
3 – Intrusion Detection System and Firewalls 10 [30]

IDS: What is not an IDS?, Infrastructure of IDS, Classification of IDS, Host-based IDS, Network-based
IDS, Anomaly vs Signature Detection, Normal Behaviour Patterns (Anomaly Detection), Misbehaviour
Signatures (Signature Detection), Parameter Pattern Matching, Managing an IDS.
Malicious Software, Safeguards, Firewalls, Packet-Filtering Firewalls, Stateful Inspection Firewalls,
Proxy Firewalls, Guard, Personal Firewalls, Limitations of Firewalls.

Intrusion detection (ID) is the process of monitoring the events occurring in a
computer system or network and analyzing them for signs of intrusions.

An intrusion detection system (IDS) is a system that monitors network traffic or
host activity for suspicious activity or policy violations and issues alerts when
such activity is discovered; it does not itself block the activity. IDS are
software or hardware products that automate the monitoring and analysis process.

On finding malicious activity, an IDS typically reports it to an administrator
or forwards it to a central security information and event management (SIEM)
system, where it can be correlated with alerts from other sources.

Components of IDS

(Diagram) Raw Event Source -> Events -> Storage -> Analysis -> High-level
Interpreted Events -> Counter Measures -> Reactions to Events

 An IDS receives raw inputs from sensors. It saves those inputs, analyzes
them, and takes some controlling action.
 All activities, both intrusion and non-intrusion, are stored in the log file
in the form of raw events.
 The IDS reads the raw events from the log, extracts the events of interest
related to intrusion, and stores them for future reference.
 These events are analyzed and, based on the analysis, an intrusion is
detected.
 Once an intrusion is detected, an appropriate countermeasure (remedial
action) is chosen according to the security policy and a reaction to the event
is taken, both to stop the current intrusion and to reduce such intrusions in
future.


Functions of Intrusion Detection System

1. Monitoring users and system activity.
2. Auditing system configuration for vulnerabilities and
misconfigurations.
3. Assessing the integrity of critical system and data files.
4. Recognizing known attack patterns in system activity.
5. Identifying abnormal activity through statistical analysis.
6. Managing audit trails & highlighting user violation of policy or
normal activity.
7. Installing and operating traps to record information about
intruders.
8. Identifying whether the intrusion attack is from inside or outside.

What is not an IDS? An IDS is different from:

1. Network monitoring systems, which watch availability and congestion (for
example, they may notice that a network has become unusable under a DoS
attack) but do not analyze events for signs of intrusion.
2. Vulnerability assessment tools (security scanners), which check for bugs and
flaws in operating systems and network services rather than watching for
attacks in progress.
3. Anti-virus software, which detects malicious software such as viruses,
worms and logic bombs. It is very similar to an IDS and often provides
effective breach detection, but it is limited to known malicious code.
4. Security mechanisms that protect traffic or enforce access control, such as
firewalls, VPN, SSL and S/MIME. They prevent or protect; they do not detect.

Taxonomy used in intrusion detection

1. Intrusion: a series of concatenated activities that pose a threat to the
safety of IT resources, from unauthorized access to a specific computer or
address domain.
2. Incident: a violation of the system security policy rules that may be
identified as a successful intrusion.
3. Attack: a failed attempt to enter the system (no violation committed).
4. Modeling of intrusion: a time-based model of the activities that compose an
intrusion. The intruder starts with an introductory action followed by
auxiliary ones that lead to successful access.

Types of Attacks
1. Active attack: the attacker modifies, injects or disrupts data or systems.
2. Passive attack: the attacker only observes (e.g. eavesdrops on traffic)
without altering anything.

15CS62T Page 2 of 10
3 – Intrusion Detection System andFirewalls 10 [30]

Infrastructure of IDS

(Diagram) IDS tasks: Intrusion Monitoring (Protected Systems Monitoring,
Analysis, Notification) and Intrusion Detection. Additional IDS infrastructure:
Prevention, Simulation, Response Notification, Response.
Refer to the given question-and-answer notes.

Classification of IDS

(Diagram) Intrusion Detection System -> Host Based IDS | Network Based IDS;
each may operate Online (real time) or Offline (periodic analysis of logs).

A host-based IDS (HIDS) is restricted to detecting intrusions on the host system
on which it runs. It can examine the host's logs and the network traffic entering
and leaving that host, but it remains unaware of intrusions happening elsewhere
in the network. A HIDS normally works in real time, but it can also be operated
in periodic mode over a backed-up log.
A network-based IDS (NIDS) can monitor a whole network segment for possible
intrusions, but it has no view inside the hosts involved: it sees the addresses
in the traffic but cannot by itself confirm what happened on the target system,
and it cannot inspect traffic that is encrypted or that never crosses the
segment it watches.
Because a HIDS is licensed per host, the total licensing cost of HIDS across a
network is usually higher than that of a NIDS (provided they are commercial
software).

Whatever type of IDS is used, it typically consists of several specialized
components working together: a traffic collector, an analysis engine, a
signature database, and a user interface with reporting. These collectively
perform the task of the IDS.

Intrusion Detection Methods

1. Signature-based IDS: detects attacks by looking for specific patterns, such
as byte sequences in network traffic or known malicious instruction sequences
used by malware. The terminology originates from anti-virus software, which
refers to these detected patterns as signatures. Although a signature-based IDS
can easily detect known attacks, it cannot detect new attacks for which no
pattern is yet available, and minor variations of a known attack (different
encoding, case or spacing) can evade a signature that is written too narrowly.
2. Anomaly-based IDS: introduced primarily to detect unknown attacks, in part
because of the rapid development of malware. The basic approach is to build a
model of trustworthy ("normal") activity, often by statistical or machine
learning methods, and then compare new behaviour against this model. Although
this approach enables the detection of previously unknown attacks, it may
suffer from false positives, and an attacker who is present during the
training period can have their own activity learned as normal.

The main advantage of anomaly detection is its capability to detect previously
unknown attacks or new types of attacks.
The limitation of anomaly detection is that an alarm is generated any time
traffic or activity deviates from the defined "normal" pattern, whether or not
the deviation is malicious.
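As an added example (not part of the original notes), the following Python script runs the pipeline from the Components of IDS section above over constructed log lines and shows both detection methods side by side: raw events are parsed into events, matched against a small misbehaviour-signature database, and compared with a baseline of normal per-source request rates learned from a trusted period. The log lines, IP addresses, signature names, regular expressions and the 3-sigma threshold are all constructed for illustration. Note what each method catches: the SQL-injection and path-traversal probes from 10.0.0.9 are found only by the signatures (two requests are not statistically unusual), the flood from 10.0.0.23 is found only by the anomaly model, and the legitimate crawler 10.0.0.31 is reported as an anomaly too, which is the false-positive limitation described above.

```python
import re
import statistics
from collections import Counter

# Constructed sample data, not captured from a real network.
# Each raw event is one web-server access log line: client_ip method path status
BASELINE_LOG = (
    ["10.0.0.11 GET /index.html 200"] * 3
    + ["10.0.0.12 GET /index.html 200"] * 4
    + ["10.0.0.13 GET /about.html 200"] * 2
    + ["10.0.0.14 GET /index.html 200"] * 5
    + ["10.0.0.15 GET /news.html 200"] * 3
    + ["10.0.0.16 GET /index.html 200"] * 4
)
OBSERVED_LOG = (
    [
        "10.0.0.5 GET /index.html 200",
        "10.0.0.5 GET /about.html 200",
        "10.0.0.9 GET /login?user=admin'%20OR%201=1-- 200",
        "10.0.0.9 GET /../../etc/passwd 404",
    ]
    + [f"10.0.0.23 GET /page{i}.html 200" for i in range(40)]  # scripted flood
    + [f"10.0.0.31 GET /doc{i}.html 200" for i in range(8)]    # legitimate crawler
)

# Misbehaviour signatures (assumed, illustrative): known patterns in request
# paths, the same idea as an anti-virus signature database.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'(%20|\s)*or(%20|\s)+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse_event(line):
    """Raw event source -> structured event (the 'Events' stage of the diagram)."""
    ip, method, path, status = line.split()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def signature_alerts(events):
    """Signature detection: one alert for every event matching a known pattern."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((name, ev["ip"], ev["path"]))
    return alerts


def learn_baseline(events):
    """Anomaly detection, training step: model 'normal' as the mean and standard
    deviation of requests per source IP during a trusted period."""
    counts = list(Counter(ev["ip"] for ev in events).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly detection, detection step: flag sources whose request count is
    more than k standard deviations above the learned mean."""
    mean, stdev = baseline
    limit = mean + k * stdev
    counts = Counter(ev["ip"] for ev in events)
    return [(ip, n) for ip, n in sorted(counts.items()) if n > limit]


def choose_countermeasures(sig_alerts, anom_alerts):
    """Policy step: a signature hit is strong evidence, so the source is blocked;
    an anomaly is only a deviation from baseline, so it is escalated for review."""
    actions = {}
    for _name, ip, _path in sig_alerts:
        actions[ip] = "block"
    for ip, _count in anom_alerts:
        actions.setdefault(ip, "notify-admin")
    return actions


def run_ids(baseline_log, observed_log):
    """Whole pipeline: raw events -> events -> analysis -> countermeasures."""
    baseline = learn_baseline(parse_event(l) for l in baseline_log)
    events = [parse_event(l) for l in observed_log]
    sig = signature_alerts(events)
    anom = anomaly_alerts(events, baseline)
    return {"signature": sig, "anomaly": anom,
            "actions": choose_countermeasures(sig, anom)}


if __name__ == "__main__":
    for stage, result in run_ids(BASELINE_LOG, OBSERVED_LOG).items():
        print(stage, result)
```

The signature for the SQL tautology deliberately accepts either a literal space or its `%20` encoding and ignores case; a signature that matched only `' OR 1=1` would miss the request shown, which is the evasion problem noted above.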


A firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules. A firewall
typically establishes a barrier between a trusted internal network and an
untrusted external network, such as the Internet.

A firewall is a boundary, or wall, that keeps intruders from attacking the
network. It is a network device placed between a private network and the
Internet and configured to inspect the traffic that passes between them. Rules
specify which protocols, addresses and ports are allowed; if a packet is not
covered by the approved rules, the firewall discards it and denies it entry to
the network.

When a private network is connected to the Internet, it allows its users to
access information from external sources, but it also allows external users to
reach the private network and steal information from it. To prevent such
unauthorized access, organizations deploy firewalls.

Firewalls are often categorized as either network firewalls or host-based
firewalls. Network firewalls filter traffic between two or more networks and run
on network hardware. Host-based firewalls run on host computers and control
network traffic in and out of those machines.

(Diagram) Firewalls -> Host Based Firewalls | Network Firewalls

(Diagram) Firewalls -> Packet Filtering Firewalls, Stateful Inspection
Firewalls, Application/Proxy Firewalls, Guards, Personal Firewalls


Firewall History

Packet filter: The first reported type of network firewall is called a packet
filter. Packet filters act by inspecting packets transferred between computers.
When a packet does not match the packet filter's set of filtering rules, the
packet filter either drops the packet (silently discards it) or rejects it
(discards it and generates an Internet Control Message Protocol notification for
the sender); otherwise it is allowed to pass. Packets may be filtered by source
and destination network addresses, protocol, and source and destination port
numbers.

Firewall technology was first developed in 1988 by engineers at Digital
Equipment Corporation (DEC), who built filter systems known as packet filter
firewalls. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin continued the
research in packet filtering and developed a working model for their own
company based on this first-generation architecture.

Second-generation firewalls perform the work of their first-generation
predecessors but operate up to layer 4 (the transport layer) of the OSI model.
This is achieved by retaining packets until enough information is available to
make a judgment about the state of the connection they belong to.

Third-generation firewalls work at the application layer. The key benefit of
application-layer filtering is that it can "understand" certain applications and
protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS) or
Hypertext Transfer Protocol (HTTP)). This is useful because it can detect when an
unwanted application or service attempts to bypass the firewall by using an
allowed port, or when a protocol is being abused in a harmful way.

Network-layer firewalls, also called packet filters, operate at a relatively low
level of the TCP/IP protocol stack and do not allow packets to pass through the
firewall unless they match the established rule set. The firewall administrator
may define the rules, or default rules may apply. The term "packet filter"
originated in the context of BSD operating systems.

Network-layer firewalls are generally grouped into two sub-categories: stateful
and stateless.

Packet Filtering Firewall

Packet filtering is a firewall technique that controls network access by
monitoring outgoing and incoming packets and allowing them to pass or halting
them based on source and destination Internet Protocol (IP) addresses, protocols
and ports. The filtering rules are based on the following information contained
in the network packet:


1. Source IP address: the IP address of the system that originated the IP
packet.
2. Destination IP address: the IP address of the system the packet is trying
to reach.
3. Source and destination transport-level addresses: the transport-level (TCP
or UDP) port numbers.
4. IP protocol field: which transport protocol (e.g. TCP, UDP, ICMP) the
packet carries.
5. Interface: for a router with three or more ports, which interface the
packet arrived on or which interface it is destined for.

The packet filter is typically set up as an ordered list of rules based on
matches to the fields in the IP or TCP header. The first rule that matches a
packet is invoked to determine whether to forward or discard it. If no rule
matches, the default action is taken; a secure default is to discard the packet.

Stateful Inspection Firewalls

Stateful inspection, also known as dynamic packet filtering, is a firewall
technology that monitors the state of active connections and uses this
information to determine which network packets to allow through the firewall.

A stateful firewall tracks the operating state and characteristics of the
network connections traversing it. It is configured to distinguish genuine
packets for different types of connections, and only packets matching a known
active connection (or legitimately opening a new one) are allowed to pass.
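The following Python program is an added example, not code from the original notes. It implements the rule-list semantics from the Packet Filtering Firewall section (first match wins, default drop, matching on interface, addresses, protocol, port and TCP flags) and then the connection table that makes the filter stateful. The addresses, rule sets and packets are constructed for illustration. The interesting case is the last packet: a stateless rule that lets in "any TCP packet with ACK set" is the usual way to approximate replies to internal connections, and it is exactly what allows a spoofed, unsolicited packet to reach an internal workstation; the stateful firewall drops it because no connection in its table matches.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed, not parsed from
    real packets). iface is the router interface the packet arrived on."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}
    iface: str = "ext"               # "ext" (Internet side) or "int" (private side)


def _in_net(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    return (
        rule.get("iface", pkt.iface) == pkt.iface
        and _in_net(pkt.src, rule.get("src", "any"))
        and _in_net(pkt.dst, rule.get("dst", "any"))
        and rule.get("proto", pkt.proto) == pkt.proto
        and rule.get("dport", pkt.dport) == pkt.dport
        and rule.get("flags", frozenset()) <= pkt.flags
    )


def stateless_filter(rules, pkt, default="drop"):
    """Packet filter: the first matching rule decides; with no match the
    default action (here: drop) applies."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return default


# Stateless rule set for a router between 192.168.1.0/24 and the Internet.
# The last rule is the classic stateless approximation of "replies to our own
# connections": let in any TCP packet with ACK set. It is also the weakness.
STATELESS_RULES = [
    {"iface": "int", "src": "192.168.1.0/24", "action": "accept"},
    {"iface": "ext", "proto": "tcp", "dst": "192.168.1.10/32", "dport": 80, "action": "accept"},
    {"iface": "ext", "proto": "tcp", "flags": frozenset({"ACK"}), "action": "accept"},
]

# Stateful rule set: only rules for *new* connections; replies are handled by
# the connection table, so the ACK rule is not needed.
STATEFUL_RULES = STATELESS_RULES[:2]


class StatefulFirewall:
    """Dynamic packet filtering: remembers accepted connections and lets
    through only packets that belong to one or that legitimately open one."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (src, sport, dst, dport, proto) of active connections

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table or reverse in self.table:
            return "accept"               # part of a known active connection
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop"                 # a new TCP connection must begin with a bare SYN
        action = stateless_filter(self.rules, pkt)
        if action == "accept":
            self.table.add(key)           # remember the new connection
        return action


def demo():
    """Four constructed packets; returns both firewalls' verdicts in order."""
    packets = [
        # 1. internal client opens an HTTPS connection outwards
        Packet("192.168.1.20", "203.0.113.5", "tcp", 51000, 443, frozenset({"SYN"}), "int"),
        # 2. the server's SYN/ACK reply to that connection
        Packet("203.0.113.5", "192.168.1.20", "tcp", 443, 51000, frozenset({"SYN", "ACK"}), "ext"),
        # 3. outsider opens a connection to the published web server
        Packet("198.51.100.9", "192.168.1.10", "tcp", 40001, 80, frozenset({"SYN"}), "ext"),
        # 4. unsolicited packet to RDP on a workstation, ACK set to look like a reply
        Packet("198.51.100.9", "192.168.1.20", "tcp", 40000, 3389, frozenset({"ACK"}), "ext"),
    ]
    fw = StatefulFirewall(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in packets],
        "stateful": [fw.process(p) for p in packets],
    }


if __name__ == "__main__":
    print(demo())
```

A real stateful firewall also ages entries out of the table and tracks the TCP handshake and teardown rather than just the 5-tuple; the table here never shrinks, which is the simplification to remove before using the idea for anything but teaching.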

Application / Proxy Firewall

A proxy firewall is a network security system that protects network resources
by filtering messages at the application layer. It may also be called an
application firewall or gateway firewall.
Proxy firewalls are considered the most secure type of firewall because they
prevent direct network contact between the two sides: the proxy has its own IP
address and terminates each client connection itself, so an outside system
never receives packets from the internal sender directly. Because it examines
the entire application payload, rather than just the network address and port
number, a proxy firewall also has extensive logging capabilities.
The goal of the proxy approach is to create a single point at which a
security-conscious programmer can assess the threat represented by each
application protocol (HTTP, FTP, SMTP etc.) and put error detection, attack
detection and validity checking in place.


The added security offered by a proxy firewall has its drawbacks, however.
Because the proxy terminates every client connection and opens a separate
connection of its own to the server, the firewall can become a bottleneck,
degrading performance or becoming a single point of failure. Additionally, proxy
firewalls support only the protocols for which a proxy has been written, which
limits the applications the network can use.
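As an added example (not part of the original notes), the following Python function is the kind of application-layer validity check a proxy firewall performs on an HTTP request before opening its own connection to the server, and it shows the benefit claimed above: an unwanted service using an allowed port is caught because its traffic is not valid HTTP. The allowed-method set, the host allow list and the sample requests are constructed assumptions; the reason string is what the proxy would write to its log.

```python
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                      # assumed policy
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}    # assumed allow list


def inspect_http_request(raw):
    """Application-layer check made by the proxy. Returns (decision, reason)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "deny", "non-text payload: not HTTP (another protocol on the allowed port?)"
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "deny", "malformed request line: not HTTP (another protocol on the allowed port?)"
    method, target, _version = parts
    if method == "CONNECT":
        return "deny", "CONNECT tunnel would carry arbitrary traffic through the proxy"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return "deny", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return "deny", "missing Host header"
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        return "deny", f"host {host} not in allow list"
    return "allow", f"{method} {host}{target}"


# Constructed byte strings as the proxy would receive them on port 80.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh-on-80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "tls-on-80": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "tunnel": b"CONNECT evil.example.net:443 HTTP/1.1\r\nHost: evil.example.net:443\r\n\r\n",
    "bad-host": b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
    "no-host": b"GET / HTTP/1.1\r\n\r\n",
}


def proxy_decisions(samples=SAMPLES):
    """Decision for each sample, as the proxy's log summary."""
    return {name: inspect_http_request(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_http_request(raw))
```

Only the first request is forwarded. A packet filter would have accepted all six, since every one of them is a TCP segment to port 80 from an allowed address; the difference is the whole point of the proxy approach.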

Advantages of using firewalls based on packet filtering

 Low cost: packet filters make use of the existing network routers, so
implementing a packet filter is typically less complicated than other network
security solutions.
 Security is transparent to end users: no client software or user action is
needed.
 Easy to install.
 High speed: packet filters are generally faster than other firewall
technologies because they perform fewer evaluations per packet.

Disadvantages of using firewalls based on packet filtering

 Packet filters do not understand application-layer protocols, so they cannot
discriminate between a legitimate and a malicious packet that use the same
addresses and ports.
 They do not offer value-added features such as HTTP object caching, URL
filtering or authentication, because they do not understand the protocols
being used.
 Packet filtering routers are not very secure on their own: they trust the
source address in the packet, which can be spoofed, and they see each packet in
isolation rather than as part of a connection.
 New rules must be added whenever an employee has special requirements for
connecting to the Internet, and rule sets on a router are difficult to write
and maintain correctly.
 There is no user-based authentication: a packet filter cannot verify that
traffic comes from a specific user.

Advantages of Using a Firewall

A company network or a home computer gains a number of advantages from using a
firewall:
 It is more cost effective than securing each computer in the corporate
network individually, since there are only one or a few firewall systems to
concentrate on.


 There are some firewalls which are able to detect viruses, Trojans,
worms and spyware etc.

Disadvantages of Using a Firewall

 A firewall helps keep the network safe from intruders, but if it is not used
properly it gives a false impression that the network is safe. The main
disadvantage of a firewall is that it cannot protect the network from attacks
that originate inside it; it often cannot protect against an insider attack.
 Firewalls cannot protect a network or PC from viruses, Trojans, worms and
spyware that spread through flash drives, portable hard disks, floppies and
other media that never cross the firewall.
 They may restrict authorized users from accessing valuable services.
 They do not protect against backdoors: any path into the network that
bypasses the firewall, for example a user connecting a broadband modem directly
to the Internet, is completely unprotected.

Limitations of firewall
1. The main limitation of a firewall is that it cannot protect the network from
attacks that originate inside it; it often cannot protect against an insider
attack.
2. Firewalls cannot protect a network or PC from viruses, Trojans, worms and
spyware that spread through flash drives, portable hard disks, floppies and
other media that never cross the firewall.

Firewall vs IDS

1. Firewall: a hardware and/or software system that functions in a networked
environment to block unauthorized access while permitting authorized
communications.
   IDS: a software or hardware device installed on the network (NIDS) or on a
host (HIDS) to detect and report intrusion attempts.

2. Firewall: can block unauthorized access to the network (e.g. a watchman
standing at the gate can block a thief).
   IDS: can only report an intrusion; it cannot block it (e.g. a CCTV camera
can alert about a thief but cannot stop him).

3. Firewall: cannot detect security breaches in traffic that does not pass
through it (e.g. the gateman watches only the front gate and is unaware of
wall-jumpers).
   IDS: is fully capable of internal security, collecting information from a
variety of system and network resources and analyzing the symptoms of security
problems.

4. Firewall: does not inspect the content of permitted traffic (the gateman
will never suspect an employee of the company).
   IDS: keeps a check on the overall network, including traffic the firewall
has already permitted.

5. Firewall: once its rule set is configured, it enforces the rules without
operator involvement.
   IDS: an administrator (man-power) is required to review and respond to the
alerts it raises.

6. Firewall: the most visible part of a network to an outsider and hence the
first thing to be attacked (the gateman will be the first person attacked by a
thief!).
   IDS: very difficult to spot in a network, especially when run in stealth
mode.

1. Explain the infrastructure of IDS with a neat diagram.
2. Describe the classification of IDS.
3. Define IDS. List the functions performed by an Intrusion Detection System.
4. Explain the need for firewalls.
5. Describe malicious software and its types.
6. List the types of firewalls.
7. Mention the limitations of firewalls.
8. Write a note on network-based IDS.
9. Write a note on host-based IDS.
10. Write a note on anomaly detection and signature detection.
11. Describe misbehaviour signatures (signature detection) with its 10 disadvantages.
12. Explain the packet filtering firewall and its importance.
13. Explain host-dependent programs and host-independent programs.
14. Explain the proxy firewall with a neat diagram.

