Intrusion Detection & Prevention Systems
We Solve IT provide advanced, configurable Intrusion Detection and Prevention Systems that help you to monitor and manage inbound and outbound traffic, providing a highly effective layer of defence against both automated and hands-on attacks attempting to gain access to your infrastructure.
- Observe potentially malicious activity that may compromise your infrastructure
- Monitor attacks originating from inside your business systems
- Detect traffic anomalies as well as misuse
- Create policies and rules for handling suspicious activity across your network
- Receive alarms and reports on traffic behaviour for faster reactions to potential threats before they become a danger to your business
Intrusion Detection and Prevention Systems (IDS / IPS) inspect your inbound and outbound network activity, monitoring for and identifying behaviour patterns that might indicate an attack from someone attempting to access or otherwise compromise your infrastructure. IDS/IPS solutions can be network-based (inspecting all traffic crossing a network segment) or host-based (inspecting the traffic and activity of an individual machine); most deployments combine the two.
IDS/IPS work in a variety of ways. Misuse (signature) detection gathers traffic and compares it against a database of known attack patterns. This is a reactive method, rather like antivirus: it only catches what is already in the knowledgebase, so the signature set must be comprehensive and kept up to date, and traffic must be normalised (for example URL-decoded) before matching so that simple encoding tricks do not slip past. Anomaly detection instead builds a baseline of normal behaviour for the network and flags activity that falls outside the acceptable patterns; it can catch novel attacks but produces false positives when the baseline is poor. IDS/IPS can also be configured to be either passive (information is logged and the administrator alerted, the classic IDS role) or reactive (the offending session is dropped, the user logged off the network, or the firewall updated to block the source, the IPS role). Reactive mode must sit inline in the traffic path, and because it acts automatically, a false positive there blocks legitimate users, so thresholds and signatures need tuning before enabling it.
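To make the two detection methods and the two response modes concrete, here is an added illustration in Python (not We Solve IT's product or code): a miniature IDS that runs a misuse signature and a per-source rate anomaly check over a constructed web-server access log, and returns either alerts only (passive) or alerts plus a block list for the firewall (reactive). The log format, the single signature, the rate baseline and the sample lines are all assumptions made up for the example.

```python
"""Minimal IDS engine: misuse (signature) detection, anomaly (rate) detection,
and passive vs reactive response, over constructed access-log lines.
Added example; not We Solve IT's code. Format and thresholds are assumptions."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log, one request per line: "<ts> <src_ip> <method> <raw_path>"
SAMPLE_LOG = """\
1000 10.0.0.5 GET /index.html
1001 10.0.0.5 GET /images/logo.png
1002 203.0.113.9 GET /cgi-bin/test.cgi?file=../../etc/passwd
1003 203.0.113.9 GET /cgi-bin/%74est.cgi?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd
1004 198.51.100.7 GET /a
1005 198.51.100.7 GET /b
1006 198.51.100.7 GET /c
1007 198.51.100.7 GET /d
1008 198.51.100.7 GET /e
1009 198.51.100.7 GET /f
1010 10.0.0.5 GET /about.html
"""

# Misuse detection: the "knowledgebase" of known-bad patterns (one assumed
# signature here: directory traversal against a CGI script).
SIGNATURES = {
    "cgi-traversal": re.compile(r"/cgi-bin/.*\.\./", re.IGNORECASE),
}

# Anomaly detection: assumed baseline of at most RATE_LIMIT requests from one
# source inside any WINDOW-second interval.
WINDOW = 10
RATE_LIMIT = 5


def parse(line):
    ts, src, method, path = line.split(" ", 3)
    return int(ts), src, method, path


def misuse_check(path):
    """Return the name of the first matching signature, or None.
    The path is URL-decoded twice before matching so that %2e%2e%2f and
    double-encoded variants cannot evade the signature."""
    decoded = unquote(unquote(path))
    for name, rx in SIGNATURES.items():
        if rx.search(decoded):
            return name
    return None


def analyse(log_text, mode="passive"):
    """Run both detectors over the log. Returns (alerts, blocked_sources).
    passive: alert only. reactive: also return the sources to block."""
    alerts = []
    recent = defaultdict(list)  # src -> request timestamps inside the window
    for line in log_text.splitlines():
        ts, src, _method, path = parse(line)
        sig = misuse_check(path)
        if sig:
            alerts.append((ts, src, "misuse", sig))
        window = [t for t in recent[src] if ts - t < WINDOW] + [ts]
        recent[src] = window
        if len(window) > RATE_LIMIT:
            alerts.append((ts, src, "anomaly", f"{len(window)} req/{WINDOW}s"))
    blocked = {src for _, src, _, _ in alerts} if mode == "reactive" else set()
    return alerts, blocked


if __name__ == "__main__":
    for mode in ("passive", "reactive"):
        alerts, blocked = analyse(SAMPLE_LOG, mode)
        print(mode, alerts, "block:", sorted(blocked))
```

Note that the encoded request on the fourth log line does not match the raw signature at all; it is only caught because the engine normalises the path first. That is the general lesson behind the HTTP obfuscation and SSL evasion entries further down: an IDS can only match what it can see in canonical form.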
IDS/IPS add a layer on top of the firewall. A firewall enforces comparatively rigid allow/deny rules on addresses, ports and protocols and is mainly aimed at external attacks, whereas IDS/IPS inspect the content and behaviour of the traffic that the firewall lets through, evaluating suspicious activity originating inside as well as outside the infrastructure and flagging issues as they occur.
Types of network threats:
Address Resolution Protocol (ARP) spoofing: ARP maps an already-known IP address to a MAC address on the local network; a host broadcasts an ARP request asking which MAC address belongs to a given IP, and the owner replies. ARP has no authentication, so an attacker on the same segment can send forged replies claiming that another host's IP (typically the gateway) belongs to the attacker's MAC address. Traffic for that host is then redirected through the attacker, who can read or alter it.
Buffer overflow attacks: If an application or process is made to write more data into a buffer than it was allocated to hold, the excess overwrites adjacent memory. Crafted input can use this to corrupt data, crash the process, or inject code that runs with the privileges of the victim program.
CGI attacks: Attacks on a web server running CGI scripts, typically by passing crafted parameters (directory traversal, shell metacharacters) that the script handles unsafely; if successful they give the attacker access to the host.
DoS/DDoS attacks: A well-known vector where servers are flooded with connection requests or traffic until legitimate users are denied service. From a single source this is a DoS attack; a distributed (DDoS) attack uses many compromised hosts launching the flood simultaneously from different locations, which is far harder to filter at the source.
HTTP obfuscation: An attack on a web server in which the request is encoded (URL encoding, double encoding, mixed case, alternative Unicode forms) so that a malicious URL does not match a signature while the server still interprets it as the attacker intends. Detection must normalise the request before matching.
ICMP storms: A large volume of ICMP echo requests (pings) may signal a scan sweeping for live IP addresses, or a flood intended to exhaust bandwidth.
IP fragmentation attacks: Crafted, overlapping or incomplete IP fragments are sent so that an inspection device and the destination host reassemble them differently, hiding the attack from the IDS, or so that the host's reassembly code is exhausted or crashes.
OS fingerprinting: Determining the operating system and version of devices from the way their network stacks respond, then researching known vulnerabilities for that platform before launching an attack.
Ping of Death: Sending a ping built from fragments that reassemble into a packet larger than the IP maximum of 65,535 bytes, which on vulnerable systems overflows the reassembly buffer and crashes the recipient.
Port scanning: Probing the ports of an individual host or a range of hosts to determine which are open and what services are listening, which then provides targets for vulnerability exploits.
Server Message Block (SMB) probe: SMB is mainly used to provide shared access to files and to devices such as printers or serial ports within a local network. An SMB probe looks for hosts exposing the protocol (TCP port 445) beyond their own subnet or to the internet, where it should never be reachable.
SMTP DoS attacks: A crude but at times effective attack where large numbers of messages to non-existent addresses are flung at a mail server, forcing it to process and bounce each one until it is under strain.
SSL evasion: An attack carried inside an encrypted SSL/TLS tunnel to avoid inspection by the security layers deployed by an organisation; an IDS that cannot decrypt the traffic sees only connection metadata.
SYN flood attacks: An attack where a server receives a flood of TCP connection requests (SYN packets), often from spoofed addresses, but the handshake is never completed, so the server holds memory for each half-open connection until its backlog is exhausted and legitimate connections are refused.
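Several of the threats above leave a recognisable pattern in packet headers alone, which is what a network-based IDS keys on. The following added example in Python (not We Solve IT's code) implements simple detectors for four of them, port scanning, SYN floods, ICMP storms and ARP spoofing, over a constructed list of packet summaries. The record layout, the thresholds and the sample traffic are assumptions for the example; a real sensor would read these fields from captured packets.

```python
"""Header-level detectors for port scans, SYN floods, ICMP storms and ARP
spoofing, run over a constructed packet summary. Added example, not We Solve
IT's code; record format and thresholds are assumptions."""
from collections import defaultdict

# Constructed packet summaries (assumed layout):
#   ("TCP",  src, sport, dst, dport, flags)   flags "S" = SYN, "A" = ACK
#   ("ICMP", src, dst, icmp_type)             type 8 = echo request
#   ("ARP",  ip, mac)                         an ARP reply claiming ip is at mac
PACKETS = []
# Normal: one completed handshake from an inside host to the web server.
PACKETS += [("TCP", "10.0.0.5", 40000, "10.0.0.30", 80, "S"),
            ("TCP", "10.0.0.5", 40000, "10.0.0.30", 80, "A")]
# Port scan: one source probing many ports on one host, never completing.
PACKETS += [("TCP", "198.51.100.7", 50000 + i, "10.0.0.20", port, "S")
            for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])]
# SYN flood: 50 spoofed sources sending SYN to the web server, no ACK follows.
PACKETS += [("TCP", f"203.0.113.{i}", 1024 + i, "10.0.0.30", 80, "S") for i in range(1, 51)]
# ICMP storm: one host sweeping the subnet with echo requests.
PACKETS += [("ICMP", "192.0.2.9", f"10.0.0.{i}", 8) for i in range(1, 31)]
PACKETS += [("ICMP", "10.0.0.5", "10.0.0.1", 8)]  # a normal ping
# ARP: the gateway's genuine reply, then a forged reply claiming the same IP.
PACKETS += [("ARP", "10.0.0.1", "aa:bb:cc:00:00:01"),
            ("ARP", "10.0.0.1", "de:ad:be:ef:00:99"),
            ("ARP", "10.0.0.5", "aa:bb:cc:00:00:05")]


def detect_port_scan(packets, min_ports=10):
    """Sources that sent SYNs to at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for p in packets:
        if p[0] == "TCP" and p[5] == "S":
            ports[p[1]].add(p[4])
    return {src: len(ps) for src, ps in ports.items() if len(ps) >= min_ports}


def detect_syn_flood(packets, max_half_open=20):
    """Destinations with more than max_half_open SYNs that were never followed
    by an ACK from the same (src, sport, dst, dport) connection."""
    syn, acked = set(), set()
    for p in packets:
        if p[0] != "TCP":
            continue
        conn = (p[1], p[2], p[3], p[4])
        if p[5] == "S":
            syn.add(conn)
        elif p[5] == "A":
            acked.add(conn)
    half_open = defaultdict(int)
    for conn in syn - acked:
        half_open[conn[2]] += 1
    return {dst: n for dst, n in half_open.items() if n > max_half_open}


def detect_icmp_storm(packets, max_echo=20):
    """Sources sending more than max_echo ICMP echo requests."""
    count = defaultdict(int)
    for p in packets:
        if p[0] == "ICMP" and p[3] == 8:
            count[p[1]] += 1
    return {src: n for src, n in count.items() if n > max_echo}


def detect_arp_spoof(packets):
    """IP addresses that were claimed by more than one MAC address."""
    seen = defaultdict(set)
    for p in packets:
        if p[0] == "ARP":
            seen[p[1]].add(p[2])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def run_all(packets=PACKETS):
    return {
        "port_scan": detect_port_scan(packets),
        "syn_flood": detect_syn_flood(packets),
        "icmp_storm": detect_icmp_storm(packets),
        "arp_spoof": detect_arp_spoof(packets),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits or "none")
```

The port scanner here also leaves eleven half-open connections on 10.0.0.20, below the SYN-flood threshold, while the flood on 10.0.0.30 is well above it; in practice the thresholds and window lengths are what separate a noisy but harmless host from an attack, and they are the part that needs tuning per network before reactive blocking is switched on.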