Intrusion Detection and Intrusion Prevention

Intrusion detection and prevention are two broad terms describing application security practices used to mitigate attacks and block new threats.

The first is a reactive measure that identifies and mitigates ongoing attacks using an intrusion detection system. It’s able to weed out existing malware (e.g., Trojans, backdoors, rootkits) and detect social engineering (e.g., man in the middle, phishing) assaults that manipulate users into revealing sensitive information.

The second is a proactive security measure that uses an intrusion prevention system to preemptively block application attacks. This includes remote file inclusions that facilitate malware injections, and SQL injections used to access an enterprise’s databases.

What is an Intrusion Detection System (IDS)

An IDS is either a hardware device or software application that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for abnormal activities.

This is done through:

  • System file comparisons against malware signatures.
  • Scanning processes that detect signs of harmful patterns.
  • Monitoring user behavior to detect malicious intent.
  • Monitoring system settings and configurations.

Upon detecting a security policy violation, virus or configuration error, an IDS is able to kick an offending user off the network and send an alert to security personnel.

Despite its benefits, including in-depth network traffic analysis and attack detection, an IDS has inherent drawbacks. Because it uses previously known intrusion signatures to locate attacks, newly discovered (i.e., zero-day) threats can remain undetected.

Furthermore, an IDS only detects ongoing attacks, not incoming assaults. To block these, an intrusion prevention system is required.

What is an Intrusion Prevention System (IPS)

An IPS complements an IDS configuration by proactively inspecting a system’s incoming traffic to weed out malicious requests. A typical IPS configuration uses web application firewalls and traffic filtering solutions to secure applications.

An IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting security personnel to potential threats. Such a system usually uses a preexisting database for signature recognition and can be programmed to recognize attacks based on traffic and behavioral anomalies.

While being effective at blocking known attack vectors, some IPS systems come with limitations. These are commonly caused by an overreliance on predefined rules, making them susceptible to false positives.

Using Incapsula to Bolster Your IPS Configurations

Incapsula intrusion prevention solutions are fully customizable tools that block zero-day and existing web application security threats while reducing false positives.

Incapsula IPS features include:

Web Application Firewall (WAF) – The Incapsula WAF is a cloud-based firewall deployed on your network’s edge. It bolsters your existing IPS through signature, reputational and behavioral heuristics that filter malicious incoming requests and application attacks—including remote file inclusions and SQL injections.

Advanced features, such as access control, dynamic profiling and application-aware technologies help minimize false positives. Meanwhile, global crowdsourcing provides a continually updated database of new threats, thereby ensuring protection from zero-day threats.

Custom rulesIncapRules expands Incapsula WAF capabilities by enabling you to implement your own security and access control policies. This high degree of customization helps minimize false positives while rooting out hidden threats specific to your organization.

Two-factor authentication (2FA) – 2FA is a security process requiring users to provide two means of verification when logging into an account, such as a password and one-time passcode (OTP) sent to a mobile device. It bolsters intrusion prevention by adding an extra layer of protection to your application’s sensitive data.

Incapsula allows you to deploy two-factor authentication gateways for any URL in your web application. This solution is fully customizable, letting you choose your verification method and easily manage a database of approved users. It can also be configured in seconds and requires no code changes or additional integration.

Two Factor AuthenticationTwo factor authentication helps to prevent intrusions by requiring users to provide two means of verification when logging into an account.

Backdoor protection – IDS configurations typically identify backdoors based on known malware signatures. At best, it’s a halfway measure, as most perpetrators obfuscate the code and alias of their backdoor shells to avoid all recognition.

Incapsula Backdoor Protection solves this problem by intercepting connection requests to hidden backdoor shells, instead of simply scanning for code signatures. Since the nature of such requests can’t be disguised, monitoring them enables quick identification of backdoors within your system.