Page 68 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Information Security and Privacy
Notes
In such systems, PIDS and APIDS are used to monitor the transport and application protocols for illegal or inappropriate traffic or for suspicious constructs of a language (say SQL). In a host-based system, the sensor usually consists of a software agent which monitors all activity of the host on which it is installed. Hybrids of these two systems also exist.
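The following worked example illustrates the APIDS idea described in the note above: an agent watches the SQL statements the middleware sends to the database and raises an alert when a statement has a structure the application was never seen to issue. It is added here for illustration and is not code from the textbook or from any product named on this page; the statements it processes are constructed sample data, and the "shape" normalisation (literals replaced by `?`) is one common way such monitors tolerate legitimate variation in data.

```python
"""APIDS-style monitor for the SQL stream between middleware and database."""
import re

# Literals are normalised so that the shape of a statement does not depend
# on the data it carries. Strings are replaced before numbers so that digits
# inside a quoted string are swallowed together with the string.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")


def sql_shape(statement: str) -> str:
    """Reduce a statement to its structural shape: literals become '?',
    whitespace and case are folded, a trailing semicolon is dropped."""
    s = _STRING.sub("?", statement)
    s = _NUMBER.sub("?", s)
    return _SPACE.sub(" ", s).strip().rstrip(";").lower()


def learn_shapes(trusted_statements) -> set[str]:
    """Learning mode: record the shapes seen while the application is trusted."""
    return {sql_shape(s) for s in trusted_statements}


def monitor(observed_statements, baseline: set[str]) -> list[tuple[int, str, str]]:
    """Enforcement mode: return (index, statement, shape) for every statement
    whose shape is not in the learned baseline."""
    alerts = []
    for i, stmt in enumerate(observed_statements):
        shape = sql_shape(stmt)
        if shape not in baseline:
            alerts.append((i, stmt, shape))
    return alerts


# Constructed sample data: statements captured while the application ran
# normally (learning phase) ...
TRUSTED_STATEMENTS = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 7",
    "UPDATE users SET last_login = '2024-01-01 10:00:00' WHERE id = 42",
    "INSERT INTO audit (user_id, action) VALUES (42, 'login')",
]

# ... and statements seen later. Two of them no longer match any known shape:
# one has an extra condition spliced into its WHERE clause, the other carries
# a second, stacked statement after the semicolon.
OBSERVED_STATEMENTS = [
    "SELECT id, name FROM users WHERE id = 1001",
    "SELECT id, name FROM users WHERE id = 1001 OR 1=1",
    "INSERT INTO audit (user_id, action) VALUES (1001, 'logout')",
    "SELECT id, name FROM users WHERE id = 3; DROP TABLE audit",
]

if __name__ == "__main__":
    base = learn_shapes(TRUSTED_STATEMENTS)
    for idx, stmt, shape in monitor(OBSERVED_STATEMENTS, base):
        print(f"ALERT statement #{idx}: {stmt!r}\n      shape {shape!r} not in baseline")
```

Because the monitor compares structure rather than data, it needs no list of "bad words": any statement whose shape was not observed during the learning phase is reported, which is why both tampered statements above are flagged while the two new but well-formed ones pass.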
1. A network intrusion detection system is an independent platform which identifies
intrusions by examining network traffic and monitors multiple hosts. Network Intrusion
Detection Systems gain access to network traffic by connecting to a hub, to a network switch
configured for port mirroring, or to a network tap.
An example of a NIDS is Snort.
2. A Protocol-based Intrusion Detection System (PIDS) consists of a system or agent that
would typically sit at the front end of a server, monitoring and analyzing the
communication protocol between a connected device (a user/PC or system) and the server. For a web
server this would typically monitor the HTTPS protocol stream and understand the HTTP
protocol relative to the web server/system it is trying to protect. Where HTTPS is in use,
this system would need to reside in the "shim" or interface between the point where HTTPS is
decrypted and the point immediately before the traffic enters the web presentation layer.
3. An Application Protocol-based Intrusion Detection System (APIDS) consists of a system or
agent that would typically sit within a group of servers, monitoring and analyzing the
communication on application-specific protocols.
Example: In a web server with a database, this would monitor the SQL protocol specific to
the middleware/business logic as it transacts with the database.
4. A Host-based Intrusion Detection System (HIDS) consists of an agent on a host which
identifies intrusions by analyzing system calls, application logs, file-system modifications
(binaries, password files, capability/acl databases) and other host activities and state.
An example of a HIDS is OSSEC.
5. A hybrid intrusion detection system combines two or more approaches. Host agent data
is combined with network information to form a comprehensive view of the network.
An example of a Hybrid IDS is Prelude.
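The file-system part of the HIDS description in item 4 can be illustrated with a small integrity monitor: it records a baseline of content hashes and permission bits for every file under a directory, then re-scans and reports what was modified, added or removed and whose mode changed. This is an added example and is not code from the textbook or from OSSEC; the host image it inspects (a binary, a password file, a permission-restricted policy file and a log) is constructed in a temporary directory so the example runs offline.

```python
"""HIDS-style file-integrity monitor over a constructed host directory."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> tuple[str, int]:
    """SHA-256 of the file content plus its permission bits."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(path.stat().st_mode)
    return h.hexdigest(), mode


def baseline(root: str) -> dict[str, tuple[str, int]]:
    """Walk `root` and fingerprint every regular file, keyed by POSIX relative path."""
    root_path = Path(root)
    result = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root_path).as_posix()] = _fingerprint(p)
    return result


def compare(old: dict, new: dict) -> dict[str, list[str]]:
    """Classify the differences between two baselines."""
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            report["removed"].append(rel)
        elif rel not in old:
            report["added"].append(rel)
        else:
            old_hash, old_mode = old[rel]
            new_hash, new_mode = new[rel]
            if old_hash != new_hash:
                report["modified"].append(rel)
            if old_mode != new_mode:
                report["mode_changed"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed host image, take a baseline, change it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(root / "etc" / "sudoers", 0o440)
        (root / "var" / "log" / "auth.log").write_text("constructed log line\n")
        before = baseline(tmp)

        # Constructed changes of the kinds a HIDS is meant to catch: a binary
        # whose content changed, a new UID-0 line in the password file, a
        # policy file made world-writable, a new file, and a deleted log.
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed binary, altered")
        with (root / "etc" / "passwd").open("a") as f:
            f.write("extra:x:0:0::/:/bin/sh\n")
        os.chmod(root / "etc" / "sudoers", 0o666)
        (root / "bin" / "sh").write_text("#!/bin/sh\n")
        (root / "var" / "log" / "auth.log").unlink()
        after = baseline(tmp)
        return compare(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:13s} {paths}")
```

A real agent would store the baseline outside the monitored host (or sign it), since an intruder with write access to the baseline can simply update it; the permission-bit check matters because a policy file can become exploitable without a single byte of its content changing.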
Self Assessment
Fill in the blanks:
9. An ........................... gathers and analyzes information from various areas within a computer
or a network to identify possible security breaches, which include both intrusions and
misuse.
10. A ........................... system is an independent platform which identifies intrusions by
examining network traffic and monitors multiple hosts.
5.6 Intrusion Prevention System
An Intrusion Prevention System is a network security device that monitors network and/or
system activities for malicious or unwanted behavior and can react, in real time, to block or
prevent those activities.
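The difference between a passive sensor and an in-line IPS is easiest to see when the same signature engine runs in both roles. In the added example below (not from the textbook or from any product named on this page), "detect" mode only raises alerts and forwards every packet, as a NIDS attached to a mirror port would, while "prevent" mode drops the packets that matched a rule and forwards the rest. The packets and the two Snort-like content rules are constructed sample data.

```python
"""Passive IDS versus in-line IPS with a shared signature engine."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int          # rule id, in the style of Snort rulesets
    msg: str
    dport: int        # destination port the rule applies to
    content: bytes    # byte pattern that must appear in the payload


def match(sig: Signature, pkt: Packet) -> bool:
    return pkt.dport == sig.dport and sig.content in pkt.payload


def process(packets, signatures, mode: str):
    """Return (forwarded_packets, alerts). mode is 'detect' or 'prevent'."""
    if mode not in ("detect", "prevent"):
        raise ValueError("mode must be 'detect' or 'prevent'")
    forwarded, alerts = [], []
    for pkt in packets:
        hits = [s for s in signatures if match(s, pkt)]
        for s in hits:
            alerts.append(f"[{s.sid}] {s.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        # A passive sensor never touches the traffic; an in-line IPS drops
        # the offending packets and lets everything else through.
        if mode == "detect" or not hits:
            forwarded.append(pkt)
    return forwarded, alerts


SIGNATURES = [
    Signature(1000001, "HTTP directory traversal attempt", 80, b"/../"),
    Signature(1000002, "HTTP SQL keyword in request", 80, b"UNION SELECT"),
]

# Constructed traffic: three ordinary requests and two that trip a rule.
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /images/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /search?q=shoes HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.80", 80, b"GET /search?q=1 UNION SELECT 1,2 HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.22", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        fwd, alerts = process(PACKETS, SIGNATURES, mode)
        print(f"{mode}: forwarded {len(fwd)} of {len(PACKETS)} packets, {len(alerts)} alerts")
        for a in alerts:
            print("  ", a)
```

The cost of the in-line position is that a false positive in prevent mode is an outage rather than a noisy alert, which is why rules are normally run in detect mode against real traffic before they are allowed to drop anything.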
Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious
code or attacks. When an attack is detected, it can drop the offending packets while still allowing
62 LOVELY PROFESSIONAL UNIVERSITY