Introduction to and differences between a Security Firewall, an IPS (Intrusion Prevention System) and an IDS (Intrusion Detection System)
Today I am going to talk about the basics of security
terminology, including basic information on, and the differences between, a Firewall,
an IPS (Intrusion Prevention System) and an IDS (Intrusion Detection System).
Network Security
Firewall
As most of you already know, the main purpose of a Firewall is to prevent
or allow traffic between interfaces based on configured rules; a firewall that
tracks connections this way is a stateful firewall. A stateful firewall works on
a set of rules defined on the basis of source and destination.
Firewalls often have a network address translation (NAT) function
to isolate private network addresses from public ones. They may also inspect traffic for
conformance with proper protocol behavior and drop non-compliant traffic.
There are a lot of vendors in this space, such as Palo Alto
Networks, Cisco Systems, Check Point, Fortinet and many more.
Firewalls often have an optional IDS/IPS component, since they are
usually placed at the optimal network location to see all the
interesting traffic that should be subject to the further inspection and analysis
done by an IDS/IPS.
Fig 1.1 - Firewall + IPS and IDS
IPS - Intrusion Prevention System
An Intrusion Prevention System (IPS) is a network threat prevention technology
that inspects network traffic streams to identify and block vulnerability
exploits. Vulnerability exploits usually come in the form of malicious inputs
to a target application or service that attackers use to interrupt, and gain
control of, an application or machine.
Following a successful exploit, the attacker can disable the
target application (resulting in a denial-of-service state), or can potentially
gain access to all the rights and permissions available to the compromised
application.
The IPS plays an important role: it is placed behind the
firewall and delivers a supplementary layer of analysis after the firewall
has done its work. Unlike its predecessor, the Intrusion Detection System
(IDS), which is a passive system that scans traffic and reports back on
threats, the IPS is placed inline (in the direct communication path between
source and destination), actively analyzing and taking automated actions on all
traffic flows that enter the network.
In other words, it is a device or application that
analyzes packet headers and enforces policy based on protocol type, source
address, destination address, source port and/or destination port. Packets that
do not match policy are rejected.
IDS - Intrusion Detection System
An IDS (Intrusion Detection System) is a device or application that analyses whole
packets, both header and payload, looking for known events. When a known event
is detected, a log message is generated detailing the event.
An IDS does not prevent the attack from reaching the various assets
(although on some platforms there are options to configure it to send RST
packets).
It does NOT receive the real traffic from client to server
or server to client; it basically receives a copy from the network device
attached to it (PC, SPAN session, TAP, Packet etc.). I will not talk about the
different types of IDS used in network scenarios.
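To make the three roles concrete, here is an added Python simulation (not code from the original post) of the firewall, IPS and IDS sections above: the firewall decides on header fields only, the inline IPS drops a flow when a payload signature fires, and the passive IDS only logs (optionally signalling an RST). The rule table, the signature patterns and all packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes

# Constructed firewall policy (hypothetical): header fields only, first match wins, default deny.
FW_RULES = [
    ("10.0.0.0/8", "192.168.1.10/32", "tcp", 80, "allow"),
    ("10.0.0.0/8", "192.168.1.10/32", "tcp", 22, "deny"),
    ("0.0.0.0/0", "192.168.1.10/32", "tcp", 443, "allow"),
]

# Constructed content signatures (hypothetical): byte patterns looked for in the payload.
SIGNATURES = {"http-dir-traversal": b"/../../", "http-trace-method": b"TRACE /"}

def firewall(pkt: Packet) -> str:
    """Firewall decision: match on source, destination, protocol and port; the payload is never read."""
    for src, dst, proto, dport, action in FW_RULES:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
                and pkt.proto == proto and pkt.dport == dport):
            return action
    return "deny"

def match_signatures(pkt: Packet) -> list[str]:
    """Payload inspection shared by IDS and IPS: which known events does this packet contain?"""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]

def ids(pkt: Packet, log: list[str], send_rst: bool = False) -> str:
    """Passive IDS on a SPAN/TAP copy: logs every hit, never alters the forwarding path."""
    hits = match_signatures(pkt)
    for hit in hits:
        log.append(f"ALERT {hit} {pkt.src}->{pkt.dst}:{pkt.dport}")
    return "rst" if hits and send_rst else "log-only"

def ips(pkt: Packet) -> str:
    """Inline IPS: the packet only continues if no signature fires."""
    return "drop" if match_signatures(pkt) else "forward"

def process(pkt: Packet, log: list[str]) -> dict:
    """Firewall first, then the inline IPS on what it allowed; the IDS sees a copy of everything."""
    fw = firewall(pkt)
    return {"firewall": fw, "ips": ips(pkt) if fw == "allow" else "n/a", "ids": ids(pkt, log)}
```

Note that the IDS here is assumed to be tapped in front of the firewall, so it logs the traversal attempt even though the firewall would also have let it through and only the IPS stops it.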