An Intrusion Detection System (IDS) monitors network or application activity for signs of malicious behaviour. An Intrusion Prevention System (IPS) identifies malicious activity in the same way, but also logs it, blocks it, and sends an intrusion report to an administrator. In other words, an IPS extends IDS functionality by actively blocking detected attacks: raising an alarm in the system, dropping malicious packets, or blocking the intruder's IP address.
There are two types of IDPS: network-based and host-based.
Network-based IDPS
Use a Network-based IDPS (NIDPS) to detect:
NIDPS is the preferred type to deploy in a cloud infrastructure, because it covers all workloads on a segment without touching the guests.
There are two types of NIDPS based on detection type:
They work in much the same way, performing real-time traffic capture and analysis, logging, protocol analysis, and content (signature) matching.
The available open source solutions are Suricata, Snort, and Bro (now Zeek).
Download rulesets for Snort and Suricata from the Emerging Threats repository (the ET Open ruleset; Suricata's suricata-update tool fetches it by default).
To improve the detection capabilities of your IDPS, purchase the ET Pro ruleset, which is updated more frequently and adds rules for targeted attacks: C&C traffic, DoS attacks, botnets, exploits and vulnerabilities, SCADA network protocols, exploit kit activity, informational events, and more.
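To make the ruleset text above concrete, here is an added illustration (not code from the page, from Suricata, Snort, or Emerging Threats) of how a signature-based NIDPS turns rules into content matching. It parses a few rules in Snort/Suricata syntax, then runs constructed packet payloads through them. The rules, the SIDs 9000001 to 9000003, and the traffic are all made up for the example; only the header, msg, sid, content and nocase keywords are handled, and each content keyword is searched independently in the payload (no offset/depth/distance/within, no address variables, no stream reassembly).

```python
"""Minimal Snort/Suricata-style signature matcher (added example, constructed rules and traffic)."""
import re
from dataclasses import dataclass, field

# Constructed rules; SIDs 9000001-9000003 are not real Emerging Threats signatures.
RULES = r'''
alert tcp any any -> any 80 (msg:"EXAMPLE WEB path traversal in request"; content:"GET"; content:"../../etc/passwd"; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE WEB cmd.exe requested"; content:"CMD.EXE"; nocase; sid:9000002; rev:1;)
alert tcp any 80 -> any any (msg:"EXAMPLE PE executable in HTTP response"; content:"|4D 5A 90 00|"; sid:9000003; rev:1;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    sport: str
    dport: str
    direction: str
    msg: str = ''
    sid: int = 0
    contents: list = field(default_factory=list)   # [[pattern_bytes, nocase], ...]


def _split_options(opts):
    """Split the option block on ';' characters that sit outside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in opts:
        if ch == '"' and not (cur and cur[-1] == '\\'):
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return parts + [tail] if tail else parts


def _decode_content(text):
    """Turn 'ab|41 42|cd' into bytes: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return bytes(out)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line}')
        rule = Rule(m['action'], m['proto'], m['sport'], m['dport'], m['dir'])
        for opt in _split_options(m['opts']):
            key, _, val = opt.partition(':')
            key, val = key.strip(), val.strip()
            if key == 'msg':
                rule.msg = val.strip('"')
            elif key == 'sid':
                rule.sid = int(val)
            elif key == 'content':
                rule.contents.append([_decode_content(val.strip('"')), False])
            elif key == 'nocase' and rule.contents:
                rule.contents[-1][1] = True      # modifier applies to the preceding content
        rules.append(rule)
    return rules


def _port_ok(spec, port):
    """Port spec: 'any', a single number, or a negated number such as '!22'."""
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return str(port) != spec[1:]
    return str(port) == spec


def _ports_ok(rule, sport, dport):
    forward = _port_ok(rule.sport, sport) and _port_ok(rule.dport, dport)
    if forward or rule.direction == '->':
        return forward
    return _port_ok(rule.sport, dport) and _port_ok(rule.dport, sport)   # '<>' bidirectional


def match(rules, proto, sport, dport, payload):
    """Return the SIDs of rules whose header matches and whose every content is present."""
    hits = []
    for rule in rules:
        if rule.proto != proto or not _ports_ok(rule, sport, dport):
            continue
        found = all((payload.lower().find(pat.lower()) if nocase else payload.find(pat)) >= 0
                    for pat, nocase in rule.contents)
        if found:
            hits.append(rule.sid)
    return hits


RULESET = parse_rules(RULES)

if __name__ == '__main__':
    # Constructed sample traffic: a client on port 51234 talking to a web server on port 80.
    for sport, dport, payload in [
        (51234, 80, b'GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n'),
        (51234, 80, b'GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n'),
        (80, 51234, b'HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00\x03'),
        (51234, 80, b'GET /index.html HTTP/1.1\r\n'),
    ]:
        print(sport, dport, payload[:24], '->', match(RULESET, 'tcp', sport, dport, payload))
```

The third rule shows why a ruleset author has to think about direction: it keys on the server port as the source port so that the MZ header is only looked for in responses, which keeps a client uploading a binary from tripping it. Real Suricata rules add flow:established,to_server and buffer keywords such as http_uri for the same reason; a rule that only does raw content matching like the ones above is easy to evade with encoding and has to be kept honest with the option keywords the parser here skips.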
NIDPS can monitor network traffic in several ways:
Inline, in the traffic path. This may reduce the throughput of the network channel, and a failure of the IDPS may disconnect the internal network from external resources unless the sensor is configured to fail open.
Through port mirroring. You can use a vSwitch Switched Port Analyzer (SPAN) or Remote Switched Port Analyzer (RSPAN) session to copy traffic to the sensor; a mirrored sensor cannot block, only alert.
Through Tap-as-a-Service (TaaS), a project developed to introduce port mirroring in OpenStack Neutron provisioned networks, for example, on a compute node.
You can deploy NIDPS:
You can use a standalone open source NIDPS or commercial NGFW, NGIPS, and UTM solutions that include an NIDPS component.
Host-based IDPS
An NIDPS sees only what crosses the network: it cannot inspect encrypted payloads or activity that never leaves the host, and a signature-based NIDPS has no rule for an attack that exploits an unknown vulnerability. For these cases you need a Host-based IDPS (HIDPS), which monitors a host for suspicious activity by analysing anomalies occurring within that host.
An HIDPS may include a firewall, an exploit prevention module, application control, file integrity monitoring, log monitoring, policy enforcement, and an antivirus signature scanner.
The open source OSSEC HIDPS is available for Linux, Solaris, AIX, HP-UX, BSD, Windows, macOS, and vSphere/ESXi.
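File integrity monitoring is the HIDPS component that catches host-local changes no network sensor can see, so here is an added example of the baseline-and-compare logic behind it (illustration only, not OSSEC's code or the page's). It hashes every regular file under a root, records its permission bits, and on a later pass reports files that were added, removed, or changed in content or mode. The directory tree, the uid-0 account appended to passwd, the loosened sudoers permissions and the dropped shared object are all constructed in a temporary directory for the example.

```python
"""Baseline/compare file integrity check (added example, constructed sample tree)."""
import hashlib
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root.

    os.lstat is used on purpose: a symlink swapped in for a file must show up as
    a change (it is no longer a regular file), not be followed to its target.
    """
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            base[os.path.relpath(path, root)] = {
                'sha256': _digest(path),
                'mode': stat.S_IMODE(st.st_mode),
                'size': st.st_size,
            }
    return base


def compare(baseline, current):
    """Return (added, removed, changed); changed means content or permission bits differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]['sha256'] != current[p]['sha256']
        or baseline[p]['mode'] != current[p]['mode']
    )
    return added, removed, changed


def demo():
    """Build a constructed /etc-like tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, 'etc')
        os.makedirs(etc)
        passwd, sudoers, motd = (os.path.join(etc, n) for n in ('passwd', 'sudoers', 'motd'))
        with open(passwd, 'w') as f:
            f.write('root:x:0:0::/root:/bin/bash\n')
        with open(sudoers, 'w') as f:
            f.write('root ALL=(ALL) ALL\n')
        os.chmod(sudoers, 0o440)           # explicit mode so the umask does not matter
        with open(motd, 'w') as f:
            f.write('welcome\n')
        baseline = build_baseline(root)

        # Simulated tampering (constructed for the example):
        with open(passwd, 'a') as f:        # second uid-0 account appended
            f.write('eve:x:0:0::/root:/bin/bash\n')
        os.chmod(sudoers, 0o666)            # same bytes, but now world-writable
        os.remove(motd)                     # file deleted
        with open(os.path.join(root, 'tmp_rootkit.so'), 'wb') as f:   # new file dropped
            f.write(b'\x7fELF')

        return compare(baseline, build_baseline(root))


if __name__ == '__main__':
    added, removed, changed = demo()
    print('added:  ', added)
    print('removed:', removed)
    print('changed:', changed)
```

In a real deployment the baseline must live somewhere the monitored host cannot rewrite (a remote manager, as OSSEC does with its agent/server split, or at least a signed file), otherwise an attacker with root simply re-baselines after tampering; the mode comparison above is what catches the sudoers case, which a content-only hash would miss.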
Accelerate IDPS
To sniff a channel faster than 1 Gbps, use a packet steering solution such as PF_RING.
PF_RING is an open source packet processing framework for Linux. Its zero-copy (ZC, 0-copy) drivers give the application direct access to the NIC (the mechanism formerly called Direct NIC Access, DNA), bypassing the kernel network stack for line-rate RX/TX packet processing: the kernel spends no CPU cycles on these packets, and PF_RING delivers them straight from the NIC to the IDS application. This improves the performance of network traffic analysis considerably.
PF_RING also supports a 1-copy mode for non-Intel NICs and wireless interfaces; packets captured in this mode can be injected into a 0-copy stream.
PF_RING ZC can also deliver packets to a VM that runs the IDPS.
The following solutions support PF_RING ZC:
PF_RING supports 1/10/40/100 Gbit NIC adapters from the following vendors:
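Steering at these rates means splitting the stream across several IDS worker threads or processes, and the split has to keep both directions of a connection on the same worker or the IDS can no longer reassemble the stream it is inspecting. The following added example (an illustration of the steering idea, not PF_RING's or any vendor's code) computes a symmetric 5-tuple flow hash and contrasts it with a naive per-direction hash; the 200 client flows to a web server are constructed for the example.

```python
"""Symmetric flow hashing to steer packets across IDS workers (added example, constructed flows)."""
import hashlib
import ipaddress
from collections import Counter


def flow_key(src_ip, dst_ip, proto, sport, dport):
    """Canonical key: endpoints ordered so a request and its reply produce the same bytes."""
    a = (ipaddress.ip_address(src_ip).packed, sport)
    b = (ipaddress.ip_address(dst_ip).packed, dport)
    lo, hi = sorted([a, b])
    return lo[0] + hi[0] + bytes([proto]) + lo[1].to_bytes(2, 'big') + hi[1].to_bytes(2, 'big')


def _bucket(key, n_workers):
    return int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), 'big') % n_workers


def steer(pkt, n_workers):
    """Symmetric steering: worker index 0..n_workers-1 for a packet given as a 5-tuple dict."""
    return _bucket(flow_key(pkt['src'], pkt['dst'], pkt['proto'], pkt['sport'], pkt['dport']),
                   n_workers)


def asymmetric_steer(pkt, n_workers):
    """Naive directional hash: the reply of a flow may land on a different worker."""
    key = f"{pkt['src']}:{pkt['sport']}->{pkt['dst']}:{pkt['dport']}".encode()
    return _bucket(key, n_workers)


def demo(n_flows=200, n_workers=8):
    """Constructed flows: each has a request and a reply.

    Returns (flows kept together by steer, flows kept together by asymmetric_steer,
    per-worker load under steer).
    """
    sym_ok = asym_ok = 0
    load = Counter()
    for i in range(n_flows):
        client = str(ipaddress.IPv4Address('10.0.0.1') + i)
        req = {'src': client, 'dst': '203.0.113.10', 'proto': 6, 'sport': 40000 + i, 'dport': 443}
        rep = {'src': '203.0.113.10', 'dst': client, 'proto': 6, 'sport': 443, 'dport': 40000 + i}
        worker = steer(req, n_workers)
        load[worker] += 1
        sym_ok += steer(rep, n_workers) == worker
        asym_ok += asymmetric_steer(req, n_workers) == asymmetric_steer(rep, n_workers)
    return sym_ok, asym_ok, load


if __name__ == '__main__':
    sym, asym, load = demo()
    print(f'symmetric hash keeps {sym}/200 flows on one worker')
    print(f'asymmetric hash keeps {asym}/200 flows on one worker')
    print('load per worker:', dict(sorted(load.items())))
```

The same property matters one layer down: the NIC's own receive-side scaling must be configured with a symmetric hash key, or packets of one flow arrive on different hardware queues before any software steering can fix it.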