IDS & IPS¶
links: SPA TOC - Host & Network Security - Index
Overview¶
- Intrusion detection & prevention systems (IDS/IPS)
- can detect attacks or attempts to attack against hosts and networks
- can work together with firewalls and network devices to prevent or stop attacks
Host based IDS/IPS (HIDS)¶
- work close together with OS
- can detect attacks against the host
- can have a negative impact on system performance and stability
- sometimes not able to detect network based attacks (e.g. DoS attacks)
Network based IDS/IPS (NIDS/NIPS)¶
- analyze all network traffic, intelligent protocol analyzer
- detect attacks, start counter-measures
- need access to all packets of a network segment (often realized with mirror ports on switches)
- can detect anomalies and react preventive by interaction with network firewall
- not always detect attacks (e.g. if the attack is distributed on multiple packets and fragments, low profile attacks)
- can be disabled by DoS attacks, which they should detect
Hybrid IDS/IPS¶
- combination of both host and network-based IDS/IPS
- allows a better recognition of anomalies and attacks
- consists of:
- a central management system
- host based sensors
- network based sensors
links: SPA TOC - Host & Network Security - Index