
Section C Lecture 3


Intrusion Detection System (IDS)

INTRUDERS

There are three classes of intruder (the classification from Anderson's 1980 report, as used in Stallings):

• Masquerader: An individual who is not authorized to use the computer and who penetrates the
system's access controls to exploit a legitimate user's account; usually an outsider.

• Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not
authorized, or who is authorized but misuses those privileges; usually an insider.

• Clandestine user: An individual who seizes supervisory (administrative) control of the system and
uses it to evade auditing and access controls or to suppress audit collection; can be either an insider or
an outsider.

Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) monitors network traffic or host activity for suspicious behaviour
and raises an alert when it finds some. It may be a software application or a dedicated appliance that
scans a network or a host for harmful activity or policy violations. Alerts are normally reported to an
administrator or collected centrally by a security information and event management (SIEM) system,
which correlates output from many sources and applies filtering to separate real attacks from false
alarms.

Because an IDS flags anything that looks suspicious, it is also prone to false alarms. Organizations
therefore need to tune an IDS when they first deploy it: teach it what normal traffic on their network
looks like, so that it can be distinguished from malicious activity.

An intrusion prevention system (IPS) inspects the same inbound packets for malicious activity but is
deployed inline, so besides sending a warning it can drop the offending packets (see the IPS section
below).

Classification of Intrusion Detection System:


IDS are classified into 5 types:
Network Intrusion Detection System (NIDS):

Network intrusion detection systems (NIDS) are set up at a planned point within the network (typically
fed from a switch mirror port or a network tap) to examine traffic from all devices on that segment. A
NIDS observes the traffic passing on the entire subnet and matches it against a collection of known
attacks. Once an attack is identified or abnormal behaviour is observed, an alert is sent to the
administrator. A typical placement is on the subnet where the firewalls sit, to see whether someone is
trying to get past the firewall. Note that a NIDS can only inspect what is in the clear: TLS-encrypted
payloads are opaque to it unless traffic is decrypted in front of the sensor.

Host Intrusion Detection System (HIDS):

Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS
monitors the packets entering and leaving that device only, together with local sources such as system
logs and process activity, and alerts the administrator if suspicious or malicious activity is detected. It
also takes a snapshot of existing system files and compares it with the previous snapshot; if critical
system files were edited or deleted, an alert is sent to the administrator to investigate. HIDS is typically
used on mission-critical machines whose configuration is not expected to change.

Protocol-based Intrusion Detection System (PIDS):

A protocol-based intrusion detection system (PIDS) is a system or agent that sits at the front end of a
server and monitors and interprets the protocol between a user or device and that server. The usual
example is protecting a web server by monitoring the HTTPS stream (after decryption, so that the
underlying HTTP exchange is visible) and checking that the HTTP it carries conforms to the protocol.

Application Protocol-based Intrusion Detection System (APIDS):

Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies the intrusions by monitoring and interpreting the
communication on application specific protocols. For example, this would monitor the SQL protocol
explicit to the middleware as it transacts with the database in the web server.

Hybrid Intrusion Detection System :

A hybrid intrusion detection system combines two or more of the approaches above. Host agent or
system data is combined with network information to build a complete view of the network and its
hosts, which makes a hybrid system generally more effective than any single approach on its own.
Prelude is an example of a hybrid IDS.

Detection Method of IDS:


Signature-based Method:

Signature-based IDS detects attacks by looking for specific patterns, such as byte sequences in network
traffic or known malicious instruction sequences used by malware.

The term comes from anti-virus software, which calls these patterns signatures. A signature-based IDS
easily detects known attacks, but it cannot detect a new attack for which no pattern exists yet, and even
a known attack slips through if it is encoded or varied enough that it no longer matches the pattern.

Signatures are released by the vendor for its products, so keeping the IDS signature set up to date is
essential. Vendor signature updates are normally applied automatically; signatures for threats specific
to the organization have to be written and added manually.

Anomaly-based Method:

Anomaly-based intrusion detection was introduced mainly to detect unknown attacks, in part because
of the rapid development of new malware. The basic approach is to build a model of trustworthy
("normal") activity, using statistics or machine learning, and then compare new behaviour against that
model. Because the model is trained on the organization's own applications and hardware, it generalizes
to attacks that a signature-based IDS has never seen.

Although this enables detection of previously unknown attacks, it suffers from false positives:
previously unseen legitimate activity is also classified as malicious, and anything malicious that was
present during training becomes part of the "normal" baseline. Many anomaly-based systems are also
computationally expensive at detection time, which degrades throughput; an efficient feature selection
algorithm reduces that cost and makes the classifier used for detection more reliable.
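The two detection methods above side by side, as an added example (not part of the original lecture
notes): a small Go program with a signature engine and an anomaly engine run over constructed traffic.
The signature list, the connection events and the addresses are made up for illustration, and the anomaly
model (distinct destination ports per source, flagged beyond three standard deviations of a learned
baseline) is one simple statistical baseline standing in for the machine-learning models the text mentions.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"sort"
)

// Signature is one known-bad byte pattern with a name for the alert.
type Signature struct{ Name string; Pattern []byte }

// Constructed signature set for this example; production rule sets hold thousands.
var signatures = []Signature{
	{"path-traversal", []byte("../../")},
	{"sqli-tautology", []byte("' OR 1=1")},
	{"shell-spawn", []byte("/bin/sh")},
}

// MatchSignatures returns the names of all signatures found in payload. Matching is
// exact, so an encoded variant such as "..%2f..%2f" is missed: the known-attacks-only
// limitation of signature detection.
func MatchSignatures(payload []byte) []string {
	var hits []string
	for _, s := range signatures {
		if bytes.Contains(payload, s.Pattern) {
			hits = append(hits, s.Name)
		}
	}
	return hits
}

// Event is one connection attempt seen by the sensor: source IP and destination port.
type Event struct{ Src string; Port int }

// Baseline describes "normal": mean and standard deviation of the number of distinct
// destination ports each source touches within a window.
type Baseline struct{ Mean, Std float64 }

func distinctPorts(events []Event) map[string]int {
	seen := map[string]map[int]bool{}
	for _, e := range events {
		if seen[e.Src] == nil {
			seen[e.Src] = map[int]bool{}
		}
		seen[e.Src][e.Port] = true
	}
	counts := map[string]int{}
	for src, ports := range seen {
		counts[src] = len(ports)
	}
	return counts
}

// TrainBaseline learns "normal" from a window assumed to be benign; attack traffic
// present during training silently becomes part of the baseline.
func TrainBaseline(training []Event) Baseline {
	counts := distinctPorts(training)
	n := float64(len(counts))
	var sum, sumSq float64
	for _, c := range counts {
		sum += float64(c)
		sumSq += float64(c) * float64(c)
	}
	mean := sum / n
	return Baseline{Mean: mean, Std: math.Sqrt(sumSq/n - mean*mean)}
}

// FindAnomalies flags every source more than k standard deviations above the baseline.
// A never-seen port scanner is caught without a signature, but so is any unusually
// busy legitimate host: the false-positive problem of anomaly detection.
func FindAnomalies(b Baseline, window []Event, k float64) []string {
	var flagged []string
	for src, c := range distinctPorts(window) {
		if float64(c) > b.Mean+k*b.Std {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// DemoEvents returns constructed training and detection windows (documentation addresses).
func DemoEvents() (training, window []Event) {
	training = []Event{{"10.0.0.1", 80}, {"10.0.0.1", 443}, {"10.0.0.2", 80},
		{"10.0.0.3", 80}, {"10.0.0.3", 443}, {"10.0.0.3", 22}, {"10.0.0.4", 443}}
	window = []Event{{"10.0.0.1", 80}, {"10.0.0.1", 443}}
	for _, p := range []int{21, 22, 23, 25, 80, 443, 3389, 8080} { // new scanner sweeping ports
		window = append(window, Event{"203.0.113.9", p})
	}
	for _, p := range []int{22, 80, 443, 445, 8443, 9000} { // legitimate monitoring host
		window = append(window, Event{"10.0.0.50", p})
	}
	return training, window
}

func main() {
	fmt.Println("signature hits:", MatchSignatures([]byte("GET /../../etc/passwd HTTP/1.1")))
	training, window := DemoEvents()
	b := TrainBaseline(training)
	fmt.Printf("baseline: %.2f +/- %.2f distinct ports per source\n", b.Mean, b.Std)
	fmt.Println("anomalous sources:", FindAnomalies(b, window, 3))
}
```

Run it with `go run`: the signature engine catches `../../` but not its percent-encoded twin; the
anomaly engine catches the scanner 203.0.113.9 with no signature at all, and also flags the legitimate
monitoring host 10.0.0.50, which is exactly the false-positive tuning problem described above.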

What is an Intrusion Prevention System?


An intrusion prevention system (IPS) is a form of network security that both detects and blocks
identified threats. An IPS continuously monitors the network, looking for possible malicious incidents
and capturing information about them. It reports these events to system administrators and takes
preventative action, such as dropping the offending packets, resetting the connection and updating
firewall rules to block the source. IPS solutions can also be used to enforce corporate security policy,
deterring employees and network guests from violating the rules it contains.

With so many access points present on a typical business network, it is essential to have a way to
monitor for signs of potential violations, incidents and imminent threats. Today's network threats are
increasingly sophisticated and able to infiltrate even robust security solutions. The difference between
an IPS and an IDS is where they sit and what they do when a potential incident is detected:

· An intrusion prevention system is deployed inline, in the path of the traffic, so it can control access
to the network and stop an attack from developing by dropping packets or resetting sessions. The price
is that a false positive blocks legitimate traffic, and the IPS itself becomes a point of failure and a
source of latency.

· An intrusion detection system is deployed out of band (on a mirror port or tap), does not block
anything, and simply monitors the network and alerts the system administrators when a potential
threat is detected.

How Do Intrusion Prevention Systems Work?


Intrusion prevention systems work by scanning all network traffic passing through them. An IPS is
designed to prevent a number of different threats, including Denial of Service (DoS) attacks,
Distributed Denial of Service (DDoS) attacks, various exploits, worms and viruses.

The IPS performs real-time packet inspection, deeply inspecting every packet that travels across the
network. If a malicious or suspicious packet is detected, the IPS carries out one of the following
actions:

· Terminate the TCP session that is being exploited and block the offending source IP address or user
account from accessing any application, target host or other network resource.

· Reprogram or reconfigure the firewall to prevent a similar attack in the future.

· Remove or replace malicious content so that it does not reach its target, for example by stripping an
infected attachment from a message on a file or email server before delivery.

NEED OF INTRUSION DETECTION SYSTEM

In every kind of network, security is a primary concern, especially in large organizations that hold
important and confidential data whose compromise would damage the company's reputation. Generally,
we secure our systems with firewalls and authentication mechanisms such as passwords, and with
encryption, which together create a protective shell around them.

All of these provide a level of security, but they cannot protect against malicious code, insider attacks,
or unsecured modems and other back doors into the network.

We need additional mechanisms such as an IDS because a firewall cannot detect attacks inside the
network: it is mostly deployed at the network boundary and therefore only controls traffic entering or
leaving. A large share of intrusions originates from within the network, whereas an IDS can monitor and
analyze events throughout the network and report immediately to the administrator when a system has
been misused.

Virtual Private Network (VPN)


https://www.youtube.com/watch?v=xGjGQ24cXAY GARY

https://www.youtube.com/watch?v=_wQTRMBAvzg

VPN stands for virtual private network. A VPN is a technology that creates a secure, encrypted
connection over a less secure network such as the Internet; it is a way to extend a private network across
a public one. As the name suggests, the network is a virtual "private network": a user at a remote location
can be part of the local network as if physically connected to it. A VPN uses tunneling protocols to
establish that secure connection.

3 main points to remember--

1. encryption

2. Encapsulation.

3. Tunneling
HOW VPN WORKS?

See this video before reading what is written next to it, it will help you.

https://www.youtube.com/watch?v=yB1KiboEWC4

A VPN tunnel works by encapsulating data in an encrypted data packet. To understand encapsulation, let
us attempt a simple analogy.

If you were a political refugee and your location was confidential for your safety but you needed to
communicate with key people in your home country, how would you do it?

Well, one way would be to write the message on a postcard with the address of the final recipient, put
the postcard into an envelope, and post the envelope to a trusted friend in your home country. When your
friend receives it, he opens the envelope, puts a stamp on the postcard and posts it. The final recipient of
the postcard has no knowledge of where the postcard came from, since the stamp is local.

The act of putting the postcard into the envelope with its own address is equivalent to encapsulation and
when you do this with data on the Internet, you create a virtual private network tunnel, commonly
called 'VPN tunneling'.

Although this is technically a VPN, it's not really private until you encrypt the contents of the envelope.
Without encryption, we could still hide our identity but what if the final recipient was powerful enough
and had friends in the post office? In this case the post office employee could see the stamp on the
envelope before it reached your friend and leak your location.
To achieve a much higher level of security, you need to encrypt the contents of the postcard inside the
envelope so that only yourself and your friend can decode it. Now if anyone intercepted and opened it
they would have no idea who the postcard was addressed to nor would they understand the contents of
the message.

When your friend receives the envelope he would open it and decrypt the message and forward it to its
final recipient. In the context of a public VPN service, your friend would be the VPN service and the final
recipient would be the website you are browsing.

It is worth noting at this point that the message sent from your friend to the final recipient is no longer
protected by your envelope. Equally, when using a VPN service, the VPN's encryption ends at the VPN
server: the leg from the VPN server to the destination website is protected only if the website itself uses
TLS (HTTPS). Your public IP address, however, has been replaced with the address of the VPN server, so
your origin is masked from the website.

Whilst communicating with your friend, it's as if there is a secure tunnel between the two of you
protecting the contents. This is why it is called a virtual tunnel or more commonly, a VPN tunnel.

The origin of your data are hidden so the websites and servers you visit can’t see where your activity
originated. Rather, the activity appears to originate at the location of the VPN’s server.

The process of encapsulating the data hides its origin, but it isn’t automatically private or secure from
hackers or government surveillance. To achieve a higher level of security, your data must also be
encrypted so if your data is intercepted between your device and the VPN’s server, it can’t be read or
understood.

You have a right to privacy, even online. When you use a VPN tunnel, you protect your activity and private
data from anyone watching the path between your device and the VPN server, such as the local Wi-Fi
operator or your ISP. Keep in mind that the VPN provider itself now sees that traffic instead (see Security
Concerns in VPN below).

How Does VPN Tunneling Work?


It helps to think of VPN tunneling as a two-fold process: data encapsulation and data encryption.

Data encapsulation: Encapsulation is the process of wrapping an Internet data packet inside another
packet. Think of this as the outer tunnel structure, like putting a letter inside an envelope for sending.

Data encryption: Just having a tunnel isn't enough. Encryption scrambles and locks the contents of the
letter, i.e. your data, so that it can't be opened and read by anyone except the intended receiver. In
practice the encryption also authenticates the packet, so a tampered or forged packet is rejected rather
than decrypted.
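The envelope analogy and the two-step process above as an added example (not from the original notes):
a Go program that encapsulates a simplified inner packet inside an outer one addressed from the client's
public IP to the VPN server and encrypts it with AES-GCM, then shows the server side unwrapping it. The
key, the addresses (documentation ranges) and the 4+4+payload packet layout are assumptions made for
illustration; a real VPN carries full IP datagrams and derives its keys from a key exchange such as IKE or
TLS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Packet is a stand-in for an inner IPv4 packet: 4-byte source, 4-byte
// destination, then payload. A real tunnel carries complete IP datagrams.
type Packet struct {
	Src, Dst net.IP
	Payload  []byte
}

func (p Packet) Marshal() []byte {
	b := append([]byte{}, p.Src.To4()...)
	b = append(b, p.Dst.To4()...)
	return append(b, p.Payload...)
}

func Unmarshal(b []byte) (Packet, error) {
	if len(b) < 8 {
		return Packet{}, errors.New("inner packet too short")
	}
	return Packet{Src: net.IP(b[0:4]), Dst: net.IP(b[4:8]), Payload: b[8:]}, nil
}

const nonceSize = 12 // standard AES-GCM nonce length

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate is the "postcard in an envelope" step. The outer header carries only
// the client's public address and the VPN server's address; the whole inner packet,
// real destination included, is encrypted and authenticated. seq must never repeat
// for the same key: it is the GCM nonce, and a reused nonce breaks AES-GCM entirely
// (a real VPN rekeys long before its counter could wrap).
func Encapsulate(key []byte, seq uint64, clientPub, server net.IP, inner Packet) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	outerHdr := append(append([]byte{}, clientPub.To4()...), server.To4()...)
	nonce := make([]byte, nonceSize)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	// The outer header is bound in as associated data, so an observer who
	// re-addresses the envelope invalidates the authentication tag.
	ct := aead.Seal(nil, nonce, inner.Marshal(), outerHdr)
	out := make([]byte, 0, len(outerHdr)+nonceSize+len(ct))
	out = append(out, outerHdr...)
	out = append(out, nonce...)
	return append(out, ct...), nil
}

// Decapsulate is what the VPN server does: authenticate, decrypt, and recover the
// inner packet, which it then forwards toward its real destination.
func Decapsulate(key, outer []byte) (Packet, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Packet{}, err
	}
	if len(outer) < 8+nonceSize+aead.Overhead() {
		return Packet{}, errors.New("outer packet too short")
	}
	hdr, nonce, ct := outer[:8], outer[8:8+nonceSize], outer[8+nonceSize:]
	pt, err := aead.Open(nil, nonce, ct, hdr)
	if err != nil {
		return Packet{}, fmt.Errorf("tunnel authentication failed: %w", err)
	}
	return Unmarshal(pt)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed; a real VPN derives this from a key exchange
	inner := Packet{Src: net.ParseIP("10.8.0.2"), Dst: net.ParseIP("192.0.2.10"), Payload: []byte("GET / HTTP/1.1")}
	outer, err := Encapsulate(key, 1, net.ParseIP("198.51.100.7"), net.ParseIP("203.0.113.1"), inner)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %v -> %v plus %d opaque bytes\n", net.IP(outer[:4]), net.IP(outer[4:8]), len(outer)-8)
	got, err := Decapsulate(key, outer)
	fmt.Printf("server recovers: %v -> %v %q (err=%v)\n", got.Src, got.Dst, got.Payload, err)
	outer[len(outer)-1] ^= 1 // flip one ciphertext bit
	_, err = Decapsulate(key, outer)
	fmt.Println("tampered envelope:", err)
}
```

An on-path observer between the client and the VPN server sees only 198.51.100.7 talking to 203.0.113.1
and random-looking bytes; the real destination 192.0.2.10 and the request are visible only after
Decapsulate, which is also where a flipped bit, a re-addressed outer header or a wrong key is rejected.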

VPN protocols
VPN protocols provide an appropriate level of security to connected systems when the underlying
network infrastructure alone cannot. Several protocols are used to secure and encrypt user and corporate
data. They include:

IP security (IPsec)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS), as used by SSL VPNs

Point-To-Point Tunneling Protocol (PPTP), obsolete and insecure (see Security Concerns in VPN below)

Layer 2 Tunneling Protocol (L2TP), usually paired with IPsec, since L2TP itself provides no encryption

OpenVPN, which builds its tunnel on TLS

NEED OF VPN

1. When you're on public Wi-Fi

When you're using a public Wi-Fi network, even one that's password-protected, a VPN is your best
friend. If an attacker is on the same Wi-Fi network, it is quite easy for them to snoop on your traffic: the
shared WPA2 password your average coffee shop uses does not protect you from the other clients on
the same network in a robust way.

A VPN adds a layer of encryption on top: the Wi-Fi operator, its ISP and the other clients see only an
encrypted tunnel from you to the VPN server. An attacker there will have to find easier prey.

2. When you're traveling

If you're traveling to a foreign country (say, China, where sites like Facebook are blocked), a
VPN can help you access services that may not be available in that country.

Often, the VPN will also let you use streaming services that you paid for and can access in your home
country but which are not available abroad because of international licensing. Using a VPN makes it
appear that you are using the service from home. VPN use sees huge spikes from outside the U.S. during
events like the Super Bowl and March Madness. Netflix keeps trying to block VPN users, and many VPN
providers keep adapting in response; it's a bit of a whack-a-mole game, but some VPNs do get through.
Travelers may also find cheaper airfare through a VPN, as quoted prices can vary from region to region.

3. When you're a remote worker or student

Many employers require the use of a VPN to access company services remotely, for security
reasons. A VPN that connects to your office's server can give you access to internal company
networks and resources when you're not in the office. It can do the same for your home
network while you're out and about.

4. When you're a political dissident

Some countries don't have the same protections for press freedom, speech, and expression
that many Western countries have, and a few regimes even take draconian measures to
monitor and take action against those they see as threats to the regime.

It should almost go without saying that for political dissidents, using a VPN (among other
privacy tools) is essential for internet use within an oppressive regime. They're not a catch-all
solution, though, and governments are beginning to crack down on their use.

5. When you just want some privacy

Even at home, doing your regular Internet things, using a VPN isn't a terrible idea. It hides the
destinations of your traffic from your ISP, so the ISP cannot build a record of the sites you visit (the VPN
provider can, which is why its logging policy matters; see below).

6. Bypass restrictions

Using a computer at certain locations, such as a school or library, will not offer the full internet,
but rather a filtered, partially censored version. While in some cases this works for the
protection of users, in other cases it can be frustrating when trying to look into a blocked topic.
7. Research without a trace

There are times when some research needs to be done without tipping your hand. For example, if a
company wants to look at a competitor's job postings or policies, it would be ideal to do this without
revealing its own IP address, especially from the workplace.

A VPN is an effective cloak in these cases: the user is assigned a different IP address, which can be
chosen in another region for an additional degree of separation.

TYPES OF VPN

Virtual Private Network (VPN) is basically of 2 types:

Remote Access VPN:

A remote access VPN permits a user to connect to a private network and access all its services and
resources remotely. The connection between the user and the private network goes over the Internet,
and the tunnel keeps it secure and private. Remote access VPN is useful for both business users and
home users.

A corporate employee who is traveling uses a VPN to connect to the company's private network and
remotely access files and resources on it. Home users, or private users of VPN, primarily use VPN
services to bypass regional restrictions on the Internet and access blocked websites; users conscious of
Internet security also use VPN services to enhance their security and privacy.
Site to Site VPN:

A site-to-site VPN is also called a router-to-router VPN and is commonly used by large companies.
Organizations with branch offices in different geographical locations use a site-to-site VPN to connect
the network of one office location to the network at another.

· Intranet-based VPN: when several offices of the same company are connected using a site-to-site
VPN, it is called an intranet-based VPN.

· Extranet-based VPN: when a company uses a site-to-site VPN to connect to the office of another
company, it is called an extranet-based VPN.

Basically, a site-to-site VPN creates a virtual bridge between the networks at geographically distant
offices, connects them across the Internet and maintains secure, private communication between them.
Because it is router-to-router, the two gateway routers are the tunnel endpoints (with IPsec, one initiates
and the other responds); individual hosts behind them need no VPN software. Traffic flows only after
the two routers have authenticated each other and established the tunnel.

Security Concerns in VPN

1. Logging Policies

Using a VPN to hide your browsing activity is pointless if the provider is now the one who logs it instead
of your ISP.

That is what happens when you pick a provider who keeps logs: you are exposed to serious privacy risk
because you no longer control who holds the record of what you did.

Usage logs are the most dangerous, since they record what you do on the web while connected.

Connection logs are a bit more "innocent", since they hold only data about the connection itself
(timestamps, source IP, bytes transferred) rather than what you did, but they still identify you, and the
providers who keep them are usually the ones who impose bandwidth limits.

A no-log policy is the one to go with if you want privacy and do not want to worry about VPN logging.
Remember that a logging claim cannot be verified from the outside; independent audits and the record
of what a provider was actually able to hand over when served with a legal demand are the only evidence.

Payment also matters. Paying by credit card or a platform like PayPal ties the account to your identity,
whereas cryptocurrency payment lets the provider hold nothing about you; a provider without such an
option is a weaker choice for anonymity, though that is not a security weakness in itself.

2. Data Leaks

A data leak is when you are using a VPN to hide your traffic and IP address, but some of it still escapes
the VPN tunnel. IP leaks (packets routed outside the tunnel), DNS leaks (name lookups sent to your ISP's
resolver instead of through the tunnel) and WebRTC leaks (the browser revealing your real address to a
website through WebRTC's connectivity checks) are the common examples. If they occur, they pretty
much make using a VPN pointless, because the destination or your ISP learns exactly what the VPN was
supposed to hide.

These leaks can happen because the VPN provider did not configure the tunnel correctly (for instance,
no route or resolver override for DNS), but they can also be caused by the browser or the operating
system.

A decent provider has safeguards in place (DNS leak protection, a kill switch) to keep your data from
being exposed if something like this occurs, and you should test a new VPN connection for leaks with
one of the public DNS/IP leak-test sites before relying on it.

3. Shady Privacy Policies

The devil is in the details.

A VPN provider can claim to respect your privacy and offer top-notch security in its marketing copy,
while its Privacy Policy tells a completely different story. Usually, that is where you find out whether
the provider keeps logs or not.

Depending on the wording of the Privacy Policy, the provider might subtly and vaguely mention that it
collects user data and shares it with third parties (that is, advertisers). Free VPNs are the services that
usually do this.

Why?

To make money, of course. Advertisers will pay handsomely to get their hands on your data, which they
will use to create personalized profiles so that they can spam you with targeted ads.

What’s more, some providers might even display said targeted ads through their VPN clients.

While that might sound like just a minor inconvenience for some of you, think of it this way – what’s the
point in using a VPN service to hide your traffic and data if the provider will just sell it to advertisers?

Don’t forget – the advertisers who buy your data won’t keep it to themselves. If they can make a profit,
they’ll sell it to other third parties. If they don’t even bother doing a background check, some
cybercriminal or scammer might end up getting their hands on your personal information.
All in all, a long, vague, and hard to understand Privacy Policy is a red flag.

4. Poorly-Configured Encryption

If the VPN provider did not do its homework, it may have made serious mistakes in configuring the
encryption the VPN uses: an outdated protocol, a weak cipher or short keys, poor key exchange or bad
certificate validation. Free VPNs in particular are likely to have faulty encryption.

What does that mean for you?

That cybercriminals and surveillance agencies may be able to intercept your web traffic and decrypt it
by exploiting or brute-forcing the weak encryption.

A reliable VPN provider has no problem publishing its encryption details: the protocol, cipher, key
length and key-exchange method in use.

5. Malware Infections

If you are not careful, you might face a more serious VPN risk: malware delivered with the VPN client
you download, which then spies on your activity, spams you with malicious ads and steals your
personal and financial details.

If you are extremely unlucky, you might expose your device to ransomware, which encrypts your data and
demands a large ransom for it.

This is nothing new: many free VPN apps on the Google Play Store were found to be malicious back in
2017. Install clients only from the provider's official site or store listing, and check the package's
signature or published hash where one is available.

6. Being Forced to Use PPTP

PPTP may be fast and convenient, but it is dangerous to use if you value your privacy.

Why?

PPTP's authentication (MS-CHAPv2) is broken: the challenge-response reduces to a single DES key,
which was shown in 2012 to be recoverable within a day by a dedicated DES-cracking service, and that
recovers the key for its MPPE (RC4) encryption as well. Leaked documents indicate the NSA decrypts
PPTP traffic, and cybercriminals know the protocol is broken, so they are more likely to target PPTP
traffic when looking for victims.

So a VPN provider that only offers PPTP connections is a very risky choice.

Even if they offer L2TP/IPsec alongside it, things are not ideal. L2TP/IPsec is reasonably secure when
configured properly, but Snowden has claimed the protocol was deliberately weakened. How much you
believe that is up to you; keep in mind that Microsoft co-developed L2TP with Cisco, and Microsoft was
the first member of the PRISM surveillance program.

Ideally, a VPN provider should offer stronger and safer protocols such as IKEv2/IPsec, OpenVPN and
SoftEther, and you should use those rather than PPTP or L2TP/IPsec.

7. The Provider Using Your IP Address as an Exit Node

What does that mean?

Basically, it’s when a VPN provider runs their network off of users’ bandwidth and IP addresses. The
users “volunteer” their bandwidth and IP address for that, but many don’t realize they’re doing it since
they don’t read the provider’s ToS and Privacy Policy.

Having your IP address used as an exit node is dangerous because it pretty much means other VPN users
will be using it when they’re on the web.

So, a cybercriminal or scammer could do illegal stuff on the Internet while using your IP address – like
downloading illegal torrents, DoS/DDoS-ing websites and networks, or sharing child pornography.

It’s not hard to imagine how that could land you in legal trouble.

That mostly sounds like speculation. Surely, VPN providers don’t do stuff like that, right?

Well, not all providers, but it does happen from time to time. A popular free VPN provider was actually
caught turning users’ devices into exit nodes, and selling their bandwidth to third parties too.

8. No Extra Security Features

While a VPN with good encryption and a favorable no-log policy is great, a service that offers even more
security features is even better. We’re talking about stuff like:

DNS leak protection – Even if you test out the connections and don’t see any DNS leaks, it never hurts to
know the VPN provider has measures in place that will prevent a DNS leak from taking you by surprise.

Internet Kill Switches – This type of Kill Switch is vital for protecting your privacy. Basically, if your VPN
connection ever goes down, your web traffic will stop. It will only resume when the VPN is running well
again.

Application-level Kill Switches – Offers you a good way to control which applications can’t use the web
when your VPN connection is down. Very useful for torrent and email apps.

Now, we’re not saying a VPN provider who doesn’t offer features like that isn’t trustworthy. But you’ll
definitely get some nice peace of mind knowing the provider went the extra mile to make sure your
privacy will be safe and sound – even if something goes wrong on their end by accident.
