This chapter presents a study and review of Intrusion Detection Systems and Intrusion Prevention Systems as published by experts and academics. According to Tony Bradley (2004), an intrusion detection system (IDS) monitors traffic for suspicious activity and alerts the network administrator and the system; an IDS may also respond to malicious traffic by taking action to block the user or the IP address from accessing the network. According to Ameya Talwalkar (Symantec Manager of Intrusion Prevention Systems), an Intrusion Prevention System (IPS) is a protection technology that provides security for the network. It is the front line of defence against malware, Trojans, DoS attacks, malicious code transmission, backdoor activity and blended threats. The next section presents the details of Intrusion Prevention Systems (IPS). Figure 1.1 is a flowchart of the key points of this literature review on IPS and IDS.
[Figure 1.1 (flowchart): Classifying the literature review; branch label recovered from the image: "Which are better to prevent threats"]
Figure 1.1: Classifying the literature review
2.2 Intrusion Prevention System (IPS)
Several benefits have been cited to justify Intrusion Prevention Systems as a breakthrough in computer security. According to Neil Desai (2003), the main technical idea behind an Intrusion Prevention System is the inline network-based system. There is also another variation of IPS, called Layer 7 switches, which includes detection and mitigation of Distributed Denial-of-Service (DDoS) and Denial-of-Service (DoS) attacks based on awareness of the traffic. Every Intrusion Prevention System generates alerts based on a policy or signature and also initiates a response that has been programmed into the system. These alerts occur as the result of a signature match or a violation of uniqueness.
Secondly, according to Benjamin Tomhave (2004), reports have identified that most Intrusion Detection Systems also include Intrusion Prevention System capabilities, given a well-defined set of signatures or policies, so it makes sense for an Intrusion Detection System to work with Intrusion Prevention System capabilities. In the end, a successful deployment and the return on the investment relate directly to how well the solution is managed and how well the network has been designed.
Thirdly, Joel Esler and Andrew R. Baker (2007) state that Intrusion Prevention Systems are more defensive in nature. They are designed to detect malicious packets inside normal traffic and stop intrusions dead, automatically blocking all unwanted traffic before it causes any damage to the system, rather than giving an alert before or after the malicious packets have been delivered.
Fourthly, Intrusion Prevention Systems have been added to existing firewall and antivirus solutions. According to Karen Scarfone and Peter Mell (2007), an Intrusion Prevention System monitors traffic and automatically drops packets that contain malicious content, scrutinizes suspicious sessions, or takes other actions as an immediate real-time response to an attack. A good Intrusion Prevention device checks all inbound and outbound traffic. It can check all types of packets and performs many types of detection analysis, not only on individual packets: it also checks traffic patterns and views each transaction in the context of the packets that come before and after it.
Lastly, Intrusion Prevention System products should take advantage of and implement new detection techniques and offer other types of intervention method. According to Joel Esler and Andrew R. Baker (2007), Intrusion Prevention System products should provide multiple modes of operation for the user to choose from, so that users can become more confident in the product or change their network security policies.
There are two types of IPS: HIPS and NIPS. A Host-based Intrusion Prevention System (HIPS) is an application that monitors a single host for suspicious activity. A Network-based Intrusion Prevention System (NIPS) analyzes protocol activity on the entire network. The next sections discuss HIPS and NIPS.
2.2.1 Host-based Intrusion Prevention System (HIPS)
According to Dinesh Sequeira (2002), a Host-based Intrusion Prevention System is a software program installed on an individual system such as a laptop, workstation or server. When it detects an attack, the Host-based Intrusion Prevention System blocks the attack at the network interface level or tells the application or operating system to prevent the attack.
Secondly, according to NSS Group (2004), Host-based Intrusion Prevention Systems rely on agents installed directly on the system being protected. These agents bind closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as record them. They may also monitor data streams and the environment specific to a particular application (for example, file locations and Registry settings for a Web server) in order to protect these applications from generic attacks for which no signature yet exists in the database.
Lastly, according to Neil Desai (2003), Host-based Intrusion Prevention Systems are used to protect both servers and workstations through software that runs between the system's applications and the OS kernel. The software can be configured with protection rules based on intrusion and attack signatures. The Host-based Intrusion Prevention System catches suspicious activity on the system and then, depending on the predefined rules, either blocks or allows the event to happen.
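To make the behaviour described by NSS Group and Desai concrete, the following is an added example (not code from any of the cited sources or this chapter): a toy HIPS policy engine that receives intercepted system-call events and decides, from an ordered list of predefined rules, whether to allow or block each one. The process names, syscall labels, paths, policy and event stream are all constructed for illustration; a real agent would obtain the events from a kernel hook rather than from a Python list.

```python
"""Toy host-based IPS policy engine (added example; not from any cited source).

Models a HIPS agent that sits between applications and the kernel, intercepts
system-call events and, from predefined rules, either blocks or allows each
event.  Process names, syscall labels, paths and the policy are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class SyscallEvent:
    process: str    # image name of the calling process
    syscall: str    # constructed labels: open_read, open_write, exec
    target: str     # file path or program to execute


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "block"
    process: str = "*"      # glob patterns; '*' also spans path separators
    syscall: str = "*"
    target: str = "*"

    def matches(self, ev: SyscallEvent) -> bool:
        return (fnmatchcase(ev.process, self.process)
                and fnmatchcase(ev.syscall, self.syscall)
                and fnmatchcase(ev.target, self.target))


@dataclass(frozen=True)
class Decision:
    event: SyscallEvent
    action: str
    rule: Optional[str]     # name of the matching rule, None for the default


# Constructed policy for a web server host.  Rules are tried in order and the
# first match wins, so the specific allow for the admin shell precedes the
# general block on system-file writes.  The document-root rules protect the
# application's own environment without needing an attack signature.
WEBSERVER_POLICY = [
    Rule("admin-write-system", "allow", process="adminsh", syscall="open_write", target="/etc/*"),
    Rule("any-write-system", "block", syscall="open_write", target="/etc/*"),
    Rule("web-read-docroot", "allow", process="httpd", syscall="open_read", target="/var/www/*"),
    Rule("web-write-docroot", "block", process="httpd", syscall="open_write", target="/var/www/*"),
    Rule("web-no-shell", "block", process="httpd", syscall="exec", target="*/sh"),
]
DEFAULT_ACTION = "allow"    # events no rule covers fall through to this


def evaluate(ev: SyscallEvent, policy=WEBSERVER_POLICY, default=DEFAULT_ACTION) -> Decision:
    """Return the decision for one intercepted event (first matching rule wins)."""
    for rule in policy:
        if rule.matches(ev):
            return Decision(ev, rule.action, rule.name)
    return Decision(ev, default, None)


def enforce(events: List[SyscallEvent], policy=WEBSERVER_POLICY) -> List[Decision]:
    """Intercept a stream of events and return the decision for each one."""
    return [evaluate(ev, policy) for ev in events]


# Constructed event stream as the agent would see it.
SAMPLE_EVENTS = [
    SyscallEvent("httpd", "open_read", "/var/www/html/index.html"),   # normal serving
    SyscallEvent("httpd", "open_write", "/var/www/html/upload.php"),  # unexpected write to docroot
    SyscallEvent("httpd", "exec", "/bin/sh"),                         # web server spawning a shell
    SyscallEvent("httpd", "open_write", "/etc/passwd"),               # system file write
    SyscallEvent("adminsh", "open_write", "/etc/hosts"),              # administrator maintenance
    SyscallEvent("backup", "open_read", "/home/alice/notes.txt"),     # no rule: default
]

if __name__ == "__main__":
    for d in enforce(SAMPLE_EVENTS):
        print(f"{d.action:5} {d.event.process:8} {d.event.syscall:10} "
              f"{d.event.target}  ({d.rule or 'default'})")
```

Rule order matters in this design: an allow for the administrator shell placed after the general block on `/etc/*` writes would never fire, which is the kind of policy mistake a deployment review should catch. The default-allow fallthrough mirrors how a signature-less event is treated unless an application-specific rule covers it.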
The next sections discuss Network-based Intrusion Prevention Systems (NIPS) and intrusion detection systems (IDS).
2.2.2 Network-based Intrusion Prevention System (NIPS)
Network Intrusion Prevention Systems (NIPS) operate on an entirely different concept: they are hardware or software platforms designed to analyze, detect, and report on security-related events. Network Intrusion Prevention Systems are designed to inspect traffic and, based on their configuration or security policy, drop malicious traffic and prevent the network from being contaminated with malicious data such as viruses and worms. A Network-based Intrusion Prevention System is able to detect malicious packets that are designed to slip past firewall filtering rules. An Intrusion Prevention System is not a replacement for a firewall but one part of an intelligent firewall. It is used to increase system-specific or network-wide security. The advantages of a Network-based Intrusion Prevention System are as follows:
– NIPS reduces the need for constant monitoring
– NIPS is an inline network device
– NIPS performs deep packet inspection
– NIPS is a tool to prevent attacks
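The following added example (not code from this chapter or from any cited source) ties together the points made in Sections 2.2 and 2.2.2: a toy inline NIPS that performs deep packet inspection against signatures, judges each packet in the context of the packets that came before it from the same source (a stateful rate rule), initiates the programmed response, and offers two modes of operation, "detect" (alert only, as an IDS would) and "inline" (drop). The packets, signatures, ports and thresholds are constructed for illustration; the EICAR string is the standard anti-virus test marker and stands in for malicious content.

```python
"""Toy inline network IPS (added example; not code from any cited source).

Per-packet signature matching, a stateful per-source rule, and a choice of
"detect" (alert) or "inline" (drop) operation.  All traffic, signatures and
thresholds below are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    dport: Optional[int]   # None matches any destination port
    content: bytes         # byte string that must appear in the payload


# Constructed signatures; real rule sets such as Snort's are far larger.
SIGNATURES = [
    Signature(1001, "directory traversal sequence in HTTP request", 80, b"../../"),
    Signature(1002, "EICAR anti-virus test string in payload", None,
              b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
]


@dataclass(frozen=True)
class Verdict:
    packet: Packet
    action: str            # "pass", "alert" or "drop"
    reason: Optional[str]


class InlineIPS:
    """Inspects packets one by one, as an inline device on the wire would."""

    def __init__(self, mode: str = "inline", signatures=SIGNATURES,
                 port_limit: int = 5, window: float = 1.0):
        if mode not in ("detect", "inline"):
            raise ValueError("mode must be 'detect' or 'inline'")
        self.mode = mode
        self.signatures = list(signatures)
        self.port_limit = port_limit   # distinct ports per source per window
        self.window = window
        # per-source history of (ts, dport): the packets that came before
        self.history: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def _check_signatures(self, pkt: Packet) -> Optional[str]:
        """Deep packet inspection: look for signature content in the payload."""
        for sig in self.signatures:
            if (sig.dport is None or sig.dport == pkt.dport) and sig.content in pkt.payload:
                return f"sid:{sig.sid} {sig.name}"
        return None

    def _check_context(self, pkt: Packet) -> Optional[str]:
        """Stateful rule: too many distinct ports from one source in the window."""
        hist = self.history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        while hist and pkt.ts - hist[0][0] > self.window:
            hist.popleft()              # forget packets older than the window
        ports = {dport for _, dport in hist}
        if len(ports) > self.port_limit:
            return f"{len(ports)} distinct ports from {pkt.src} within {self.window}s"
        return None

    def inspect(self, pkt: Packet) -> Verdict:
        sig_reason = self._check_signatures(pkt)
        ctx_reason = self._check_context(pkt)   # always called, so history stays complete
        reason = sig_reason or ctx_reason
        if reason is None:
            return Verdict(pkt, "pass", None)
        # Programmed response: drop when inline, only alert in detect mode.
        return Verdict(pkt, "drop" if self.mode == "inline" else "alert", reason)

    def run(self, packets: List[Packet]) -> List[Verdict]:
        return [self.inspect(p) for p in sorted(packets, key=lambda p: p.ts)]


def summarize(verdicts: List[Verdict]) -> Dict[str, int]:
    return dict(Counter(v.action for v in verdicts))


# Constructed traffic: a normal request, a traversal attempt, a mail message
# carrying the EICAR test string, and one host touching eight ports quickly.
SAMPLE_TRAFFIC = [
    Packet(0.00, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.10, "10.0.0.5", "10.0.0.80", 80, b"GET /img/../../config HTTP/1.1\r\n"),
    Packet(0.20, "10.0.0.7", "10.0.0.25", 25,
           b"Subject: test\r\n\r\nEICAR-STANDARD-ANTIVIRUS-TEST-FILE\r\n"),
] + [Packet(0.30 + 0.05 * i, "10.0.0.9", "10.0.0.80", 1000 + i, b"") for i in range(8)]

if __name__ == "__main__":
    for mode in ("detect", "inline"):
        verdicts = InlineIPS(mode=mode).run(SAMPLE_TRAFFIC)
        for v in verdicts:
            if v.action != "pass":
                print(f"[{mode}] {v.action:5} {v.packet.src} -> "
                      f"{v.packet.dst}:{v.packet.dport}  {v.reason}")
        print(mode, summarize(verdicts))
```

Running it in "detect" mode first is the usual way to tune thresholds such as `port_limit` before switching to "inline", since in inline mode every false positive becomes dropped legitimate traffic. Note that the context check is evaluated even when a signature already matched, so the per-source history is never left incomplete.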
Tony Bradley, (2004), [Online] http://netsecurity.about.com/cs/hackertools/a/aa030504.htm [Accessed 5th March 2004]
Jonathan Hassell, (2005), [Online] http://searchenterprisedesktop.techtarget.com/news/column/0,294698,sid192_gci1089830,00.html [Accessed 19th May 2005]
Neil Desai, (2003), [Online] http://www.symantec.com/connect/articles/intrusion-prevention-systems-next-step-evolution-ids [Accessed 27th February 2003]
Benjamin Tomhave, (2004), [Online] http://docs.google.com/viewer?a=v&q=cache:ZlxT5m72JZwJ:falcon.secureconsulting.net/papers/218-Research-Paper-FINAL.pdf+Benjamin+Tomhave+2004+IPS+article&hl=en&gl=my&pid=bl&srcid=ADGEEShEwpU07d-WvGPhlP3rIASlIyrH0CbGBjGBseUptTNHYRFqaApljgqESo9QEftMQHf3CApOji91saq_gEj-ZlLMXx3aPBS6SckaoJrzVwPiZBwTQ6gcpoHaH0ER-l4_ygilLw9a&sig=AHIEtbS-NuLUg635h_DHoKW8qafXwRwJUw [Accessed 10th November 2004]
Joel Esler, Andrew R. Baker, (2007), Snort IDS and IPS Toolkit, [Online] http://books.google.com.my/books?id=M9plZZxJB_UC&pg=PR3&dq=Snort+IDS+and+IPS+Toolkit:+IDS+and+IPS+toolkit&hl=en&ei=_yDETK7iDM34cYK6la4F&sa=X&oi=book_result&ct=book-preview-link&resnum=2&ved=0CDYQuwUwAQ#v=onepage&q=Snort%20IDS%20and%20IPS%20Toolkit%3A%20IDS%20and%20IPS%20toolkit&f=false [Accessed 1st February 2007]
Karen Scarfone, Peter Mell, (2007), Guide to Intrusion Detection and Prevention Systems (IDPS), [Online] http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf [Accessed February 2007]
NSS Group, (2004), Intrusion Prevention Systems (IPS), [Online] http://hosteddocs.ittoolbox.com/BW013004.pdf [Accessed January 2004]
Dinesh Sequeira, (2002), Intrusion Prevention Systems: Security's Silver Bullet?, [Online] http://docs.google.com/viewer?a=v&q=cache:OK14t-hsmQAJ:www.sans.org/reading_room/papers/%3Fid%3D366+Intrusion+Prevention+Systems:+Security%27s+Silver+Bullet%3F&hl=en&gl=my&pid=bl&srcid=ADGEEShhB2J1ArllgI1mGNhp91RCpNpSf0t7BGUQtWPwmISpe3xmaTI0ym-Bh0Thlq2Gmoq9K6vRKN7xBKphn_fwCgUFaPej_NetBAPccgZXY0wSVyFAlLzsNkMwZjqSdn4XEdxAybct&sig=AHIEtbQqUFej4tL8ln14oplPfky7GGstMA [Accessed 2002]