Sunday 27 July 2014

Research on IDS-IPS

I spent some time last week researching Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). I offered IDS/IPS to detect and prevent network attacks (both inside and outside). There are two types of IDS: network-based IDS (NIDS) and host-based IDS (HIDS). In this research I mainly focused on NIDS. I am going to install IDS/IPS on the honeypot machine (a server mirroring all functionality of a real server) because the honeypot is the point of attraction for attackers. I can capture and store network traffic using Snort (Linux version) on the honeypot server and use the latest signatures to identify attacks.
In the next few days I am going to deploy the IDS/IPS on the honeypot server.

In addition to the above research, I was working on the demo and trying to solve the ASA issue. The problem is that when we added the ASA into our network, it sometimes causes problems. For example, it sometimes passes the ICMP packets and sometimes gives me "Request Timeout" messages. I reckon the problem is that I made a loop in the network somewhere in my configurations. So, solving this problem is going to be my main focus for the next couple of days.

2 comments:

  1. Don't you need IPS at various points in the network?

  2. Having multiple IDS/IPS is absolutely ideal. However, in this project I decided to deploy one IDS/IPS for the whole project due to hardware limitations (one Linux machine (sensor) for each point in the network).
