{"id":157,"date":"2017-09-02T15:39:00","date_gmt":"2017-09-02T15:39:00","guid":{"rendered":"https:\/\/www.7sec.com\/blog\/?p=157"},"modified":"2021-06-10T13:11:26","modified_gmt":"2021-06-10T13:11:26","slug":"the-purpose-of-intrusion-detection-and-prevention-systems","status":"publish","type":"post","link":"https:\/\/www.7sec.com\/blog\/the-purpose-of-intrusion-detection-and-prevention-systems\/","title":{"rendered":"The Purpose of Intrusion Detection & Prevention Systems"},"content":{"rendered":"\r\n

Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also to block malicious actions.<\/p>\r\n\r\n\r\n\r\n

Depending on their physical location in the infrastructure, and the scope of protection required, the IDS and IPS fall into two basic types: network-based and host-based. Both have the same function and the specific type deployed depends on strategic considerations.<\/p>\r\n\r\n\r\n\r\n

WHY ARE IDS and IPS necessary?<\/strong><\/h4>\r\n\r\n\r\n\r\n

The IDS and IPS devices employ technology, which analyses traffic flows to the protected resource in order to detect and prevent exploits or other vulnerability issues.<\/p>\r\n\r\n\r\n\r\n

These exploits can manifest themselves as ill-intended interactions with a targeted application or service. The goal is to interrupt and gain control of an application or a machine, thus enabling the attacker to disable the target causing a denial-of-service situation, or to gain access to rights and permissions available through the target.<\/p>\r\n\r\n\r\n\r\n

EVENT TYPES<\/h4>\r\n\r\n\r\n\r\n

There are four types of IDS and IPS events: true positive, true negative, false positive, and false negative. The goal of implementing an IDS or IPS is to achieve only true positives and true negatives.<\/p>\r\n\r\n\r\n\r\n

One should keep in mind that most implementations have false positives so monitoring engineers spend time investigating non-malicious events, and false negatives, which can lead to intrusions. Thus, a proper configuration of the system is of crucial importance as it must reflect the organization\u2019s traffic patterns.<\/p>\r\n\r\n\r\n\r\n

\r\n
\"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

IDS\u00a0are designed to provide readiness to prepare for and deal with cyber attacks. This is accomplished through information collected from a variety of systems and network sources, which is then analyzed for security problems. IDS are generally deployed with the purpose to monitor and analyze user and system activity, audit system configurations and vulnerabilities, assess the integrity of any critical system and data files, perform statistical analysis of activity patterns based on the matching to known attacks, detect abnormal activity and audit operating systems.<\/p>\r\n\r\n\r\n\r\n

\"\"<\/figure>\r\n\r\n\r\n\r\n

 <\/p>\r\n\r\n\r\n\r\n

The IPS is generally deployed in-line and analyses network packet traffic as it flows through. Thus, it is similar in function to an IDS \u2013 both attempt to match packet data against a signature database or detect anomalies against what is pre-defined as \u201cnormal\u201d traffic.<\/p>\r\n\r\n\r\n\r\n

In addition to this IDS functionality, an IPS does more than log and alert \u2013 It is usually used to react to detected anomalies. This reaction ability of the detections is what makes IPS more desirable than IDS in general.<\/p>\r\n\r\n\r\n\r\n

THE WHAT, WHERE AND WHO\u2019S OF IDS and IPS DEPLOYMENT<\/h4>\r\n\r\n\r\n\r\n

These questions are to be answered taking into account the specifics of one\u2019s environment. The most common locations for intrusion detection\/protection sensor are between the network and extranet, in the Demilitarized Zone (DMZ), between the servers and the user community, on the remote access, intranet, and database environment, establishing network perimeter, and covering all possible points of entry should be possible.<\/p>\r\n\r\n\r\n\r\n

Once placed, the sensors must be configured to report to the central management console, as dedicated administrators will manage the sensors, provide a new or updated signature, and review logs. In order to avoid data tampering, one must ensure the communication between the sensors and management console is secure.<\/p>\r\n\r\n\r\n\r\n

The proper identification of mission-critical systems and points of entry requires the following roles in an organization to be involved in any IDS\/IPS deployment:<\/p>\r\n\r\n\r\n\r\n