Intrusion detection and prevention systems (IDS/IPS)
Who is the guardian of your network?
An Intrusion Detection System (IDS) monitors the traffic passing through the network and raises an alert whenever it observes suspicious activity, much like a security guard who watches the movement of people in an organization, notes what they do and reports suspicious behaviour so that the organization can stop it if necessary. When, over time, we discover points in our software systems through which an intrusion is possible, an Intrusion Prevention System (IPS) can block the abuse of that weakness until the underlying problem is fixed. Naturally, an intrusion prevention system must also be able to detect intrusions, which is why such systems are sometimes called Intrusion Detection and Prevention Systems (IDPS). The wide range of software in use, the steady appearance of new attacks, insecure configurations, the absence of an intrusion detection and prevention system, and late security updates in IT systems together give those who watch for and exploit the vulnerabilities of computer networks ample opportunity for abuse until the security problems are resolved.
In network security, any attempt to gain unauthorized access to the information of a person or organization, or to create such access, is considered an intrusion.
Intrusion and intrusion detection
In order to prevent unauthorized access to organizations' information, an intangible and valuable asset, or disruption of legitimate access to it, it is necessary to secure the technology used to transfer and manage this information. The first task in preventing intrusion is to create barriers to accessing information; in current communication and information technology products, the components designed for this purpose are called firewalls.
However, despite the access barriers, there is still the possibility that, over time, faulty procedures and security weaknesses of the system will surface and people will gain access to information and resources without permission, barriers notwithstanding. These weak points in procedures can arise for various reasons: complexity, impossibility of auditing, multi-step processes, dependence on human supervision and so on.
For example, in banking systems, some complex procedures can create the weakness that bank resources are misused by someone for their own benefit. Or, in a post office, the way a client requests to send or receive a letter may be such that the clerk handling the request mistakenly hands one person's letter to another.
Once faulty administrative procedures (attack patterns) that grant unauthorized access to resources have been discovered, and until there is an opportunity to change the administrative system, intrusions can be detected simply by matching clients' requests against the discovered patterns; any request that matches is a suspicious attempt to infiltrate the system. In addition, if all clients share a particular behavioural pattern, an intrusion can be identified by observing behaviour that departs from it.
As an example, to better understand the concept of an intrusion prevention system, imagine a person who infiltrates a postal centre in order to gain unauthorized information about postal packages. How can this person's intrusion into the post office be detected? Probably by one of the following methods:
Knowing the weak points of the system that can be abused. For example: carelessness in checking identity documents (accepting copies of documents without examining the originals).
Placing filters that detect the kinds of requests that lead to intrusion. For example: asking post office employees to check certain things while handling clients' requests.
Observing and identifying abnormal behaviour in clients. For example: how a person interacts with office employees,
failing to follow the normal order of requests,
making an unrelated request.
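As an added example, not code from the original article or from any product it mentions, the following Python script applies both detection methods from the list above, matching requests against known attack patterns (signatures) and flagging clients whose behaviour departs from the norm (anomaly detection), to a handful of constructed web-server log lines. The log lines, the three signatures, the field layout and the thresholds are assumptions chosen for illustration.

```python
"""Toy IDS/IPS: signature matching plus anomaly detection over request logs.
Added example; the log lines, signatures and thresholds are assumptions."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (simplified: client-ip method path status).
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.7 GET /index.html 200
10.0.0.9 GET /cgi-bin/test.cgi?cmd=/bin/sh 404
10.0.0.5 GET /contact.html 200
10.0.0.9 GET /login.php?user=admin'%20OR%201=1-- 200
10.0.0.9 GET /../../etc/passwd 403
10.0.0.7 GET /products.html 200
10.0.0.12 GET /admin/ 403
10.0.0.12 GET /admin/config 403
10.0.0.12 GET /admin/backup.zip 403
10.0.0.12 GET /admin/.env 403
10.0.0.12 GET /admin/users 403
"""

# Signature-based detection: a tiny "attack pattern database". A real IPS
# can only catch what is in this database, so it must be kept updated.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
    "shell-in-query": re.compile(r"cmd=/bin/sh"),
}


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ip, method, path, status = line.split()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def signature_matches(path):
    """Names of every attack pattern matching the request path. The path is
    URL-decoded first so that percent-encoding cannot hide the pattern."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def anomalous_clients(records, min_requests=3, max_error_ratio=0.5):
    """Anomaly-based detection: ordinary visitors mostly receive 2xx, so a
    client whose share of non-2xx responses exceeds the threshold is flagged.
    The thresholds are assumptions and must be tuned per environment."""
    totals = defaultdict(int)
    errors = defaultdict(int)
    for r in records:
        totals[r["ip"]] += 1
        if not 200 <= r["status"] < 300:
            errors[r["ip"]] += 1
    return sorted(ip for ip, n in totals.items()
                  if n >= min_requests and errors[ip] / n > max_error_ratio)


def detect(log_text):
    """Run both detectors; the 'block' list is the prevention decision an
    IPS would enforce (drop traffic from these clients)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    sig_alerts = [(r["ip"], name, r["path"])
                  for r in records for name in signature_matches(r["path"])]
    anomalies = anomalous_clients(records)
    block = sorted({ip for ip, _, _ in sig_alerts} | set(anomalies))
    return {"signature": sig_alerts, "anomaly": anomalies, "block": block}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ip, name, path in result["signature"]:
        print(f"SIGNATURE {name:15} {ip:10} {path}")
    for ip in result["anomaly"]:
        print(f"ANOMALY   error-rate      {ip}")
    print("BLOCK", ", ".join(result["block"]))
```

Running it flags 10.0.0.9 three times by signature and 10.0.0.12 only by the error-rate anomaly: the admin-path probing matches none of the three patterns, so a signature-only IPS would let it through, which is the limitation of relying on a pattern database alone. The anomaly check also re-flags 10.0.0.9 from its two failed requests, a reminder that behavioural thresholds trade false positives against coverage and need tuning on real traffic.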
Intrusion Prevention System (IPS)
Similar to the example above, an intrusion detection and prevention system, or intrusion prevention system (IPS) for short, is a network device placed in an organization's network that can detect intrusions into the network, generally by recognizing a number of predefined attack patterns, and block them. Today, with the aim of simplification and reducing costs, UTM devices (such as Parsgate) also include IPS capabilities, so that in one device IPS can be used in an integrated manner with other security features such as firewall, VPN and application control.
When using intrusion prevention systems, timely updating of the attack patterns (also called "attack signatures") is very important, because with the rapid evolution of technology new attacks are discovered and new ways are found to penetrate systems that were previously considered safe. If the IPS does not know these new attack patterns, it cannot detect the new attacks. This is exactly like antivirus software, which is practically useless if it is not updated.
So one criterion for evaluating IPS vendors is whether they regularly update their database of attack patterns: do they provide online updating of this database for their customers, and does the product's attack pattern database cover all important and known attacks?