IDS/IPS
Tapan kumar khilar
What is an Intrusion?
An intrusion is somebody attempting to break into or misuse your system.
Intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
In the context of information systems, intrusion refers to any unauthorized access, unauthorized attempt to access or damage, or malicious use of information resources.
WHO ARE INTRUDERS?
• Outsiders. Intruders from outside the network. They may attempt to go around the firewall to attack machines on the internal network.
• Insiders. Intruders that legitimately use your internal network. These include users who misuse privileges or who impersonate higher privileged users.
HOW DO INTRUDERS GET INTO THE SYSTEM?
• Physical intrusion.
• System intrusion.
• Remote intrusion.
WHAT IS AN INTRUSION DETECTION SYSTEM?
• The main function of an IDS is to warn about suspicious activity taking place, but not to prevent it.
• An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker.
Intrusion Detection Systems (IDS)
An IDS is designed to detect security breaches and to aid in mitigating damage caused by hacking.
Basic intent behind IDS: spot something suspicious on the network/system and sound an alarm.
May look for data bits that indicate questionable activity, or monitor system logs.
Events that sound an alarm may not be an intrusion; any abnormal activity may trigger it, depending on configuration.
Intrusion Detection Systems (IDS)
Why use an IDS:
• To detect attacks and other security violations that are not prevented by other security measures,
• To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities),
• To document the existing threat to an organization,
• To act as quality control for security design and administration, especially of large and complex enterprises,
• To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.
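As an added example (not part of the slides), the following toy network detector shows the two alert types described above over constructed connection records: a signature match on a payload, and the “doorknob rattling” pattern of one source touching many ports. The signature table, threshold values and sample traffic are all assumptions constructed for illustration.

```python
# Added example, not from the slides: a toy NIDS pass over constructed
# connection records, producing the two kinds of alert the deck describes,
# a signature hit and "doorknob rattling" (one source probing many ports).
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    ts: int        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed sample traffic (private and documentation addresses): a benign
# web client, a host probing eight ports, and one known-bad payload pattern.
SAMPLE = [
    Conn(0, "10.0.0.5", "10.0.0.80", 443, b"GET / HTTP/1.1"),
    Conn(1, "10.0.0.5", "10.0.0.80", 80, b"GET /index HTTP/1.1"),
    *[Conn(2 + i, "203.0.113.9", "10.0.0.80", p, b"")
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])],
    Conn(12, "198.51.100.7", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
]

# Signature table: alert name -> byte pattern that must appear in the payload.
SIGNATURES = {"path traversal attempt": b"/../"}

def signature_alerts(conns):
    """Return (src, alert name) for every connection whose payload matches a signature."""
    return [(c.src, name) for c in conns
            for name, pat in SIGNATURES.items() if pat in c.payload]

def probe_alerts(conns, window=10, min_ports=5):
    """Return sources that touch at least min_ports distinct ports within `window` seconds.
    The threshold is the configuration knob: set it too low and an ordinary
    client trips it, which is the false alarm the slides warn about."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda c: c.ts)
        for i, start in enumerate(recs):
            ports = {c.dport for c in recs[i:] if c.ts - start.ts <= window}
            if len(ports) >= min_ports:
                alerts.append(src)
                break
    return alerts
```

With the default threshold only the probing host is reported; lowering `min_ports` to 2 also flags the benign web client, which is the configuration-dependent false alarm the deck describes.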
Intrusion Detection Systems (IDS)
IDS can be configured to:
• Watch for attacks
• Parse audit logs
• Terminate a connection
• Alert an admin as attacks are happening
• Protect system files
• Expose a hacker’s techniques
• Throw up vulnerabilities that need to be addressed
• Possibly help to track down hackers
Two main types of IDS:
• NIDS
• HIDS
Network Intrusion Detection Systems (NIDS)
Uses sensors to monitor all network traffic.
Cannot see the activities within the computer itself.
IDS SOFTWARE
IDS software inspects host configuration files for risky settings, password files for suspect passwords, and other areas to detect violations that could prove dangerous to the network.
• Snort for Windows
• Suricata
• Malware Defender
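The host-side inspection described above, as an added example that is not from the slides or from any of the listed products: two checks run over constructed copies of an /etc/passwd-style file and an sshd_config-style file. The sample file contents and the set of directives treated as risky are assumptions made for the example.

```python
# Added example, not from the slides: a small host-based check of the kind the
# deck attributes to IDS software, run over constructed copies of an
# /etc/passwd-style file and an sshd_config-style file (both labelled samples).

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2::1001:1001::/home/backup2:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""

SSHD_SAMPLE = """\
# constructed sshd_config excerpt
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# sshd_config directives considered risky, with the value that triggers a finding.
RISKY_SSHD = {"PermitRootLogin": "yes", "PasswordAuthentication": "yes", "PermitEmptyPasswords": "yes"}

def check_passwd(text):
    """Return findings for entries with an empty password field or a UID 0 account other than root."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:            # passwd(5) entries have exactly seven fields
            findings.append(f"malformed entry: {line!r}")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"{name}: empty password field")
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
    return findings

def check_sshd(text):
    """Return findings for sshd_config directives set to a risky value."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # strip comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        if RISKY_SSHD.get(key) == value.strip().lower():
            findings.append(f"{key} {value.strip()}")
    return findings
```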
Host based Intrusion Detection Systems (HIDS)
Installed on individual workstations / servers.
Watches for abnormal activity.
NIDS understands and monitors network traffic; HIDS monitors only the computer on which it is installed.
Generally, HIDS is installed on critical servers only, due to administrative overheads.
WHAT IS IPS?
An intrusion prevention system (IPS) is a system that monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, and then log information, attempt to block the activity, and then finally to report it.
Intrusion prevention systems are also known as intrusion detection prevention systems (IDPS).
Intrusion Prevention Systems (IPS)
The bad guys are always one step ahead of the security professionals.
Security professionals try to come up with innovative means to detect and prevent attacks.
IPS is a preventive device rather than a detective device (IDS).
An IPS combines the preventive action of a firewall with the in-depth packet analysis function of an IDS.
CLASSIFICATION OF IPS
• Broadly classified into two categories
– Host IPS (HIPS)
– Network IPS (NIPS)
HOST-IPS
• HIPS is installed directly on the system being protected.
• It binds closely with the operating system kernel and services; it monitors and intercepts system calls to the kernel in order to prevent attacks as well as log them.
• It protects the system from generic attacks for which no “signature” yet exists.
NETWORK-IPS
• Has two network interfaces, one designated as internal and one as external.
• Packets pass through both interfaces and it determines whether the packet being examined poses a threat.
• If it detects a malicious packet, an alert is raised and the packet is discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination.
TYPES OF IPS
• Inline network intrusion protection
systems.
• Layer seven switches.
• Application firewalls.
• Hybrid switches.
• Deceptive applications.
INLINE NETWORK IPS
• It is configured with two NICs, one for management and one for detection.
• The NIC that is configured for detection usually does not have an IP address assigned.
• It works by sitting between the systems that need to be protected and the rest of the network.
• It inspects the packet for any vulnerabilities that it is configured to look for.
INLINE NETWORK IPS (diagram: packet scrubbing)
LAYER SEVEN SWITCHES
• Placing these devices in front of your firewalls would give protection for the entire network.
• However, the drawback is that they can only stop attacks that they know about.
• The only attack they can stop that most other IPSs can’t is the DoS attack.
APPLICATION FIREWALLS
• These IPSs are loaded on each server that is to be protected.
• These types of IPSs are customizable to each application that they are to protect.
• It profiles a system before protecting it. During the profiling it watches the user’s interaction with the application and the application’s interaction with the operating system to determine what legitimate interaction looks like.
• The drawback is that when the application is updated it might have to be profiled again so that it does not block legitimate use.
HYBRID SWITCHES
• They inspect specific traffic for malicious content, as has been configured.
• A hybrid switch works in a similar manner to a layer seven switch, but has detailed knowledge of the web server and the application that sits on top of the web server.
• It also fails if the user’s request does not match any of the permitted requests.
DECEPTIVE APPLICATIONS
• It watches all your network traffic and figures out what is good traffic.
• When an attacker attempts to connect to services that do not exist, it will send back a response to the attacker.
• The response will be “marked” with some bogus data. When the attacker comes back again and tries to exploit the server, the IPS will see the “marked” data and stop all traffic coming from the attacker.
THANK YOU
