Dec 14, 2022
I would like to straighten the defense of the web application by talking about Intrusion Detection and Prevention Systems (IDS and IPS) as the third member of this security trio defense: WAF, RASP, and IDPS. In the previous articles, I talked about security defense technology Runtime Application Self-Protection (RASP) and Web Application Firewall (WAF).
Intrusion Detection Systems and Intrusion Prevention Systems are used to detect intrusions and, if the intrusion is detected, to protect from it.
First, I will focus on explaining the differences between the WAF, RASP, and IDPS.
I have already explained in previous articles the difference between WAF and RASP. Still, I will introduce IDPS and show you exactly why a combination of this trio is the best security choice.
Summary: IDPS is used to detect intrusions and protect from them. WAF will detect and block attacks based on rules, patterns, algorithms, etc. RASP detects the application runtime behavior using algorithms.
To better understand why it is important to use both systems, we need to know what each of them does and doesn't do and how combining them gives more effective protection. Each of those systems has its own types, which will be explained below.
Location and Range
These two types of security systems operate in different locations and have different ranges.
· IDS works across the enterprise network in real-time by monitoring and analyzing network traffic.
· IPS works in the same network location as a firewall by intercepting network traffic.
· IPS can use IDS to expand the range of monitoring.
By knowing this and using both IDPS, you can cover more range.
Host-based IDS and IPS
There are a few types of IDS and IPS. I will mention them so you can know which one targets what, but there is plenty of online documentation for more information.
Host-based IDS (HIDS) is used for protecting individual devices. It is deployed at the endpoint level. It checks network traffic in and out of a device, and it can examine logs and running processes. HIDS protects only the host machine. It does not scan complete network data. Similar to this type, IPS has its own Host-based IPS (HIPS). HIPS is deployed on clients/servers, and it monitors the device level as well.
Network-based IDS and IPS
Network-based IDS (NIDS) works on monitoring the entire network. It looks out at every network device and analyzes all the traffic to and from those devices. On the other side, IPS has its own type, called Network-based IPS (NIPS), deployed within the network infrastructure. It monitors the complete network and, if needed, tries to protect it.
**NIDS and NIPS are very important to network forensics and incident response because they compare incoming traffic to malicious signatures and differentiate good traffic from suspicious traffic.
IPS also has Wireless IPS (WIPS) type that monitors radio waves (wireless LAN) for unauthorized access points, which you can use to automate wireless network scanning. Techtarget site provided ways of using WIPS in enterprise in this article. Check it out!
Protocol-based intrusion detection systems (PIDS) and Application protocol-based intrusion detection systems (APIDS)
Both protocol-based systems are the type of IDS. They both monitor traffic to and from devices. The only difference is that PIDS monitors one server and APIDS group of servers.
Network behavioral analysis (NBA)
Network behavioral analysis (NBA) is the type of IPS that looks for unexpected behavior within patterns of a network itself.
IDS and IPS modes
IDS is generally set to work in inline mode. As for IPS, it is set to work in the network behind the firewall. It can operate in both modes: as an end host or in inline mode.
According to softwaretestinghelp.com, the list of most used IDS tools is this:
· SolarWinds Security Event Manager
· Security Onion
· Open WIPS-NG
· McAfee Network Security Platform
· Palo Alto Networks
For more info regarding pricing, pros, cons and features of these tools checkout the softwaretestinghelp site.
Also, spiceworks.com provided the list of the most used IDPS tools:
· AirMagnet Enterprise
· Amazon Web Services (AWS) GuardDuty
· Azure Firewall Premium IDPS
· Cisco Secure IPS (NGIPS)
· Darktrace Enterprise Immune System
· IBM Intrusion Detection and Prevention System (IDPS) Management
· Meraki MX Advanced Security Edition
· NSFocus Next-Generation Intrusion Prevention System
For more info regarding pricing, pros, cons and features of these tools check out the spiceworks site. This research will also help you choose the right IDPS solution based on these tools' features.
There is a modern type of technology that combines IDS and IPS with firewalls called Next-Generation Firewall (NGFW) or Unified Threat Management (UTM).
· Standard firewall features (packet filtering, stateful inspection, and VPN awareness)
· Integrated Intrusion Prevention (IPS)
· Application awareness of threats
· Detect and block risky apps
· Threat intelligence
· Upgrading security features (such as future information feeds)
· New techniques that help to address new security threats
Researchers for nomios site have gathered information and made a list of the top 5 vendors for NGFW in 2022. Also, they gave suggestions on what you should look for when choosing the right NGFW tool. Check it out!
You should combine IDS and IPS because of three things: response, protection, and impact. If you decide to use IDS, the testing will stop at the detection phase but using IPS based on settings and policy testing will also include the prevention. Because IPS reacts immediately, it gives a certain layer of protection aside from detecting malicious activity. However, there are false positives possible using IPS that will end up shutting your network.
Organizations often set up Integration Detection Systems to handle the logs and notifications/alerts, routers, firewalls, and servers to fight threats.
A better solution would be using a combination of IDPS and setting it up when planning security. In the future, when the organization grows and needs better protection, it will be possible to use IDS/IPS solutions for additional networks, servers, or devices.
Also, depending on the organization's security needs and cost restrictions, NGFW can be a good choice too!
Cover photo by krakenimages
#IPS #IDS #IDPS #NGFW
CVE-2023–23752: Joomla Unauthorized Access VulnerabilityMohammad Hussam Alzeyyat March 24, 2023
Apache Zero Days - Apache Spark Command Injection Vulnerability (CVE-2022-33891)Mudassar Zafar March 22, 2023
CVE-2022-44666: Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerabilityj00sean (https://twitter.com/j00sean) March 01, 2023
KeePass Passwords Theft CVE-2023-240550Youssef Muhammad March 01, 2023
CVE-2022–44267: Denial Of Service in ImageMagickMohammad Hussam Alzeyyat February 28, 2023