HANDLING INTRUSION ATTACKS USING IDS AND IPS
This paper discusses one technology for handling intrusions in a network: Intrusion Detection and Prevention Systems (IDPS). IDPS covers two kinds of system, IDS and IPS. An IDS only detects intrusions, whereas an IPS can also stop them. Both IDS and IPS come in two forms, host-based and network-based. The paper also discusses the detection methods used by IDPS and the components an IDPS is built from.
The use of the internet today is a necessity that can no longer be avoided. With the internet, many things become easier. But behind all the conveniences and benefits of the internet come problems as well. In recent years, security has become the main focus in the world of computer networks because of the large number of suspicious activities and attacks coming from the Internet. Information security is one of the keys that affects the reliability (including the performance and availability) of a network. There are many approaches to the problem of network and computer security. One of them is to use an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
An IDS (Intrusion Detection System) is a system that monitors network traffic and looks for suspicious activity in a network. If suspicious activity is found in the traffic, the IDS alerts the system or network administrator. Some IDS products can also respond to abnormal or anomalous traffic by blocking the users or IP (Internet Protocol) addresses that attempt to access the network, although an IDS that blocks traffic is, strictly speaking, performing the function of an IPS.
An IPS (Intrusion Prevention System) combines the functions of a firewall and an IDS. It can be used to prevent attacks from entering the local network by inspecting and logging every packet and recognizing malicious packets with its sensors; once an attack has been identified, the IPS denies access (blocks) and records (logs) all of the identified packets. An IPS therefore behaves like a firewall, which allows or blocks traffic, combined with an IDS, which inspects packets in detail. An IPS uses packet signatures to detect traffic activity on networks and endpoints, so that inbound and outbound packets can be stopped as early as possible, before they do damage or gain access to the local network. Early detection and prevention are therefore the emphasis of an IPS.
IDS and IPS are together known as IDPS (Intrusion Detection and Prevention Systems). Usually a single hardware appliance provides either IDS or IPS functions. Figure 1 shows the division of IDPS functions. There are two types of IDS, NIDS and HIDS, and likewise two types of IPS, NIPS and HIPS.
NIDS (Network based IDS)
All traffic flowing through a network segment is analyzed to find out whether there have been attempts to attack or infiltrate the network. A NIDS is generally placed in an important network segment, such as where the servers are located, or at the “entrance” of the network. Ideally all traffic originating from outside and inside the network is scanned, but scanning everything can cause bottlenecks that slow access across the network.
HIDS (Host based IDS)
This type of IDS is placed on a single host or device in the network. A HIDS monitors the packets arriving at or leaving that one device, whether from inside or outside the network, and warns users or network administrators of any suspicious activity it detects. The position of a HIDS in a network can be seen in Figure 2.
NIPS (Network based IPS)
A NIPS, also referred to as “in-line proactive protection”, sits in the path of all network traffic and inspects it for suspicious behavior and code. Because it uses the in-line model, high performance is a crucial requirement of the IPS device, to prevent it from becoming a bottleneck on the network. The position of a NIPS in a network can be seen in Figure 3.
From the definitions and classifications of IDS and IPS outlined above, there is a fundamental difference between them. An IDS is not in-line on the network: it “only” monitors the network, being “connected” to it through a tap (or a mirror port). An IPS, on the other hand, is in-line in the network, so that when a suspicious attack or access is detected, the IPS can immediately cut off that access.
IDPS has three detection methods: signature-based, anomaly-based, and stateful protocol analysis. These three methods can be used together or individually.
Signature-Based Detection
This method compares each packet against a list of signatures to identify possible intrusions. It is effective when the IDPS is detecting known threats, but ineffective when the threat is new or unknown to the IDPS; “known” in this context means that the threat has been seen before and a signature has been written for it. This is the simplest method, because it only compares the packet data with the registered signatures using a comparison operation. Its disadvantage is that, because it works packet by packet, it cannot track events that unfold over more complex, multi-packet communication.
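The following is an added example, not code from the paper: a minimal signature matcher run over a few constructed packets. The signatures, addresses and payloads are made up for illustration and do not come from any real rule set. It also shows the two weaknesses described above: a known pattern that is split across two TCP segments, and an encoded variant the signature list has never seen, both go unnoticed by per-packet matching.

```python
"""Signature-based detection over a handful of constructed packets.

Added example: not code from the paper. Packets and signatures are made up
for illustration; the patterns are generic and do not refer to any real
product's rule set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    pattern: re.Pattern    # compiled regex over the raw payload bytes


# Hypothetical signatures: the "known threats" this sensor can recognize.
SIGNATURES = [
    Signature("HTTP path traversal", "tcp", 80, re.compile(rb"\.\./\.\./")),
    Signature("HTTP shell path in request", "tcp", 80, re.compile(rb"/bin/(ba)?sh\b")),
    Signature("SMB IPC$ share access", "tcp", 445, re.compile(rb"\\\\[^\\]+\\IPC\$")),
]


def match_packet(pkt: Packet, sigs: List[Signature]) -> List[str]:
    """Return the names of every signature that matches this single packet."""
    hits = []
    for sig in sigs:
        if sig.proto != pkt.proto:
            continue
        if sig.dport is not None and sig.dport != pkt.dport:
            continue
        if sig.pattern.search(pkt.payload):
            hits.append(sig.name)
    return hits


def scan(packets: List[Packet], sigs: List[Signature]) -> List[Tuple[str, str]]:
    """Stateless scan: each packet is judged on its own, as the paper describes."""
    return [(p.src, name) for p in packets for name in match_packet(p, sigs)]


# Constructed traffic sample (not a real capture).
SAMPLE = [
    # 1. textbook traversal attempt: matches the first signature
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    # 2. benign request
    Packet("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    # 3+4. the string "/bin/sh" split across two TCP segments:
    #      per-packet matching cannot see it
    Packet("10.0.0.9", "192.0.2.10", "tcp", 80, b"GET /cgi-bin/run?cmd=/bin/"),
    Packet("10.0.0.9", "192.0.2.10", "tcp", 80, b"sh HTTP/1.1\r\n"),
    # 5. percent-encoded traversal: a variant the signature does not know
    Packet("10.0.0.11", "192.0.2.10", "tcp", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for src, name in scan(SAMPLE, SIGNATURES):
        print(f"ALERT {src}: {name}")
```

Only the first packet produces an alert. Real sensors reduce the two misses by reassembling TCP streams and normalizing (decoding) HTTP before matching, but that already moves them beyond the pure per-packet comparison the method describes.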
Anomaly-Based Detection
This method compares the activity being monitored with activity that is considered normal in order to detect deviations. The IDPS keeps a profile that represents the normal behavior of users, hosts, network connections and applications. The profile is obtained by monitoring the characteristics of that activity over a certain time interval. The advantage of this method is that it is effective at detecting unknown threats, for example when the network is attacked by a new kind of intrusion. Its disadvantage is that in some cases, particularly with more complex communication, it is difficult to obtain accurate detection: legitimate behavior that did not occur during the profiling interval is reported as an anomaly.
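As an added example (not code from the paper), the profile-and-compare idea can be shown with a per-host profile learned from a constructed ten-minute baseline of flow records: which destination ports each host normally uses and how many connections per minute it usually makes. The hosts, ports and counts below are made up; the threshold of mean plus three standard deviations is an assumption for the example. The window being checked contains a port scan that no signature would recognize, a legitimate but never-before-seen connection that is reported anyway (the false positive the text warns about), and a host that was absent from the baseline.

```python
"""Anomaly-based detection from a learned per-host profile.

Added example, not code from the paper. The baseline and test traffic are
constructed here; a real IDPS would learn the profile from a capture.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A record is (minute, source_host, destination_port), e.g. from flow logs.
Record = Tuple[int, str, int]


def build_profile(baseline: List[Record]) -> Dict[str, dict]:
    """Learn, per host, the ports it normally talks to and its usual
    connections-per-minute rate (mean and population std. deviation)."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    per_minute: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for minute, host, dport in baseline:
        ports[host].add(dport)
        per_minute[host][minute] += 1
    profile = {}
    for host in ports:
        counts = list(per_minute[host].values())
        profile[host] = {
            "ports": ports[host],
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
        }
    return profile


def detect(window: List[Record], profile: Dict[str, dict],
           k: float = 3.0) -> List[Tuple[str, str]]:
    """Compare one observation window against the profile.

    Alerts (host, reason), deduplicated and sorted:
      unknown_host  - no profile exists for this host
      new_port      - the host used a port never seen in the baseline
      rate          - connections in a minute exceed mean + k * stdev
    """
    alerts: Set[Tuple[str, str]] = set()
    per_minute: Dict[Tuple[str, int], int] = defaultdict(int)
    for minute, host, dport in window:
        if host not in profile:
            alerts.add((host, "unknown_host"))
            continue
        if dport not in profile[host]["ports"]:
            alerts.add((host, "new_port"))
        per_minute[(host, minute)] += 1
    for (host, _minute), n in per_minute.items():
        p = profile[host]
        if n > p["mean"] + k * p["stdev"]:
            alerts.add((host, "rate"))
    return sorted(alerts)


# Constructed ten-minute baseline: a web client (10.0.0.5) and an SSH user (10.0.0.6).
BASELINE: List[Record] = []
for _minute, _n in enumerate([3, 4, 5, 4, 3, 4, 5, 4, 3, 4]):
    BASELINE += [(_minute, "10.0.0.5", 80 if _i % 2 else 443) for _i in range(_n)]
for _minute, _n in enumerate([1, 2, 1, 2, 1, 2, 1, 2, 1, 2]):
    BASELINE += [(_minute, "10.0.0.6", 22) for _ in range(_n)]

# Constructed observation window (minute 10).
WINDOW: List[Record] = (
    # 10.0.0.5 suddenly touches 40 different low ports: a scan no signature
    # list has seen before, but clearly not this host's normal behavior
    [(10, "10.0.0.5", port) for port in range(1, 41)]
    # 10.0.0.6 behaves normally but also opens one HTTPS connection:
    # reported as new_port even though it is legitimate (a false positive)
    + [(10, "10.0.0.6", 22), (10, "10.0.0.6", 22), (10, "10.0.0.6", 443)]
    # a host that was absent from the baseline period entirely
    + [(10, "10.0.0.8", 80)]
)

if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for host, reason in detect(WINDOW, prof):
        print(f"ANOMALY {host}: {reason}")
```

For 10.0.0.5 the learned rate is 3.9 connections per minute with a standard deviation of 0.7, so 40 connections in one minute is far beyond the threshold of 6.0; for 10.0.0.6 the three connections stay within its threshold of 3.0, and only the single HTTPS connection is flagged. How long the profiling interval runs and how the threshold is set decide how many such false positives an analyst has to sift through.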
Stateful Protocol Analysis
This method resembles anomaly-based detection in that it compares an existing profile with ongoing activity to identify deviations. However, unlike anomaly-based detection, which uses a profile built for a particular host, stateful protocol analysis uses a broader profile that specifies how a particular protocol may and may not be used. “Stateful” here means that the IDPS can understand and track the state of network, transport and application protocols. The advantage of this method is that it can identify unexpected sequences of commands, such as issuing the same command over and over. Its drawback is that the protocol model used by the IDPS may conflict with how the protocol is actually implemented by an operating system or application; in other words, it can be difficult to distinguish the protocol interactions of a legitimate client or server implementation from a violation.
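The following is an added example, not code from the paper: a deliberately simplified SMTP state machine used as the “protocol profile”, walked over constructed client command streams. The allowed-command table, the repeat limit of five and the sessions themselves are assumptions made for this illustration. It flags a known command issued in the wrong state, an unknown command, and the same command repeated many times in a row, which is the case the text calls out.

```python
"""Stateful protocol analysis of an SMTP command stream.

Added example, not code from the paper. The protocol model below is a
simplified SMTP state machine written for this illustration, and the
sessions are constructed, not captured.
"""
from typing import Dict, List, Set, Tuple

# Which commands the model allows in each state (simplified SMTP).
ALLOWED: Dict[str, Set[str]] = {
    "INIT":    {"HELO", "EHLO", "NOOP", "QUIT"},
    "GREETED": {"MAIL", "RSET", "NOOP", "QUIT", "HELO", "EHLO"},
    "MAIL":    {"RCPT", "RSET", "NOOP", "QUIT"},
    "RCPT":    {"RCPT", "DATA", "RSET", "NOOP", "QUIT"},
    "DATA":    {"MAIL", "RSET", "NOOP", "QUIT"},   # message body already sent
    "CLOSED":  set(),
}
# State reached after a command that the model accepts.
NEXT_STATE: Dict[str, str] = {
    "HELO": "GREETED", "EHLO": "GREETED", "MAIL": "MAIL", "RCPT": "RCPT",
    "DATA": "DATA", "RSET": "GREETED", "QUIT": "CLOSED",
}
KNOWN = set(NEXT_STATE) | {"NOOP"}

Alert = Tuple[int, str, str]   # (line number, kind, command verb)


def analyze_session(lines: List[str], repeat_limit: int = 5) -> Tuple[str, List[Alert]]:
    """Walk one client's command lines through the protocol model.

    Alert kinds:
      unknown_command    - verb the model has never heard of
      unexpected_command - known verb, but not allowed in the current state
      repeated_command   - the same verb issued more than repeat_limit
                           times in a row (reported once per run)
    Returns the final state and the alerts raised.
    """
    state = "INIT"
    alerts: List[Alert] = []
    last_verb, run = None, 0
    for lineno, line in enumerate(lines, start=1):
        verb = line.split()[0].split(":")[0].upper() if line.strip() else ""
        if verb == last_verb:
            run += 1
            if run == repeat_limit + 1:
                alerts.append((lineno, "repeated_command", verb))
        else:
            last_verb, run = verb, 1
        if verb not in KNOWN:
            alerts.append((lineno, "unknown_command", verb))
            continue
        if verb not in ALLOWED[state]:
            alerts.append((lineno, "unexpected_command", verb))
            continue          # the model refuses the transition
        if verb in NEXT_STATE:
            state = NEXT_STATE[verb]
    return state, alerts


# Constructed sessions.
NORMAL = ["EHLO client.example", "MAIL FROM:<a@example.com>",
          "RCPT TO:<b@example.org>", "DATA", "QUIT"]
OUT_OF_ORDER = ["EHLO client.example", "DATA", "QUIT"]          # DATA before MAIL/RCPT
HARVEST = (["EHLO client.example", "MAIL FROM:<a@example.com>"]
           + [f"RCPT TO:<user{i}@example.org>" for i in range(20)]  # address guessing
           + ["QUIT"])
UNKNOWN = ["EHLO client.example", "FOO 1", "QUIT"]

if __name__ == "__main__":
    for name, session in [("normal", NORMAL), ("out_of_order", OUT_OF_ORDER),
                          ("harvest", HARVEST), ("unknown", UNKNOWN)]:
        print(name, analyze_session(session))
```

The drawback named in the text shows up directly in this model: a mail server that tolerates MAIL without a preceding HELO/EHLO (a lenient implementation) would have every such client flagged with `unexpected_command`, and the analyst cannot tell from the alert whether the client or the model is wrong. The profile therefore has to be adjusted to the implementations actually in use.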
An IDPS is made up of several types of components, described below:
Sensor or Agent
Sensors and agents monitor and analyze activity. Sensors are used by an IDPS to monitor networks, in the Network-Based, Wireless, and Network Behavior Analysis technologies, whereas agents are used by an IDPS for Host-Based technology.
A Management Server is a centralized device that receives information from sensors or agents and then manages it. In this context the term correlation refers to matching up information from multiple sensors or agents, such as finding events that are caused by the same IP address. Management servers are available as both hardware and software.
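As an added example (not code from the paper) of the correlation a management server performs, the function below groups events reported by different sensors and agents by source IP and keeps only the groups in which at least two distinct sensors reported the same IP within a time window. The sensor names, events and the ten-minute window are assumptions made for this illustration.

```python
"""Correlating sensor and agent events by source IP on a management server.

Added example, not code from the paper. Sensor names, timestamps and
events are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp in seconds, reporting sensor or agent, source IP, event description)
Event = Tuple[int, str, str, str]


def correlate(events: List[Event], window: int = 600,
              min_sensors: int = 2) -> Dict[str, List[Event]]:
    """Group events by source IP and keep the groups in which at least
    `min_sensors` distinct sensors or agents reported that IP within
    `window` seconds of each other. Returns {ip: events sorted by time}."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    incidents: Dict[str, List[Event]] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # slide a window over this IP's time-ordered events; the first
        # window with enough distinct reporters becomes the incident
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            group = evs[i:j]
            if len({e[1] for e in group}) >= min_sensors:
                incidents[ip] = group
                break
    return incidents


# Constructed event feed from one NIDS sensor and two host agents.
EVENTS: List[Event] = [
    (1000, "nids-edge",  "203.0.113.7",  "TCP SYN scan, 200 ports"),
    (1090, "hids-web01", "203.0.113.7",  "12 failed SSH logins"),
    (1150, "hids-db01",  "203.0.113.7",  "SSH login as root succeeded"),
    (1200, "nids-edge",  "198.51.100.3", "HTTP path traversal signature"),
    (5000, "hids-web01", "198.51.100.3", "3 failed SSH logins"),   # hours later
    (1300, "hids-db01",  "10.0.0.6",     "sudo by ops user"),
]

if __name__ == "__main__":
    for ip, group in correlate(EVENTS).items():
        reporters = sorted({e[1] for e in group})
        print(f"INCIDENT {ip}: {len(group)} events from {', '.join(reporters)}")
        for ts, sensor, _ip, desc in group:
            print(f"  t={ts} {sensor}: {desc}")
```

Only 203.0.113.7 becomes an incident: the scan seen at the edge, the failed logins on web01 and the successful root login on db01 fall within ten minutes of each other and come from three different reporters. 198.51.100.3 was also seen by two sensors, but more than an hour apart, so with the default window it stays as two unrelated alerts.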
A Database Server is where the information recorded by sensors, agents and management servers is stored.
A Console is a program that provides an interface for IDPS users and administrators. Some consoles are used only for IDPS administration, such as configuring sensors or agents, while others are used for both administration and monitoring.