Active device
Operates in-line to the network. Monitors all traffic, sends alerts, and drops or blocks the offending traffic. Great for DoS based attacks. Drawbacks:
Intrusion Detection and Prevention Systems or IDS/IPS. IDS or IPS systems operate by monitoring network traffic and analyzing it.

Terms in this set (28)

Note 10: IDS and IPS systems
They look for matching behavior or characteristics that would indicate malicious traffic.

Note 2: difference between an IDS and an IPS system
IDS is only a detection system. When an attack is detected, the IDS will only log an alert.

Note 3: IPS can perform responsive prevention action
An IPS system can adjust firewall rules on the fly to block or drop the malicious traffic when it's detected.

Note 4: IDS and IPS dual based
IDS and IPS systems can either be host based or network based.

Note 5: NIDS are Network based
In the case of a Network Intrusion Detection System or NIDS, the detection system would be deployed somewhere on a network where it can monitor traffic for a network segment or subnet.

Note 10: Host based Intrusion Detection System
A host based intrusion detection system would be software deployed on the host that monitors traffic to and from that host only. It may also monitor system files for unauthorized changes.

Note 20: NIDS and Firewalls Part 1
NIDS systems resemble firewalls in a lot of ways. But a firewall is designed to prevent intrusions by blocking potentially malicious traffic coming from outside, and to enforce ACLs between networks.

Note 25: NIDS and Firewalls Part 2
NIDS systems are meant to detect and alert on potentially malicious activity coming from within the network.

Note 26: NIDS and Firewalls Part 3
Plus, firewalls only have visibility of traffic flowing between the networks they've been set up to protect. They generally wouldn't have visibility of traffic between hosts inside the network.

Note 26: NIDS location is important
So, the location of the NIDS must be considered carefully when you deploy a system. It needs to be located in the network topology in a way that gives it access to the traffic we'd like to monitor.
Note 30: Port Mirroring Part 1
Port mirroring functionality is found in many enterprise switches. This allows all packets on a port, port range, or entire VLAN to be mirrored to another port, where the NIDS host would be connected.

Note 35: Port Mirroring Part 2
With this configuration, our NIDS machine would be able to see all packets flowing in and out of hosts on the switch segment. This lets us monitor host to host communications, and traffic from hosts to external networks, like the internet.

Note 36: Port Mirroring Part 3
The NIDS host would analyze this traffic by enabling promiscuous mode on the analysis port. This is the network interface that's connected to the mirror port on our switch, so it can see all packets being passed and perform an analysis on the traffic.

Note 40: NIDS host must have at least two network interfaces
A NIDS host must have at least two network interfaces. One is for monitoring and analysis, and a separate one is for connecting to our network for management and administrative purposes.

Note 45: Popular NID Systems
Some popular NID or NIP systems are Snort, Suricata, and Bro NIDS, which you can read about more in the supplementary readings.

Note 50: NIPS and NIDS have different placement Part 1
Placement of a NIP system or Network Intrusion Prevention System would differ from a NIDS system. This is because a prevention system is able to take action against suspected malicious traffic.

Note 55: NIPS and NIDS have different placement Part 2
In order for a NIPS device to block or drop traffic from a detected threat, it must be placed in line with the traffic being monitored. This means that the traffic being monitored must pass through the NIPS device.

Note 60: NIDS/Passive and NIPS/Active
A NIDS device is a passive observer that only watches the traffic and sends an alert if it sees something. A NIPS device monitors traffic, but can take action on the traffic it's monitoring, usually blocking or dropping it.
Note 70: Signature based detection
The detection of threats or malicious traffic is usually handled through signature based detection, similar to how antivirus software detects malware. Signatures are unique characteristics of known malicious traffic.

Note 80: Common Signatures
They might be specific sequences of packets, or packets with certain values encoded in a specific header field.

Note 90: Signature based detection improves detection speed
This allows Intrusion Detection and Prevention Systems to easily and quickly recognize known bad traffic from sources like botnets, worms, and other common attack vectors on the internet.

Note 94: Signatures must be developed for attacks to be detected
Targeted attacks might not be detected by a signature based system, since there might not be signatures developed for these cases.

Note 96: Custom Rules provide Flexibility
It's also possible to create custom rules to match traffic that might be considered suspicious, but not necessarily malicious. This would allow investigators to look into the traffic in more detail to determine the badness level.

Note 96: Custom Rules provide Flexibility Part 2
If the traffic is found to be malicious, a signature can be developed from the traffic and incorporated into the system.

Note 98: NIDS responses are configurable
What actually happens when a NIDS system detects something malicious is configurable, but usually the NIDS system would 1. log the detection event along with a full packet capture of the malicious traffic.

Note 98: NIDS responses are configurable Part 2
2. An alert would also usually be triggered to notify the investigating team to look into the detected traffic.

Note 99: NIDS Alerts
Depending on the severity of the event, the alert may just email a group, or create a ticket to follow up on, or it might page someone in the middle of the night if it's determined to be really high severity and urgent.
Note 100: NIDS Alerts Part 2
These alerts would usually also include reference information linking to a known vulnerability, or some more information about the nature of the alert to help the investigator look into the event.