
Thursday, March 5, 2020

The pros and cons of the intrusion detection system

With its versatile technology, an intrusion detection system can detect attacks that a conventional firewall cannot. It analyzes data packets up to the highest layer of the OSI model and, to do so, monitors the individual applications being executed. Anomaly detection systems can also detect new, flexible attack patterns through this procedure, thereby increasing network security. However, do not believe that IDS software can replace the firewall; only a combination of the two security components provides optimal protection.

Since intrusion detection systems are active components of a network, they can themselves become a target for attack, especially if the intruder is aware of them. Because of their vulnerability to DoS attacks, that is, targeted overload, IDS software can be knocked out in a very short time. In addition, an attacker can abuse the automatic notification function of an intrusion detection system to cause DoS conditions originating from the IDS itself. Anomaly detection in particular is a major weakness here if it is configured incorrectly: if the settings are too sensitive, the number of alert messages becomes relatively high, even in the absence of any unauthorized access.

In any case, you need to weigh the costs, effort and benefits of these security systems, because you need not only the IDS software but also a suitable hardware environment. And even though there are powerful open source solutions, such as the network-based Snort, the host-based Samhain or the hybrid Suricata, they still have to be correctly installed, configured and maintained.

Read More: intrusion detection and prevention systems

Tuesday, March 3, 2020

The 8 best open source intrusion detection tools

In the information society in which we live, it is very important to keep our networks safe. Companies strive to contain and prevent attacks that could endanger their confidential information. For this, there are a number of tools that try to make our systems as invulnerable as possible. In this article we will get to know the 8 best ones, so you can decide whether you need any of them.

Currently, there are many intrusion detection and prevention systems, ranging from antivirus systems to hierarchical systems that monitor network traffic. The most common are the following:

NIDS: Network intrusion detection systems are placed at strategic points in the network to monitor the incoming and outgoing traffic of all network devices. But inspecting all traffic can create bottlenecks, which slows down the network as a whole.

HIDS: Host intrusion detection systems run on machines or devices separate from the network and provide safeguards for the general network against external threats.

Signature-based IDS: A signature-based IDS monitors all packets in the network and compares them against a signature database of preconfigured, known attack patterns. They work similarly to antivirus software.

Anomaly-based IDS: These IDS monitor network traffic and compare it to an established baseline. The baseline determines what is considered normal for the network in terms of bandwidth, protocols, ports and other devices, and the IDS alerts the administrator to any kind of unusual activity.

Passive IDS: This type of IDS performs simple detection and alerting work. It simply alerts the administrator to any type of threat and blocks the activity in question as a preventive measure.

Reactive IDS: Detects malicious activity, alerts the administrator to threats and also responds to those threats.

Monday, March 2, 2020

IDS and IPS: Similarities and differences between intrusion tools

The Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS) prevent network intrusions in complementary ways.

Network data is usually protected by routers, firewalls or switches. Such technologies reduce the risks for those who work with the web, but besides requiring advanced technical knowledge to configure, in some cases they still allow improper access that leads to cyber attacks. It is this gap that the IDS (intrusion detection system) and the IPS (intrusion prevention system) are meant to close.

Both the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS) are security techniques capable of detecting and preventing unauthorized access to networks and hosts. They can be deployed as software on hardware such as a switch, a router or a desktop server that performs these functions on your network. Although both serve the same purpose, preventing such unauthorized access, some points set them apart.

What is the difference between IDS and IPS security?

Although very similar and both intended to provide security, the difference between IDS and IPS lies in the way the service is delivered. In security terms, the IDS is a passive system, while the IPS is a system with active responses. In practice, the IDS is software that automates the procedure of detecting an intruder, while the IPS is software that prevents cyber attacks.

That is why the IDS is called a detector and the IPS a preventer. As soon as the IDS detects something suspicious, it logs this information and sends an alert. Finally, it suspends the suspicious user's session and, through the firewall, blocks network traffic from the suspected threat.

An IPS in use enforces rules and policies for network traffic. With the help of the IDS, the IPS can send alerts about suspicious traffic to administrators and protect all systems, from the operating system down to the data packets.

Friday, February 28, 2020

Comparison between IPS and IDS

New Generation IPS

The dynamism of today's networks causes a constant emergence of new technologies, devices and systems. This increases exposure to ever-improving techniques for violating information security and demonstrates the need for mechanisms with some intelligence to cope with it, which has driven the development of the New Generation IPS.

A New Generation IPS must meet the following requirements:

  • Always Online: never hinder or interrupt the operation of a network.
  • Application Awareness: ability to identify applications and enforce network security policies at the application layer.
  • Context Awareness: threat detection and response decisions must be based on a thorough analysis of the circumstances surrounding a specific attack, so that the priority of the response the team must give to an imminent threat can be determined automatically.
  • Content Awareness: must be able to inspect and classify the types of files carried in data packets.
  • Agility: must be able to incorporate new feedback mechanisms to face future threats.

This new generation of IPS can have visibility into the behavior of the network, the profiles of the equipment within the communication infrastructure, and the identity of the users and applications in use, so that this information serves as input for an automatic tuning process.

Comparison between IPS and IDS

  • Both the IDS (Intrusion Detection System) and the IPS (Intrusion Prevention System) increase network security by monitoring traffic and examining and analyzing packets for suspicious data. Both systems base their detections mainly on signatures, that is, attack patterns already detected and recognized.
  • The main difference between an IDS and an IPS is the type of action they take when they detect an attack in its early stages (network analysis and port scanning):
  • The IDS gives the network a degree of preventive security in the face of any suspicious activity, and achieves its objective through early warnings addressed to system security administrators. However, unlike the IPS, it is not designed to stop attacks.
  • The IPS is a device that exercises access control in a network to protect computer systems from attacks and abuse. It is designed to analyze the attack data and act accordingly, stopping the attack while it is unfolding and before it succeeds.
  • Combining both network-based and host-based intrusion detection and prevention systems is essential for good computer security health. None of the models presented is necessarily exclusive; on the contrary, they should be treated as complementary according to the need and criticality of protection required by a business.

Thursday, February 27, 2020

What is an Intrusion Prevention System (IPS)?

In an era of data leaks, such as the constant breaches of e-commerce companies and their impact on the retail sector, which suffers an average of 4,000 information security threats each year according to the Global State of Information Security Survey released by PwC in 2017, prevention becomes a strategic priority.

Intrusion detection (IDS) and intrusion prevention (IPS): together we are stronger

With the level of attacks we face today, bearing in mind, for example, the ransomware cases, we cannot think in terms of IDS versus IPS. Despite the differences in concept and applicability, both have the same objective: information security.

On a simple level, the difference is between detection and prevention. While IDS products are designed to inform you that something is trying to enter your system, IPS products try to prevent access.

IDS and IPS are designed for different purposes, but their technologies are similar. The IDS is justified in situations where it is necessary to explain what happened during an attack, while the IPS stops the attacks. In short, an IDS collects information that is not a priority for an IPS, such as port scans and other reconnaissance.


The efficiency of the Intrusion Prevention System (IPS)

An intrusion prevention system monitors network traffic and is able to take immediate action, based on a set of rules established by the network administrator, when an intrusion occurs, according to the nature of the attack and its speed.

Used efficiently, an Intrusion Prevention System can, for example, discard a packet it considers malicious and block all further traffic from that IP address or port. Traffic considered legitimate or safe is forwarded to the recipient without any apparent interruption or delay in service.

The detection mechanisms monitor and analyze traffic patterns as well as individual packets, including address matching, string and HTTP substring matching, TCP connection analysis, and detection of packet anomalies and traffic anomalies on TCP/UDP ports.
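The detection mechanisms listed here (address matching, HTTP substring matching, traffic anomalies), the signature-versus-anomaly distinction from the "8 best tools" post, and the passive IDS alert versus active IPS drop-and-block response can all be seen in one small engine. The Python below is an added example written for this page, not code from any of these posts or from Snort, Samhain or Suricata; the Packet and Engine classes, the IP addresses, the two signature patterns and the scan_threshold baseline are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""

# Constructed signature database: one address match, one HTTP substring match.
SIGNATURES = [
    ("blocklisted-source", lambda p: p.src == "203.0.113.7"),
    ("http-path-traversal", lambda p: p.dport == 80 and "../" in p.payload),
]

@dataclass
class Engine:
    mode: str                 # "ids" = passive (alert only), "ips" = active (drop and block)
    scan_threshold: int = 5   # baseline: distinct ports one source may touch before it is an anomaly
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    ports_seen: dict = field(default_factory=lambda: defaultdict(set))

    def inspect(self, p: Packet) -> str:
        """Return 'forward' or 'drop' for one packet, logging any alerts."""
        if p.src in self.blocked:
            return "drop"
        hits = [name for name, match in SIGNATURES if match(p)]
        self.ports_seen[p.src].add(p.dport)      # anomaly check: port-scan behaviour
        if len(self.ports_seen[p.src]) > self.scan_threshold:
            hits.append("port-scan-anomaly")
        if not hits:
            return "forward"
        self.alerts.extend(f"{h} src={p.src} dst={p.dst}:{p.dport}" for h in hits)
        if self.mode == "ips":
            self.blocked.add(p.src)              # active response: block the source
            return "drop"
        return "forward"                         # passive: alert logged, traffic passes

def run(mode: str, traffic: list, scan_threshold: int = 5):
    """Run all packets through a fresh engine; return the verdicts and the engine."""
    eng = Engine(mode, scan_threshold)
    return [eng.inspect(p) for p in traffic], eng

# Constructed sample traffic: benign request, blocklisted source, traversal attempt, port probe.
SAMPLE = [Packet("198.51.100.5", "10.0.0.2", 80, "GET /index.html"),
          Packet("203.0.113.7", "10.0.0.2", 443),
          Packet("198.51.100.9", "10.0.0.2", 80, "GET /../../secret")]
SAMPLE += [Packet("198.51.100.20", "10.0.0.2", port) for port in range(20, 27)]
```

Running the same sample in "ids" mode forwards every packet and records four alerts, while "ips" mode drops four packets and blocks three sources; lowering scan_threshold reproduces the over-sensitive configuration the first post warns about, with more alerts on identical traffic.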