Network Intrusion Detection and Prevention

Types of Intrusions

Network intrusion detection and prevention systems can detect several types of intrusions, including:

• Unauthorized access to network resources
• Malicious software attacks
• Distributed denial-of-service (DDoS) attacks
• Data theft and exfiltration

 Intrusion system types

Host-based intrusion detection and network-based intrusion detection are the two primary types of intrusion detection systems (IDSs). Host-based intrusion, as its name suggests, detects any unusual behaviour on a single host (computer). Like any other piece of software, like an antivirus programme, the host-based IDS can be installed on the computer. The network-based IDS, on the other hand, operates at the network level and watches the network traffic for any odd behaviour. A network-based IDS can keep an eye on every device connected to a network at this level.

Tools for Network Security

Physically separating a computer from the outside world is the simplest approach to making it secure. Due to the way most businesses operate today, this is almost impossible. Our environments and networks are getting more complicated all the time. To preserve the environment, the network’s devices must be secured. You must comprehend the fundamental security principles of network security tools in order to secure devices. The physical security measures needed to create the protection present on most networks are covered in this section’s introduction to security concepts.

HIDS and NIDS

Intrusion-detection system is known as IDS. Systems for detecting intrusions are created to evaluate data, spot threats, and react to the intrusion. IDSs differ from firewalls in that they can spot unauthorised activity, whereas firewalls manage the information that enters and exits the network. IDSs are made to detect assaults happening inside the network as well as at the line separating private and public networks. IDSs can be divided into two categories: host-based and network-based. As the names imply, host-based IDSs (HIDSs) look at the information that originates on particular machines, whereas network-based IDSs (NIDS) look at information transmitted between machines. Here are the fundamentals:

NIDSs track the traffic flow and look for any packets that may have gotten past the firewall but are prohibited for a variety of reasons. DoS attacks and unauthorised user access are best detected by them.

HIDSs keep track of communications host-by-host and work to weed out harmful information. These IDSs are effective at spotting unwanted file changes and user activities.

To provide a genuinely secure environment, NIDSs and HIDSs should be utilised in conjunction. IDSs are spread throughout the network. They can be put inside buildings or in between firewalls. IDSs come in a wide variety of forms, each with a unique set of capabilities, so before deciding to use one, make sure it will fit the demands of your business.

System for Network Detection and Prevention

NIPSs, or network intrusion-prevention systems, are occasionally seen as an extension of IDSs. Like many other network protection devices, NIPSs can be either hardware- or software-based. With intrusion prevention, threats are really stopped rather than just detected, which is how it differs from intrusion detection. Software for detecting intrusions is reactive; it searches for configuration flaws and notices attacks as they happen. The assault typically occurs and damages the network or PC by the time a warning is sent. NIPS are made to run in real-time alongside traffic flows and stop attacks. Similar to a Layer 2 bridge, an inline NIPS operates. It is located halfway between the rest of the network and the systems that need to be safeguarded. Because the majority of NIPS solutions can look at application layer protocols like HTTP, FTP, and SMTP, they prevent machines from being damaged by assaults that signature-based technologies cannot identify.

Remember that for a NIPS to work effectively, the sensors need to be physically in line. The network now has more single points of failure as a result. Utilizing fail-open technology is an excellent method to avoid this problem. As a result, if the device malfunctions, it just affects a portion of the network rather than the entire system.

Firewalls

A firewall is a device inserted into computers and networks to assist in preventing unauthorised access from the outside world. Hardware, software, or a combination of the two can make up its composition. The network’s first line of defence is a firewall. The configuration of firewalls is crucial, especially for large businesses where a breached firewall might result in disaster in the form of negative press or a lawsuit, which would affect not just the company but also the businesses it does business with. A firewall is a great investment for smaller businesses because they typically lack a full-time technical staff and an infiltration may quickly force them out of business. All things considered, a firewall is a crucial component of your security, but you shouldn’t rely only on it to safeguard your network.

Firewalls come in three primary categories:

1. Firewall with Packet-filtering

Typically, a packet-filtering firewall is a router. On the basis of IP addresses, ports, or protocols, packets can be screened. They function at Layer 3 of the OSI model, which is the network layer. Since packet-filtering solutions still permit packets to enter the network independent of the communication pattern within the session, they are typically regarded as less secure firewalls. As a result, the system is vulnerable to DoS assaults. They are a good first line of defence even though they are the simplest and least secure. Their primary benefit is speed, hence they are occasionally employed before other kinds of firewalls to carry out the initial filtering pass.

2. Firewall with proxy services and two different kinds of proxies –

• Circuit-level entry point
• Gateway for applications

Firewalls with proxy services act as intermediaries between the network and the Internet. They prevent the computers on the network from directly accessing the Internet and mask the internal addresses from the public. The packets must pass a set of rules in order to enter or exit this form of firewall. It accepts all packets, changes the IP address on the outgoing packets to its own address, and then modifies the address on the incoming packets to the desired destination. The two primary types of proxies are as follows:

A circuit-level gateway checks the validity of the requested session by observing the TCP packet flow at the OSI session layer (Layer 5). In circuit-level architecture, DoS attacks are identified and stopped when a security device rejects suspicious requests.
Application-level gateways inspect all traffic to determine which protocols at the OSI application layer (Layer 7) are authorised. File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol are examples of this type of communication (HTTP). Although application-specific filtering increases transmission overhead, it is more secure than packet filtering.

3. Firewall with stateful inspection

All forms of firewalls come together to form a stateful-inspection firewall. In order to process data from the application layer, this firewall uses algorithms. It can defend against IP spoofing because it is aware of the connection status. It offers more security features and stronger security controls than packet filtering, but because of this, it also has a larger attack surface and is more difficult to maintain.

 

Additional Firewall Factors

Administrators should take into account other factors while creating a firewall solution for network intrusion detection and prevention in addition to the fundamental firewall components. Network, remote-access, and authentication policies fall under this category. Access control, logging, and intrusion notification are further services that firewalls can offer.

 

Proxy servers

Similar to a proxy-level firewall, a proxy server functions as a middleman between the network and the Internet. Proxy servers are employed for logging, caching, and security purposes. The proxy server processes filtering requirements and examines its local cache for previously downloaded web pages when it receives a request for Internet service. Web page response times are quicker as a result of local storage, and Internet traffic is significantly decreased. The web cache can also be used to prevent employees from accessing content on websites like peer-to-peer networks, social media, or pornography. This kind of server is useful for rearranging online information so that it is compatible with mobile devices. It also offers greater bandwidth utilisation due to the fact that it keeps all of your request results in storage for a while.

Filters for Internet content

Internet content filters analyse content from browsers and applications to a list of terms, words, and phrases. The content of numerous Internet activities and applications, including instant messaging, email, and office documents, can be filtered by this kind of software. Only violations found in the specific applications indicated for the filtering application will be reported by content filtering. In other words, if a user chooses to use open Office instead of Microsoft Office, the information will not be filtered by the application. Data is compared against a software-contained database as part of the process of Internet content filtering. If there is a match, the data can be handled in a number of ways, such as filtering, capturing, or blocking the content and quitting the programme. Vista’s Parental Controls are an instance of this kind of software.

The content being viewed must be inspected by an agent on each workstation in order to use content filtering. If the content data breaches the predetermined policy, a screenshot of the offending portion of the screen is saved on the server together with relevant details about the violation. A violation stamp indicating the user, time, date, and application may be present. This data can be examined later. The organisation may find it easier to concentrate on content that contravenes policy if they use a prepared database of precise vocabulary. Words used in the medical field might be found, for instance, in a database of sexually explicit material. Applications that filter content allow words that are used in a medical context to get through the filter without being flagged as inappropriate. An organisation can keep an eye out for unlawful transfers of confidential information using the same concept.

At the operating system level, content filtering is incorporated such that it can track actions like accessing files in Windows Explorer. It can be used to keep an eye on and prevent the disclosure of private or sensitive information belonging to the company. In order to offer sufficient documentation for forensic investigations and legal proceedings, content filtering uses screen captures of each infraction along with time-stamped data. The database for content monitoring does not need to be updated every day as it does for antivirus and antispyware programmes. The content screening process requires “training,” which is a drawback. For instance, the terminology needs to be entered and established in the database in order to filter non-pornographic content.

 

Analyzers for Protocols

By obtaining data at the packet level from across the network, protocol analysers assist you in troubleshooting network problems. These programmes intercept packets and translate the data into a usable form for examination. Unlike packet analysers, protocol analysers are capable of more. They are helpful in numerous other aspects of network management, including keeping an eye on the network for unforeseen, unwanted, and pointless traffic. A protocol analyser, for instance, can tell you whether pointless protocols are running on the network if it is operating poorly. To monitor signs that could cause you issues, you can filter particular port ranges and categories of traffic. Numerous protocol analysers can be used to record live traffic and perform offline analysis while running on various platforms. Software For the creation of USB devices and the study of USB traffic, USB protocol analysers are also available.