Intrusion Detection System Vs. Intrusion Prevention System

December 29, 2018


An Intrusion Detection System (IDS) is a computer security system that monitors network traffic for malicious activity and alerts the network administrator when malicious activity is detected. An IDS performs passive monitoring and is deployed in passive/promiscuous mode. An IDS can detect malicious activity but cannot prevent it. IDS capabilities include:

  • Monitoring of malicious activity
  • Auditing of malicious activity
  • Forensics on malicious activity
  • Reporting of malicious activity

Figure 1: Intrusion Detection System

  1. The attacker sends malicious traffic via the internet to the target host.
  2. The data packets reach both the network and the IDS.
  3. In the IDS, the packet is inspected by the sensor.
  4. The log report is stored on the management console.

An Intrusion Prevention System (IPS) is a computer security mechanism that inspects network traffic for malicious activity (security threats or policy violations) and takes action against detected activity. IPS capabilities include:

  • Identify any malicious activity on the network.
  • Send an alarm to the network administrator when malicious activity is detected on the network.
  • Drop the malicious packets.
  • Block traffic from the source address the malicious packets arrived from.
  • Record the activity on the management console.
  • Reset the connection.

An IPS performs active monitoring and is deployed in inline mode. IPS can be divided into two types: host-based IPS and network-based IPS.

Figure 2: Intrusion Prevention System

  1. The attacker sends malicious traffic via the internet to the target host.
  2. The data packet reaches the IPS and is inspected by the sensor.
  3. The log report is stored on the management console and the actions taken are recorded.
  4. The malicious packet is sent to the bit bucket and dropped.

Steps 3 and 4 happen at the same time.

COMPARISON BETWEEN IDS AND IPS

  IDS: Implemented in passive/promiscuous mode
  IPS: Implemented in inline mode

  IDS: Performs passive monitoring
  IPS: Performs active monitoring

  IDS: Can detect malicious traffic and alert about it in detail
  IPS: Can block malicious traffic and drop it into the bit bucket

  IDS: No impact on network performance, even if a sensor failure or overload occurs
  IPS: Some impact on network performance; slows down traffic on the network, and a sensor failure stops the traffic flow (single point of failure)

  IDS: Cannot stop malicious traffic from reaching the destination
  IPS: Can stop any type of malicious traffic from reaching the destination

TYPES OF IPS

There are two types of IPS.

Host-based IPS: A popular technology nowadays, because users need only basic knowledge of the network. Each host device has its own IPS. It inspects and protects the operating system (OS) and the processes specific to that host. Encrypted traffic can be inspected. Rules need to be specified for each device. The main disadvantage is that the IPS does not have a view of the overall network.


Figure 3: Host-based IPS

 

Network-based IPS: Only one IPS is implemented for the whole network. Users need advanced knowledge of the network. Sensors are placed at designated network points. Only plaintext traffic can be inspected. Rules need to be specified for the overall network. The main advantage is that attacks on the overall network can be seen, because a network-based IPS has a view of the whole network. The disadvantages are a network bottleneck and a single point of failure.


Figure 4: Network-based IPS

DETECTION AND PREVENTION

Signature: A signature is a set of rules that an IDS/IPS uses to represent malicious behavior. When an IDS/IPS scans network traffic, it uses signatures to detect known malicious behavior and take action against it before it reaches the destination. If a new malicious behavior is identified that is not covered by the current signatures, a new signature must be created and uploaded to the IDS/IPS. The created file is called a “signature file”.

Signatures have three distinct attributes:

Signature type: Atomic signature and stateful signature

  • Atomic: examines a single packet or activity. If an alarm is triggered, a single signature action is performed. Does not require the IDS/IPS to maintain state information.
  • Stateful: examines multiple packets or activities. Performs multiple signature actions. The IDS/IPS needs to maintain state information. The length of time that a signature maintains state information is called the “event horizon”.

Signature trigger: Pattern-based, anomaly-based, policy-based and honeypot-based

  • Pattern-based detection: searches for specific known signatures. Triggers an action if a match is detected.
  • Anomaly-based detection: first, the normal behavior of the network is specified. This can be done by monitoring network activity and specific applications. Triggers an action if unknown activity occurs beyond the normal behavior.
  • Policy-based detection: instead of defining patterns, defines behaviors for malicious activity based on past experience.
  • Honeypot-based detection: uses a dummy server to attract attackers and distract them from the real network. Incoming attacks and malicious traffic patterns can be analyzed to find new types of malicious traffic.

Figure 5: Signature alarm types

Signature action: when a signature detects an activity or series of activities, the signature triggers one or more actions.

  • Generating an alert.
  • Reporting the activity.
  • Dropping or preventing the activity.
  • Blocking future activity.
  • Resetting the TCP connection.
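The following is an added example, not code from the article, that puts the two signature types and the IDS/IPS action difference above into one small sensor: a pattern-based atomic signature decided on a single packet, a stateful port-sweep signature whose per-source state is discarded once it falls outside the event horizon, and a mode switch where the passive IDS only alerts while the inline IPS drops the packet and blocks the source. The packet list, the `/etc/passwd` pattern, the 5-second horizon and the 4-port threshold are all constructed values for illustration.

```python
from collections import defaultdict

# Constructed sample traffic (not from the article): (time_s, src, dst_port, payload)
PACKETS = [
    (0.0, "10.0.0.5", 80, b"GET /index.html"),
    (0.5, "10.0.0.7", 80, b"GET /cgi-bin/x?f=/etc/passwd"),  # hits the atomic signature
    (1.0, "10.0.0.8", 22, b""),
    (1.2, "10.0.0.8", 23, b""),
    (1.4, "10.0.0.8", 25, b""),
    (1.6, "10.0.0.8", 80, b""),                               # 4th port in 0.6 s: sweep
    (2.0, "10.0.0.6", 22, b""),
    (2.2, "10.0.0.6", 23, b""),
    (2.4, "10.0.0.6", 25, b""),
    (9.0, "10.0.0.6", 80, b""),                               # 4th port, but horizon expired
    (9.5, "10.0.0.7", 80, b"GET /about.html"),                # benign, but source was blocked
]

ATOMIC_PATTERN = b"/etc/passwd"   # pattern-based, single-packet (atomic) signature
EVENT_HORIZON = 5.0               # seconds the stateful signature keeps state (assumed)
PORT_THRESHOLD = 4                # distinct ports within the horizon = port sweep (assumed)

def run_sensor(packets, mode):
    """mode 'ids': passive copy, alert only. mode 'ips': inline, drop and block the source."""
    recent = defaultdict(list)    # src -> [(time, port)] retained only for the event horizon
    blocked = set()
    alerts, delivered = [], []
    for t, src, port, payload in packets:
        if mode == "ips" and src in blocked:
            alerts.append((t, src, "blocked-source"))   # "block future activity" action
            continue
        hits = []
        # Atomic signature: decided on this packet alone, no state needed.
        if ATOMIC_PATTERN in payload:
            hits.append("atomic-pattern")
        # Stateful signature: expire state older than the event horizon, then count ports.
        recent[src] = [(ts, p) for ts, p in recent[src] if t - ts <= EVENT_HORIZON]
        recent[src].append((t, port))
        if len({p for _, p in recent[src]}) >= PORT_THRESHOLD:
            hits.append("stateful-port-sweep")
            recent[src].clear()   # reset state once the signature has fired
        alerts.extend((t, src, h) for h in hits)
        if mode == "ips" and hits:
            blocked.add(src)      # drop this packet and block future traffic from src
            continue
        delivered.append((t, src, port))   # IDS always delivers; IPS only clean traffic
    return alerts, delivered
```

In IDS mode every packet is delivered and two alerts are raised; in IPS mode the same two signatures fire, the matching packets never reach the host, and the later benign request from the blocked source is refused as well.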