5.9: IDS and IPS (Doshi)

Question 1

What is an IDS?

Answer 1

Device or software application that monitors a network (network based IDS) or monitors a system (host based IDS) for intrusive activities

Question 2

is IDS a substitute for firewall?

Answer 2

No, it complements the function of a firewall.

Question 3

Monitoring activities : Network based IDS vs Host based IDS

Answer 3

Network based IDS monitors activities on identified network.

Host based IDS monitor activities on a particular single system or host

Question 4

False positive rate : Network based IDS vs Host based IDS

Answer 4

The False positive rate (wrong alarm) is HIGH for network based IDS

False positive rate (wrong alarm) is LOW for hot based IDS

Question 5

What does each IDS detect

Answer 5

Network based is better for detecting attack from outside

Host better for detecting attack from insider.

Question 6

What do network based IDS check for

Answer 6

They check for attacks on irregular behavior by inspecting the contents and header information of all packets moving across the network

Question 7

what do host based IDS check for

Answer 7

They can detect activity on host computer such as deletion of files, modification of program

Question 8

Components of an IDS:

Answer 8

Sensors/ analyzers/Administrative console/ user interface

Question 9

What does a sensor do?

Answer 9

Collects the data (in the form of network packets, log files) AND SEND IT TO ANALYZER

Question 10

What does an anlayzer do?

Answer 10

It analyzes the data and determine the intrusive activity

Question 11

User interface?

Answer 11

Enable user to view results and take necessary action

Question 12

Administrative control:

Answer 12

To manage the IDS rules and functions

Question 13

Types of IDS:

Answer 13

Signature based/ statistical based/ Neural network

Question 14

Signature based IDS

Answer 14

Intrusion is identified based of known type of attacks. Such known patterns are stored in form of signature.

Question 15

Statistical based

Answer 15

Determine (known and expected) behavior of the system. Any activity which falls outside the scope of normal behavior is flagged as intrusion

Question 16

Neural network

Answer 16

It’s similar to statistical IDS, but with added self-leaning functionality. IT monitors the general pattern of activities and create a database

Question 17

Limitation of IDS

Answer 17

Cannot detect application level vulnerabilities
Back doors into application
Cannot detect encrypted traffic

Question 18

Network IDS placed between internet and firewall

Answer 18

It will detect all the attack attempts (whether or not they enter the firewall).

Question 19

Network IDS placed between firewall and the corporate network

Answer 19

It will detect only those attempts which enter the firewall ( cases where the firewall failed to block the attack).

Question 20

IPS vs IDS

Answer 20

IDS only monitors and records the intrusion activities

IPS Detects and prevents intrusions

Question 21

Challenges in implementation of IPS

Answer 21

Threshold limits that are too high or too low will reduces the effectiveness of IPS.
IPS may itself become a threat when attackers send commands to large number of host protected by IPS to make them dysfunctional.

Question 22

Which IDS creates its own database?

Answer 22

Neural Network

Question 23

Which IDS system is effective in detecting fraud?

Answer 23

Neural Network

Question 24

Which IDS generates MOST false positives (false alarms)?

Answer 24

Statistical based IDS

Question 25

In any given scenario, out of all three IDS (i.e. (i) signature (ii) statistics and (iii) neural network), neural network

Answer 25

creates its own database.

Question 26

Of all three IDS (i.e. (i) signature (ii) statistics and (iii) neural network), neural network is more effective

Answer 26

in detecting fraud

Question 27

)In any given scenario, out of all three IDS (i.e. (i) signature (ii) statistics and (iii) neural network), statistical based IDS generates

Answer 27

most false positives (false alarms).

Question 28

In any given scenario, out of four components of IDS (i.e. (i) sensor (ii) analyzer (iii) admin console and (iv) user interface) sensor collects

Answer 28

the data and send to analyzer for data analysis.

Question 29

In any given scenario, MOST important concern of IDS implementation is that

Answer 29

attacks not identified/detected by IDS.