Intrusion detection and prevention systems
Intrusion detection systems (IDS) can warn that an attack on the network is beginning. Intrusion prevention systems (IPS) go further: they not only raise an alert but also take measures to block the attack, such as tearing down the connection or running a script. Modern software and hardware products combine the functionality of both types, and the combination is sometimes called an IDPS (IDS plus IPS).
IDPS are divided into network-level systems, host-level systems and hybrids. Network-based IDPS (NIDPS) analyze network traffic for suspicious activity. Such systems see all traffic in a network segment and typically have a distributed architecture: sensors (software or hardware) collect the traffic and forward it to a management console. Examples of software solutions: Snort, Outpost, Bro.
Hardware solutions are offered by network equipment vendors, who build intrusion detection and prevention modules into their products, for example Cisco and Juniper Networks. Check Point and IBM also offer solutions of this kind.
For wireless networks, security systems include an IDPS alongside a built-in RADIUS server and 802.1X support, for example the Check Point VPN-1 Edge Appliance or the Cisco Wireless LAN Security Solution.
There are also end-to-end systems for securing, managing and monitoring wireless networks of thousands of nodes that include both IDS and IPS. One example is AirDefense Enterprise from the AirDefense company.
Figure: Gartner Magic Quadrant for NIPS (February 2008)
So-called next-generation firewalls (NGFW) are also on the market. These are products that combine traditional firewall functionality with intrusion prevention. The main advantage of such solutions is lower latency in traffic handling, since each packet is analyzed and processed only once. Host-based IDPS (HIDPS) monitor the parameters of a specific node, such as application and OS logs, system calls, and changes at the file system level. Such systems make it possible to detect malware, unauthorized privilege escalation, network attacks, and violations of file integrity. Representatives of this class: AIDE, FCheck, Integrit, Samhain and OSSEC.
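The file-integrity check that host-based tools such as AIDE, Integrit and Samhain perform boils down to a baseline snapshot of each file's metadata and hash, compared later against a fresh snapshot. The following is an added example written for this page, not code from any of the tools named above; the directory tree it scans is constructed in a temporary directory, and the tampering events it detects are simulated there.

```python
import hashlib
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """What an integrity checker stores per file: size, mode bits, SHA-256."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mode": st.st_mode, "sha256": digest}


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file below root, keyed by POSIX relative path."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an AIDE/Samhain-style report does."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(k for k in common if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample tree (fake /etc and /bin), then three simulated changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-fake-binary")
        baseline = build_baseline(root)
        # Simulated events: binary replaced by one of the SAME size (a size-only
        # check would miss it; the hash catches it), config deleted, file added.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-f4ke-binary")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "new_job").write_text("* * * * * root /tmp/x\n")
        return compare(baseline, build_baseline(root))
```

A real deployment stores the baseline off-host or signed, since an attacker with write access to the node can otherwise re-baseline after tampering.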
Links
- Intrusion Detection Systems List and Bibliography
- Quadrant for Network Intrusion Prevention System Appliances, 1H08