-IDS (Intrusion Detection System) 침입 탐지 시스템
It detecting abnormal activation on network like misuse(rule-based), anomaly(statistical) detection. Collect, reduct and filter, detect, and act.
네트워크 상의 이상을 감지하는 시스템으로, 규칙 기반 오용탐지, 통계 기반 이상 탐지로 나뉜다. 데이터를 수집하고 필터링한 뒤 탐지하고 대응하는 시퀀스를 가진다. 방화벽보다 능동적이며 침입에 대한 추적이 가능하지만 즉각 대응이 어렵다.
+Aggressive than the FW
+Tracking
- Does not act immediately.
>Rule based (misuse detection): save the patterns like system log, network info, well-known method on the DB
+ Less false positive.
- Keep update the list and could not detect new one.
>Statiscal (anomaly detection): collect normal action and detect on user action that is not a normal
+Could detect unknown acttion
+Easier to manage the DB than rule-based
-Take times to detect
-Hard to judge the normal action
-Highly false positive.
>Host-based IDS
Working on the host. Logging and tracking users on the OS who doing what.
-Could not detect all-round network
-Decline host performance
>Network-based IDS
Auditing and logging(TCP dump) network resources at the stand-alone from the network.
+Hide from outside because it does not have IP address
-If the packet is encrypted, can not detect the intrusion.
-Affect performance from network traffic condition.
-IPS (Intrusion Prevention System): IDS + FW 침입 방지 시스템
Active security system to minimize damage from attack. IDS just detect the abnormal situation and IPS decide the security policy using the data from IDS. And also observing network traffic. The module can see, analyze the packet, and the other module decide the act like FW. Signiture-based and Heuristic method like IDS.
공격에 대한 피해를 최소화하기 위해 만들어진 시스템으로 IDS의 탐지 기능과 FW의 차단 기능을 모두 가지고 있다. IPS 또한 네트워크 트래픽을 감시한다. 따라서 IDS와 달리 즉각적인 대응이 가능하며 Zero Day Attack에 대한 대책이 될 수 있다.
+ Acting immediately.
>Signature based
Detect same as IDS rule-based detection
>Heuristic based
Anomaly detection and prevention
>Host IPS
SW based IPS installed on the server.
>Network IPS
HW based and independent from the host.
-Firewall 방화벽
On L3/L4, using IP and Port information beside IDS and IPS covoring L3 to L7.
방화벽은 Access Control List를 통해 트래픽에 대한 보안 정책을 설정한다. IDS나 IPS와 달리 L3/L4에서 동작한다.
Location of FW
-Screening Router
-Single homed host
-Dual homed host
-Screened host gateway
-Screened subnet
-Could not defense virus and bringing network overhead
-Weakness on internal attack, bypass, and new type attack
>Packet filtering
+Fast and good performance.
-Can be bypassed to manipulate the source and destination's address and port
>Statefull
+More secure than packet filtering because it using packet status data
-Status data could be lost because of DDoS attack which occurs status table overflow
>NAT
Static, Dynamic NAT and PAT
>Proxy FW
Application level proxy FW and Circiut level FW
-Web Firewall 웹 방화벽
On L7, observing with string data in the http(Request and Response message) which is decoded at the lower layer. Control the access with ACL(Rule set based) which has IP and PORT. Checking the URL
L7에서 동작하며 하위 계층에서 복호화된 실질적인 데이터에서 HTTP 메세지를 분석, 대응이 가능하다. URL 단위 탐지와 파일에 대한 제어 기능도 포함한다.
