Module 152.5 - Lesson - Network Intrusion Detection and Prevention Systems

Here are some suggestions I would provide AtlanTech to help limit network access and prevent future breaches: Implementing an intrusion prevention system (IPS) like Suricata would be a good first step. An IPS monitors network traffic and can actively block threats in real-time, preventing intrusions from succeeding. Given the recent breach, implementing an IPS as soon as possible is important. For additional security, I would recommend using a multilayered approach. The IPS provides a first line of defense, but adding further layers of security could help block threats the IPS may miss. Some additional layers could include a next-generation firewall to filter traffic and block malicious IPs/domains, regularly patching systems and applications, enabling multi-factor

Uploaded by Solomon

IDS/IPS

OPNsense Module 05
Network Intrusion Detection and Prevention Systems

Module 05 Objective:

❑ Students will be able to configure a NGFW for NIDS/NIPS to support the business security posture.

IDS & IPS

CBT Nuggets (Apr 15, 2020). IDS vs IPS: Which to Use and When [Video]. YouTube. https://www.youtube.com/watch?v=wQSd_piqxQo&t=1s

Intrusion Detection System

What is: Intrusion Detection System?

❖ An Intrusion Detection System (IDS) is a software application or hardware appliance that monitors traffic moving in networks and through systems in an effort to search for suspicious activity and known threats.

❖ Alerting information will generally include the source address of the suspected intrusion, the target or victim's address, and the type of attack suspected.
What is: Host Intrusion Detection System?

❖ A Host Intrusion Detection System (HIDS) lives on and monitors a single host. It might monitor that host's network traffic, but it also monitors the activity of processes and users on that computer.

❖ For example, a HIDS might alert the administrator if a video game is accessing private files that have nothing to do with its operation. A HIDS also watches for changes to the host itself: it compares the current checksum of critical files against an established baseline checksum and alerts the administrator when they differ.
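The checksum comparison described above, written out as an added example (this is not code from the slides or from any HIDS product). It hashes a known-good baseline, re-hashes the same tree later, and reports modified, added and removed files; the directory layout and the "backdoored" edits are constructed inside a temporary directory so the example runs stand-alone.

```python
"""File-integrity check of the kind a HIDS performs: hash a baseline, re-hash
later, report what changed. Added example, not from the slides or any HIDS
product. Files are created in a temporary directory so it runs stand-alone."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return the changes a HIDS would alert on: modified, added and removed files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a tiny host tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = snapshot(root)  # taken while the host is known-good

        # Later: a trojaned binary, an appended UID-0 account, a planted
        # preload file, and a removed file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF backdoored")
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("eviluser:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/rootkit.so\n")
        (root / "etc" / "hosts").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points the slide does not spell out: the baseline store must be kept where an attacker who can rewrite system files cannot also rewrite the hashes (off-host or on read-only media), and a checksum check only sees changes made after the baseline was taken, so it must be established on a host that is known to be clean.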
What is: (continued)
Network Intrusion Detection System?

❖ A Network Intrusion Detection System (NIDS) monitors packets that move in and out of a network or a subset of a network. It could monitor all traffic, or just a selection of traffic, to catch security threats.

❖ A NIDS compares the traffic it sees against known abnormal or harmful behavior. This option is preferred for enterprises, as one sensor provides much broader coverage than host-based systems; the trade-off is that a NIDS cannot see activity that never crosses the network, and for encrypted traffic it sees only metadata unless the traffic is decrypted in front of the sensor.
What is: (continued)
Network Intrusion Detection System?
Type of Detection

❖ A Signature-based IDS relies on a preprogrammed list of known attack behaviors. These behaviors will trigger the alert. These "signatures" can include, for example, subject lines and attachments on emails known to carry viruses. This is similar to how antivirus software works (the term "signature-based" originates with antivirus software).

❖ A Signature-based IDS is popular and effective, but it is only as good as its database of known signatures: an attack that has no signature yet goes undetected, so the ruleset must be updated continuously.

❖ An Anomaly-based IDS begins with a model of normal behavior on the network, and then alerts an admin any time it detects a deviation from that model of normal behavior.

❖ An Anomaly-based IDS begins at installation with a training phase, where it "learns" normal behavior. Artificial intelligence (AI) and machine learning have been very effective in this.

❖ An Anomaly-based IDS is better at detecting new and unrecognized attacks; however, it can set off false positives whenever legitimate behavior changes (a new application, a backup window, a traffic spike), and an attacker who is already active during the training phase can have their activity learned as "normal".
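To make the two detection types concrete, here is an added example (not code from the slides or from Suricata) that runs both over the same constructed connection records. The signature check is a hypothetical two-entry list standing in for a real ruleset; the anomaly detector learns, per source host, how many distinct destination ports it normally touches per minute, then flags z-score deviations. The live traffic is arranged so that each method catches something the other misses, and so that a legitimate backup burst produces the false positive the slide warns about. All hosts (10.0.0.x) and flows are constructed.

```python
"""Signature-based vs anomaly-based detection over constructed connection records.

Added example (not from the course slides or from Suricata). All flow records,
the signature list and the 10.0.0.x hosts are constructed for illustration;
the signature list is a hypothetical stand-in for a real ruleset.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- Signature-based: a preprogrammed list of known attack behaviours ----------
# (dst_port, payload substring, rule name). Real rulesets hold tens of thousands.
SIGNATURES = [
    (80, b"/shell.php?cmd=", "webshell command execution"),
    (4444, b"", "connection to common reverse-shell port"),
]


def signature_check(flow):
    """Return the first matching signature name, or None if the flow is unknown."""
    for port, pattern, name in SIGNATURES:
        if flow["dst_port"] == port and pattern in flow["payload"]:
            return name
    return None


# --- Anomaly-based: learn "normal", alert on deviation --------------------------
def distinct_ports_per_minute(flows):
    """Feature: number of distinct destination ports each source touches per minute."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["minute"])].add(f["dst_port"])
    return {key: len(ports) for key, ports in seen.items()}


class AnomalyDetector:
    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.baseline = {}  # src -> (mean, stddev)

    def train(self, flows):
        """Training phase: summarise each source's normal behaviour."""
        per_src = defaultdict(list)
        for (src, _minute), n in distinct_ports_per_minute(flows).items():
            per_src[src].append(n)
        for src, counts in per_src.items():
            # Floor the deviation so a perfectly regular host never divides by zero.
            self.baseline[src] = (mean(counts), max(pstdev(counts), 0.5))

    def detect(self, flows):
        """Return (src, minute, distinct_ports, z_score) for every deviation."""
        alerts = []
        for (src, minute), n in sorted(distinct_ports_per_minute(flows).items()):
            mu, sigma = self.baseline.get(src, (0.0, 0.5))  # unseen host: no baseline
            z = (n - mu) / sigma
            if z > self.z_threshold:
                alerts.append((src, minute, n, round(z, 1)))
        return alerts


# --- Constructed traffic -------------------------------------------------------
def mk(minute, src, port, payload=b""):
    return {"minute": minute, "src": src, "dst_port": port, "payload": payload}


TRAINING = (
    [mk(m, "10.0.0.5", p) for m in range(60) for p in (443, 53)]    # workstation
    + [mk(m, "10.0.0.9", 443) for m in range(60)]                    # kiosk
    + [mk(m, "10.0.0.20", p) for m in range(60) for p in (22, 873)]  # backup server
)
LIVE = (
    [mk(0, "10.0.0.5", 443), mk(0, "10.0.0.5", 53)]                  # normal
    + [mk(1, "10.0.0.5", 80, b"GET /shell.php?cmd=id HTTP/1.1")]      # known attack
    + [mk(0, "10.0.0.9", p) for p in range(1, 41)]                    # novel port scan
    + [mk(0, "10.0.0.20", p) for p in (22, 873, 445, 2049, 5432, 3306, 8080, 9000)]  # legit burst
)


def run_demo():
    signature_hits = []
    for f in LIVE:
        name = signature_check(f)
        if name:
            signature_hits.append((f["src"], name))
    det = AnomalyDetector()
    det.train(TRAINING)
    return {"signature": signature_hits, "anomaly": det.detect(LIVE)}


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind, hits)
```

The signature check catches the webshell request (one flow, known pattern) but is silent on the 40-port scan from 10.0.0.9, which matches nothing in its list; the anomaly detector flags the scan, and also flags the backup server's legitimate eight-port burst, which is exactly the false-positive behaviour that makes anomaly alerts need triage.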
Intrusion Prevention System

What is: Intrusion Prevention System?

❖ Technically, all intrusion prevention begins with intrusion detection. But security systems can go one step further and act to stop ongoing and future attacks. When an IPS detects an attack, it can reject data packets, give commands to a firewall, and even sever a connection.

❖ IDS and IPS are similar in how they are implemented and operate. An IPS can also be network- or host-based.
What is: Host Intrusion Prevention System?

❖ A Host Intrusion Prevention System (HIPS) is a proactive security measure that stops malicious activities from happening to the software and network stack of the host.

❖ It is a structure that you put up to protect a single host. Rather than only alerting, as a HIDS does, it intercepts the suspicious action on the host (a process launch, a file write, a network connection) and blocks it before it completes.
What is: Network Intrusion Prevention System?

❖ Protecting the confidentiality, integrity, and availability of the network is a NIPS's top priority.

❖ To a large extent, it prevents unauthorized users from accessing the network and causing disruptions in service. Because it sits inline, every packet has to pass through it, which lets it analyze protocols to determine the intention of the traffic and identify unusual activity. As a result, a NIPS serves as a defensive barrier against hacks, viruses, and Trojan horses. The flip side of inline placement is that a false positive blocks legitimate traffic and a sensor failure can take the network path down, so an inline sensor needs careful rule tuning and a fail-open or fail-closed policy decided in advance.
IDS vs. IPS

One major difference is that an IDS will sit to the side of a network (receiving a copy of the traffic from a SPAN port or TAP), whereas an IPS will sit inline.

IDS vs. IPS - Feature Comparison
[Comparison table with columns IDS and IPS; the row contents are not recoverable from this copy of the slides.]

Eyes vs. Hands: Which one should you use?

Would you want to only use your eyes or your hands?

❖ The obvious answer is that you would rather use both. You need good detection, as well as the actual capability to do something about it.
What is SURICATA?

❖ Suricata is a free and open source, mature, fast, and robust network threat detection engine.

❖ The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing.

❖ Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
What is SURICATA? (continued)
Features

❖ IDS / IPS - Suricata implements a complete signature language to match known threats, policy violations, and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

❖ High Performance - A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi-threaded, modern, clean, and highly scalable code base. There is native support for hardware acceleration from several vendors and through PF_RING and AF_PACKET.

❖ Automatic protocol detection - Suricata will automatically detect protocols such as HTTP on any port, and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels.

❖ NSM: More than an IDS - Suricata can log HTTP requests, log and store TLS certificates, and extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.
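The signature language, the protocol-detection feature and the IDS-versus-IPS distinction from the sections above can be seen together in one small model. The following is an added example, not Suricata's own code and not part of the OPNsense course: a toy matcher for a tiny subset of the Suricata rule syntax (action alert/drop, proto tcp/http, $HOME_NET/$EXTERNAL_NET/any addresses, any or numeric ports, and the msg/content/sid/rev options). It evaluates two constructed rules against three constructed packets, once as an out-of-band IDS and once inline as an IPS, and emits EVE-style alert records. $HOME_NET is assumed to be 10.0.0.0/8, the "http" protocol is recognised from the payload rather than the port (a crude stand-in for automatic protocol detection), and the sids in the local 1000000+ range are invented for the example.

```python
"""Toy matcher for a small subset of the Suricata rule language.

Added example: not Suricata's code and not from the OPNsense course. Rules,
packets, addresses and the 1000000+ sids are constructed for illustration;
options other than msg/content/sid/rev (e.g. classtype) are parsed and ignored.
"""
import ipaddress
import json
import re

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]  # assumed value of $HOME_NET

RULES_TEXT = """
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Outbound connection to common reverse-shell port"; classtype:trojan-activity; sid:1000001; rev:1;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"Webshell command in HTTP request"; content:"/shell.php?cmd="; sid:1000002; rev:2;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|http)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")


def parse_rule(line):
    """Split the rule header and the ';'-separated option list (no escaping supported)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in (o.strip() for o in rule.pop("opts").split(";")):
        if opt:
            key, _, val = opt.partition(":")
            opts[key] = val.strip().strip('"')
    rule["msg"], rule["sid"] = opts["msg"], int(opts["sid"])
    rule["rev"] = int(opts.get("rev", 1))
    rule["content"] = opts.get("content", "").encode()  # empty content matches anything
    return rule


def addr_matches(spec, ip):
    inside = any(ipaddress.ip_address(ip) in net for net in HOME_NET)
    return {"any": True, "$HOME_NET": inside, "$EXTERNAL_NET": not inside}[spec]


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def proto_matches(spec, pkt):
    if spec == "tcp":
        return pkt["proto"] == "tcp"
    # "http" is recognised from the payload, not the port: a crude stand-in for
    # Suricata's automatic protocol detection (HTTP on any port).
    return pkt["proto"] == "tcp" and pkt["payload"].split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")


def rule_matches(rule, pkt):
    return (proto_matches(rule["proto"], pkt)
            and addr_matches(rule["src"], pkt["src_ip"]) and port_matches(rule["sport"], pkt["src_port"])
            and addr_matches(rule["dst"], pkt["dest_ip"]) and port_matches(rule["dport"], pkt["dest_port"])
            and rule["content"] in pkt["payload"])


def inspect(rules, pkt, inline):
    """Return (verdict, EVE-style alert records) for one packet.

    inline=False models an out-of-band IDS: a matching drop rule still raises an
    alert, but nothing can be blocked, so the record carries action "allowed".
    """
    verdict, records = "pass", []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        blocked = inline and rule["action"] == "drop"
        if blocked:
            verdict = "drop"
        records.append({
            "event_type": "alert",
            "src_ip": pkt["src_ip"], "src_port": pkt["src_port"],
            "dest_ip": pkt["dest_ip"], "dest_port": pkt["dest_port"],
            "alert": {"action": "blocked" if blocked else "allowed",
                      "signature_id": rule["sid"], "rev": rule["rev"], "signature": rule["msg"]},
        })
    return verdict, records


def pkt(src_ip, src_port, dest_ip, dest_port, payload=b""):
    return {"src_ip": src_ip, "src_port": src_port, "dest_ip": dest_ip,
            "dest_port": dest_port, "proto": "tcp", "payload": payload}


# Constructed traffic: a reverse-shell callout, a webshell hit on a non-standard
# port, and an ordinary internal web request that must not alert.
PACKETS = [
    pkt("10.0.1.7", 51000, "203.0.113.9", 4444),
    pkt("198.51.100.4", 40000, "10.0.1.20", 8080, b"GET /shell.php?cmd=id HTTP/1.1\r\nHost: x\r\n\r\n"),
    pkt("10.0.1.7", 51001, "10.0.1.20", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
]


def run(inline):
    rules = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
    return [inspect(rules, p, inline) for p in PACKETS]


if __name__ == "__main__":
    for mode in (False, True):
        print("IPS (inline)" if mode else "IDS (out-of-band)")
        for verdict, records in run(mode):
            print(" ", verdict, *(json.dumps(r) for r in records))
```

The same `drop` rule produces an alert with action "allowed" when the engine is out-of-band and a dropped packet with action "blocked" when it is inline, which is the whole IDS-versus-IPS distinction in one field; the webshell request is caught on port 8080 because the http rule keys on the payload rather than the port, and the ordinary internal request matches nothing because its source is inside $HOME_NET.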
Configure SURICATA

LS111 Cyber Security Education (Feb 20, 2022). Suricata IDS/IPS Installation on Opnsense - Virtual Lab Building Series: Ep3 [Video]. YouTube. https://www.youtube.com/watch?v=TPKLu4a3A4E

Note: on OPNsense, IPS (inline) mode runs Suricata through netmap, and the OPNsense manual requires hardware offloading (checksum, TSO, LRO) to be disabled on the monitored interface for it to work; IDS mode has no such requirement.

Additional Documentation

❑ https://suricata-ids.org/docs/
❑ https://suricata-ids.org/features/all-features/
❑ https://docs.opnsense.org/manual/ips.html
Module 5 Summary

An Intrusion Detection System (IDS) only DETECTS intrusions. It is installed out-of-band, receiving a copy of the traffic (SPAN port or TAP) rather than the traffic itself, so it can alert but never block. Because it is not in the forwarding path, packets it fails to inspect under load are simply missed, not delayed.

An Intrusion Prevention System (IPS) also DETECTS intrusions, but it also PREVENTS intrusions. It is installed inline, so every packet that traverses the network passes through it, and it can drop packets or sever connections; the cost is that a false positive blocks legitimate traffic.

IDS / IPS solutions can be used in tandem with each other. They can be placed on the host, the network, or both:

❖ HIPS / NIPS - Host / Network Intrusion Prevention System.

❖ HIDS / NIDS - Host / Network Intrusion Detection System.

Case Study
AtlanTech contacts you once more in a panic. Malicious actors managed to breach
the network. AtlanTech is concerned about possible sensitive data breaches, and
you are tasked with providing guidance to quickly resolve the problem and
implement a solution to prevent it from happening again.

AtlanTech stated that they do not want to have to go through logs to find a breach.
What are some potential solutions for limiting network access?
Do you think that suggestion should be multilayered? If so, what suggestions do
you have?
