How the intrusion detection system works:
Any network security plan should include an intrusion detection system (IDS) and an intrusion prevention system (IPS). An IDS understands the content of packet headers, such as flags, options, IP addresses, and ports. The IDS monitors for intrusions and prevents the intruder from entering the system. An IPS can detect the intrusion at an earlier stage and is used to stop the attack from happening. IDSs mostly work by pattern matching and by detecting statistical anomalies.
Intrusion Detection Approaches:
There are two types of IDS approaches –
- Host-based – Software is installed on a single system, and the data from that system is used to detect intrusions. It protects that specific computer. It also monitors the ports and triggers alerts if an intrusion occurs on a port.
- Network-based – Monitors multiple hosts to detect intrusions across multiple systems. Here the IDS also examines packet headers, which enables detection of DoS attacks.
The most popular free IDS is Snort, which performs real-time analysis of IP packets. Other IDS tools are GFI LANguard S.I.M. and Tripwire. Commercial IDS products include ISS RealSecure and GFI LANguard S.E.L.M. IDS appliances include IntruShield, Cisco IDS, Top Layer Attack Mitigator IPS, and Proventia IDS.
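The two detection methods named above (pattern matching and statistical anomalies) can be shown working on the packet-header fields a network-based IDS sees. The following is an added example written for this page, not Snort or any other product's code: the packet records, the signature rules, and the port-scan threshold are constructed for illustration.

```python
"""Toy network IDS: signature (pattern) matching plus a statistical
anomaly check, run over constructed packet-header records.
Added example; not Snort or any other product's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str           # TCP flags as letters, e.g. "S", "SA", "A", "FPU"
    payload: bytes = b""


# Signature rules as (name, predicate) pairs; constructed for the example.
SIGNATURES = [
    # All of FIN, PSH and URG set is never produced by a normal TCP stack.
    ("xmas-scan-flags", lambda p: set("FPU") <= set(p.flags)),
    ("null-flags", lambda p: p.flags == ""),
    # Content match on a header field plus payload, like a Snort content rule.
    ("telnet-login", lambda p: p.dport == 23 and b"login:" in p.payload.lower()),
]


def match_signatures(pkt):
    """Pattern matching: return the names of every signature the packet hits."""
    return [name for name, pred in SIGNATURES if pred(pkt)]


def detect_port_scan(packets, window=10.0, max_ports=5):
    """Statistical anomaly: a source that touches more than `max_ports`
    distinct destination ports on one host within `window` seconds."""
    seen = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    alerts = set()
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst)
        seen[key].append((p.ts, p.dport))
        recent = {port for ts, port in seen[key] if p.ts - ts <= window}
        if len(recent) > max_ports:
            alerts.add(key)
    return sorted(alerts)


def run_ids(packets):
    """Combine both methods; returns (rule, src, dst, dport) alert tuples."""
    alerts = []
    for p in packets:
        for name in match_signatures(p):
            alerts.append((name, p.src, p.dst, p.dport))
    for src, dst in detect_port_scan(packets):
        alerts.append(("port-scan", src, dst, None))
    return alerts


# Constructed traffic sample: normal HTTPS traffic, one malformed-flag
# packet, and one host sweeping seven ports on the web server.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.0.80", 443, "S"),
    Packet(0.1, "10.0.0.5", "10.0.0.80", 443, "A", b"GET / HTTP/1.1"),
    Packet(1.0, "10.0.0.9", "10.0.0.80", 22, "FPU"),
] + [
    Packet(2.0 + i * 0.1, "10.0.0.7", "10.0.0.80", port, "S")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143])
]

if __name__ == "__main__":
    for alert in run_ids(SAMPLE):
        print(alert)
```

The signature list is where a real IDS spends most of its effort; the anomaly check shows why header-only inspection is enough to catch behaviour such as a port sweep that no single packet reveals.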
Architecture of Firewalls:
There are different types of firewall architectures, broadly –
- Packet-filtering firewalls – Create a checkpoint at a router or switch and check the incoming data packets passing through it; a packet whose header information does not match is dropped. These are the traditional type and are easy to bypass.
- Stateful inspection firewalls – Combine packet inspection with TCP handshake verification to create a maximum level of protection. This might slow down the system.
- Circuit-level gateways – Work by verifying the TCP handshake to ensure that the session is legitimate and not from an intruder. They do not inspect the packets themselves, though.
- Application-level gateways (proxy firewalls) – Operate at the application layer to filter incoming traffic between the network and the traffic source. The proxy connects to the source of the traffic and inspects the incoming traffic. They perform deep-layer inspection.
- Next-generation firewalls – Combine deep-layer inspection, surface-level packet inspection, and TCP handshake checks. They include an IPS to prevent attacks.
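The difference between the first two architectures is easiest to see with a stateless rule set and a handshake-tracking firewall evaluating the same packets. This is an added example written for this page, not any vendor's code; the Packet fields, the address range treated as "inside", the rule set, and the traffic scenario are all constructed assumptions.

```python
"""Packet-filtering (stateless) vs stateful-inspection firewall, side by side.
Added example; not any firewall product's code. The rule set and the
traffic scenario are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


INSIDE = "10.0.0."            # assumed internal address prefix
SERVER_PORTS = {443}          # assumed service exposed to the outside


def inbound(p):
    return not p.src.startswith(INSIDE) and p.dst.startswith(INSIDE)


def packet_filter(p):
    """Stateless rule set: each packet is judged on its own header.
    Allowing any inbound packet with ACK set is the classic way such a
    filter lets replies to inside-initiated connections through, and it
    is exactly why unsolicited packets can slip past it."""
    if not inbound(p):
        return "allow"
    if p.dport in SERVER_PORTS:
        return "allow"
    if "A" in p.flags:
        return "allow"
    return "drop"


class StatefulFirewall:
    """Tracks the three-way handshake per connection; an inbound packet is
    allowed only if it belongs to a connection an inside host opened (or
    targets an exposed server port)."""

    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> handshake state

    def filter(self, p):
        if not inbound(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                self.table[key] = "SYN_SENT"
            elif p.flags == "A" and self.table.get(key) == "SYN_RECEIVED":
                self.table[key] = "ESTABLISHED"
            return "allow"
        if p.dport in SERVER_PORTS:
            return "allow"
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if p.flags == "SA" and state == "SYN_SENT":
            self.table[key] = "SYN_RECEIVED"
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        return "drop"


# Constructed scenario: a legitimate outbound connection, then one inbound
# packet that claims (via the ACK flag) to belong to a connection nobody opened.
SCENARIO = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),    # inside -> out, SYN
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),   # reply, SYN/ACK
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "A"),    # handshake completes
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "A"),    # response data
    Packet("198.51.100.7", 31337, "10.0.0.5", 22, "A"),    # unsolicited ACK
]


def run_scenario(packets=SCENARIO):
    """Returns (packet_filter_decision, stateful_decision) per packet."""
    sf = StatefulFirewall()
    return [(packet_filter(p), sf.filter(p)) for p in packets]


if __name__ == "__main__":
    for p, decision in zip(SCENARIO, run_scenario()):
        print(p, decision)
```

The last packet is the point of the exercise: both firewalls allow the genuine connection, but only the stateful one drops the packet that was never part of a handshake it observed. The connection table is also where the extra cost comes from; every inbound packet now requires a lookup and the table must be bounded and aged out in a real implementation.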
Honeypots and Their Types:
A honeypot is a security mechanism that records all actions, transactions, and interactions with its users. Honeypots are used to track attackers and defend against attacks. Based on deployment type, they are classified into –
- Production honeypots – Easy to use, but they capture only limited information. They are placed inside production networks to improve security.
- Research honeypots – Better at gathering information about attackers. They are used to research the threats an organization faces and try to prevent them. They are complex to deploy and maintain.
Based on design criteria, the honeypots are classified into –
- Pure honeypots – Activity is monitored through the honeypot's link to the network.
- High-interaction honeypots – Multiple honeypots in a single system. More secure, difficult to detect, and expensive to maintain.
- Low-interaction honeypots – Simulate only the services that attackers commonly target.
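A low-interaction honeypot of the kind just described is small enough to show in full: it emulates one service (here a login prompt) closely enough to keep a visitor typing, never grants access, and records every interaction for the defender. The following is an added example written for this page and is not the code of any honeypot project; the banner text, the listening port, and the replayed session are constructed.

```python
"""Low-interaction honeypot: emulates a minimal login prompt, never grants
access, and records every interaction. Added example, not any honeypot
project's code; banner, port and sample session are constructed."""
import socketserver
import time

BANNER = b"Ubuntu 20.04 LTS\r\nlogin: "   # constructed, mimics a real prompt


class FakeLoginSession:
    """Per-connection state machine: login -> password -> reject, repeat.
    No credential is ever accepted; every attempt is appended to `log`."""

    def __init__(self, peer, log, clock=time.time):
        self.peer, self.log, self.clock = peer, log, clock
        self.state, self.username, self.attempts = "login", None, 0

    def handle(self, line: str) -> bytes:
        line = line.rstrip("\r\n")
        if self.state == "login":
            self.username, self.state = line, "password"
            return b"Password: "
        # password state: record the pair, reject, and re-prompt
        self.attempts += 1
        self.log.append({"ts": self.clock(), "peer": self.peer,
                         "user": self.username, "password": line})
        self.state = "login"
        return b"\r\nLogin incorrect\r\nlogin: "


class HoneypotHandler(socketserver.StreamRequestHandler):
    """Network front end; the interaction log is shared across connections
    and would be forwarded to a SIEM or written to disk in a deployment."""
    log = []

    def handle(self):
        session = FakeLoginSession(self.client_address[0], self.log)
        self.wfile.write(BANNER)
        for raw in self.rfile:
            self.wfile.write(session.handle(raw.decode("utf-8", "replace")))


def replay(peer, lines, clock=lambda: 0.0):
    """Drive one session offline with constructed input; returns the
    recorded log and the responses the visitor would have seen."""
    log = []
    session = FakeLoginSession(peer, log, clock)
    responses = [session.handle(line) for line in lines]
    return log, responses


if __name__ == "__main__":
    # Constructed session: two failed attempts from one peer.
    log, responses = replay("198.51.100.7",
                            ["root\r\n", "toor\r\n", "admin\r\n", "admin123\r\n"])
    for entry in log:
        print(entry)
    # Listen locally on a constructed port; every byte received is evidence.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2323), HoneypotHandler) as srv:
        srv.serve_forever()
```

Keeping the protocol logic in `FakeLoginSession`, separate from the socket handling, is what makes the honeypot cheap to run and easy to test, and it is also the reason a low-interaction honeypot is easy for a visitor to fingerprint: it only ever produces the handful of responses coded into that state machine.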