What is the difference between a network intrusion detection system and a network intrusion prevention system quizlet?

Active device

Operates in-line with the network

Monitors all traffic, sends alerts, and drops or blocks the offending traffic

Useful against DoS-based attacks, since it can drop the attack traffic in-line before it reaches the target

Drawbacks:
False positives can drop legitimate communication


Intrusion Detection and Prevention Systems, or IDS/IPS. IDS and IPS systems operate by monitoring network traffic and analyzing it.

Terms in this set (28)

Note 10: IDS and IPS systems

They look for matching behavior or characteristics that would indicate malicious traffic.

Note 2: difference between an IDS and an IPS system

IDS is only a detection system. When an attack is detected, the IDS will only log an alert.

Note 3: IPS can perform responsive prevention action

An IPS can drop the malicious traffic itself, or adjust firewall rules on the fly to block it, as soon as it is detected.

Note 4: IDS and IPS can be host based or network based

IDS and IPS systems can be either host based or network based.

Note 5: NIDS are network based

In the case of a Network Intrusion Detection System, or NIDS, the detection system is deployed somewhere on the network where it can monitor traffic for a network segment or subnet.

Note 10: Host based Intrusion Detection System

A host based intrusion detection system is software deployed on the host that monitors traffic to and from that host only. It may also monitor system files for unauthorized changes.

Note 20: NIDS and Firewalls Part 1

NIDS systems resemble firewalls in a lot of ways. But a firewall is designed to prevent intrusions by blocking potentially malicious traffic coming from outside, and to enforce ACLs between networks.

Note 25: NIDS and Firewalls Part 2

NIDS systems are meant to detect and alert on potentially malicious activity, including activity coming from within the network.

Note 26: NIDS and Firewalls Part 3

Plus, firewalls only have visibility of traffic flowing between the networks they have been set up to protect. They generally would not have visibility of traffic between hosts inside the same network.

Note 26: NIDS location is important

So, the location of the NIDS must be considered carefully when you deploy a system. It needs to be placed in the network topology so that it has access to the traffic we want to monitor.

Note 30: Port Mirroring Part 1

Port mirroring functionality is found in many enterprise switches. It allows all packets on a port, a port range, or an entire VLAN to be copied to another port, where the NIDS host is connected.

Note 35: Port Mirroring Part 2

With this configuration, our NIDS machine is able to see all packets flowing in and out of hosts on the switch segment. This lets us monitor host-to-host communications, as well as traffic from hosts to external networks like the internet.

Note 36: Port Mirroring Part 3

The NIDS host analyzes this traffic by enabling promiscuous mode on the analysis port. This is the network interface connected to the mirror port on the switch. Promiscuous mode makes the interface accept frames that are not addressed to its own MAC address; without it the NIC would discard almost everything the mirror port copies, so the sensor could not see all the packets being passed or analyze the traffic.

Note 40: NIDS host must have at least two network interfaces

A NIDS host must have at least two network interfaces: one for monitoring and analysis, and a separate one for connecting to the network for management and administrative purposes. The monitoring interface is usually left without an IP address, so the sensor itself cannot be addressed from the segment it is watching.

Note 45: Popular NID Systems

Some popular NIDS or NIPS are Snort, Suricata, and Bro NIDS (renamed Zeek in 2018), which you can read more about in the supplementary readings.

Note 50: NIPS and NIDS have different placement Part 1

Placement of a NIPS, or Network Intrusion Prevention System, differs from that of a NIDS. This is because a prevention system must be able to take action against suspected malicious traffic.

Note 55: NIPS and NIDS have different placement Part 2

In order for a NIPS device to block or drop traffic from a detected threat, it must be placed in line with the traffic being monitored. This means that all of the traffic being monitored must pass through the NIPS device. An in-line device is therefore also a potential point of failure and a source of added latency: if it fails, traffic either stops (fail closed) or passes uninspected (fail open), and that behaviour has to be chosen deliberately.

Note 60: NIDS/Passive and NIPS/Active

A NIDS device is a passive observer that only watches a copy of the traffic and sends an alert if it sees something. A NIPS device also monitors the traffic, but it can take action on the traffic it is monitoring, usually by blocking or dropping it.

Note 70: Signature based detection

The detection of threats or malicious traffic is usually handled through signature based detection, similar to how antivirus software detects malware. Signatures are unique characteristics of known malicious traffic.

Note 80: Common Signatures

They might be specific sequences of packets, or packets with certain values in a specific header field or payload.

Note 90: Signature based detection improves detection speed

This allows Intrusion Detection and Prevention Systems to easily and quickly recognize known bad traffic from sources like botnets, worms, and other common attack vectors on the internet.

Note 94: Signatures must be developed for attacks to be detected

Targeted attacks might not be detected by a signature based system, since there might not be signatures developed for those cases.

Note 96: Custom Rules provide Flexibility

It is also possible to create custom rules to match traffic that might be considered suspicious, but not necessarily malicious. This allows investigators to look into the traffic in more detail to determine how bad it actually is.

Note 96: Custom Rules provide Flexibility Part 2

If the traffic is found to be malicious, a signature can be developed from it and incorporated into the system.
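The passive-versus-in-line difference from the placement cards above and the signature and custom-rule cards can be seen in a few dozen lines. The following is an added example, not code from the flashcard set or from Snort, Suricata or Zeek: a toy signature engine with Snort-style rule fields (action, protocol, destination port, content match, message, SID, severity, reference) run over constructed packets in NIDS mode (every packet is forwarded and a match only produces an alert) and NIPS mode (the device is in line, so a matching drop rule removes the packet). The rules, SIDs, messages, sample packets and RFC 5737 addresses are all made up for this example. The fourth packet is a legitimate forum post that happens to contain the string /etc/passwd, which shows the false-positive drawback of dropping in line.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int                  # signature ID
    msg: str                  # text shown in the alert
    action: str               # "alert" (log and notify) or "drop" (honoured only in NIPS mode)
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None matches any destination port
    content: Optional[bytes]  # byte string that must appear in the payload
    severity: str             # drives how the alert is routed
    reference: str = ""       # pointer the investigator can follow up on


# Constructed rule set (SIDs and messages are made up for this example).
# The second rule is the "suspicious but not necessarily malicious" custom rule
# from the cards: it only alerts, so investigators can look at the traffic.
RULES = [
    Rule(1000001, "WEB-ATTACK /etc/passwd path traversal", "drop",
         "tcp", 80, b"/etc/passwd", "high", "CWE-22"),
    Rule(1000002, "POLICY connection to port 4444, commonly used by reverse shells",
         "alert", "tcp", 4444, None, "medium", "custom rule"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Signature match: every rule field that is set must agree with the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def run_sensor(rules, packets, mode):
    """Run packets through the sensor and return (forwarded packets, detection events).

    mode="nids": passive copy of the traffic (e.g. from a mirror port); the sensor never
                 touches the real packets, so everything is forwarded and every match alerts.
    mode="nips": the sensor sits in line; a matching "drop" rule removes the packet.
    """
    if mode not in ("nids", "nips"):
        raise ValueError(f"unknown mode {mode!r}")
    forwarded, events = [], []
    for pkt in packets:
        dropped = False
        for rule in rules:
            if not matches(rule, pkt):
                continue
            taken = "drop" if (mode == "nips" and rule.action == "drop") else "alert"
            events.append({"sid": rule.sid, "msg": rule.msg, "severity": rule.severity,
                           "reference": rule.reference, "src": pkt.src, "dst": pkt.dst,
                           "action": taken})
            if taken == "drop":
                dropped = True
                break  # the packet is gone; no need to check further rules
        if not dropped:
            forwarded.append(pkt)
    return forwarded, events


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_TRAFFIC = [
    # 1: path traversal probe against the web server
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
           b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    # 2: ordinary page request
    Packet("198.51.100.4", "192.0.2.10", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    # 3: internal host connecting out to port 4444 (suspicious, not proven bad)
    Packet("192.0.2.22", "203.0.113.9", "tcp", 4444, b"id\n"),
    # 4: legitimate forum post that merely mentions /etc/passwd: a false positive
    Packet("198.51.100.5", "192.0.2.10", "tcp", 80,
           b"POST /forum/post HTTP/1.1\r\n\r\nbody=my backup script reads /etc/passwd, is that ok?"),
]


if __name__ == "__main__":
    for mode in ("nids", "nips"):
        fwd, ev = run_sensor(RULES, SAMPLE_TRAFFIC, mode)
        print(f"{mode}: forwarded {len(fwd)} of {len(SAMPLE_TRAFFIC)} packets")
        for e in ev:
            print(f"  [{e['action']}] sid={e['sid']} {e['severity']}: {e['msg']} {e['src']}->{e['dst']}")
```

In NIDS mode all four packets reach their destination and three events are raised; in NIPS mode the traversal probe and the innocent forum post are both dropped, which is exactly the trade-off the NIPS card lists under drawbacks. The port-4444 custom rule only alerts in either mode, leaving the investigator to decide whether a real signature should be written from that traffic.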

Note 98: NIDS responses are configurable

What actually happens when a NIDS detects something malicious is configurable, but usually the NIDS would 1. log the detection event along with a full packet capture of the malicious traffic.

Note 98: NIDS responses are configurable Part 2

2. An alert would also usually be triggered to notify the investigating team to look into that detected traffic.

Note 99: NIDS Alerts

Depending on the severity of the event, the alert may just email a group, or create a ticket to follow up on, or it might page someone in the middle of the night if it is determined to be really high severity and urgent.

Note 100: NIDS Alerts Part 2

These alerts would usually also include reference information linking to a known vulnerability, or some more information about the nature of the alert to help the investigator look into the event.
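An added example, not from the flashcard set or from any real sensor, of the two responses described in the last cards: on a detection the sensor builds an event record that carries the rule's message and reference information, serializes the offending frames into a classic libpcap file image so the investigator has the full packet capture, and picks notification channels from a severity table. The pcap layout (24-byte global header, 16-byte per-record header, microsecond timestamps) is the real on-disk format; the event fields, severity policy, notification destinations and sample frames are constructed for this example.

```python
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # frames start with a 14-byte Ethernet header
GLOBAL_HDR = "<IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"         # ts_sec, ts_usec, incl_len, orig_len


def pcap_bytes(frames, timestamps, snaplen=65535):
    """Serialize frames into a pcap file image: global header, then one record per frame."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for frame, ts in zip(frames, timestamps):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        incl = min(len(frame), snaplen)  # a snaplen shorter than the frame truncates it
        out.append(struct.pack(RECORD_HDR, sec, usec, incl, len(frame)) + frame[:incl])
    return b"".join(out)


def pcap_frames(data):
    """Parse a pcap file image back into (timestamp, frame) pairs; used to verify the capture."""
    magic, major, minor, _tz, _sig, _snap, _link = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian classic pcap file")
    off, frames = struct.calcsize(GLOBAL_HDR), []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from(RECORD_HDR, data, off)
        off += struct.calcsize(RECORD_HDR)
        frames.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return frames


# Constructed escalation policy in the spirit of the cards: low severity just mails
# a group, medium also opens a ticket, high opens a ticket and pages the on-call.
NOTIFY_BY_SEVERITY = {
    "low": ["email:soc@example.com"],
    "medium": ["email:soc@example.com", "ticket:SOC"],
    "high": ["ticket:SOC", "page:oncall"],
}


def handle_detection(event, frames, now=None):
    """Build what the sensor would log and who it would notify for one detection.

    event:  dict with sid, msg, severity, src, dst and an optional reference
    frames: the raw frames that triggered the rule, plus any follow-on packets kept for context
    Returns the event record, the pcap image and the notification list. A real sensor
    would write the record and pcap to disk or ship them to a SIEM; here they are returned.
    """
    now = time.time() if now is None else now
    severity = event["severity"]
    if severity not in NOTIFY_BY_SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    # Constructed timestamps, 1 ms apart, so the capture stays in order.
    capture = pcap_bytes(frames, [now + i * 0.001 for i in range(len(frames))])
    record = {
        "time": now,
        "sid": event["sid"],
        "msg": event["msg"],
        "severity": severity,
        "src": event["src"],
        "dst": event["dst"],
        "reference": event.get("reference", ""),  # e.g. a CVE or CWE the investigator can read up on
        "capture_frames": len(frames),
        "capture_size": len(capture),
    }
    return {"event": record, "capture": capture, "notify": list(NOTIFY_BY_SEVERITY[severity])}


def fake_frame(payload: bytes) -> bytes:
    """Constructed placeholder frame: 14-byte Ethernet header (dst MAC, src MAC,
    EtherType 0x0800) followed by the payload. Real captures carry IP/TCP headers here."""
    return bytes.fromhex("001122334455 66778899aabb 0800") + payload


if __name__ == "__main__":
    event = {"sid": 1000001, "msg": "WEB-ATTACK /etc/passwd path traversal",
             "severity": "high", "src": "203.0.113.7", "dst": "192.0.2.10",
             "reference": "CWE-22"}
    frames = [fake_frame(b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
              fake_frame(b"HTTP/1.1 404 Not Found\r\n\r\n")]
    result = handle_detection(event, frames)
    print(result["event"])
    print(f"pcap image: {len(result['capture'])} bytes, notify: {result['notify']}")
    with open("sid1000001.pcap", "wb") as fh:  # opens in Wireshark or tcpdump -r
        fh.write(result["capture"])
```

Because the capture is written in the standard pcap format, the investigator can open it directly in Wireshark or tcpdump, and the reference field in the record is where the link to a known vulnerability or other context from the last card would go.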

What is the difference between an intrusion detection system and an intrusion prevention system?

An IDS is designed to only provide an alert about a potential incident, which enables a security operations center (SOC) analyst to investigate the event and determine whether it requires further action. An IPS, on the other hand, takes action itself to block the attempted intrusion or otherwise remediate the incident.

What is the difference between IDS and IPS quizlet?

What is the main difference between the implementation of IDS and IPS devices? An IPS is deployed in line with the traffic, so it can block or drop malicious packets, while an IDS sits out of band (for example on a mirror port) and can only alert. Both can use signature-based or anomaly-based detection, so the quiz option "an IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-based technology" is not the distinguishing factor.

Which type of intrusion detection system can also block attacks quizlet?

An intrusion prevention system (IPS) can block attacks, but it doesn't divert them. A proxy server can filter and cache web content, but doesn't divert attacks either.
