Difference Between IDS and IPS

 Both an IDS and an IPS read network packets and compare their contents against a database of known threat signatures and rules. The primary difference between them is what happens next. An IDS is a detection and monitoring tool: it raises an alert but takes no action on its own. An IPS is a control system that sits inline and accepts or drops each packet based on its ruleset.

 An IDS requires a human or another system to review its alerts and decide what to do next, which can be a full-time job depending on the volume of traffic the network generates each day. Because it records what it saw without altering the traffic, an IDS is the better post-mortem forensics tool for the CSIRT to use during security incident investigations.

 The purpose of an IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. Because it acts automatically, it needs less day-to-day operator attention than an IDS; the main ongoing requirement is keeping its signature database updated with new threat data. The trade-off is that a false positive on an inline IPS blocks legitimate traffic instead of just raising an alert, so its rules need to be tuned more carefully.

Ways to detect an intrusion :-

      1. Signature-based :- Traffic is compared against a database of patterns (signatures) taken from known attacks. It is precise for known threats but cannot detect an attack that has no signature yet.
      2. Anomaly-based :- A baseline of normal behaviour (traffic volume, protocols in use, which hosts talk to each other) is learned first, and anything that deviates significantly from that baseline raises an alert. It can catch unknown attacks but produces more false positives.
      3. Policy-based :- The administrator defines what is allowed (for example which protocols and ports may be used on a segment) and anything outside that policy is flagged.
      4. Reputation-based :- Source and destination addresses, domains and file hashes are checked against reputation lists of known-bad entities, and traffic involving them is flagged.
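The four approaches above applied to one set of traffic records, as an added example that is not code from the original post. Every record, signature, port policy, baseline figure and blocklist entry below is constructed for illustration; a real sensor would load these from its rule files and threat feeds.

```python
"""The four detection approaches above, each applied to the same constructed
set of traffic records.

Added example (not from the original post). The records, signatures,
allowed-port policy, baseline numbers and reputation list are all made up.
"""
import re
import statistics
from collections import Counter

# Constructed records: (timestamp, source_ip, destination_port, request_line).
LIVE = [
    (1, "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    (2, "10.0.0.5", 80, "GET /about.html HTTP/1.1"),
    (3, "10.0.0.7", 80, "GET /login?user=admin' UNION SELECT 1,2,3-- HTTP/1.1"),
    (4, "10.0.0.9", 23, ""),                               # telnet to a web server
    (5, "203.0.113.77", 80, "GET /index.html HTTP/1.1"),   # address on a blocklist
    (6, "10.0.0.8", 80, "GET /../../etc/passwd HTTP/1.1"),
] + [(10 + i, "10.0.0.42", 80, f"GET /search?q={i} HTTP/1.1") for i in range(40)]

# 1. Signature-based: patterns taken from known attacks.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# 2. Anomaly-based: requests per source observed during a quiet learning period.
BASELINE_REQUESTS_PER_SOURCE = [3, 4, 3, 2, 3, 4]

# 3. Policy-based: only web traffic is allowed to reach this segment.
ALLOWED_PORTS = {80, 443}

# 4. Reputation-based: addresses taken from a threat-intelligence blocklist.
BAD_IPS = {"203.0.113.77"}


def signature_alerts(records):
    """Return (source, signature_name) for every record matching a signature."""
    alerts = []
    for _, src, _, request in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(baseline, records):
    """Flag sources whose request count is far above the learned baseline.

    The threshold is mean + 3 standard deviations of the baseline counts;
    the factor 3 is a tuning knob that trades false positives for misses.
    """
    threshold = statistics.mean(baseline) + 3 * statistics.stdev(baseline)
    counts = Counter(src for _, src, _, _ in records)
    return sorted(src for src, n in counts.items() if n > threshold)


def policy_alerts(records):
    """Flag (source, port) pairs that violate the allowed-ports policy."""
    return [(src, port) for _, src, port, _ in records if port not in ALLOWED_PORTS]


def reputation_alerts(records):
    """Flag sources that appear on the blocklist."""
    return sorted({src for _, src, _, _ in records if src in BAD_IPS})


def run_all(records=LIVE):
    """Run all four detectors over the records and collect their alerts."""
    return {
        "signature": signature_alerts(records),
        "anomaly": anomaly_alerts(BASELINE_REQUESTS_PER_SOURCE, records),
        "policy": policy_alerts(records),
        "reputation": reputation_alerts(records),
    }


if __name__ == "__main__":
    for method, alerts in run_all().items():
        print(f"{method:10s} -> {alerts}")
```

Note how each method catches a different record: the SQL injection and traversal attempts only trip signatures, the 40-request burst from 10.0.0.42 only trips the anomaly threshold, the telnet connection only trips policy, and 203.0.113.77 only trips reputation even though its request is harmless. That is why production sensors combine all four.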

Types of IDS :-

      1. Host-based IDS (HIDS) :- It is deployed to protect a specific host machine and runs as an agent that works closely with the host's operating system, often hooking in at kernel level to observe application calls to the OS and flag malicious ones. It watches activity on the host itself, typically including:

      • File system monitoring
      • Log file analysis
      • Connection analysis
      • Kernel-level detection

      2. Network-based IDS (NIDS) :- It is deployed at the perimeter edge or on a specific segment of the overall network and inspects the traffic passing that point, usually fed from a mirror/SPAN port or tap rather than sitting inline. It is only capable of generating an alert about an attack; it cannot block it.

What does a firewall do ?

      • Defend resources
      • Validate access
      • Manage and control network traffic
      • Record and report on events
      • Act as an intermediary

What is a Honeypot ?

Honeypots are devices or systems deployed to trap attackers attempting to gain unauthorised access to a system or network. They are placed in an isolated, closely monitored environment and have no legitimate users, so any interaction with them is suspicious by definition and reveals the attacker's tools and techniques without putting production systems at risk.

What is Evasion ?

Evasion is a technique for sending a packet that the end system accepts but the IDS rejects or interprets differently. The attack is still aimed at the host; the IDS simply never sees it correctly. An IDS that mistakenly rejects or misparses such a packet misses its contents entirely, so the attack reaches the target without generating an alert.

Some techniques of evasion are :

      1. Fragmentation attack :- The attacker splits the packet into fragments (or spreads the payload across several TCP segments) so that no single fragment contains the full attack signature. An IDS that inspects fragments individually, or reassembles them differently from the target host, never sees the pattern.
      2. Denial of service attack :- To perform a DoS attack on the IDS, an attacker may use CPU-exhaustion techniques (traffic floods, packets that are expensive to parse) to overload the sensor so that it starts dropping packets and the real attack slips through unexamined.
      3. Obfuscation :- The payload of a packet destined for the target is encoded or encrypted so that it no longer matches the signature, while the target still decodes it before use. Fully encrypted traffic cannot be inspected at all unless the IDS is able to decrypt it.
      4. Unicode evasion :- The attacker uses alternative Unicode encodings of the same characters (for example percent-encoded or full-width forms) to manipulate the IDS.

#Unicode is basically a character encoding; when the IDS matches signatures on the raw bytes but the target normalises the characters before using them, the alternative encoding avoids signature matching and the IDS never alerts.
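The fragmentation, obfuscation and Unicode techniques above against a naive signature matcher, beside a matcher that reassembles and normalises first, as an added example that is not code from the original post. The signature, the request strings and the segment layout are constructed; the decoding steps assume the protected server percent-decodes (possibly twice) and folds full-width characters, which is itself an assumption the IDS operator has to verify against the real target.

```python
"""Evasion techniques against a naive signature matcher, with a hardened
matcher that reassembles segments and normalises encodings first.

Added example (not code from the original post). The signature, the
request strings and the segment layout are constructed for illustration.
"""
import unicodedata
from urllib.parse import unquote

# Constructed signature: a request for /etc/passwd.
SIGNATURE = "/etc/passwd"


def naive_match(segments):
    """Inspect each segment on its own, byte-for-byte (what a weak IDS does).

    segments: list of (sequence_offset, text) in the order they arrived.
    """
    return any(SIGNATURE in data for _, data in segments)


def reassemble(segments):
    """Put segments back in sequence order, as the receiving TCP stack will.

    Assumption: no overlapping segments. A real IDS must also apply the same
    overlap policy as the target OS, which is itself a classic evasion point.
    """
    return "".join(data for _, data in sorted(segments))


def normalise(text, max_rounds=3):
    """Undo the encodings the target will undo before using the string.

    Percent-decoding is repeated until the text stops changing (bounded) to
    cover targets that decode twice; NFKC folds full-width and other
    compatibility characters to their ASCII equivalents. Assumption: the
    protected server behaves the same way, otherwise this over-decodes.
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return unicodedata.normalize("NFKC", text)


def hardened_match(segments):
    """Reassemble, normalise, then look for the signature."""
    return SIGNATURE in normalise(reassemble(segments))


# --- Constructed traffic ------------------------------------------------
# Plain request: both matchers see it.
PLAIN = [(0, "GET /etc/passwd HTTP/1.1\r\n")]

# 1. Fragmentation: signature split across two segments, delivered out of order.
FRAGMENTED = [(11, "sswd HTTP/1.1\r\n"), (0, "GET /etc/pa")]

# 3. Obfuscation: percent-encoded letters, one of them double-encoded (%25 -> %).
OBFUSCATED = [(0, "GET /%65tc/%2570asswd HTTP/1.1\r\n")]

# 4. Unicode evasion: full-width solidus U+FF0F (UTF-8 EF BC 8F) instead of "/".
UNICODE_SLASH = [(0, "GET %EF%BC%8Fetc%EF%BC%8Fpasswd HTTP/1.1\r\n")]


def compare(segments):
    """Return (naive_result, hardened_result) for one request."""
    return naive_match(segments), hardened_match(segments)


if __name__ == "__main__":
    for name, traffic in [("plain", PLAIN), ("fragmented", FRAGMENTED),
                          ("obfuscated", OBFUSCATED), ("unicode", UNICODE_SLASH)]:
        naive, hardened = compare(traffic)
        print(f"{name:11s} naive={naive!s:5} hardened={hardened}")
```

The naive matcher fires only on the plain request; the hardened one fires on all four. The DoS technique has no code counterpart here: its effect is that the sensor drops segments, so even the hardened matcher never gets the complete stream to reassemble.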

By Xcheater
