System

In the honeypot, all the activities performed are logged.

Types of Honeypots:

Low-Interaction Honeypots: They emulate a relatively small set of
services and applications that exist on the system or on the network.
You can use this kind of honeypot to monitor TCP, ICMP, and UDP ports
and services. Here, fictitious files, databases, and other data are
employed as bait to entice attackers and to help defenders understand
the kinds of attacks that could occur in real life. A few
low-interaction tools are KFSensor, Specter, Honeytrap, and others.
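A minimal low-interaction TCP decoy of the kind described above, written for this page as an added example (it is not code from the document or from any of the tools it names): one listening port, a fake service banner, and a log entry for whoever connects and whatever they send first, which is the "all activities are logged" behaviour the Nmap comparison illustrates. The banner text and the `probe` client are constructed so the example can be exercised on loopback without any scanner.

```python
import socket
import threading
import time

# Constructed fake banner; a real deployment mimics whatever service it pretends to be.
BANNER = b"220 mail.example.test ESMTP ready\r\n"

class TcpHoneypot:
    """Low-interaction decoy: one TCP port, a fake banner, log what arrives, close."""
    def __init__(self, host="127.0.0.1", port=0):   # port 0: let the OS pick a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []   # the activity log is the whole point of a honeypot

    def _handle(self, conn, peer):
        with conn:   # there is no real service behind the banner
            conn.sendall(BANNER)
            conn.settimeout(1.0)
            try:
                data = conn.recv(1024)   # capture the visitor's first request
            except socket.timeout:
                data = b""
        self.events.append({"time": time.time(), "src": peer[0], "sport": peer[1],
                            "dport": self.port, "data": data.decode("latin-1")})

    def serve_forever(self):
        while True:
            conn, peer = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def wait_for_events(self, count, timeout=3.0):
        """Poll the log until `count` events exist or the timeout expires."""
        deadline = time.time() + timeout
        while len(self.events) < count and time.time() < deadline:
            time.sleep(0.05)
        return list(self.events)

def probe(port, payload=b"EHLO scanner.test\r\n"):
    """Constructed client standing in for a scanner so the example runs offline."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner
```

Every connection, including a scanner's banner grab, ends up in `events` with source address, port and the first bytes sent, which is the data a defender then correlates with the IDS alerts.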

Medium-Interaction Honeypots: Their foundation lies in mimicking real
operating systems, with the features and applications of a target
network. Since their goal is to delay the attacker and give the
company more time to react to the threat, they typically gather more
information. A few medium-interaction tools are HoneyPy, Cowrie, and
so on.

High-Interaction Honeypots: These are real, vulnerable programs that
are installed on a real operating system and contain a variety of
programs that are often found on a production system. These honeypots
collect richer information, but they are challenging to maintain. A
honeynet is an example of a high-interaction honeypot.

Pure Honeypots: Typically, these honeypots mimic an organization's
real production environment, leading an attacker to believe it to be
authentic and to devote greater effort to its exploitation. The
organization is informed as soon as the attacker attempts to identify
weaknesses, allowing for the early prevention of any kind of attack.
