Difference Between IDS and IPS
Both IDS and IPS inspect network packets and compare their contents against a database of known threat signatures. The primary difference between them is what happens next. An IDS is a detection and monitoring tool that does not take action on its own. An IPS is a control system that accepts or drops each packet based on its ruleset.
An IDS requires a human or another system to review its alerts and decide what action to take next, which can be a full-time job depending on the volume of network traffic generated each day. Because it records rather than acts, an IDS makes the better post-mortem forensics tool for the CSIRT to use as part of its security incident investigations.
The purpose of an IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It sits inline and acts automatically, so it needs less day-to-day operator attention than an IDS; the main ongoing requirement is that its signature database is updated regularly with new threat data. The trade-off is that a false positive on an IPS blocks legitimate traffic, and an inline device that fails is itself a point of failure on the network path.
Ways to detect an Intrusion:-
Types of IDS :-
- Host based Intrusion Detection (HIDS) :- It is normally deployed to protect a specific host machine and works closely with the operating system kernel of that host. It creates a filtering layer that inspects application calls to the OS and filters out malicious ones. Typical data sources are:
- File system monitoring
- Log file analysis
- Connection analysis
- Kernel level detection
- Network based Intrusion Detection (NIDS) :- It is placed at the perimeter alongside the edge device, or on a specific segment of the overall network, and watches the traffic of that whole segment rather than of a single host. On its own it is only capable of generating an alert of an attack; blocking requires an IPS or another control.
What does a firewall do ?
- Defend resources
- Validate access
- Manage and control network traffic
- Record and report on events
- Act as an intermediary
What are Honeypots ?
Honeypots are devices or systems deployed to trap attackers attempting to gain unauthorized access to a system or network. They are deployed in an isolated environment and closely monitored, so any interaction with them is suspicious by definition and the attacker's tools and techniques can be observed without risk to production systems.
What is Evasion ?
Evasion is a technique for sending a packet that is accepted by the end system but rejected, or not understood, by the IDS. Evasion techniques are intended to exploit the host while the IDS sees nothing harmful. An IDS that mistakenly rejects such a packet misses its contents entirely.
Some techniques of evasion are :
- Fragmentation attack :- The attacker splits the packet into fragments so that no single fragment contains the whole signature. An IDS that does not reassemble the fragments the way the target host does will never see the complete pattern.
- Denial of service attack :- To perform a DoS attack on the IDS, an attacker may use CPU exhaustion techniques to overload the IDS so that it starts dropping packets, and the real attack passes while the sensor is overloaded.
- Obfuscation :- The payload of a packet destined for the target is encoded or encrypted so that it no longer matches the signature on the wire, while the target still decodes and processes it.
- Unicode evasion :- The attacker uses Unicode (for example alternative or overlong UTF-8 encodings of characters such as "/") to manipulate the IDS.
# Unicode is basically a character encoding. An IDS that matches signatures on the raw bytes without decoding them the way the target does can be made to miss the match and so never alert.
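The fragmentation, obfuscation and Unicode evasion items above can be shown against a toy signature matcher. The following is an added example written for this page, not code from the original notes: a naive matcher searches each packet as it arrives for raw-byte signatures, and a hardened matcher first reassembles the stream and normalizes percent-encoding and overlong UTF-8 (the classic %C0%AF form of "/") before matching. The three signatures, the HTTP request lines, the fragment size, and the lenient decoder that stands in for a permissive target are all assumptions made for the demonstration.

```python
import urllib.parse

# Toy signature set for a URI-based IDS (constructed for this example, not a real ruleset).
SIGNATURES = [b"../", b"/etc/passwd", b"cmd.exe"]


def naive_match(data):
    """What a weak IDS does: byte-for-byte signature search on each packet as seen."""
    return sorted(s for s in SIGNATURES if s in data)


def fragment(payload, size):
    """Split a payload into fixed-size fragments (fragmentation evasion)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def overlong_utf8(ch):
    """Encode one ASCII char as an overlong 2-byte UTF-8 sequence, e.g. '/' -> C0 AF."""
    code = ord(ch)
    if code >= 0x80:
        raise ValueError("only ASCII characters are handled here")
    return bytes([0xC0 | (code >> 6), 0x80 | (code & 0x3F)])


def percent(raw):
    """Percent-encode every byte, as an attacker would put it in a URL."""
    return "".join("%%%02X" % b for b in raw).encode()


def decode_lenient_utf8(data):
    """Decode like a permissive target would: accept overlong 2-byte encodings of ASCII.
    Strict UTF-8 (and Python's own decoder) rejects these; that gap is the evasion."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            code = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if code < 0x80:  # overlong form of an ASCII character
                out.append(code)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def normalize(data):
    """Hardened pre-processing: percent-decode, then resolve overlong UTF-8 to ASCII."""
    return decode_lenient_utf8(urllib.parse.unquote_to_bytes(data))


def hardened_match(fragments):
    """Reassemble the stream first, then normalize it, then match signatures."""
    return naive_match(normalize(b"".join(fragments)))


def demo():
    """Run both matchers against a plain, a fragmented and a Unicode-encoded request."""
    plain = b"GET /../../etc/passwd HTTP/1.0\r\n"
    frags = fragment(plain, 3)  # 3-byte pieces: no piece holds a whole signature
    # Unicode evasion: each '/' in the traversal is sent as %C0%AF and 'p' as %70.
    slash = percent(overlong_utf8("/"))
    evasive = b"GET /.." + slash + b".." + slash + b"etc" + slash + b"%70asswd HTTP/1.0\r\n"
    return {
        "plain_naive": naive_match(plain),
        "fragmented_naive": sorted({s for f in frags for s in naive_match(f)}),
        "fragmented_hardened": hardened_match(frags),
        "unicode_naive": naive_match(evasive),
        "unicode_hardened": hardened_match([evasive]),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The point of the hardened path is ordering: reassembly and decoding must happen before matching, and the decoding must mirror what the target itself accepts, which is why IDS vendors ship target-specific normalization rather than a single strict decoder.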