Introduction to intrusion detection systems

We call IDS (Intrusion Detection System) a mechanism that listens to network traffic unobtrusively in order to identify abnormal or suspicious activity, making it possible to act preventively against the risk of intrusion.

There are two main distinct families of IDS:

The N-IDS (Network-Based Intrusion Detection System), which provides security at the network level.

The H-IDS (Host-Based Intrusion Detection System), which provides security at the host level.

An N-IDS requires dedicated hardware and constitutes a system capable of monitoring the packets circulating on one or more network links in order to discover whether a malicious or abnormal act is taking place. The N-IDS places one or more network interface cards of the dedicated system in promiscuous mode; they are then in "stealth" mode, so they do not have an IP address. They also have no protocol stack attached. It is common to find several IDS on the various parts of the network, and in particular to place a probe outside the network in order to study attack attempts, as well as an internal probe to analyze the requests that have crossed the firewall or that originate from the inside.

The challenges of IDS


Vendors and the specialist press are increasingly talking about IPS (Intrusion Prevention System), in place of, or to distinguish themselves from, "traditional" IDS.


An IPS is a system for prevention of, and protection against, intrusions, and no longer only for recognizing and signaling intrusions as most IDS do. The main difference between a (network) IDS and a (network) IPS comes down to two characteristics:


positioning: the IPS sits inline (in cut-off) on the network path, rather than only listening on the network as the IDS does (traditionally positioned as a sniffer on the network);

the ability to block intrusions immediately, regardless of the transport protocol used and without reconfiguring third-party equipment, which means the IPS natively embeds a packet filter and blocking mechanisms (drop connection, drop offending packets, block intruder, etc.).
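To make the N-IDS description and the IDS/IPS distinction above concrete, here is a small added example in Python (not code from the original post). A toy sensor inspects a constructed packet stream with two byte-pattern signatures and a sliding-window port-scan threshold; the same detection logic runs in "ids" mode (observe and alert, every packet still forwarded, as a passive sniffer would) or in "ips" mode (offending packets dropped, as only an inline device can). The Packet structure, the rule patterns, the IP addresses and the thresholds are all assumptions made for the illustration; a real N-IDS would fill these fields from frames captured on a promiscuous-mode interface.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured packet (assumed structure for this example)."""
    ts: float          # capture time in seconds
    src: str           # source IP address
    dst: str           # destination IP address
    dport: int         # destination port
    payload: bytes = b""


# Constructed signature rules: byte patterns that legitimate requests should not carry.
SIGNATURES = {
    "sqli-tautology": b"' OR 1=1",
    "path-traversal": b"../../",
}


class Sensor:
    """mode='ids': passive, alert only; mode='ips': inline, drops offending packets."""

    def __init__(self, mode, scan_ports=10, scan_window=2.0):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.scan_ports = scan_ports       # distinct ports per source that trigger an alert
        self.scan_window = scan_window     # sliding window in seconds
        self._recent = defaultdict(deque)  # src -> deque of (ts, dport)

    def _signature_hits(self, pkt):
        return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]

    def _scan_hit(self, pkt):
        # Sliding-window count of distinct destination ports contacted by one source.
        q = self._recent[pkt.src]
        q.append((pkt.ts, pkt.dport))
        while q and pkt.ts - q[0][0] > self.scan_window:
            q.popleft()
        return len({p for _, p in q}) >= self.scan_ports

    def inspect(self, pkt):
        alerts = self._signature_hits(pkt)
        if self._scan_hit(pkt):
            alerts.append("port-scan")
        # Detection is identical in both modes; only the action taken differs.
        verdict = "drop" if (alerts and self.mode == "ips") else "forward"
        return verdict, alerts

    def run(self, packets):
        return [(pkt, *self.inspect(pkt)) for pkt in packets]


def summarize(results):
    """Count verdicts and alerts produced by Sensor.run()."""
    out = {"forward": 0, "drop": 0, "alerts": 0}
    for _, verdict, alerts in results:
        out[verdict] += 1
        out["alerts"] += len(alerts)
    return out


def sample_traffic():
    """Constructed capture: three benign requests, one injection probe, one port scan."""
    web = "192.0.2.10"
    pkts = [Packet(1.0 + i * 0.1, "10.0.0.5", web, 80, b"GET / HTTP/1.1") for i in range(3)]
    pkts.append(Packet(1.5, "10.0.0.5", web, 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1"))
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]
    pkts += [Packet(10.0 + i * 0.05, "198.51.100.7", web, p) for i, p in enumerate(scan_ports)]
    return pkts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, summarize(Sensor(mode).run(sample_traffic())))
```

Running it shows the asymmetry the post describes: in "ids" mode all 16 packets are forwarded and 4 alerts are raised (one signature hit plus three port-scan alerts once the tenth distinct port is reached), while in "ips" mode the same 4 packets are dropped before they reach the web server. Note that the scan alert only fires on the tenth distinct port, so an inline sensor still lets the first nine probe packets through; threshold-based rules trade latency of detection for fewer false positives.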
