Intrusion Detection Systems

Intrusion Detection or Intrusion Prevention Systems?
Intrusion Detection Systems form a small but critical piece of the computer security jigsaw, alerting you to intrusions and attacks aimed at your computers or networks. They are not a computer security panacea, but they are your eyes and ears: without them you have no reliable way of knowing whether you are under attack.
Intrusion Prevention Systems take this concept to the next level. They sit inline in the traffic path and block the packets you tell them to, using the same kind of signatures an IDS alerts on. They can be a highly effective defensive tool, but because a false positive now blocks legitimate traffic rather than merely raising an alert, they need to be configured with great care and rolled out in stages (alert-only first, then blocking for the signatures you have confirmed are reliable).
An IDS first needs to monitor all network traffic passing on the segment where the sensor is installed, reacting to any activity that matches a signature or looks anomalous. Basically this is a packet sniffer with attitude. It analyses every packet for suspected nefarious activity; most will also look for anomalies within the protocol itself, such as illegal flag combinations or malformed headers, which catch misbehaviour that no content signature describes.
Intrusion Prevention Systems sit inline on the network, statefully analysing packet content, blocking packets that match one signature and alerting on others. It is sometimes easier to explain what is not an IPS: for instance, products that just block by port, such as routers and many firewalls. Furthermore, a true IPS must drop the offending packet itself rather than just send TCP resets, spoof reject packets from border devices, or update border devices to shun addresses. Those are reactive responses bolted onto an IDS, and by the time they take effect the packet has already reached its target.
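To make the distinction above concrete, here is an added example, written for this page and not code from any IDS or IPS product. It is a toy signature engine in Python that can be run in passive mode (IDS: every packet passes, matches only raise alerts) or inline mode (IPS: packets matching a drop signature get a "drop" verdict). It parses raw IPv4/TCP packets, tracks the three-way handshake so a signature can be restricted to established flows (the "stateful" part), and flags a protocol anomaly (SYN and FIN set together) that no content signature would catch. The hosts, ports, signatures and packets are all constructed inline for the demo; checksums are left at zero, which a real sensor would of course verify.

```python
"""Toy signature-based inspector run as an IDS (passive) and as an IPS (inline).

Added example for this page; not code from any IDS/IPS product. All packets,
addresses and signatures below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(frame: bytes) -> Packet:
    """Decode a raw IPv4 packet carrying TCP (no link-layer header)."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4                     # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 2)[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4                       # TCP header length
    return Packet(src, dst, sport, dport, tcp[13], tcp[doff:])


def build_frame(src: str, dst: str, sport: int, dport: int,
                flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet (constructed test data, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


@dataclass(frozen=True)
class Signature:
    name: str
    dport: int
    content: bytes           # byte string that must appear in the payload
    established: bool = False  # only match inside a completed TCP handshake
    action: str = "alert"    # "alert" or "drop"; drop is only honoured inline


# Hypothetical signatures for the demo, not taken from any real rule set.
SIGNATURES = [
    Signature("HTTP traversal in URI", 80, b"../../", established=True, action="drop"),
    Signature("Telnet login prompt", 23, b"login:"),
]


class Inspector:
    """inline=False behaves as an IDS (alerts only); inline=True as an IPS."""

    def __init__(self, signatures, inline: bool):
        self.signatures = signatures
        self.inline = inline
        self.flows = {}      # (src, sport, dst, dport) of the initiator -> state
        self.alerts = []     # (signature name, src, dst)

    def _established(self, p: Packet) -> bool:
        """Track the three-way handshake; return True once the flow is established."""
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        syn, ack = bool(p.flags & TCP_SYN), bool(p.flags & TCP_ACK)
        if syn and not ack:
            self.flows[key] = "syn_sent"                      # client opens
        elif syn and ack and self.flows.get(rev) == "syn_sent":
            self.flows[rev] = "syn_received"                  # server answers
        elif ack and self.flows.get(key) == "syn_received":
            self.flows[key] = "established"                   # client completes
        return "established" in (self.flows.get(key), self.flows.get(rev))

    def inspect(self, frame: bytes) -> str:
        """Return "pass" or "drop"; an IDS always returns "pass"."""
        p = parse_ipv4_tcp(frame)
        established = self._established(p)
        verdict = "pass"
        # Protocol anomaly: SYN and FIN never legitimately appear together.
        if p.flags & TCP_SYN and p.flags & TCP_FIN:
            self.alerts.append(("protocol anomaly: SYN+FIN", p.src, p.dst))
            verdict = "drop" if self.inline else verdict
        for sig in self.signatures:
            if sig.dport != p.dport or sig.content not in p.payload:
                continue
            if sig.established and not established:
                continue                 # content seen outside a real session
            self.alerts.append((sig.name, p.src, p.dst))
            if self.inline and sig.action == "drop":
                verdict = "drop"
        return verdict


def demo(inline: bool):
    """Replay a constructed session; returns (verdicts, alerts)."""
    c, s, other = "10.0.0.5", "10.0.0.80", "10.0.0.9"
    frames = [
        build_frame(c, s, 40000, 80, TCP_SYN),
        build_frame(s, c, 80, 40000, TCP_SYN | TCP_ACK),
        build_frame(c, s, 40000, 80, TCP_ACK),
        build_frame(c, s, 40000, 80, TCP_ACK, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
        build_frame(other, s, 40001, 80, TCP_ACK, b"GET /../../x HTTP/1.0\r\n"),  # no handshake seen
        build_frame(other, s, 40002, 80, TCP_SYN | TCP_FIN),                      # anomaly
    ]
    eng = Inspector(SIGNATURES, inline=inline)
    verdicts = [eng.inspect(f) for f in frames]
    return verdicts, eng.alerts


if __name__ == "__main__":
    for mode in (False, True):
        print("IPS" if mode else "IDS", demo(mode))
```

Run as an IDS, every frame passes and two alerts are raised (the traversal inside the established session and the SYN+FIN anomaly); run as an IPS, those same two frames get a "drop" verdict and never reach the target. The fifth frame carries the traversal string but arrives with no handshake seen, so the stateful rule ignores it: that is the kind of noise a stateless engine would block, and exactly why an IPS should be tuned in alert-only mode before it is allowed to drop anything.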