BASED IPS
Partially adapted from slides of Cisco CCNA Security and Fortinet Network Security Expert
Primary Kinds of IPS
Two primary kinds of IPS
◦ host-based
◦ network-based
Host-based IPS (HIPS)
◦ A combination of anti-virus software, anti-malware software, and firewall installed on a single host to monitor and analyze suspicious activity
◦ Monitors abnormal activity and prevents the host from executing commands that do not match typical behavior, including:
  ◦ unauthorized registry updates
  ◦ changes to the system directory
  ◦ executing installation programs
  ◦ activities that cause buffer overflows
  ◦ participating in a denial-of-service (DoS) attack
  ◦ being part of an illicit FTP session
◦ To be effective in a network, HIPS must be installed on every host and support every operating system.
◦ Disadvantage: operates only at a local level and does not have a complete view of the network
Lecture 4 EIE4118 INTRUSION DETECTION AND PENETRATION TEST 2
Network-based IPS Sensors
A network-based IPS can be a dedicated or non-dedicated IPS device.
Host-based IDS/IPS must be integrated with a network-based IPS to ensure a robust
security architecture.
Deployed at designated network points in the following ways, sensors detect malicious/unauthorized activity in real time and can take action when required:
◦ Deployed on a router with IPS feature
◦ Deployed on a firewall device with IPS feature
◦ Deployed on a switch with IPS feature
◦ Deployed as a standalone device, such as a Cisco IPS 4300 Series Sensor
Sandboxing
◦ Isolating unknown or potentially malicious code so that it fully executes all of its functions before the traffic is allowed into the network.
◦ Sandboxing can detect zero-day exploits that other security solutions cannot identify.
[Flowchart fragment: decision "Meets protocol requirements and signatures?" leading to "Default action"]
Signature Triggers
The signature trigger signals an intrusion or security policy violation.
◦ Analogy: In a burglar alarm system, the trigger could be a motion detector that
senses the movement of an individual entering a room.
Honey pot-based
◦ Advantages: distract and confuse attackers; collect real information about the attack
◦ Disadvantages: need a dedicated honey pot server; the server can be compromised and should not be trusted
Summary Alerts
◦ Some IPS solutions enable the administrator to generate summary alerts. A
summary alert is a single alert that indicates multiple occurrences of the
same signature from the same source address or port.
Signature types: predefined and custom
◦ Custom signature syntax (Fortinet): F-SBID(--KEYWORD VALUE;)
Event Correlation
◦ Event correlation relates attacks and other events that are happening simultaneously at different points across a network. Having IPS devices derive their time from a Network Time Protocol (NTP) server enables all alerts generated by the IPS to be accurately timestamped, so that a correlation tool can then correlate the alerts.
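The summary-alert and event-correlation ideas above, as an added example that is not part of these slides or of any Cisco or Fortinet product: a small Python aggregator over constructed alert lines (hypothetical signature names, addresses from documentation ranges) that collapses repeated firings of the same signature from the same source address within a time window into one summary alert and records which sensors saw it. The ordering and windowing are only meaningful when all sensors' clocks agree, which is the point of the NTP requirement.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alert lines (not from the slides): NTP-synchronised UTC time,
# sensor name, signature name, source address, source port. Signature names are
# hypothetical; addresses come from documentation ranges.
SAMPLE_ALERTS = """\
2024-03-01T10:00:00Z sensor-edge SIG-HTTP-SQLI 203.0.113.5 40001
2024-03-01T10:00:02Z sensor-edge SIG-HTTP-SQLI 203.0.113.5 40002
2024-03-01T10:00:05Z sensor-dmz SIG-HTTP-SQLI 203.0.113.5 40003
2024-03-01T10:00:07Z sensor-edge SIG-HTTP-SQLI 203.0.113.5 40004
2024-03-01T10:01:00Z sensor-edge SIG-FTP-BOUNCE 198.51.100.9 51000
2024-03-01T10:09:30Z sensor-edge SIG-HTTP-SQLI 203.0.113.5 40005
"""

def parse_alert(line):
    """Split one alert line into a record with a timezone-aware timestamp."""
    ts, sensor, sig, src, port = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "sensor": sensor, "sig": sig, "src": src, "port": int(port)}

def summarize(text, window=timedelta(minutes=5)):
    """Collapse firings of the same signature from the same source address that
    fall within `window` of the first firing into one summary alert. Alerts are
    sorted by time first, which only works if every sensor's clock agrees."""
    records = sorted((parse_alert(ln) for ln in text.splitlines() if ln.strip()),
                     key=lambda r: r["time"])
    summaries = []   # summary alerts in order of first occurrence
    current = {}     # (sig, src) -> index of the summary whose window is still open
    for rec in records:
        key = (rec["sig"], rec["src"])
        idx = current.get(key)
        if idx is not None and rec["time"] - summaries[idx]["first"] <= window:
            s = summaries[idx]
            s["count"] += 1
            s["last"] = rec["time"]
            s["sensors"].add(rec["sensor"])
        else:  # no open window for this key: start a new summary alert
            current[key] = len(summaries)
            summaries.append({"sig": rec["sig"], "src": rec["src"], "count": 1,
                              "first": rec["time"], "last": rec["time"],
                              "sensors": {rec["sensor"]}})
    return summaries

def format_summary(s):
    """Render a summary alert the way an operator console might show it."""
    return (f"{s['sig']} from {s['src']}: {s['count']} occurrence(s), "
            f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}, seen by {sorted(s['sensors'])}")

if __name__ == "__main__":
    for s in summarize(SAMPLE_ALERTS):
        print(format_summary(s))
```

With the sample data the four SQLI firings within five minutes become one summary alert seen by both sensors, while the firing at 10:09:30 falls outside the window and opens a new one.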