IPS and IDS systems look for intrusions and symptoms within traffic. IPS/IDS systems would monitor for unusual behavior, abnormal traffic, malicious coding and anything that would look like an intrusion by a hacker being attempted.
IPS (Intrusion Prevention System) systems are deployed inline and actually take action by blocking the attack, as well as logging the attack and adding the source IP address to the block list for a limited amount of time; or even permanently blocking the address depending on the defined settings. Hackers take part in lots of port scans and address scans, intending to find loop holes within organizations. IPS systems would recognize these types of scans and take actions such as block, drop and log traffic. However this is the basic functionality of IPS, IPS systems have many advanced capabilities in sensing and stopping such attacks.
IDS (Intrusion Detection System) systems only detect an intrusion, log the attack and send an alert to the administrator. IDS systems do not slow networks down like IPS as they are not inline.
You may wonder why a company would purchase an IDS over an IPS? Surely a company would want a system to take action and block such attacks, rather than letting it pass and only logging and alerting the administer. Well there’s a few reasons; however there are two primary reasons which stand out. IDS systems if not fine tuned, just like IPS will also produce false positives. However it would be very annoying to have an IPS system producing false positives as legitimate network traffic will be blocked, as where an IDS will just send alerts, and log the false attack. The 2nd reason is, some administrators and managers do not want a system to take over and make decisions on their behalf; they would rather receive an alert and look into the problem and take action themselves.
Not having an IPS system result in attacks can going unnoticed. Don’t forget, a firewall does the filtering, blocking and allowing of addresses, ports, service, but also allows some of these through the network as well. However this means that the access allowed is just let through, they have no clever way of telling whether that traffic is legit and normal, this is where the IPS and IDS systems come into play. So where firewalls block attacks, IDS/IPS detect and may block attacks. IDS/IPS systems are made up of sensors, analysers and GUI’s in order to do their specialised job.
In particular the vendor IBM ISS have a very strong product set that specialise in IPS, IDS and ADS products.
Host based Intrusion detection and Network based Intrusion Detection
There are a few different types of intrusion systems. Firstly there’s host based (HIDS) and network based. Network based (NIDS) monitors for intrusions on the network. Host based sits on a computer itself, and monitors the host itself. HIDS are expensive to deploy on all computers, and so are used for servers that require this extra protection, where network based is usually cheaper to purchase as the investment is in one appliance sitting on your network monitoring traffic.
HIDS and NIDS can come in a number of types of intrusion systems as well;
Signature based
Signatures are created by vendors based on potential attacks and attacks that have been taken place in the past. These signatures are scheduled and downloaded by the intrusion software itself. Any packets arriving into the network are compared to the set of downloaded signatures comparing these for any attacks. Signature based systems are the most common. Most UTM appliances consist of signature based intrusion prevention/detection systems. The only downfall to these systems is that they can not detect new attacks, as they only compare attacks to the signatures their system currently holds.
Anomaly based
In anomaly based, the system would first need to learn the NORMAL behavior, traffic or protocol set of the network. When the system has learnt the normal state of a network and the types of packets and throughput it handles on a daily basis, taking into account peak times such as lunch time for example for web browsing, then it can be put into action. Now when traffic is detected that is out of the normal state of the network, the anomaly based detection system would take action.
The good thing about this type of system is that it can detect new attacks; it does not need to rely on signatures. The bad thing is if you do not spend time fine stunning the system and maintaining it, it will usually produce many false positives (Stop normal traffic). Also some clever hackers try and emulating their attacks as normal traffic, however this is usually difficult to do from a hacking perspective, but if they get it right, it may fool the ADS system as normal and legitimate traffic.
Rule based
Rule based systems are more advanced and cleverly built systems. A knowledge base programmed as rules will decide the output alongside an inference engine. If the defined rules for example all match, a certain assumption can be determined in which an action may take place. This assumption is the power of the inference engine. The inference engine can assume an attack may be occurring because of so many factors; this is unique and is very much behaving like the human mind. In normal computing assumptions can not be made, its either yes or no, but the inference engine adds a different level of thinking; it also adds the “Probably” to the list, like humans. If it rains and is warm, we can assume it may thunder. If more traffic was leaving the company than usual, as well as coming from a certain server, the inference engine may assume, the server could be compromised by a hacker.