+4 votes
in Security by (242k points)
System protection with Intrusion Prevention System and Intrusion Detection System

1 Answer

+5 votes
by (1.6m points)
Best answer

System protection with Intrusion Prevention System and Intrusion Detection System

The best way to protect a network or computer system is to detect and mitigate attacks early, before they can cause further damage. To this end, many implement systems such as the Intrusion Detection System (IDS) or the more versatile Intrusion Prevention System (IPS). In this article we show you what these security components consist of and how exactly they work.

  1. What is an intrusion detection system?
    1. Host-based intrusion detection system
    2. Network-based Intrusion Detection System
  2. How do modern detection systems work?
    1. Data monitoring
    2. Analysis
    3. Results report
  3. The advantages and disadvantages of the intrusion detection system
  4. What is an Intrusion Prevention System?
  5. DenyHosts: the simple answer to brute force attacks
  6. Snort: flexible rules for a secure network

What is an intrusion detection system?

An Intrusion Detection System (IDS) is used to detect attacks against a computer system or a network in time. The necessary IDS software can be installed on the system that is being monitored or on a separate device. Many vendors distribute high-priced preconfigured IDS solutions. Intrusion detection systems monitor and analyze network activity for unusual traffic and inform the user if there is any. Thus, the user has the opportunity to respond to access attempts and to stop the attack. Currently it is possible to distinguish between two different methods of intrusion detection: host-based and network-based.

Host-based intrusion detection system

The first host-based IDS software emerged in the 1980s and was intended to protect centralized computing structures. For this, the detection system was installed on the central computer through which the different connected terminals were run and, from that host, the exchange of kernel files, registry files and other system data was monitored. With the evolution of terminals into independent workstations with their own computing power, the host-based technology had to be adapted. Thus, to monitor these independent systems, special modules were installed, also known as monitoring agents. Mainly, these were in charge of filtering the traffic, or the data whose audit was relevant, and sending the results to the central server which, in turn, was responsible for detecting the attacks. Due to their design, they are also known as distributed intrusion detection systems.

Network-based Intrusion Detection System

The increasing interconnection of local networks to the Internet required new developments in IDS technology. For one thing, the host-based approach was not made for the flexible and complex data flow of the Internet. On the other hand, physical proximity to the target system was no longer necessary to carry out an attack, which allowed attacks to be executed without complications through clients distributed throughout the network. Since unauthorized access from the Internet takes place via protocols such as TCP/IP or UDP (User Datagram Protocol), network-based systems do not check data, but IP packets. It is for this reason that they were closely linked to the firewall in use. To do this, they also set up a central monitoring unit that was not limited to protecting a single system, but could see all network traffic.

How do modern detection systems work?

To ensure a higher attack detection rate, current Intrusion Detection Systems generally combine both approaches. These hybrid systems are characterized by a central management system that receives the necessary information from both the network-based software and the host-based software. There are three basic components involved in the detection process:

Data monitoring

The data monitor has the task of collecting and performing a first filtering of the data needed to detect intruders. This is the aforementioned data audit, which includes log files of computer systems and security applications, such as CPU capacity, number of active network connections, or number of login attempts. In addition, in hybrid intrusion detection systems, the data monitor also evaluates the data of the TCP/IP connections, such as source and destination addresses and other properties of the data packets sent and received, which it obtains thanks to the sensor of the network-based IDS.

Analysis

The data monitor sends the collected and pre-filtered data stream to the so-called analyzer. It must process and evaluate the information obtained in real time, otherwise it would not be possible to avoid attacks in time. Consequently, the analysis process places greater demands on the underlying hardware (CPU and memory). Especially in very large business networks, IDS scalability is one of the most complicated processes, but it is also one of the most important tasks to ensure that the system can stop attacks. The methods used by the analyzer to evaluate the data are:

  • In misuse detection, the analyzer tries to detect known attack patterns, called signatures, in the data. These are stored in a separate database that is regularly updated. There, each entry also receives information on the severity of the attack. However, the small disadvantage of this method is that while known attack patterns can be clearly identified and evaluated, those that have not been included in the database will be invisible to this detection mechanism.
  • Anomaly detection is based on a different principle: this method of analysis assumes that unauthorized access causes abnormal behavior in the system and, therefore, deviates from the preset values. Thus, the analyzer can be configured in such a way that it triggers an alarm when the CPU load or the traffic to the web page exceeds a certain value (static approach). Alternatively, it can also include the time sequence of events in the evaluation (logical approach). Anomaly detection can help detect new and unknown attacks; however, this active detection method also alerts when the system is in an unusual state that was not caused by an intruder.

Results report

In the final stage, the Intrusion Detection System informs the network administrator if it has found an attack or suspicious system behavior. Depending on the potential risk, there are different ways to send the notification. So, for example, a system that needs to defend itself would send

  • an email explaining the nature of the attack,
  • a local alarm as a pop-up window that activates the security console,
  • or an alert message to a mobile device.

In anomaly detection, the degree of risk is derived from the degree of deviation from the standard value, while the misuse detection procedure, as mentioned above, obtains a severity classification from the pattern database.

The advantages and disadvantages of the intrusion detection system

Its versatile technology allows Intrusion Detection Systems to detect potential attacks that would go unnoticed by a traditional firewall. The IDS software analyzes data packets at the highest layer of the OSI model and, in this way, specifically controls each application executed. Thanks to this approach, systems with anomaly detection can also discover new and changing attack patterns and thus increase the security of a network. Remember that an IDS does not replace a firewall, but rather complements it, since only a combination of these two security components will ensure adequate protection.

Because intrusion detection systems are active components of a network, they are also potential targets for an attack, especially when intruders are aware of their existence. They are especially vulnerable to DoS attacks, that is to say overload attacks, with which it is possible to disable the IDS software in a very short time. In addition, the attacker can also take advantage of the automatic notification function of intrusion detection systems to launch denial of service attacks from the IDS. In particular, an incorrect configuration of anomaly detection can become the Achilles' heel of these systems. For example, if the alarm settings are very sensitive, the number of alerts will be too high even without unauthorized access attempts.

In any case, it is necessary to weigh the costs and benefits of these security systems, since not only the IDS software is needed, but also the appropriate hardware environment. Even with powerful open source solutions, network-based like Snort, host-based like Samhain, or hybrid like Suricata, you will not avoid taking care of the correct installation, development and maintenance of your IDS.

What is an Intrusion Prevention System?

Intrusion Prevention Systems (IPS) go one step beyond intrusion detection systems: once they have found a possible attack, they not only inform the administrator, but also carry out concrete and immediate measures. In this way, they avoid a long delay between detecting and fighting the intruder, as can be the case with IDS software. Regarding the analysis method used, there is no difference between the two network protection mechanisms. In the same way as an IDS, current IPS software also uses host-based or network-based sensors to record and evaluate system data and network packets.

It is recommended that you individually configure an Intrusion Prevention System to prevent anomaly detection methods from classifying normal user actions as a threat and blocking them. In this way you can implement as many intrusion detection and prevention systems as necessary, with which, basically, you can choose between active blocking or simple monitoring, for example, with open source applications such as the aforementioned Snort and Suricata. You can also consider a system that combines both approaches and even implement two separate systems. This last variant means that filtering and blocking can be done in different hardware environments.

The scope of IPS software can vary widely, as the free programs DenyHosts and Snort demonstrate.

DenyHosts: the simple answer to brute force attacks

The DenyHosts tool, written in Python, allows you to set up a host-based Intrusion Prevention System for SSH/SSHD connections that recognizes and stops brute force attacks. To do this, the open source application checks the entries in the authentication logs to identify unsuccessful SSH login attempts. If the number of failed attempts allowed from a specific IP address is exceeded, DenyHosts blocks this IP and puts it on a blacklist. In this way, if the attacker continues to use the same IP, access will be denied.

The only requirements to use DenyHosts are a UNIX operating system and the Python scripting language, including the ipaddr module, which is included by default in most distributions. You can find the most current versions of the IPS tool in its repository on GitHub. Another possible alternative is Fail2ban, a security application with very similar characteristics.

Snort: flexible rules for a secure network

In 1998, programmer Martin Roesch released the Snort security tool, though only for UNIX systems. Cisco Systems has been in charge of its development and multiplatform programming under the GPL license since 2013. The American company offers the free tool in various commercial subscription models for private individuals or companies, which, among other things, has a faster update system and additional user support. Snort provides the functions necessary to create powerful network-based Intrusion Prevention Systems. You can download the software and configure it so that it only controls the respective components and, therefore, is the basis of an intrusion detection system.

Snort checks network traffic in real time and uses BASE as its misuse detection engine. This compares the incoming and outgoing data packets with the registered patterns, which in Snort are known as rules. Cisco Systems updates these rules regularly, including newly discovered attack patterns. In the paid versions, customers get those updates faster. Additionally, it is also possible to define your own rules and, in this way, improve the detection capabilities of your Snort system. For more information on the free and commercial use of Snort, visit its website.
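The host-based, DenyHosts-style approach described in the answer, as an added example (not DenyHosts' own code and not part of the original post): a signature match for failed SSH logins is applied to a constructed auth.log sample, attempts are counted per source address, and hosts.deny-style entries are produced for addresses above a threshold. An allowlist of trusted networks is added to address the false-positive problem the answer raises for IPS blocking; the standard `ipaddress` module is used in place of the older `ipaddr` the answer mentions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log sample (RFC 5737 documentation addresses), not from a real system.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:01:23 host sshd[2105]: Failed password for root from 203.0.113.5 port 51031 ssh2
Mar  3 10:02:02 host sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:02:40 host sshd[2112]: Failed password for alice from 192.0.2.10 port 40030 ssh2
Mar  3 10:03:01 host sshd[2115]: Failed password for invalid user test from 198.51.100.7 port 60000 ssh2
"""

# Signature (misuse detection): the sshd "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def count_failures(log_text):
    """Return a Counter of failed SSH logins per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue  # successful logins and unrelated lines are ignored
        try:
            ip = ipaddress.ip_address(match.group(2))
        except ValueError:
            continue  # malformed address in the log: skip rather than block garbage
        counts[str(ip)] += 1
    return counts


def hosts_to_deny(counts, threshold, allowlist=()):
    """Addresses at or above the threshold, minus any inside an allowlisted network."""
    trusted = [ipaddress.ip_network(net) for net in allowlist]
    deny = []
    for ip, failures in counts.items():
        if failures < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted):
            continue  # trusted source: report, but never block, to avoid self-inflicted lockout
        deny.append(ip)
    return sorted(deny)


def hosts_deny_lines(deny):
    """Render the block list in /etc/hosts.deny syntax for the sshd service."""
    return [f"sshd: {ip}" for ip in deny]
```

Running `hosts_deny_lines(hosts_to_deny(count_failures(SAMPLE_AUTH_LOG), 3))` on the sample yields a single entry for 203.0.113.5; lowering the threshold to 1 without an allowlist would also lock out the legitimate user who mistyped a password once.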