Tue Nov 15

IDS vs. IPS: All You Need to Know

In network security, the firewall is the control most people have heard of. In practice, however, a firewall alone is often not enough to defend against the variety of threats coming from the internet.

Some kinds of traffic, such as web and email, are deliberately allowed through the firewall, and that allowed traffic can carry attacks. Email phishing is one example; cross-site scripting (XSS), a method often used when targeting a web server, is another.

These threats do not always come from outside; they can also originate inside the network. In some cases, applications already installed on a system have been infected or compromised.

How can that happen? There are several reasons. For example, an application may have a bug that has gone unfixed for a long time, allowing an unauthorized party to exploit it and plant a malicious script that serves the attacker's purposes.

In the business world, an incident like this can have disastrous effects on the entire business, whether the loss is financial or a loss of public trust in the company.

For these reasons, a company's network security generally relies on layered defenses, and IDS and IPS are one of those layers.

What are IDS and IPS?

IDS (Intrusion Detection System)

An IDS is a security mechanism that monitors both inbound and outbound network traffic and is usually designed to notify the administrator when an intrusion, network breach, or other threat has occurred. An IDS is passive, meaning it cannot handle the attack by itself. Because of this, an IDS usually works together with an IPS: as soon as suspicious incoming traffic is detected, it is forwarded to the IPS for handling.

IPS (Intrusion Prevention System)

While the purpose of an IDS is mainly detection, carried out passively, an IPS is the system that takes action while a network breach is happening. The IPS works actively to stop the malicious activity and prevent further damage.

How do they work?

Signature-Based

With signature-based detection, the IDS compares suspect packets against a library of known packet signatures. At a lower level, this means matching byte patterns, sequences of 0s and 1s. In reality, an attack may have a signature quite different from any that is known, so the most practical approach is to keep the signatures updated regularly.

Anomaly-Based

Intrusion can also be detected by comparing traffic against a baseline of normal activity. When an anomaly occurs, the traffic falls outside the normal baseline and triggers an alert. Because this requires knowing what normal network activity looks like, artificial intelligence techniques, often based on neural networks, are used to gain an advantage.
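As an added example (not code from the original post), the following Python sketch shows the two detection methods from the last two sections side by side over constructed traffic records: a tiny signature library of byte patterns applied to packet payloads, and a statistical baseline of requests per minute used to flag a source whose rate is far outside normal. The signature names, addresses, payloads and counts are all assumed for the illustration.

```python
import re
from statistics import mean, pstdev

# Constructed sample traffic: (source address, destination port, raw payload).
# These are made-up records for the example, not captures from a real network.
SAMPLE_PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"),
    ("10.0.0.7", 80, b"GET /login?user=<script>alert(1)</script> HTTP/1.1\r\n"),
    ("10.0.0.9", 80, b"GET /search?q=' OR 1=1 -- HTTP/1.1\r\n"),
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # start of a TLS ClientHello
]

# Hypothetical signature library: a name mapped to the byte pattern that
# identifies a known attack. A real IDS ships thousands of these and
# updates them regularly, as the text recommends.
SIGNATURES = {
    "xss-script-tag": re.compile(rb"<script[^>]*>", re.IGNORECASE),
    "sqli-or-tautology": re.compile(rb"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
}


def signature_scan(packets, signatures=SIGNATURES):
    """Signature-based detection: report every packet whose payload matches
    a known byte pattern. Returns (signature name, source, port) tuples."""
    alerts = []
    for src, port, payload in packets:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                alerts.append((name, src, port))
    return alerts


def build_baseline(samples):
    """Learn 'normal' from past observations: mean and population standard
    deviation of requests per minute seen during a quiet period."""
    return mean(samples), pstdev(samples)


def anomaly_scan(observed, baseline, threshold=3.0):
    """Anomaly-based detection: flag any source whose request rate lies more
    than `threshold` standard deviations above the learned baseline.
    Returns (source, count, z-score) tuples for flagged sources."""
    mu, sigma = baseline
    alerts = []
    for src, count in observed.items():
        if sigma == 0:
            # A perfectly flat baseline: any increase is out of the ordinary.
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sigma
        if z > threshold:
            alerts.append((src, count, z))
    return alerts


# Constructed training data: requests per minute from one host over seven
# quiet minutes, and the per-source counts seen in the minute being examined.
BASELINE_COUNTS = [40, 45, 38, 50, 42, 47, 44]
OBSERVED_COUNTS = {"10.0.0.5": 46, "10.0.0.9": 410}


def run_ids():
    """Run both detectors over the constructed data and return their alerts."""
    sig_alerts = signature_scan(SAMPLE_PACKETS)
    anom_alerts = anomaly_scan(OBSERVED_COUNTS, build_baseline(BASELINE_COUNTS))
    return sig_alerts, anom_alerts


if __name__ == "__main__":
    sigs, anoms = run_ids()
    for name, src, port in sigs:
        print(f"SIGNATURE  {name:<20} from {src} to port {port}")
    for src, count, z in anoms:
        print(f"ANOMALY    {src} sent {count} req/min (z = {z:.1f})")
```

Run with `python ids_demo.py`: the signature scanner raises two alerts (the script tag and the SQL tautology) and stays silent on the ordinary request and the binary TLS record, while the anomaly scanner flags only the host sending ten times the learned rate. The two methods are complementary: the signature scanner would miss a novel payload, and the anomaly scanner would miss an attack that fits inside normal volume.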

Types of Intrusion Detection System

NIDS (Network-based IDS)

Placed at a strategic point in the network, a NIDS can observe or monitor all devices on a network and its subnets. The traffic the NIDS receives is compared with a library of known threats. When real-time scanning finds a match with a known threat, the system sends the administrator an alert that an intrusion attempt has been detected. Examples of NIDS are Snort and Suricata.

HIDS (Host-based IDS)

A HIDS is placed on a host to monitor activities that occur on that host. It monitors all incoming and outgoing traffic of that host, and when an anomaly or suspicious activity occurs, it sends alerts to the administrator. Examples of HIDS are OSSEC and Wazuh.
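As an added example, not taken from the article or from OSSEC or Wazuh, the script below shows the file integrity monitoring that those two HIDS also perform: it hashes a directory tree to build a trusted baseline, then reports files that were added, removed or modified since, which is how a host-based sensor notices the compromised preinstalled application mentioned earlier in the post. The directory layout and the tampering are constructed inside a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under `root` (as a relative POSIX path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Compare a trusted baseline with a fresh snapshot and classify the changes."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Build a small tree, record a baseline, tamper with it, and report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=8080\n")
        (root / "bin").mkdir()
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        baseline = snapshot(root)  # the trusted state, taken when the host was known good

        # Constructed changes standing in for what a compromise might leave behind.
        (root / "etc" / "app.conf").write_text("listen=8080\nadmin=1\n")   # edited config
        (root / "bin" / "dropped.sh").write_text("#!/bin/sh\n# unknown\n")  # new file
        (root / "bin" / "run.sh").unlink()                                  # deleted file

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind.upper():<9} {path}")
```

In production the baseline would be stored off the monitored host (an attacker who can edit files can also edit a baseline kept beside them), and the scan would run on a schedule or on file-system change events rather than once; the comparison logic is the same.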

PIDS (Protocol-based IDS)

This type of IDS is usually installed directly on the web server, so it can directly analyze suspicious activities that end users may carry out. A PIDS works by monitoring HTTP/HTTPS streams. Unfortunately, a PIDS can significantly affect the web server's performance, which in turn degrades the overall user experience.

APIDS (Application Protocol-based IDS)

An APIDS dynamically monitors a protocol's behavior and state. Unlike a PIDS, an APIDS is usually placed between the web server and the database, given how many attacks, such as SQL injection, are aimed at web databases.

Conclusion

Although the combination of IDS and IPS offers a higher level of security, these technologies have not been widely adopted, especially by home users.

Various opinions have been offered on why. They range from the steep learning curve, to the widespread use of encryption today, which leads people to see an IDS as unnecessary, to the view that personal data matters less than business data, so that such tools would add more complexity than benefit.

However, whether to use them is up to you. If you do, remember that you do so at your own risk: learn the tools well before going deeper, because you can break things if you do not set them up properly.