IDPS Considerations

Grantham University


In light of the recent attacks on similar companies in our industry, Mahtmarg Manufacturing will be taking steps to maintain the security of our client and company information. It has been decided that we shall deploy an Intrusion Detection and Prevention System (IDPS) to help detect and combat possible attacks. The following paragraphs give an overview of the different categories of detection and prevention systems, followed by my recommendation of which types we should move forward with in order to guard against outside attacks.

Types of IDPSs

To start, an IDPS is a system that can both detect intrusions and modify its own configuration or environment to prevent them. It works somewhat like a burglar alarm: if a violation is detected, an alarm is raised and a monitoring authority, such as a system administrator, is notified. With most IDPSs, administrators can choose the configuration and level of monitoring. The four categories we will look at fall along two axes. The first two describe where the sensor sits; the last two describe how it decides that something is an attack, so any deployed system is one of the first pair combined with one of the second:

Host-based IDPS

Network-based IDPS

Signature-based IDPS

Anomaly-based IDPS

Host-based IDPSs (HIDPSs) reside on a host and work by classifying the system's files and data into categories and monitoring each according to its configuration (Whitman & Mattord, 2017). For instance, if the HIDPS is configured to report changes to certain folders or files, an administrator receives a message whenever one of them is modified. A HIDPS can also monitor several computers at once. This is useful, but it can also become troublesome: many applications modify files constantly, so this type of IDPS must be configured precisely (for example, by excluding log and cache files) so that it does not raise alarms continually when there is no need. With careful configuration, it remains a good setup when there are specific files and folders that we want watched.
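The file-monitoring behavior described above, as an added example that is not part of the original paper or of any product: a baseline of file hashes is taken, the tree is checked again later, and additions, removals and modifications are reported, with an exclusion list so that constantly rewritten files (here, assumed patterns for log and cache files) do not generate alarms. The directory contents and the changes made to them are constructed inline for the demonstration.

```python
import hashlib
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Files that legitimate software rewrites constantly; alerting on them would
# only produce noise. These patterns are assumptions for the example.
EXCLUDE_PATTERNS = ["*.log", "*.tmp", "cache/*"]


def excluded(relpath: str) -> bool:
    """True if the path matches one of the noise-suppression patterns."""
    return any(fnmatch(relpath, p) for p in EXCLUDE_PATTERNS)


def snapshot(root: Path) -> dict:
    """Return {relative path: sha256 hex} for every non-excluded file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if excluded(rel):
            continue
        result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed monitored tree, take a baseline, make changes, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "cache").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "app.log").write_text("started\n")
        (root / "cache" / "session").write_text("abc\n")

        baseline = snapshot(root)

        # Simulated activity after the baseline was taken (constructed):
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # suspicious
        (root / "etc" / "passwd").unlink()                                    # suspicious
        (root / "app.log").write_text("started\nrequest served\n")           # expected noise
        (root / "cache" / "session").write_text("def\n")                      # expected noise
        (root / "etc" / "cron.d").write_text("* * * * * root /tmp/x\n")       # suspicious

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Only the three changes under `etc/` are reported; the log and cache writes are filtered out by the exclusion list, which is exactly the tuning the paragraph calls for. Running the check from a scheduled task and storing the baseline somewhere the monitored host cannot rewrite it is what turns this into a usable HIDPS component.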

Network-based IDPSs (NIDPSs), as the name suggests, monitor network traffic. When a predefined condition occurs, the NIDPS alerts the appropriate administrator. NIDPSs look for patterns in network traffic, such as a large volume of related traffic that could indicate a DoS attack, or a series of related packets that could indicate a port scan in progress (Whitman & Mattord, 2017). Because of the many kinds of traffic on a network, a NIDPS requires much more complex configuration and maintenance than a host-based IDPS. NIDPSs also tend to yield more false positives than HIDPSs, since they must infer from traffic patterns alone what is normal and what is an attack.

Signature-based IDPSs (SIDPSs), also known as knowledge-based IDPSs, examine traffic for anything that matches a set of signatures: preconfigured, predetermined attack patterns. They work much like an antivirus program. And just like an antivirus program, the signatures must be continually updated as new attack strategies emerge, so a new attack has no signature until one is written (Whitman & Mattord, 2017). Another weakness is that many signatures have a time window attached to them, such as a number of ports probed within a set interval. If an attacker takes his time and is methodical, spreading the activity over a longer period, it is possible to slip by undetected because the activity never matches the signature's duration factor.
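Both the port-scan pattern from the network-based paragraph and the duration weakness from the signature-based paragraph, in one added example that is not from the original paper or any IDPS product. The signature is an assumption for the illustration: one source touching at least 10 distinct ports on one destination within 60 seconds. The connection records are constructed; the fast scanner matches, the slow scanner probing one port every two minutes never has 10 ports inside any window and is missed, and a normal client hitting only two ports never matches.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


# Assumed signature parameters for the example.
PORT_THRESHOLD = 10
WINDOW = 60.0


def detect_scans(conns, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return the set of (src, dst) pairs that match the port-scan signature.

    Records are processed in time order. For each (src, dst) pair only the
    events inside the sliding window are kept, and the signature fires when
    the number of distinct destination ports in the window reaches threshold.
    """
    events = defaultdict(list)      # (src, dst) -> [(ts, dport), ...]
    hits = set()
    for c in sorted(conns, key=lambda c: c.ts):
        key = (c.src, c.dst)
        buf = events[key]
        buf.append((c.ts, c.dport))
        # Expire events older than the window; this is the duration factor.
        events[key] = buf = [e for e in buf if c.ts - e[0] <= window]
        if len({port for _, port in buf}) >= threshold:
            hits.add(key)
    return hits


def build_traffic():
    """Constructed connection log: a fast scan, a slow scan and normal traffic."""
    conns = []
    # Fast scanner: 20 ports in 20 seconds.
    conns += [Conn(100 + i, "10.0.0.5", "192.168.1.10", 1 + i) for i in range(20)]
    # Slow scanner: one port every 120 seconds, never 10 ports within 60 s.
    conns += [Conn(100 + i * 120, "10.0.0.6", "192.168.1.10", 1 + i) for i in range(20)]
    # Normal client alternating between 80 and 443.
    conns += [Conn(100 + i, "10.0.0.7", "192.168.1.10", 80 if i % 2 else 443)
              for i in range(40)]
    return conns


if __name__ == "__main__":
    traffic = build_traffic()
    print("default window:", detect_scans(traffic))
    print("one-hour window:", detect_scans(traffic, window=3600))
```

Widening the window to an hour catches the slow scanner too, but at the cost of holding far more state per source and raising the chance that unrelated legitimate connections accumulate into a false alarm, which is the trade-off the signature's duration factor encodes.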

Lastly, there is the anomaly-based IDPS, which is a behavior-based system. It works by first collecting data from normal traffic and establishing a baseline. It then periodically samples network activity, using statistical methods, and compares the samples to the baseline (Whitman & Mattord, 2017). If any activity falls outside the baseline's parameters, it sets off an alarm. An advantage of the anomaly-based IDPS is that it can detect new types of attacks, because it looks for abnormal activity rather than known patterns. The downside is that it requires a great deal of overhead and processing capacity. Also, if the behavior of users or systems on the network varies widely and unpredictably, the baseline becomes so broad that real attacks fit inside it, so this IDPS is not suitable in that situation.
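The baseline-and-compare approach above, as an added example that is not from the original paper: the baseline is the mean and standard deviation of a training period, and a sample is flagged when it lies more than three standard deviations from the mean (the threshold is an assumption). The two training sets are constructed: a workstation with steady outbound traffic, and one that alternates between idle minutes and bulk transfers. The same burst is caught against the steady baseline and missed against the erratic one, which is the unsuitability the paragraph warns about.

```python
import statistics


def baseline(samples):
    """Mean and population standard deviation of the training period."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, mean, stdev, k=3.0):
    """Flag a sample more than k standard deviations from the baseline mean."""
    if stdev == 0:
        return value != mean
    return abs(value - mean) / stdev > k


def evaluate(training, observed, k=3.0):
    """Return the observed samples that the baseline would alarm on."""
    mean, stdev = baseline(training)
    return [v for v in observed if is_anomalous(v, mean, stdev, k)]


# Constructed data: outbound kilobytes per minute over a 60-minute training period.
# Steady host: roughly 1000-1120 KB every minute.
STEADY_TRAINING = [1000 + (i % 7) * 20 for i in range(60)]
# Erratic host: idle most minutes, a bulk transfer every third minute.
ERRATIC_TRAINING = [200 if i % 3 else 5200 for i in range(60)]
# Later samples; 6000 KB in one minute is the possible exfiltration burst.
OBSERVED = [1050, 1100, 6000]


if __name__ == "__main__":
    for name, training in (("steady", STEADY_TRAINING), ("erratic", ERRATIC_TRAINING)):
        mean, stdev = baseline(training)
        print(f"{name}: mean={mean:.0f} stdev={stdev:.0f} "
              f"alarms={evaluate(training, OBSERVED)}")
```

For the steady host the standard deviation is about 40 KB, so 6000 KB is well over a hundred deviations out. For the erratic host the deviation is about 2350 KB and 6000 KB sits under two deviations from the mean, inside the baseline. Lowering the threshold to catch it would instead alarm on every ordinary bulk transfer, which is why widely varying behavior makes this approach a poor fit.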

Based on the descriptions and the pros and cons listed, I think it would be best to employ a combination of a host-based and a network-based IDPS. Since placement and detection method are separate choices, each of those sensors will still need to be set up with signature detection, anomaly detection, or both. As stated, this will require meticulous configuration, but I feel that with both of these in place, we would be well positioned to detect and prevent attacks from outside sources.