An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) detects and – if possible – prevents activities that either compromise system security or are a hacking attempt. An IDS/IPS monitors servers or the network for suspicious (and possibly hostile) activity and alerts the systems manager when such activity is detected.
A typical example of an IDS/IPS alert is the occurrence of a port scan, often used by hackers to find vulnerabilities in Internet-attached devices.
An IDS monitors a server or a network and provides alerts when something suspicious happens. An IPS, however, can also stop attacks, for instance by changing firewall rules on the fly to block detected unwanted traffic. IPS systems are often combined with firewall functionality or have a direct interface to it. Two types of IDS/IPS systems exist: network-based IDS (NIDS) and host-based IDS (HIDS).
- A NIDS is typically placed at a strategic point within the network to monitor traffic to and from all devices on that network. A good place would be a central firewall, a core switch or a DMZ router. The NIDS is not inline in the network flow but only “looks at it”, which also keeps the NIDS itself from being detected by hackers.
- A HIDS runs on individual servers or network devices, where it monitors the network traffic of that device. It also monitors user behavior and the alteration of critical (system) files. A good place for a HIDS is a critical (production) server, or a server that can be reached from the Internet, like a web server, an email server or an FTP server.
An IDS system works in one of two ways:
- Looking for specific signatures of known threats, similar to the way antivirus software works (also known as a signature-based IDS)
- Comparing traffic patterns against a baseline and looking for anomalies (also known as a statistical anomaly-based IDS)
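The following is an added example, not code from the original post, that shows both detection modes side by side on a constructed connection log: a signature rule matches a known-bad request pattern in the payload, and an anomaly rule learns from a baseline how many distinct destination ports a single source normally touches in a 10-second window and flags a source that exceeds that, which is what the port scan mentioned above looks like from the defender's side. The log format, the sample addresses and the threshold formula (mean plus three standard deviations) are assumptions made for this illustration; a final helper shows the IDS/IPS distinction by turning alerts into a proposed block list rather than just reporting them.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 10  # seconds per observation window (assumed value)


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    payload: str   # first bytes of application data, or "-" if none


# Constructed baseline of normal traffic: "ts src dst dport payload" (not a real capture).
BASELINE_LOG = """\
0 10.0.0.5 10.0.0.10 443 GET /index.html
3 10.0.0.5 10.0.0.10 80 GET /
12 10.0.0.6 10.0.0.10 80 GET /status
30 10.0.0.6 10.0.0.11 25 EHLO mail.example.test
31 10.0.0.6 10.0.0.11 110 USER alice
32 10.0.0.6 10.0.0.11 143 a1 LOGIN alice
45 10.0.0.7 10.0.0.10 443 GET /login
50 10.0.0.7 10.0.0.12 22 SSH-2.0-OpenSSH
55 10.0.0.7 10.0.0.10 443 GET /app.js
60 10.0.0.8 10.0.0.13 53 -
"""

# Constructed observed traffic: one source sweeping many ports, one traversal attempt.
OBSERVED_LOG = """\
100 10.0.0.5 10.0.0.10 443 GET /index.html
101 10.0.0.9 10.0.0.10 21 -
101 10.0.0.9 10.0.0.10 22 -
101 10.0.0.9 10.0.0.10 23 -
102 10.0.0.9 10.0.0.10 25 -
102 10.0.0.9 10.0.0.10 80 -
102 10.0.0.9 10.0.0.10 110 -
103 10.0.0.9 10.0.0.10 443 -
103 10.0.0.9 10.0.0.10 3306 -
110 10.0.0.6 10.0.0.10 80 GET /../../etc/passwd
"""

# Signature rules: name -> pattern over the payload. One textbook rule for illustration.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
}


def parse_log(text):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(maxsplit=4)
        events.append(Event(int(ts), src, dst, int(dport), payload))
    return events


def signature_alerts(events):
    """Signature-based detection: any payload matching a known-bad pattern is an alert."""
    hits = [(e.src, name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e.payload)]
    return sorted(hits)


def ports_per_window(events):
    """Map (source, window index) -> set of distinct destination ports seen."""
    buckets = defaultdict(set)
    for e in events:
        buckets[(e.src, e.ts // WINDOW)].add(e.dport)
    return buckets


def learn_threshold(baseline_events, k=3.0):
    """Anomaly baseline: mean + k * population std dev of distinct ports per window."""
    counts = [len(ports) for ports in ports_per_window(baseline_events).values()]
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def anomaly_alerts(events, threshold):
    """Anomaly-based detection: a source touching more distinct ports than the baseline allows."""
    hits = [(src, len(ports)) for (src, _w), ports in ports_per_window(events).items()
            if len(ports) > threshold]
    return sorted(hits)


def proposed_blocks(sig_hits, anom_hits):
    """IPS step: the set of sources an IPS would block (an IDS would only report them)."""
    return sorted({src for src, _ in sig_hits} | {src for src, _ in anom_hits})


if __name__ == "__main__":
    baseline = parse_log(BASELINE_LOG)
    observed = parse_log(OBSERVED_LOG)
    threshold = learn_threshold(baseline)
    sig = signature_alerts(observed)
    anom = anomaly_alerts(observed, threshold)
    print(f"threshold={threshold:.2f} signature={sig} anomaly={anom}")
    print("proposed blocks:", proposed_blocks(sig, anom))
```

Note the trade-off the two modes illustrate: the signature rule is precise but only knows the pattern it was given, while the anomaly rule catches the unknown scanner but depends entirely on how representative the baseline is (a baseline containing a scan would raise the threshold and hide later ones).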
This entry was posted on Friday 14 December 2012