Overview of Intrusion Detection and Prevention
Introduction to intrusion detection and prevention

Intrusion detection is the ability to detect attacks against a network and send logs to a management console. It provides the following defense mechanism:

  • Detection – Identifies malicious attacks on network and host resources.

On the other hand, intrusion prevention is the ability to stop attacks against the network. It should provide the following active defense mechanisms:

  • Detection – Identifies malicious attacks on network and host resources.
  • Prevention – Stops the detected attack from executing.
  • Reaction – Adjusts the defenses so that further traffic from the malicious source is denied, protecting the system from future attacks from that source.

Either technology can be implemented at the network level, at the host level, or at both for maximum protection.

Response Options
When a signature match is found, the IDS or IPS may perform the following actions:

  • Alarm – Sends an alarm to an internal or external log and then forwards the packet.
  • Reset – If the session is TCP, sends packets with the reset (RST) flag set to both session participants, and forwards the packet.
  • Drop – Immediately drops the packet.
  • Block – Denies further traffic from the source address of the attack.
NOTE:

Because the reset action on its own still forwards the triggering packet, it is recommended to use the drop and reset actions together to ensure that the attack is terminated.
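The following is an added example, not code from the original page or from any vendor's product. It models a toy in-line sensor so that the difference between detection-only (IDS) and detection-plus-prevention (IPS) behavior from the introduction, and the semantics of the alarm, reset, drop and block response options above, can be observed on constructed packets. The Packet and Sensor classes, the two signature patterns, the sample addresses and payloads, and the single sensor-wide action set (real products configure actions per signature) are all assumptions made for the example.

```python
"""Toy in-line sensor: IDS (detect only) versus IPS (detect, prevent, react),
with the alarm / reset / drop / block response options.

Added example; not taken from the original page. Packets, signatures and the
'management console' log are constructed in-line so the code runs offline.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Packet:
    """Constructed packet abstraction: only the fields the sensor needs."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    payload: bytes


# Constructed, illustrative signatures; not vendor signature content.
SIGNATURES = {
    "HTTP-DIR-TRAVERSAL": re.compile(rb"\.\./\.\./"),
    "SQLI-UNION-SELECT": re.compile(rb"(?i)union\s+select"),
}


@dataclass
class Sensor:
    mode: str                                           # "ids" or "ips"
    actions: set = field(default_factory=lambda: {"alarm"})   # assumed sensor-wide
    log: list = field(default_factory=list)             # stands in for the console
    blocked_sources: set = field(default_factory=set)   # reaction: shunned sources
    resets_sent: list = field(default_factory=list)     # (to_addr, from_addr) pairs

    def match(self, pkt):
        """Detection: return the name of the first matching signature, or None."""
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                return name
        return None

    def process(self, pkt):
        """Return 'forward' or 'drop' for the packet, applying configured actions."""
        # Reaction from an earlier event: a shunned source is denied before inspection.
        if pkt.src in self.blocked_sources:
            self.log.append(f"BLOCKED {pkt.src} (source shunned)")
            return "drop"

        sig = self.match(pkt)
        if sig is None:
            return "forward"

        # Detection: both IDS and IPS raise an alarm to the log.
        self.log.append(f"ALARM {sig} {pkt.src}->{pkt.dst}")
        if self.mode == "ids":
            # A passive sensor can only alarm; the packet continues on its way.
            return "forward"

        disposition = "forward"
        if "reset" in self.actions and pkt.proto == "tcp":
            # Reset tears down the TCP session at both ends but, on its own,
            # still forwards the triggering packet (hence drop + reset together).
            self.resets_sent.append((pkt.src, pkt.dst))
            self.resets_sent.append((pkt.dst, pkt.src))
        if "drop" in self.actions:
            disposition = "drop"
        if "block" in self.actions:
            # Reaction: deny all further traffic from the attacking source.
            self.blocked_sources.add(pkt.src)
        return disposition


if __name__ == "__main__":
    attack = Packet("203.0.113.7", "192.0.2.10", "tcp", b"GET /../../etc/passwd HTTP/1.1")
    for label, sensor in [("ids", Sensor("ids")),
                          ("ips reset only", Sensor("ips", {"alarm", "reset"})),
                          ("ips drop+reset+block", Sensor("ips", {"alarm", "reset", "drop", "block"}))]:
        print(label, "->", sensor.process(attack), sensor.log, sensor.resets_sent)
```

Run the module directly to see the three dispositions side by side: the IDS only logs, the reset-only IPS tears down the session yet still forwards the packet, and the sensor configured with drop, reset and block discards the packet, resets both ends, and shuns the source so its next packet is denied before inspection.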