Unit 8: Intrusion Detection and Prevention Systems
Even though networks and hosts have security methods in place, hackers continue to attempt to intrude upon systems and sometimes succeed in gaining access. Intrusion detection systems (IDS) are used to track these attempts or intrusions and have the ability to stop an intruder from gaining access to information, thereby keeping the information secure. This unit will discuss the different types of intrusion detection and intrusion prevention systems and will differentiate between network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Security information and event management (SIEM) tools, along with vulnerability scanners, network scanners, and web application scanners, are also discussed.
Completing this unit should take you approximately 4 hours.
Upon successful completion of this unit, you will be able to:
- discuss the purpose and the need for intrusion detection systems (IDS) and intrusion prevention systems (IPS);
- compare and contrast the characteristics of signature-based, anomaly-based, and rule-based IDS technologies;
- compare and contrast network-based intrusion detection system (NIDS) and host-based intrusion detection systems (HIDS); and
- explain the methodology of common security information and event management (SIEM) systems.
8.1: Intrusion Detection Systems (IDS)
Tools that monitor systems for malicious activity are called intrusion detection systems, or IDS. Read this article to learn the common components and functions of an IDS, and some kinds of IDS, such as signature-based, anomaly-based, and rule-based. What is the difference between an IDS and an intrusion prevention system (IPS)? Network-based intrusion detection systems (NIDS) are installed on networks, and host-based intrusion detection systems (HIDS) are installed on hosts. The purpose of NIDS and HIDS is similar; they both detect intrusions, but they operate differently. What does each one do?
This video goes into more detail about intrusion detection systems (IDS) and intrusion prevention systems (IPS), the differences between an IPS and an IDS, and how signature-based and anomaly-based IDS function. You should be able to explain what true positives, false positives, true negatives, and false negatives are. When using a detection system, which type of response would be of the most concern? Pay attention to the differences between a network-based IDS and a host-based IDS. What is an IDPS? What is the correct placement of an IDS and an IPS? What are some weaknesses and limitations in IDS detection? How is packet fragmentation used to avoid detection by an IDS? What are the names of some of the IDS vendors?
The purpose of an intrusion detection system (IDS) is to protect the confidentiality, integrity, and availability of a system. Intrusion detection systems (IDS) are designed to detect specific issues, and are categorized as signature-based (SIDS) or anomaly-based (AIDS). IDS can be software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?
This video explains what an intrusion detection system (IDS) does in general terms. You will learn about two common techniques used by IDS to identify threats. What are these two common techniques, and how do they detect system attacks? Where can IDS software be placed on a small network, and where can it be placed to keep from slowing down systems on the network? What is a popular open-source IDS software? What are the two types of protection offered by IDS software?
Read section 2 of this article to learn about signature-based intrusion detection systems (IDS). You should be able to explain what signature-based IDS detects on a system, as well as some advantages and disadvantages of the system. What is a popular signature-based network intrusion detection system?
Anomaly-based intrusion detection systems (IDS) detect anomalies. This is different from signature detection, which matches patterns. While you read, try to explain how an anomaly is different from a signature. An anomaly-based IDS can be either host-based or network-based. When reading this article, note the explanation of the host-based and the network-based anomalies. What are some of the network anomalies? How would you define a static and a dynamic anomaly? What are the advantages and disadvantages of an anomaly-based IDS as compared to a signature-based IDS?
Another type of intrusion detection system is a rule-based intrusion detection system (IDS). Read the section on intrusion detection systems, focusing on rule-based IDSes and how they function. What are two techniques used by rule-based IDSes? What are two downsides to a rule-based IDS?
This video provides a good visual example of rules coded in a system. As you watch, you will see rule headers, Snort rules, and rule options. This example will help you understand how an attack is described by the rules of a rule-based IDS.
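To tie together the pieces named in this section (rule headers and options, signature matching, and true/false positives and negatives), here is an added example that is not part of this course page, its videos, or the Snort project: a small Python parser for simplified Snort-style rules, run over constructed packets once per packet and once after TCP-stream reassembly, showing how a request split across two segments produces false negatives until the stream is reassembled. All rule text, addresses, and payloads are constructed for illustration.

```python
import re
from collections import Counter
# Constructed, simplified Snort-style rules (not from the page's video): a header "action proto src sport -> dst dport" then options in parentheses.
RULES = [
    'alert tcp any any -> 10.0.0.5 80 (msg:"Windows shell request in URI"; content:"cmd.exe"; sid:1000001;)',
    'alert tcp any any -> 10.0.0.5 22 (msg:"SSH client banner"; content:"SSH-"; sid:1000002;)',
]
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split one rule into its header fields and an options dict (msg, content, sid, ...)."""
    m = HEADER.match(text)
    if not m:
        raise ValueError(f"malformed rule: {text}")
    action, proto, src, sport, _direction, dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";") if o.strip()):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "options": options}

def matches(rule, pkt):
    """A rule fires when each header field is 'any' or equal and its content string occurs in the payload."""
    return (rule["proto"] == pkt["proto"] and all(rule[f] in ("any", str(pkt[f])) for f in ("src", "sport", "dst", "dport"))
            and rule["options"].get("content", "") in pkt["payload"])

def reassemble(packets):
    """Join payloads per TCP flow, as a NIDS must do before matching (see 8.2)."""
    flows = {}
    for pkt in packets:
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flow = flows.setdefault(key, {**pkt, "payload": "", "malicious": False})
        flow["payload"] += pkt["payload"]
        flow["malicious"] |= pkt["malicious"]
    return list(flows.values())

def evaluate(rule_texts, packets):
    """Count TP/FP/TN/FN: did any rule fire, and was the traffic actually labelled malicious?"""
    rules, counts = [parse_rule(r) for r in rule_texts], Counter()
    for pkt in packets:
        alerted = any(matches(r, pkt) for r in rules)
        counts[("T" if alerted == pkt["malicious"] else "F") + ("P" if alerted else "N")] += 1
    return counts

# Constructed sample traffic with ground-truth labels; the cmd.exe request is split over two TCP segments.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": "10.0.0.5", "dport": 80, "payload": "GET /scripts/cmd", "malicious": True},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": "10.0.0.5", "dport": 80, "payload": ".exe HTTP/1.0", "malicious": True},
    {"proto": "tcp", "src": "192.0.2.9", "sport": 51001, "dst": "10.0.0.5", "dport": 80, "payload": "GET /index.html HTTP/1.1", "malicious": False},
    {"proto": "tcp", "src": "192.0.2.9", "sport": 51002, "dst": "10.0.0.5", "dport": 22, "payload": "SSH-2.0-OpenSSH_9.6", "malicious": False},
]
print(dict(evaluate(RULES, PACKETS)), dict(evaluate(RULES, reassemble(PACKETS))))  # per packet vs. reassembled stream
```

Per packet the split request yields two false negatives and the legitimate SSH session a false positive; after reassembly the same rules produce a true positive, while the SSH false positive remains, which is the tuning problem signature rules carry.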
8.2: Network Intrusion Detection Systems (NIDS)
As you learned in the previous section, intrusion detection does not prevent intrusions but detects and logs them. This section will focus on network intrusion detection systems (NIDS), and the next section will discuss host-based intrusion detection systems (HIDS).
Read sections 22.4 and 22.4.1. What is the main idea behind network intrusion detection? What is the basis for network intrusion detection systems (NIDS)? What is the issue that occurs when NIDS has to reassemble TCP streams?
8.3: Host-based Intrusion Detection Systems (HIDS)
The previous section focused on network intrusion detection systems (NIDS). This section will go into more detail about host-based intrusion detection systems (HIDS). There is a difference between the two tools, but in essence they have the same goal: to detect system intrusions. Notice how HIDS differs from NIDS.
The counterpart to network intrusion detection systems is host-based intrusion detection systems (HIDS). Pay attention to the description of a HIDS, the purpose of a HIDS, and what types of attacks HIDS can detect. What are the types of HIDS, and what are they based on? What are three categories of measurement that can indicate an intrusion?
To review, you have learned about host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). Read this article on intrusion detection systems and note the strengths of HIDS and NIDS, and the overall pros and cons of intrusion detection systems.
8.4: Intrusion Prevention Systems (IPS)
As we discussed, the previous sections defined intrusion detection but did not cover intrusion prevention. Intrusion prevention systems (IPS) detect intrusions and perform actions to prevent them. This section will describe IPS in more detail. You should notice the differences between intrusion detection systems and IPS.
Read the section on intrusion prevention in this article for an explanation of intrusion prevention systems (IPS). What are the main functions of an IPS?
8.5: Security Information and Event Management (SIEM)
Security information and event management (SIEM) systems differ from intrusion detection and prevention systems in that they log, monitor, and analyze event reports. The tools covered in this section also include network and web scanners. Splunk, one popular SIEM tool used by private and public organizations, is also discussed. Security professionals approve the types of detection or prevention systems that are appropriate for a system, so you should understand the appropriate use for, and the differences between, these tools.
This video will discuss some security information and event management (SIEM) tools. When reviewing this video, pay attention to the purpose of a SIEM and the difference between events and incidents when using a SIEM tool. What are some examples of SIEM tools?
Vulnerability analysis is performed on systems to determine the weaknesses of a system. When watching this video on vulnerability analysis, pay attention to the benefits of a vulnerability scan and to some popular types of scanners such as Nessus and Retina.
Scans can be performed on networks as well. TCP, port, or host scans are performed depending on the type of data to be collected by the scan. While watching, you should learn the types of network scans and the purpose of each type of scan.
Web scanners are used to find vulnerabilities in websites to protect them from being hacked. A web application vulnerability scanner (WAVS) is used to scan websites. Are these scans white-, black-, or gray-box scanning? What are the two types of WAVS? After watching, you should have a general idea of how a WAVS scans for vulnerabilities. Pay attention to the descriptions of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
Watch this video to get a basic understanding of the purpose for using Splunk. What output does Splunk produce that provides assistance to security personnel? What is the benefit of Splunk to security personnel?
Unit 8 Assessment
Take this assessment to see how well you understood this unit.
- This assessment does not count towards your grade. It is just for practice!
- You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
- You can take this assessment as many times as you want, whenever you want.