IDPS
Purpose
The IDPS object represents Intrusion Detection and Prevention System functionality that provides payload inspection, such as that offered by a Web Application Firewall.
The intention is to connect the IDPS to every Application that is protected by IDPS functionality, which gives the IDPS the role of a HIDS rather than a NIDS. (NIDS functionality is instead defined by the PayloadInspection defense property of ConnectionRules.)
The IDPS object extends the Application object, which means that all properties and connections of an Application object are also valid for an IDPS object.
Connections
Application
An Application object can be connected to an IDPS object in three ways: AppProtection, AppExecution (appExecutedApps --> hostApp) and AppExecution (hostApp --> appExecutedApps).
AppProtection
A connection between an application and an IDPS defines that the application is protected by a solution for intrusion detection and prevention, such as web application firewall functionality.
Apache protected by a WAF solution.
AppExecution
The two AppExecution options define which parent application hosts the IDPS (application). An IDPS object inherits its functionality from the Application object, which means that it has all the properties of an application but is also capable of protecting other applications. However, the operating system it is running on (hosted by) can in turn have vulnerabilities and be compromised.
As with the parent/child application relation, connect from the parent (OS) to the child (IDPS) and select AppExecution (appExecutedApps --> hostApp).
The Snort IDPS is running on a Debian machine.
ConnectionRule
Please see the Application section.
Data
Please see the Application section.
Group
Please see the Application section.
Identity
Please see the Application section.
Network and NIDS functionality
The IDPS connects to Network via ClientAccess or Network Exposure, just as the Application object does. Please note that this represents from which network the IDPS can be reached (its administrative interface) and not NIDS (Network Intrusion Detection System) functionality. NIDS functionality is instead defined as a property of ConnectionRules via their PayloadInspection defense property.
Nested IDPS objects
IDPS objects can be nested, allowing them both to host other IDPS objects and to protect other IDPS objects. In practice this is likely a bit of a corner case.
RoutingFirewall
Since an IDPS is an Application, it can host and be hosted by a RoutingFirewall object. However, the following is the recommended way to model a firewall.
The IDPS does not protect the firewall traffic but instead protects the Firewall OS, since it acts as a HIDS.
System
Please see the Application section.
Properties
AttackSteps
| Attack step name | Attack step purpose |
|---|---|
| The same attack steps apply for IDPS as for Application. | Please see the Application section. |
Defenses
| Defense name | Defense purpose |
|---|---|
| Effectiveness | The Effectiveness defense property is added to the IDPS compared to the Application. It represents the likelihood of the IDPS identifying incoming payloads and blocking them from affecting the Applications the IDPS is connected to. This property can be used to represent, for instance, how accurate the payload signature definitions of the IDPS are. |
| Disabled | Please see the Application section. |
| SupplyChainAuditing | Please see the Application section. |