Transcript of the video: Network Intrusion Detection and Prevention – CompTIA Security+ SY0-501 – 2.1
Security professionals incorporate a network-based intrusion detection system (IDS) or a network-based intrusion prevention system (IPS) on their networks. This is designed to watch traffic through the network, and if this device identifies an exploit against an operating system, a buffer overflow, a database injection, or a cross-site script, it's either going to inform you that that happened, if you're using an IDS, or block the traffic, if you're using an IPS. And that is the most significant difference between an IDS and an IPS: with an intrusion detection system you'll simply receive an alarm or an alert, whereas an intrusion prevention system has the capability to stop that intrusion before it gets onto your network.

There are many different ways to engineer your IPS into your network. One way is to configure it as a passive monitoring device. This means that the IPS will receive a copy of the traffic and be able to then make a decision on what to do once it's received that information. Because it is acting as a passive monitor, it's obviously not sitting in the middle of the communication and able to block traffic. You might have traffic going from one device to another, and as it's passing through the switch, a copy is sent to the IPS. If something is identified in the middle of this communication, you may be able to have the IPS inform you that it saw the intrusion, but obviously the traffic has already passed through your network to the other device.

The only possibility that you might have when you're in a passive mode is to be able to send what's called an out-of-band response. It's an out-of-band response because the IPS is not part of the traffic flow; it's sitting out of the band of the communication. If traffic does traverse the network and the IPS receives a copy and determines that that traffic is malicious, it can send a TCP reset frame to both the source of the communication and the destination. This TCP reset will close the session between these two devices, and they will no longer be able to send traffic to each other unless they set up another traffic flow between the two devices. This is obviously done after the fact, and you're hoping that you're able to stop this communication before much of the malicious data is able to traverse the network.

This also has very limited capabilities if there are protocols other than TCP. For example, UDP doesn't allow you to perform a reset, so if this is a UDP communication, there's no way to stop it if you're sitting in an out-of-band mode. If a security professional is looking for more control over these traffic flows, then they'll probably configure their IPS for inline monitoring. All traffic then is going to pass through the IPS, and the IPS is going to make a decision on whether that traffic is allowed through the network or not. Because the IPS is sitting inline, the response to any type of malicious traffic will be to drop it immediately at the IPS and not allow it to traverse the network.
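The passive-versus-inline trade-off described above, as an added simulation that is not part of the video and is not code from any IPS product. The packets, the session bookkeeping and the per-packet "malicious" verdict are all constructed here; the verdict stands in for whatever detection engine the IPS is using. The point it makes concrete is the one the transcript makes in words: a passive sensor can only reset a TCP session after the flagged bytes have already been delivered, and for UDP it has no reset at all, whereas an inline sensor drops before forwarding.

```python
"""Passive (out-of-band) versus inline IPS response, simulated.

Added example; this is not code from the video or from any IPS product.
Packets, sessions and the 'malicious' verdicts are all constructed so the
script runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str                # "tcp" or "udp"
    src: str
    dst: str
    payload: int              # payload length in bytes
    malicious: bool = False   # constructed detector verdict for this packet


@dataclass
class Session:
    proto: str
    src: str
    dst: str
    delivered: int = 0        # bytes that reached the destination
    closed: bool = False      # torn down by an out-of-band TCP reset
    resets_sent: list = field(default_factory=list)


def run_sensor(packets, mode):
    """Replay packets through a sensor in 'passive' or 'inline' mode.

    passive: the sensor only sees a copy; the switch has already forwarded the
             packet, so the only response is an out-of-band TCP reset to both ends.
    inline:  the sensor is in the forwarding path and drops before forwarding.
    Returns (sessions keyed by (proto, src, dst), total bytes dropped).
    """
    sessions = {}
    dropped = 0
    for p in packets:
        key = (p.proto, p.src, p.dst)
        s = sessions.setdefault(key, Session(p.proto, p.src, p.dst))
        if s.closed:
            # both endpoints saw the reset; nothing more is delivered on this session
            continue
        if mode == "inline":
            if p.malicious:
                dropped += p.payload      # dropped at the IPS, never forwarded
                continue
            s.delivered += p.payload
        elif mode == "passive":
            s.delivered += p.payload      # already forwarded when the copy arrives
            if p.malicious and p.proto == "tcp":
                s.resets_sent = [p.src, p.dst]   # RST to source and destination
                s.closed = True
            # malicious UDP: there is no reset, so a passive sensor can only alert
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return sessions, dropped


# Constructed traffic: a TCP session whose second segment is flagged, followed by
# a UDP exchange whose first datagram is flagged.
SAMPLE_TRAFFIC = [
    Packet("tcp", "10.0.0.5", "10.0.0.20", 100),
    Packet("tcp", "10.0.0.5", "10.0.0.20", 400, malicious=True),
    Packet("tcp", "10.0.0.5", "10.0.0.20", 200),
    Packet("udp", "10.0.0.7", "10.0.0.21", 300, malicious=True),
    Packet("udp", "10.0.0.7", "10.0.0.21", 50),
]


def summarize(mode, packets=SAMPLE_TRAFFIC):
    """Per-mode summary: bytes delivered per session, bytes dropped, resets sent."""
    sessions, dropped = run_sensor(packets, mode)
    tcp = sessions[("tcp", "10.0.0.5", "10.0.0.20")]
    udp = sessions[("udp", "10.0.0.7", "10.0.0.21")]
    return {
        "tcp_delivered": tcp.delivered,
        "tcp_closed": tcp.closed,
        "tcp_resets": tcp.resets_sent,
        "udp_delivered": udp.delivered,
        "dropped": dropped,
    }


if __name__ == "__main__":
    for mode in ("passive", "inline"):
        print(mode, summarize(mode))
```

In passive mode the flagged 400-byte TCP segment is delivered before the reset closes the session, and the flagged UDP datagram is delivered with nothing the sensor can do about it; in inline mode both are dropped and the session keeps running for the benign traffic.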
There are many different ways to look for malicious traffic going through your IPS, and not all IPSs will use all of these methods. One of the most common is signature-based identification, where a signature is predefined inside of the IPS and it's watching for traffic to traverse the network that matches this signature exactly. If it identifies traffic that matches exactly what we're seeing, it will block that traffic at the IPS. Another method of identification is anomaly-based: your IPS will sit on the network and begin to understand what a normal traffic flow is for your network. If any traffic comes through that doesn't match the normal flow of traffic, the anomaly-based identification will block it at the IPS.

The IPS may also have the capability to look for certain behaviors. If a user deletes a file or changes things on a server, the IPS may be configured to look for that behavior, and if it occurs it can block it at the IPS. Some of the more advanced intrusion prevention systems can identify attacks based on heuristics instead of using a specific set of signatures. The IPS could be configured with a set of characteristics that might define an attack; as traffic is coming through, the heuristics can then examine that traffic and make a determination on whether an attack is taking place or not.

An IPS makes the decision on what vulnerabilities to look for, and what to do if a vulnerability is found, based on a series of rules. You define what the IPS is looking for based on up to thousands of different rules that might be in this rule base.
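Anomaly-based identification as the transcript describes it, as an added example that is not part of the video and not code from any IPS product. It learns a per-service baseline (mean and standard deviation of flow size, keyed by protocol and destination port) from a constructed set of "normal" flows, then blocks any flow whose service was never seen or whose size is more than `k` standard deviations above its service's mean. The flow sizes, the threshold `k=3.0` and the 5% floor on the spread are all assumptions made here for the example.

```python
"""Anomaly-based identification: learn what 'normal' looks like, then flag deviations.

Added example, not code from the video or from any IPS product. The baseline
flows, the test flows and the threshold are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed training flows observed during the learning period: (proto, dst_port, bytes).
BASELINE_FLOWS = [
    ("tcp", 443, 12000), ("tcp", 443, 15000), ("tcp", 443, 9800),
    ("tcp", 443, 13400), ("tcp", 443, 11100),
    ("udp", 53, 180), ("udp", 53, 210), ("udp", 53, 160),
    ("udp", 53, 195), ("udp", 53, 220),
]


def learn_baseline(flows):
    """Per (proto, dst_port) mean and population standard deviation of flow size."""
    groups = defaultdict(list)
    for proto, port, size in flows:
        groups[(proto, port)].append(size)
    return {key: (statistics.fmean(sizes), statistics.pstdev(sizes))
            for key, sizes in groups.items()}


def score_flow(baseline, flow, k=3.0):
    """Return (verdict, reason) for one flow against the learned baseline.

    A service never seen in the learning period, or a flow more than k standard
    deviations above its service's mean size, does not match normal traffic.
    """
    proto, port, size = flow
    key = (proto, port)
    if key not in baseline:
        return "block", "service not seen during baseline"
    mean, stdev = baseline[key]
    # guard against a zero or near-zero deviation from a tiny or uniform sample
    spread = max(stdev, 0.05 * mean)
    z = (size - mean) / spread
    if z > k:
        return "block", f"{z:.1f} standard deviations above normal"
    return "allow", f"{z:.1f} standard deviations from normal"


def classify_all(flows, baseline=None):
    """Verdict for each flow, learning the baseline from BASELINE_FLOWS if none is given."""
    baseline = baseline or learn_baseline(BASELINE_FLOWS)
    return [score_flow(baseline, f)[0] for f in flows]


# Constructed test flows. The 60000-byte HTTPS flow is a legitimate but unusually
# large download: anomaly detection blocks it anyway, which is a false positive.
TEST_FLOWS = [
    ("tcp", 443, 13000),   # ordinary HTTPS
    ("tcp", 443, 60000),   # legitimate large download, but far outside the baseline
    ("udp", 53, 200),      # ordinary DNS
    ("udp", 53, 6000),     # DNS flow far larger than anything seen while learning
    ("tcp", 2589, 500),    # service never seen while learning
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for flow in TEST_FLOWS:
        print(flow, *score_flow(base, flow))
```

The second test flow shows the weakness the transcript comes back to later: a baseline only knows what it was shown, so a legitimate flow that simply looks unusual is blocked along with the genuinely abnormal ones.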
The rules are usually grouped together by different characteristics, and you can make some broad settings to say anything that's a database injection you may want to block, but anything that's malware you may want to send an alert. This can really take a lot of time to find exactly the right balance of what you'd like to do. An intrusion prevention system can create a number of false positives and create a large number of alerts, so you have to find exactly the right number of rules that you'd like to look for and be able to configure your IPS for the type of traffic that works for you.

Here's a page of IPS rules I took from a pfSense firewall. You can see that signature 105, for example, uses TCP; if it identifies port 2589 as a source port that's going to any destination port, then there is a signature that identifies that as a backdoor created by malware called Dagger. You can see that this goes on and on; there are thousands of rules that you can configure, and it's up to you to enable the rules that are important for you and then determine what the disposition of each one of these rules is going to be.

A significant challenge you have with intrusion prevention systems is that they're going to give you a lot of alerts and a lot of messages, and unfortunately a number of these messages are not going to be accurate. We call these false positives, where the system has told us that there has been an intrusion onto the network, but in reality it's a case of mistaken identity and there was not an intrusion at all. If this is a signature-based IPS, then these messages that you're going to receive from the IPS are only going to be as good as those signatures. The more advanced and complex signatures are probably going to provide you with fewer false positives. Unfortunately, it can be very time consuming to go through every single alert and message you get through the IPS, but unless you have a way to research these, you'll never know which of these alerts are legitimate and which ones are false positives.

Sometimes these false positives can create significant problems. For example, in April 2017 the Webroot antivirus began marking certain operating system files in Windows as being malicious, and it began quarantining parts of the operating system itself. It also marked Facebook and Bloomberg sites as phishing sites, even though the Windows files and these sites were not malicious at all.

Perhaps even worse than a false positive on an IPS is a false negative. This is when malicious traffic came through the IPS, but the IPS did not identify it as malicious. If this malicious traffic did get through the firewall, then you probably have a machine that has been infected, and you'll ultimately see that whenever you perform an antivirus scan. But it sometimes can be difficult to know when this happens, because you got no messages and no identification of anything malicious; you have no idea that it passed through the IPS. In some cases you can find industry tests that are done with intrusion prevention systems and antivirus and anti-malware, where they will send traffic through the software and hardware to see what kind of catch rates they can get, so that you at least have some way to compare the differences between one IPS and another.
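The rule base, the per-category dispositions, and the false positive / false negative problem from the passages above, brought together in one added example that is not part of the video and not code from pfSense, Snort or Suricata. The first rule is written in a Snort-like syntax from the transcript's description of signature 105 (TCP, source port 2589, Dagger backdoor); it is not the real signature text. The second rule, the `classtype` names, the block/alert policy and every sample flow are constructed. Running the rules over labelled traffic shows both failure modes the transcript describes: a benign client that happens to use source port 2589 trips the backdoor rule (false positive), and an attack whose payload differs from the signature only in letter case slips past an exact-match rule (false negative), which is what a catch-rate test measures.

```python
"""Signature rules with per-category dispositions, checked for false positives and
false negatives on labelled traffic.

Added example, not code from the video, pfSense, Snort or Suricata. The first rule
is written from the video's description of signature 105 and is not the real rule;
the second rule, the classtypes, the policy and the sample flows are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

RULES_TEXT = """
alert tcp any 2589 -> any any (msg:"BACKDOOR Dagger (constructed from video description)"; sid:105; classtype:trojan-activity;)
alert tcp any any -> any 80 (msg:"SQL injection attempt (constructed)"; content:"' OR 1=1"; sid:900001; classtype:web-application-attack;)
"""
# Broad per-category dispositions, as the video describes: block injections, alert on malware.
POLICY = {"web-application-attack": "block", "trojan-activity": "alert"}
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")


@dataclass(frozen=True)
class Rule:
    proto: str; src: str; sport: str; dst: str; dport: str
    msg: str
    content: Optional[str]   # exact, case-sensitive payload substring, if any
    sid: int
    classtype: str


@dataclass(frozen=True)
class Flow:
    proto: str; src: str; sport: int; dst: str; dport: int
    payload: str
    malicious: bool          # ground-truth label, used only for evaluation


def parse_rules(text):
    """Parse header fields and the msg/content/sid/classtype options of each rule line."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        opts = {}
        for opt in m["opts"].split(";"):
            if opt.strip():
                key, _, value = opt.partition(":")
                opts[key.strip()] = value.strip().strip('"')
        rules.append(Rule(m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                          opts.get("msg", ""), opts.get("content"),
                          int(opts["sid"]), opts.get("classtype", "unknown")))
    return rules


def rule_hits(rule, flow):
    """Header fields must match exactly (or be 'any'), then content must appear verbatim."""
    pairs = ((rule.proto, flow.proto), (rule.src, flow.src), (rule.sport, flow.sport),
             (rule.dst, flow.dst), (rule.dport, flow.dport))
    if not all(spec == "any" or spec == str(val) for spec, val in pairs):
        return False
    return rule.content is None or rule.content in flow.payload


def inspect_flow(flow, rules, policy=POLICY):
    """Return (disposition, matching sids); block outranks alert, alert outranks allow."""
    hits = [r for r in rules if rule_hits(r, flow)]
    dispositions = {policy.get(r.classtype, "alert") for r in hits}
    verdict = "block" if "block" in dispositions else "alert" if dispositions else "allow"
    return verdict, [r.sid for r in hits]


def evaluate(flows, rules, policy=POLICY):
    """Compare verdicts with labels: true/false positives and negatives, plus catch rate."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for f in flows:
        flagged = inspect_flow(f, rules, policy)[0] != "allow"
        if flagged:
            counts["tp" if f.malicious else "fp"] += 1
        else:
            counts["fn" if f.malicious else "tn"] += 1
    counts["catch_rate"] = counts["tp"] / max(1, counts["tp"] + counts["fn"])
    return counts


# Constructed labelled traffic.
SAMPLE_FLOWS = [
    Flow("tcp", "10.0.0.9", 2589, "203.0.113.5", 4444, "constructed backdoor beacon", True),
    # a normal client that happened to pick 2589 as its ephemeral source port
    Flow("tcp", "10.0.0.12", 2589, "198.51.100.7", 443, "TLS ClientHello (constructed)", False),
    Flow("tcp", "198.51.100.9", 51234, "10.0.0.80", 80, "GET /login?user=admin' OR 1=1-- HTTP/1.1", True),
    # the same request in lower case: the exact-match signature misses it
    Flow("tcp", "198.51.100.9", 51235, "10.0.0.80", 80, "GET /login?user=admin' or 1=1-- HTTP/1.1", True),
    Flow("tcp", "198.51.100.22", 40000, "10.0.0.80", 80, "GET /index.html HTTP/1.1", False),
]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for f in SAMPLE_FLOWS:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}", inspect_flow(f, rules))
    print(evaluate(SAMPLE_FLOWS, rules))
```

On this traffic the rule base catches two of the three labelled attacks (a catch rate of 2/3) and raises one false positive; tuning, as the transcript says, means deciding rule by rule whether a match should block, alert, or be disabled for your traffic, and checking the result against labelled samples like these rather than trusting the alert volume.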