Friday 28 February 2020

IPS CHARACTERISTICS

The term IPS (Intrusion Prevention System) is heard more and more often; it is presented either as a replacement for the “traditional” IDS or as something distinct from it.

An IPS is a prevention/protection system that defends against intrusions, rather than only recognising and reporting them, as most IDS do. Two main features distinguish a network IDS from a network IPS:

The IPS is placed inline in the network path, instead of only listening passively to the traffic as an IDS does (an IDS is traditionally connected to a monitoring port on the network).

The IPS can block an intrusion immediately, whatever transport protocol is used and without reconfiguring an external device. This means the IPS filters and blocks packets natively (by dropping a connection, dropping the offending packets, blocking the intruder's address, and so on).

Below we will see an example of how to configure the IDS/IPS Snort, which is the one used on operating systems such as Linux, although a Windows version also exists.

HOW AN IDS WORKS

The main methods an N-IDS uses to report and block intrusions are:

Reconfiguration of external devices (firewalls or ACLs on routers): a command sent by the N-IDS to an external device (such as a packet filter or a firewall) so that it reconfigures itself immediately and blocks the intrusion. This reconfiguration is made possible by sending data that describes the alert (taken from the packet header).

Sending an SNMP trap to an external management system: an alert (with details of the data involved) is sent as an SNMP datagram to an external console such as HP OpenView, Tivoli, Cabletron Spectrum, etc.

Sending an email to one or more users: an email is sent to one or more mailboxes to report a serious intrusion.

Attack log: alert details are stored in a central database, including information such as the log timestamp, the intruder's IP address, the destination IP address, the protocol used and the payload.

Storage of suspicious packets: all the originally captured packets and/or the packets that triggered the alert are saved.

Launching an application: an external program is started to perform a specific action (sending an SMS text message or sounding an audible alarm).

Sending a “ResetKill”: a TCP reset (RST) packet is constructed to force the termination of the connection (only valid for intrusion techniques that use the TCP transport protocol).

Visual notification of an alert: an alert is displayed on one or more of the management consoles.
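To make the passive-IDS versus inline-IPS distinction from the first section, and the "attack log" and "storage of suspicious packets" responses listed above, concrete, here is an added Python example written for this page. It is not Snort's code and not the Snort configuration the post promises; it is a toy engine that reads rules in a simplified Snort-like syntax (only alert/drop actions, "any" or exact addresses and ports, and an optional content match), runs constructed sample packets through it once in passive IDS mode and once in inline IPS mode, and records each hit with the log fields listed above. The rule texts, addresses (RFC 5737 documentation ranges) and payloads are all constructed for the example.

```python
"""Toy inline IDS/IPS engine using a simplified Snort-like rule syntax.
Added example for this page, not Snort's own code. Assumed rule form:
    action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)
"""
import re
from collections import namedtuple
from datetime import datetime, timezone

RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)

# content: bytes that must appear in the payload, or None when the rule has no content option
Rule = namedtuple("Rule", "action proto src sport dst dport msg sid content")
# Constructed packet summary (what a decoder would hand to the rule engine)
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=(b"",))
# Attack-log entry with the fields the post lists for the central database
AlertRecord = namedtuple("AlertRecord", "timestamp sid msg src dst proto payload action")


def parse_rule(text):
    """Parse one rule line; options are 'key:value' pairs terminated by ';'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            opts[key] = value.strip().strip('"')
    content = opts.get("content")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), int(opts["sid"]),
                content.encode() if content is not None else None)


def _field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)


def rule_matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and _field_matches(rule.src, pkt.src) and _field_matches(rule.sport, pkt.sport)
            and _field_matches(rule.dst, pkt.dst) and _field_matches(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))


class Engine:
    def __init__(self, rules, inline):
        self.rules = [parse_rule(r) for r in rules]
        self.inline = inline  # True: IPS in the traffic path; False: passive IDS on a copy
        self.attack_log = []
        self.suspicious_packets = []

    def process(self, pkt):
        """Verdict for one packet: 'pass', 'alert' (forwarded but logged) or 'drop'."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                # A passive sensor cannot remove packets: a 'drop' rule degrades to an alert.
                verdict = "drop" if (self.inline and rule.action == "drop") else "alert"
                self.attack_log.append(AlertRecord(
                    datetime.now(timezone.utc).isoformat(), rule.sid, rule.msg,
                    pkt.src, pkt.dst, pkt.proto, pkt.payload, verdict))
                self.suspicious_packets.append(pkt)  # keep the packet that raised the alert
                return verdict
        return "pass"


# Constructed rules and traffic (documentation address ranges, no real hosts).
RULES = [
    'drop tcp any any -> 192.0.2.10 23 (msg:"Telnet to lab host"; sid:1000001;)',
    'alert tcp any any -> 192.0.2.10 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000002;)',
]
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 23, b"login: "),
    Packet("tcp", "198.51.100.7", 40001, "192.0.2.10", 80, b"GET /../../private.txt HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.7", 40002, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
]


def run(inline):
    """Run the sample traffic through one engine; return (verdicts, engine)."""
    engine = Engine(RULES, inline)
    return [engine.process(p) for p in SAMPLE_PACKETS], engine


if __name__ == "__main__":
    for mode, inline in (("IDS (passive)", False), ("IPS (inline)", True)):
        verdicts, engine = run(inline)
        print(mode, verdicts)
        for rec in engine.attack_log:
            print(f"  {rec.timestamp} sid={rec.sid} {rec.action}: {rec.msg} {rec.src}->{rec.dst}")
```

Running it shows the point of the first section: with the same rule set, the passive engine can only return "alert" for the Telnet packet, because a sensor on a monitoring port never holds the packet, while the inline engine returns "drop". Both modes fill the attack log and the suspicious-packet store in the same way. The parser is deliberately minimal (a quoted ";" inside an option would break it), so treat it as a teaching approximation of the real Snort rule language, not a replacement for it.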
