
IDS/IPS general function

In this blog we talk about the general idea of using an IDS or IPS. Let’s recall that IDS/IPS stands for intrusion detection system / intrusion prevention system. We give examples of implementations by vendors that lead the market.

scope of an IDS/IPS

Let’s start from a basic setup: clients that try to access resources on a hosted server via a network. What we may qualify as an intrusion is determined by experience, by comparison to a normal model of operation, or by some kind of probability, and it may concern the whole chain: hosts (operating system, file resources, etc.) and network resources.

The figure shows a simple IDS/IPS deployment at host level (client and server) and at network level (appliances in our case).

different approaches

To qualify a system or network activity as an intrusion, three main techniques are put into action: by experience (a sort of intelligence), by normalization, or by likelihood (a kind of probability).

intrusion detection by experience

Experiencing an intrusion is a way to model its behavior and systematically identify it. We talk about an intrusion signature, a kind of identifier of an already identified intrusion activity. It is sufficient, at IDS or IPS level, to match patterns of the current traffic (for example) against the signature to state whether the activity is legitimate or not. We understand that the more diverse and extensive the historical data is, the more efficient the identification of threats becomes.
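To make the signature approach concrete, here is an added example (not code from the original post, and not any vendor's rule format): a small set of constructed signatures is matched against constructed HTTP request lines. The `mode` parameter also illustrates the difference between an IDS, which only raises alerts, and an IPS, which withholds traffic that matches a "drop" signature. The signature identifiers, the patterns and the sample traffic are all invented for the illustration.

```python
import re
from dataclasses import dataclass


# Constructed signature set: an identifier, a compiled pattern that encodes the
# "experience" of a known intrusion, and the action an IPS would take on match.
@dataclass(frozen=True)
class Signature:
    sid: str
    description: str
    pattern: re.Pattern
    action: str  # "alert" (IDS behaviour) or "drop" (IPS behaviour)


SIGNATURES = [
    Signature("SIG-1001", "SQL injection probe in query string",
              re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1)"),
              "drop"),
    Signature("SIG-1002", "Path traversal attempt",
              re.compile(r"\.\./\.\./"),
              "drop"),
    Signature("SIG-1003", "Known scanner user agent",
              re.compile(r"(?i)user-agent:\s*(sqlmap|nikto)"),
              "alert"),
]

# Constructed sample "traffic": one request line plus its User-Agent per entry.
SAMPLE_TRAFFIC = [
    "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /search?q=shoes' OR '1'='1 HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /files?name=../../etc/passwd HTTP/1.1 User-Agent: curl/8.0",
    "GET /login HTTP/1.1 User-Agent: sqlmap/1.7",
    "POST /api/order HTTP/1.1 User-Agent: Mozilla/5.0",
]


def inspect(records, mode="ids"):
    """Match every record against every signature.

    Returns (events, forwarded):
      events    - list of (record index, signature id, action taken)
      forwarded - the records that would be passed on to the server
    In "ids" mode nothing is ever dropped, only alerted on. In "ips" mode a
    record hitting a "drop" signature is withheld from the forwarded list.
    """
    events = []
    forwarded = []
    for i, rec in enumerate(records):
        dropped = False
        for sig in SIGNATURES:
            if sig.pattern.search(rec):
                action = sig.action if mode == "ips" else "alert"
                events.append((i, sig.sid, action))
                if action == "drop":
                    dropped = True
        if not dropped:
            forwarded.append(rec)
    return events, forwarded


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        events, forwarded = inspect(SAMPLE_TRAFFIC, mode=mode)
        print(f"[{mode}] events={events} forwarded={len(forwarded)}/{len(SAMPLE_TRAFFIC)}")
```

The point the example makes is the one the paragraph makes: the matcher can only recognise what is already in its signature set, so the first request line and the last one pass unnoticed whatever they really are, and the quality of detection is bounded by how diverse the historical data behind the signatures is.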

an intrusion is not a normal activity

In addition to the information about intrusions that we gain by experience, we could choose another approach based on our deep understanding of how our system and network resources may be used normally. Any change or deviation from this way of operation (or standard) should raise an alarm about a possible violation of the security policy.

give it a probability

Working by experiencing all the possible threats, or by qualifying the normal activity, may be very hard to achieve and would take a huge amount of resources and time to be accurate. Meanwhile, working with a kind of probability, based on some likelihood of being or not being subject to a type of threat, may be a rapid way to deploy an IDS/IPS and overcome the limitations of the other two approaches.
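The two previous sections (detection by deviation from normal activity, and detection by a kind of probability) can be shown with one added example; it is not code from the original post. A profile of "normal" is built from a constructed series of connections-per-minute counts for one host, each new observation is scored by how far it deviates from that profile, and the deviation is turned into a probability under the assumption that normal activity is roughly Gaussian. The baseline numbers, the threshold of three standard deviations and the Gaussian assumption are all choices made for the illustration.

```python
import math
import statistics

# Constructed baseline: connections per minute observed from one host during
# normal working hours. Not real telemetry.
BASELINE_CONN_PER_MIN = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]


def build_profile(samples):
    """Normal-behaviour profile: mean and sample standard deviation."""
    return {"mean": statistics.fmean(samples), "stdev": statistics.stdev(samples)}


def deviation(profile, value):
    """How many standard deviations the observation lies from the baseline."""
    return (value - profile["mean"]) / profile["stdev"]


def tail_probability(profile, value):
    """Probability, under a Gaussian model of 'normal', of seeing a count at
    least this large. A tiny value means the observation is unlikely to be
    normal; this is the 'kind of probability' of the text."""
    z = deviation(profile, value)
    return 0.5 * math.erfc(z / math.sqrt(2))


def classify(profile, value, z_threshold=3.0):
    """Verdict for one observation: 'normal' or 'anomalous', with the evidence."""
    z = deviation(profile, value)
    return {
        "value": value,
        "z": round(z, 2),
        "p_normal": tail_probability(profile, value),
        "verdict": "anomalous" if z > z_threshold else "normal",
    }


def evaluate(profile, observations, z_threshold=3.0):
    """Score a series of observations and return only the anomalous ones."""
    return [r for r in (classify(profile, v, z_threshold) for v in observations)
            if r["verdict"] == "anomalous"]


if __name__ == "__main__":
    profile = build_profile(BASELINE_CONN_PER_MIN)
    # Constructed observations: a quiet minute, a busy-but-plausible minute,
    # and a minute whose count looks like a scan or a flood.
    for result in (classify(profile, v) for v in (14, 17, 60)):
        print(result)
```

Note the trade-off the text describes: the profile is cheap to build from a short history, but the threshold is a judgement call. Setting it low catches more deviations at the cost of alarms on legitimate peaks; setting it high keeps the alarm list short but lets slow, low-volume activity blend into "normal".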

what to do next

IDS and IPS systems, in addition to being classified by their scope (host or network) and their approach (experience, normality and probability), could also be classified by the action they can take on the system or network. An IDS/IPS may just raise an alarm about a condition and hand over to another system, or it may take effective action (block access, reroute traffic, etc.).

what implementation

Another criterion for choosing an IDS/IPS system is its implementation: hardware, in clusters, as a virtual machine, in the cloud… in path or out of path. Because those systems integrate with the whole network, compatibility of function and operation with the other parts of the global network is required to keep the standard.

Being in path means that the traffic physically goes through the system: if the system is not available, the network is down. On the other hand, when the system is out of path, the traffic flow is not affected if the system fails, and other mechanisms are put into play to allow, reroute (bypass the system) or block the flow.

market leaders network and host based systems

network oriented systems

According to Business Research Insights, by 2023 the top ten IDS and IPS companies are: Checkpoint, Cisco, Corero Network Security, Dell, Extreme Networks, HP, IBM, Juniper Networks, McAfee and NSFocus. They are the leaders of a market valued at 3.2 billion USD, where banking is the most demanding sector (more than half of the market share).

In the Checkpoint SG (Security Gateway) R70, the inspection is multilayered and framed as follows: CoreXL/PSL (Packet Streaming Layer), IPS Unified Streaming, Protocol Analyzer (FTP), CMI (Protections and Context Matching), PM (first tier, second tier and accelerated paths), CMI final decision. In this processing, the flow is first parsed by protocol to find the corresponding context for which protections are available.

host or system oriented systems

Concerning host-based IDS and IPS systems, a top 10 ranking is provided by Clear Network: AIDE, BluVector, Checkpoint Quantum, Cisco NGIPS, Fail2Ban, Fidelis Network, Hillstone Networks, Kismet, NSFocus, OpenWIPS-NG…

AIDE’s kind of detection and prevention is very specialized to Linux systems (and macOS) and to the integrity of files.
