Post on 28-Dec-2015
Intrusion Prevention: Network Security
Evan Roggenkamp
Summary
- Intrusion Detection
- Intrusion Prevention
- Types: NIPS, WIPS, NBA, HIPS
- Typical Components
- Overview

Common Detection Methodologies
- Signature-Based Detection
- Anomaly-Based Detection
- Stateful Protocol Analysis
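The three methodologies listed above behave quite differently on the same traffic, which the slides do not show. The script below is an added example (not from the original slides or from NIST SP 800-94): it runs a signature matcher, a rate-anomaly detector and a stateful SMTP command tracker over a constructed event stream. All names (Event, RateBaseline, SmtpStateTracker, run_idps), the signature set, the baseline counts and the sample events are made up for illustration.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Added example, not from the slides; all events and baseline counts are constructed.

@dataclass
class Event:
    ts: float      # seconds since start of capture
    src: str       # source host
    proto: str     # "http" or "smtp"
    payload: str   # request line or SMTP command

# 1. Signature-based: match traffic against known-bad patterns; fires only on what
#    the signature set already describes.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

def signature_matches(event: Event) -> list[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(event.payload)]

# 2. Anomaly-based: learn per-host events per window from a baseline period, then
#    flag a window whose count exceeds mean + z * stdev. Needs no attack knowledge.
class RateBaseline:
    def __init__(self, window: float = 60.0, z: float = 3.0):
        self.window, self.z, self.mu, self.sigma = window, z, 0.0, 0.0

    def train(self, historical_counts: list[int]) -> None:
        self.mu, self.sigma = mean(historical_counts), pstdev(historical_counts)

    def threshold(self) -> float:
        return self.mu + self.z * self.sigma

    def anomalous_windows(self, events: list[Event]) -> list[tuple[str, int, int]]:
        counts: dict[tuple[str, int], int] = defaultdict(int)
        for e in events:
            counts[(e.src, int(e.ts // self.window))] += 1
        return [(src, win, n) for (src, win), n in sorted(counts.items())
                if n > self.threshold()]

# 3. Stateful protocol analysis: track each SMTP session's state and reject a
#    command the protocol does not permit there (e.g. DATA before MAIL FROM).
SMTP_ALLOWED = {"init": {"HELO", "EHLO"}, "greeted": {"MAIL"}, "mail": {"RCPT"},
                "rcpt": {"RCPT", "DATA"}, "data": {"MAIL"}}   # QUIT allowed anywhere
SMTP_NEXT_STATE = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
                   "RCPT": "rcpt", "DATA": "data", "QUIT": "init"}

class SmtpStateTracker:
    def __init__(self):
        self.state: dict[str, str] = defaultdict(lambda: "init")  # one state per session

    def check(self, session: str, command: str) -> str | None:
        parts = command.split()
        verb = parts[0].upper() if parts else ""
        state = self.state[session]
        if verb != "QUIT" and verb not in SMTP_ALLOWED[state]:
            return f"{verb or '<empty>'} not allowed in state '{state}'"
        self.state[session] = SMTP_NEXT_STATE[verb]
        return None

def run_idps(events: list[Event], baseline: RateBaseline) -> list[dict]:
    """Run the three detectors over the events and return every alert raised."""
    alerts, smtp = [], SmtpStateTracker()
    for e in events:
        for sig in signature_matches(e):
            alerts.append({"method": "signature", "src": e.src, "detail": sig})
        if e.proto == "smtp" and (problem := smtp.check(e.src, e.payload)):
            alerts.append({"method": "stateful", "src": e.src, "detail": problem})
    for src, win, n in baseline.anomalous_windows(events):
        alerts.append({"method": "anomaly", "src": src,
                       "detail": f"{n} events in window {win} (threshold {baseline.threshold():.1f})"})
    return alerts

# Constructed baseline: per-host events per 60 s window during a quiet period.
HISTORICAL_COUNTS = [5, 6, 4, 5, 6, 4, 5, 5]   # mean 5.0, pstdev ~0.71, threshold ~7.1

# Constructed traffic: one signature hit, one out-of-order SMTP command, and one
# host making 9 ordinary requests in a window (no signature fires, but the rate is anomalous).
SAMPLE_EVENTS = [
    Event(1.0, "10.0.0.5", "http", "GET /index.html HTTP/1.1"),
    Event(2.0, "10.0.0.5", "http", "GET /search?q=1 UNION SELECT 1,2 HTTP/1.1"),
    Event(3.0, "10.0.0.7", "smtp", "DATA"),            # sent before any greeting
    Event(4.0, "10.0.0.7", "smtp", "EHLO mail.example"),
    Event(5.0, "10.0.0.7", "smtp", "MAIL FROM:<a@example>"),
    Event(6.0, "10.0.0.7", "smtp", "RCPT TO:<b@example>"),
    Event(7.0, "10.0.0.7", "smtp", "DATA"),
] + [Event(10.0 + i, "10.0.0.9", "http", f"GET /page{i} HTTP/1.1") for i in range(9)]

def build_baseline() -> RateBaseline:
    baseline = RateBaseline()
    baseline.train(HISTORICAL_COUNTS)
    return baseline

def demo() -> list[dict]:
    return run_idps(SAMPLE_EVENTS, build_baseline())

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the script yields exactly one alert per methodology: the signature matcher catches the UNION SELECT request but says nothing about the other two hosts; the anomaly detector flags 10.0.0.9 purely on volume, which is why anomaly detection also needs a tuning period to keep false positives down; and the stateful tracker rejects the DATA command issued before any greeting, something neither of the other two methods can see because the individual command is harmless on its own.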
IDPS Technologies
Typical components of an IDPS solution are as follows:
- Sensor or Agent
- Management Server
- Database Server
- Console

Network-Based
Typical components of a network-based IDPS are as follows:
- Appliance
- Software Only
- Sensors
- Information Gathered
- Detection Capabilities
Examples of Network-Based Intrusion Detection Tools
- Snort (runs on Unix, Linux, Windows)
- RealSecure (Unix, Linux, Windows)
- Symantec Intrusion Detection (Unix, Linux)
- Dragon (Unix and Linux)
- Network Flight Recorder (NFR) (Unix, Linux, Windows)
Inline
Passive
Network-Based IDPS Architecture
Wireless IDPS
Typical components are the same as for a network-based IDPS: console, database servers (optional), management servers, and sensors.
Wireless sensors:
- Dedicated
  - Fixed
  - Mobile
- Bundled with AP
- Bundled with Wireless Switch
Sensor Locations
Information Gathered
Detection Capabilities
Wireless IDPS Architecture
Network Behavior Analysis (NBA)
Typical components are sensors and consoles, with some products offering management servers (analyzers).
- Sensors
- Information Gathered
- Detection Capabilities
NBA Architecture
Host-Based IDPS
- Typical Components
- Agent Locations & Host Architectures
- Detection Capabilities
Host-Based IDPS Architecture
Performance Requirements
- Configuration and tuning
- Performance vs. Detection
- Appliance-Based
- No open standards

Design and Implementation
- Reliability
- Interoperability
- Scalability
- Security
Sources
- http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
- http://www.symantec.com/connect/articles/intrusion-prevention-systems-next-step-evolution-ids
- Wikipedia
- http://www.sfisaca.org/events/conference04/presentations/E21-Intrusion-Detection-and-Intrusion-Prevention.pdf