Unit III

An Intrusion Detection System (IDS) is a security tool that monitors network traffic for malicious activities and alerts administrators to potential threats. IDS can be classified into types such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), and employs detection methods like signature-based and anomaly-based techniques. Firewalls, which can be hardware or software-based, filter incoming and outgoing traffic based on predefined security rules, but have limitations such as inability to prevent internal threats or misconfigured security rules.

IDS

An Intrusion Detection System (IDS) is a security tool that monitors a computer
network or systems for malicious activities or policy violations. It helps detect
unauthorized access, potential threats, and abnormal activities by analyzing traffic
and alerting administrators to take action. An IDS is crucial for maintaining
network security and protecting sensitive data from cyber-attacks.

Intrusion Detection System

An intrusion detection system (IDS) observes network traffic for malicious
transactions and sends an immediate alert when one is observed. It is software
that checks a network or system for malicious activities or policy violations.
Each illegal activity or violation is typically either recorded centrally in a
SIEM system or reported to an administrator. An IDS monitors a network or
system for malicious activity and protects a computer network from unauthorized
access by users, including possibly insiders. The intrusion detector learning task
is to build a predictive model (i.e. a classifier) capable of distinguishing between
‘bad connections’ (intrusions/attacks) and ‘good (normal) connections’.

Working of Intrusion Detection System (IDS)

 An IDS (Intrusion Detection System) monitors the traffic on a computer
network to detect any suspicious activity.
 It analyzes the data flowing through the network to look for patterns and signs
of abnormal behavior.
 The IDS compares the network activity to a set of predefined rules and
patterns to identify any activity that might indicate an attack or intrusion.
 If the IDS detects something that matches one of these rules or patterns, it
sends an alert to the system administrator.
 The system administrator can then investigate the alert and take action to
prevent any damage or further intrusion.
Classification of Intrusion Detection System (IDS)
Intrusion Detection Systems are classified into 5 types:
 Network Intrusion Detection System (NIDS): Network intrusion detection
systems (NIDS) are set up at a planned point within the network to examine
traffic from all devices on the network. A NIDS observes the traffic passing on
the entire subnet and matches it against the collection of known attacks. Once
an attack is identified or abnormal behavior is observed, an alert can be sent to
the administrator. An example of NIDS use is installing it on the subnet where
firewalls are located in order to see if someone is trying to crack the firewall.
 Host Intrusion Detection System (HIDS): Host intrusion detection systems
(HIDS) run on independent hosts or devices on the network. A HIDS monitors
the incoming and outgoing packets of that device only and alerts the
administrator if suspicious or malicious activity is detected. It takes a snapshot
of the existing system files and compares it with the previous snapshot. If any
of these system files were edited or deleted, an alert is sent to the
administrator to investigate. An example of HIDS usage can be seen on
mission-critical machines, which are not expected to change their layout.
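The snapshot comparison a HIDS performs can be shown in a few lines. The Python below is an added example, not code from the page: it hashes every file under a directory to form a baseline, then compares a later snapshot against it and reports what was modified, deleted or added. The directory contents are constructed in a temporary folder, so the script runs anywhere without touching real system files.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the page): a HIDS-style file-integrity check.
# A baseline snapshot (relative path -> SHA-256) is taken of the monitored
# files; a later snapshot is compared with it and every modified, deleted
# or newly added file becomes an alert for the administrator.


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_snapshots(baseline: dict, current: dict) -> list:
    """Return alerts as (event, relative_path) tuples, sorted for stable output."""
    alerts = []
    for rel, digest in baseline.items():
        if rel not in current:
            alerts.append(("deleted", rel))
        elif current[rel] != digest:
            alerts.append(("modified", rel))
    alerts.extend(("added", rel) for rel in current if rel not in baseline)
    return sorted(alerts)


def demo() -> list:
    """Build a throw-away 'system' tree (constructed data), change it, return the alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed-binary")

        baseline = take_snapshot(root)  # taken while the host is known-good

        # Simulated changes between the two snapshots.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")  # file edited
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced-binary")  # file replaced
        (root / "etc" / "hosts").unlink()                               # file deleted
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF new")       # file added

        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    for event, rel in demo():
        print(f"ALERT {event:<9} {rel}")
```

A real HIDS stores the baseline somewhere the monitored host cannot silently rewrite (or signs it), and re-runs the comparison on a schedule; the comparison logic itself is no more than the `compare_snapshots` function above.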
Detection Methods of IDS
 Signature-Based Method: A signature-based IDS detects attacks on the
basis of specific patterns, such as the number of bytes or the number of 1s or
0s in the network traffic. It also detects attacks on the basis of already
known malicious instruction sequences used by malware. The patterns the IDS
looks for are known as signatures. A signature-based IDS can easily detect
attacks whose pattern (signature) already exists in the system, but it is quite
difficult for it to detect new malware attacks, as their pattern (signature) is
not yet known.

 Anomaly-Based Method: Anomaly-based IDS was introduced to detect
unknown malware attacks, since new malware is developed rapidly. An anomaly-
based IDS uses machine learning to build a model of trusted activity; everything
that arrives is compared with that model and is declared suspicious if it does
not fit the model. The machine learning-based method generalizes better than a
signature-based IDS, as these models can be trained according to the
applications and hardware configurations.
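As an added example (not code from the page), the following Python runs both methods over a few constructed connection records: a signature detector with two hypothetical patterns, and an anomaly model that learns a baseline of connection size from normal traffic and flags anything whose z-score exceeds a threshold. The signature strings, addresses and sizes are all constructed for the illustration.

```python
import statistics
from dataclasses import dataclass

# Added example (not from the page): the two detection methods side by side,
# run over constructed connection records. Signature detection matches known
# byte patterns; anomaly detection learns a baseline from normal traffic and
# flags connections that fall far outside it.


@dataclass
class Connection:
    src: str
    dst_port: int
    size: int        # bytes transferred over the connection
    payload: bytes   # first bytes of application data seen by the sensor


# Constructed signature database: (name, byte pattern). Real rule sets (Snort,
# Suricata) are far richer, but the principle is the same: known pattern -> alert.
SIGNATURES = [
    ("path-traversal", b"../../etc/passwd"),
    ("known-malware-agent", b"User-Agent: EvilBot/1.0"),  # fictional malware string
]


def signature_detect(conn: Connection) -> list:
    """Names of every signature whose pattern occurs in the payload (empty = clean)."""
    return [name for name, pattern in SIGNATURES if pattern in conn.payload]


class AnomalyModel:
    """Baseline of connection size; a z-score beyond the threshold is anomalous."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.mean = 0.0
        self.stdev = 1.0

    def train(self, normal: list) -> None:
        sizes = [c.size for c in normal]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes) or 1.0  # guard against zero spread

    def score(self, conn: Connection) -> float:
        return (conn.size - self.mean) / self.stdev

    def is_anomalous(self, conn: Connection) -> bool:
        return abs(self.score(conn)) > self.z_threshold


def analyze(conns: list, model: AnomalyModel) -> dict:
    """Run both detectors; map src -> reasons for every connection that raised an alert."""
    alerts = {}
    for c in conns:
        reasons = [f"signature:{name}" for name in signature_detect(c)]
        if model.is_anomalous(c):
            reasons.append(f"anomaly:z={model.score(c):.1f}")
        if reasons:
            alerts[c.src] = reasons
    return alerts


# Constructed "normal" traffic used to train the baseline (mean 900 bytes).
TRAINING = [Connection("10.0.0.1", 443, s, b"GET /index.html HTTP/1.1\r\n")
            for s in (500, 700, 900, 1100, 1300, 800, 600, 1000, 1200, 900)]

# Constructed test traffic: one normal connection, one known attack of normal
# size, and one novel bulk transfer that matches no signature.
TEST_TRAFFIC = [
    Connection("10.0.0.5", 443, 1400, b"GET /about.html HTTP/1.1\r\n"),
    Connection("10.0.0.7", 80, 800, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Connection("10.0.0.9", 443, 50_000_000, b"POST /upload HTTP/1.1\r\n"),
]


def demo() -> dict:
    model = AnomalyModel()
    model.train(TRAINING)
    return analyze(TEST_TRAFFIC, model)


if __name__ == "__main__":
    for src, reasons in demo().items():
        print(src, reasons)
```

Running it shows the trade-off the text describes: the path-traversal request is a normal-sized connection, so only the signature detector catches it, while the 50 MB upload matches no signature and is caught only because its size lies far outside the learned baseline. Neither method alone covers both cases, which is why deployments usually combine them.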

Advantages

 Early Threat Detection: IDS identifies potential threats early, allowing for
quicker response to prevent damage.
 Enhanced Security: It adds an extra layer of security, complementing other
cybersecurity measures to provide comprehensive protection.
 Network Monitoring: Continuously monitors network traffic for unusual
activities, ensuring constant vigilance.
 Detailed Alerts: Provides detailed alerts and logs about suspicious activities,
helping IT teams investigate and respond effectively.

What is a Firewall

A firewall is a network security device, either hardware- or software-based, that
monitors all incoming and outgoing traffic and, based on a defined set of security
rules, accepts, rejects, or drops that traffic.
 Accept: allow the traffic
 Reject: block the traffic but reply with an “unreachable error”
 Drop: block the traffic with no reply
A firewall is a type of network security device that filters incoming and outgoing
network traffic according to security policies that have previously been set up
inside an organization. At its most basic level, a firewall is the wall that
separates a private internal network from the open Internet.

Working of Firewall
A firewall matches network traffic against the rule set defined in its table. Once
a rule is matched, the associated action is applied to the traffic. For example,
one rule may state that employees from the Human Resources department cannot
access data on the code server, while another rule states that the system
administrator can access data from both the Human Resources and technical
departments. Rules are defined on the firewall according to the needs and
security policies of the organization. From the perspective of a server, network
traffic is either outgoing or incoming.
The firewall maintains a distinct set of rules for each case. Outgoing traffic,
originating from the server itself, is mostly allowed to pass. Still, setting rules on
outgoing traffic is always better in order to achieve more security and prevent
unwanted communication. Incoming traffic is treated differently.

Most traffic that reaches the firewall uses one of three major Transport
Layer protocols: TCP, UDP or ICMP. All of these carry a source address and a
destination address. TCP and UDP additionally have port numbers; ICMP uses a
type and code instead of a port number to identify the purpose of the packet.
Packet Filtering Firewall

A packet filtering firewall controls network access by monitoring outgoing and
incoming packets and allowing them to pass or stopping them based on source and
destination IP address, protocol, and ports. It analyses traffic at the transport
layer (but mainly uses the first 3 layers). Packet filtering firewalls treat each
packet in isolation: they have no ability to tell whether a packet is part of an
existing stream of traffic, and can only allow or deny packets based on the
individual packet's headers. A packet filtering firewall maintains a filtering table
that decides whether a packet will be forwarded or discarded. From the given
filtering table, packets are filtered according to the following rules:

 Incoming packets from network 192.168.21.0 are blocked.
 Incoming packets destined for the internal TELNET server (port 23) are
blocked.
 Incoming packets destined for host 192.168.21.3 are blocked.
 All well-known services to the network 192.168.21.0 are allowed.
Stateful Inspection Firewall

Stateful firewalls (which perform Stateful Packet Inspection) are able to determine
the connection state of a packet, unlike packet filtering firewalls, which makes
them more efficient. A stateful firewall keeps track of the state of network
connections travelling across it, such as TCP streams, so filtering decisions are
based not only on the defined rules but also on the packet's history in the state
table.
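Putting the filtering-table rules above and the stateful inspection idea together, here is an added Python example (not code from the page): the four rules encoded as a first-match table for a stateless packet filter, and a stateful wrapper that additionally keeps a state table of connections it has already seen. It assumes that "well-known services" means destination ports 0-1023 in the outgoing direction, that packets matching no rule are dropped by default, and that `reject` answers the sender while `drop` stays silent, following the Accept/Reject/Drop definitions earlier on the page. The sample packets and the internal addresses (10.1.1.x, 203.0.113.9) are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the page): the page's four packet-filter rules as a
# first-match rule table, plus a stateful wrapper that also consults a table of
# connections it has already seen. Assumptions: "well-known services" means
# destination ports 0-1023 in the outgoing direction; unmatched packets are
# dropped; reject answers the sender with ICMP unreachable, drop stays silent.

ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from outside) or "out" (leaving the internal network)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    direction: str      # "in", "out" or "*"
    src_net: str        # CIDR network or "*"; a single host is written as /32
    dst_net: str
    dport: range        # destination ports the rule covers
    action: str         # "accept", "reject" or "drop"


def _net_matches(net: str, addr: str) -> bool:
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("*", pkt.direction)
            and _net_matches(rule.src_net, pkt.src)
            and _net_matches(rule.dst_net, pkt.dst)
            and pkt.dport in rule.dport)


# The filtering table, in the order the page lists the rules.
RULES = [
    Rule("in", "192.168.21.0/24", "*", ANY_PORT, "drop"),          # 1: incoming from 192.168.21.0 blocked
    Rule("in", "*", "*", range(23, 24), "reject"),                  # 2: incoming to TELNET (port 23) blocked
    Rule("in", "*", "192.168.21.3/32", ANY_PORT, "drop"),           # 3: incoming to host 192.168.21.3 blocked
    Rule("out", "*", "192.168.21.0/24", range(0, 1024), "accept"),  # 4: well-known services to 192.168.21.0 allowed
]
DEFAULT_ACTION = "drop"


def stateless_filter(pkt: Packet, rules=RULES) -> str:
    """Packet filtering: each packet is judged in isolation, first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return DEFAULT_ACTION


def reply_for(action: str):
    """What the sender observes: reject gets an ICMP unreachable, accept/drop nothing."""
    return "icmp-unreachable" if action == "reject" else None


class StatefulFilter:
    """Stateful inspection: the static rules plus a state table of flows already seen."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()  # flows as (src, sport, dst, dport, proto); real firewalls also expire these

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # A packet belonging to a known flow (either direction) is accepted on its history alone.
        if key in self.state or reverse in self.state:
            return "accept"
        # Otherwise the rule table decides, and an accepted new TCP connection is remembered.
        action = stateless_filter(pkt, self.rules)
        if action == "accept" and pkt.proto == "tcp" and pkt.syn:
            self.state.add(key)
        return action


def demo() -> dict:
    """Constructed packets showing where the stateless and stateful decisions differ."""
    outbound = Packet("out", "10.1.1.20", 40001, "192.168.21.5", 80, syn=True)  # internal host opens HTTP
    reply = Packet("in", "192.168.21.5", 80, "10.1.1.20", 40001)                # the server's answer
    telnet = Packet("in", "203.0.113.9", 5555, "10.1.1.10", 23, syn=True)       # outside host tries TELNET
    stateful = StatefulFilter()
    return {
        "outbound_stateless": stateless_filter(outbound),  # accept (rule 4)
        "reply_stateless": stateless_filter(reply),        # drop (rule 1: the reply is judged alone)
        "outbound_stateful": stateful.filter(outbound),    # accept, flow recorded
        "reply_stateful": stateful.filter(reply),          # accept: matches the state table
        "telnet": stateless_filter(telnet),                # reject (rule 2)
        "telnet_reply": reply_for(stateless_filter(telnet)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<20} {verdict}")
```

The interesting case is the reply packet: judged on its own, rule 1 drops it because it arrives from 192.168.21.0/24, but the stateful filter accepts it because the internal host opened that connection a moment earlier. That is exactly the "packet's history in the state table" the text refers to, and it is why a stateless filter would need a much broader inbound allow rule to let the same traffic through.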

Software Firewall

A software firewall is any firewall that is set up locally or on a cloud server. When
it comes to controlling the inflow and outflow of data packets and limiting the
number of networks that can be linked to a single device, they may be the most
advantageous. The drawback of software firewalls is that they are time-consuming.
Hardware Firewall

These also go by the name “firewalls based on physical appliances.” A hardware
firewall guarantees that malicious data is halted before it reaches the network
endpoint that is in danger.
Application Layer Firewall

An application layer firewall can inspect and filter packets at any OSI layer, up
to the application layer. It has the ability to block specific content and to
recognize when certain applications and protocols (like HTTP, FTP) are being
misused. In other words, application layer firewalls are hosts that run proxy
servers. A proxy firewall prevents a direct connection between either side of the
firewall; each packet has to pass through the proxy.

Next Generation Firewalls (NGFW)

An NGFW consists of Deep Packet Inspection, Application Inspection, SSL/SSH
inspection and many other functionalities to protect the network from modern
threats.
Proxy Service Firewall

This kind of firewall filters communications at the application layer and protects
the network. A proxy firewall acts as a gateway between two networks for a
particular application.

A proxy firewall works by acting as a gatekeeper between an organization's
internal network and external services like the public internet. It processes requests
by establishing a connection to the requested service on behalf of the user,
scrutinizing the traffic for security threats, and ensuring compliance with network
policies.

Limitations of Firewall

o Firewalls cannot stop users from accessing malicious websites, leaving the
network vulnerable to internal threats or attacks.
o Firewalls cannot protect against the transfer of virus-infected files or software.
o Firewalls cannot prevent misuse of passwords.
o Firewalls cannot protect if security rules are misconfigured.
o Firewalls cannot protect against non-technical security risks, such as social
engineering.
o Firewalls cannot stop or prevent attackers with modems from dialing in to or
out of the internal network.
o Firewalls cannot secure the system which is already infected.
