Network Intrusion Detection System (NIDS)
Monitors all network traffic passing on the segment where the sensor is installed (typically fed from a switch mirror/SPAN port or a network tap), reacting to any signature match or anomaly. Basically this is a packet sniffer with attitude. A NIDS analyses every packet for suspected nefarious activity; most will also look for anomalies within the protocol itself, such as TCP flag combinations or header lengths that no conforming stack would ever produce.
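As an added illustration of what "analysing every packet" means in practice (this is example code written for this page, not part of the original glossary or any product), the following Python inspector decodes raw IPv4/TCP packets, matches the payload against a small signature list and flags protocol anomalies that a conforming TCP stack never emits. The signature list, the packet builder and the sample packets are all constructed here for the example; IP and TCP checksums are left at zero.

```python
"""NIDS-style inspector over raw IPv4/TCP packets: signature matching plus
protocol-anomaly checks. Added example, not code from the original page.
Packets are constructed in-line so it runs without a live capture."""
import struct
from dataclasses import dataclass

# Illustrative signature list (assumed, not from any real ruleset):
# (rule name, byte pattern that must appear in the TCP payload).
SIGNATURES = [
    ("web-cgi-shell", b"/bin/sh"),
    ("sql-union", b"UNION SELECT"),
]

# TCP flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(raw):
    """Decode an IPv4 header followed by a TCP header; raise ValueError on malformed input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or proto != 6 or total_len < ihl or total_len > len(raw):
        raise ValueError("bad IHL, protocol or total length")
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)),
                  sport, dport, flags, tcp[doff:])


def inspect(pkt):
    """Return the list of alerts a sensor would raise for one packet."""
    alerts = []
    # Protocol anomalies: combinations a conforming stack never sends,
    # but scanners and evasion tools do.
    if pkt.flags & SYN and pkt.flags & FIN:
        alerts.append("anomaly: SYN+FIN set")
    if pkt.flags == 0:
        alerts.append("anomaly: null scan (no flags)")
    if pkt.flags & SYN and not pkt.flags & ACK and pkt.payload:
        alerts.append("anomaly: data on initial SYN")
    # Signature matching on the payload.
    for name, needle in SIGNATURES:
        if needle in pkt.payload:
            alerts.append(f"signature: {name} ({pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport})")
    return alerts


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct a raw IPv4/TCP packet for testing; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def run_sensor(raws):
    """Feed packets through parse + inspect; malformed ones are reported, not dropped silently."""
    results = []
    for raw in raws:
        try:
            results.append(inspect(parse_ipv4_tcp(raw)))
        except ValueError as e:
            results.append([f"malformed: {e}"])
    return results


if __name__ == "__main__":
    # Constructed traffic: a SYN/FIN probe, a CGI command-injection attempt,
    # a normal ACK and a truncated frame.
    sample = [
        build_packet("203.0.113.7", "10.0.0.5", 40000, 80, SYN | FIN),
        build_packet("203.0.113.7", "10.0.0.5", 40001, 80, PSH | ACK,
                     b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"),
        build_packet("10.0.0.12", "10.0.0.5", 40002, 80, ACK),
        b"\x45\x00\x00",
    ]
    for alerts in run_sensor(sample):
        print(alerts or "no alert")
```

Note that a real sensor has to reassemble TCP streams before signature matching, otherwise an attacker can split the pattern across segments; the per-packet matching above is the simplest form of what the entry describes, and the malformed-packet branch matters because a sensor that silently discards what it cannot parse is exactly what evasion tools aim for.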
Network Intrusion Prevention System (NIPS)
Network IPS sit inline on the network, statefully analysing packet content, blocking packets that match a signature and alerting on others. It is sometimes easier to explain what isn't an IPS: for instance, products that just block by port, such as routers and many firewalls. Furthermore, a true IPS must drop the offending packet itself, not merely send TCP resets, spoof reject packets from border devices, or update border devices to shun addresses; those reactive measures race the attack traffic and are not guaranteed to arrive before it reaches the target.
Attack Mitigation Systems
The main distinction between NIPS and mitigators is that mitigators are designed to do one specific job: detect and mitigate DoS/DDoS attacks and the knock-on effects of worm activity. NIPS are designed to detect malicious traffic and drop the packet or stream. NIPS are not necessarily good at mitigating DoS/DDoS attacks, and mitigators generally do not have the signature coverage to provide good NIPS functionality. NIPS are like IDS but in-line; mitigators are like firewalls but designed to detect and prevent DoS attacks rather than enforce policy.
HoneyPots
Honeypots are a highly flexible security tool with differing applications for security. They don't fix a single problem; instead they have multiple uses, such as prevention, detection, or information gathering. All honeypots share the same concept: a security resource that should not see any production or authorised activity, so any interaction with it is by definition suspect. This makes them very simple to use. There are two general types of honeypots, production and research. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organisations.
Host Intrusion Prevention System (HIPS)
Host Based IDS (HIDS) / Event Log Viewers
This kind of IDS monitors event logs from multiple sources on the host for suspicious activity, correlating events that are individually unremarkable (a failed login, a new account) into a pattern that is not. Host IDS are best placed to detect computer misuse by trusted insiders and by those who have already infiltrated your network, because that activity is authenticated and looks legitimate on the wire.
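The following Python script is an added example (not a tool from the original page) of the log-correlation logic a host IDS applies: it runs two detection rules over authentication-log lines, one for a password brute force that ends in a successful login from the same source, and one for the creation of a UID 0 account. The log lines are constructed for the example in OpenSSH/syslog style and are not real captures; the threshold, window and assumed year are illustrative parameters.

```python
"""Host-IDS style event-log analysis: detection logic over auth-log lines.
Added example, not a tool from the original page; the log lines below are
constructed for the example in OpenSSH/syslog style, not real captures."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:04 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:07 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51138 ssh2
Mar  3 10:01:10 web1 sshd[2108]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:01:15 web1 sshd[2112]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:01:20 web1 sshd[2119]: Accepted password for root from 203.0.113.7 port 51160 ssh2
Mar  3 10:05:00 web1 sshd[2200]: Accepted publickey for alice from 10.0.0.12 port 40001 ssh2
Mar  3 10:06:15 web1 useradd[2255]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
NEWUSER = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; assume one (illustrative) so arithmetic works."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def analyse(lines, threshold=5, window=60):
    """Return alert strings for the rules that fire over the given log lines.

    Rule 1: at least `threshold` failed passwords from one source address within
            `window` seconds, followed by an accepted login from that same source.
    Rule 2: an account created with UID 0 (a second root, a classic backdoor).
    """
    alerts = []
    failures = defaultdict(list)  # source address -> timestamps of failed logins
    for line in lines:
        if m := FAILED.match(line):
            failures[m["src"]].append(parse_ts(m["ts"]))
        elif m := ACCEPTED.match(line):
            t = parse_ts(m["ts"])
            recent = [f for f in failures[m["src"]] if 0 <= (t - f).total_seconds() <= window]
            if len(recent) >= threshold:
                alerts.append(f"brute-force success: {m['user']} from {m['src']} "
                              f"after {len(recent)} failures")
        elif m := NEWUSER.match(line):
            if m["uid"] == "0":
                alerts.append(f"privileged account created: {m['user']} has UID 0")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Neither event on its own is conclusive (failed logins are background noise and administrators do create accounts); the value of the host IDS is in the correlation across events and sources, which is why alice's key-based login from an address with no failures produces nothing.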
File Integrity Checkers
When a system is compromised an attacker will often alter certain key files to provide continued access and prevent detection. By applying a message digest (cryptographic hash) to key files and then checking the files periodically to ensure the hash hasn't altered, a degree of assurance is maintained. On detecting a change an alert is triggered. Furthermore, following an attack the same files can have their integrity checked to assess the extent of the compromise. Two caveats: the hash must be collision-resistant (SHA-256 rather than MD5), and the baseline of hashes is only as trustworthy as its storage, since an attacker with root who can rewrite the baseline can hide their changes; keep it read-only, off the monitored host, or signed.
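Added example, not the page's own tool: a minimal integrity checker in Python that records a SHA-256 digest together with the size and permission bits of each key file, then re-checks and reports what changed. Recording the mode bits as well as the hash is a deliberate choice, because a newly added setuid bit is a change a pure content hash would not see. The files, their contents and the "attacker" modifications are all created in a temporary directory for the demonstration.

```python
"""File integrity checker: baseline cryptographic digests (plus size and
permission bits) for key files, then re-check and report what changed.
Added example, not the page's own tool; the files below are created in a
temporary directory and the attacker's changes are simulated."""
import hashlib
import json
import os
import stat
import tempfile


def digest_file(path, algo="sha256"):
    """Stream the file through a collision-resistant hash (not MD5 or SHA-1)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and mode bits. A new setuid bit or a world-writable
    mode is as interesting as changed content, and a hash alone would miss it."""
    baseline = {}
    for p in paths:
        st = os.lstat(p)
        baseline[p] = {"sha256": digest_file(p), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def check_integrity(baseline):
    """Compare current state with the baseline; return (path, reason) findings."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.lexists(p):
            findings.append((p, "missing"))
            continue
        st = os.lstat(p)
        if stat.S_IMODE(st.st_mode) != rec["mode"]:
            findings.append((p, "mode changed"))
        if st.st_size != rec["size"] or digest_file(p) != rec["sha256"]:
            findings.append((p, "content changed"))
    return findings


def demo():
    """Simulated compromise in a temp dir; returns (basename, reason) findings, sorted."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("passwd", "sshd_config", "login")]
        for p in paths:
            with open(p, "w") as f:
                f.write(f"original {os.path.basename(p)}\n")
        os.chmod(paths[2], 0o755)
        baseline = build_baseline(paths)
        # Round-trip through JSON, as the on-disk baseline would be. In real use
        # write it somewhere the monitored host cannot modify (read-only media,
        # a remote host, or sign it), otherwise root can simply re-baseline.
        baseline = json.loads(json.dumps(baseline))
        # Simulated attacker: add a backdoor account, set setuid on a binary,
        # delete a configuration file.
        with open(paths[0], "a") as f:
            f.write("backdoor::0:0::/:/bin/sh\n")
        os.chmod(paths[2], 0o4755)
        os.remove(paths[1])
        return sorted((os.path.basename(p), why) for p, why in check_integrity(baseline))


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

The check runs as a periodic job in practice; the same `check_integrity` call run once against the post-incident baseline is the "assess the extent of the compromise" use the entry describes.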
Hybrid IDS: Non-Promiscuous with Event Log Viewer
OBSOLETE PAGE see HIPS
Taking delegation of IDS to the host one stage further, a hybrid IDS combines Network Node IDS and Host IDS in a single package. In my experience, whilst this solution gives maximum coverage, consideration should be given to the amount of data generated and the cost. Many networks reserve hybrid IDS for critical servers.
Network Node IDS
OBSOLETE PAGE see HIPS
Switched and/or high-speed networks have brought with them a problem: many network IDS are unreliable at high speeds, dropping a high percentage of the network packets, and switched networks often prevent a network IDS from seeing passing packets promiscuously. Network Node IDS delegate the network IDS function down to individual hosts, each inspecting only the traffic addressed to it, which alleviates the problems of both high speeds and switching.