Chapter 4 Flashcards
Intrusion detection systems (IDSs) monitor:
a network and send alerts
when they detect suspicious events on a system or network.
Intrusion prevention systems (IPSs) react:
to attacks in progress and prevent them from
reaching systems and networks.
A host-based intrusion detection system (HIDS) is:
additional software
installed on a system such as a workstation or server.
A host-based intrusion detection system (HIDS) provides:
protection to
the individual host and can detect potential attacks and protect critical
operating system files.
The primary goal of any IDS is to
monitor traffic.
For a HIDS, traffic passes through:
the network interface card (NIC).
Many host-based IDSs have expanded to:
monitor application activity on
the system.
monitor the server application
You can install a HIDS on different:
Internet-facing servers, such as web servers, mail servers, and database servers.
A HIDS can help detect:
malicious software
(malware) that traditional antivirus software might miss.
A network-based intrusion detection system (NIDS) monitors:
activity
on the network.
An administrator installs NIDS sensors or collectors on:
network devices such as routers and firewalls.
NIDS sensors or collectors gather:
information and report to a central monitoring server hosting a NIDS console.
A NIDS is not able to:
detect anomalies on individual systems or
workstations unless the anomaly causes a significant difference in network traffic.
decrypt encrypted traffic.
The NIDS provides overall:
monitoring and
analysis and can detect attacks on the network.
Most switches support:
port mirroring, allowing administrators to configure the switch to send all traffic received by the switch to a single port.
After configuring a port mirror, you can use it as a:
tap to send all switch data to a sensor or collector, and forward this to a NIDS.
It’s possible to configure taps on routers to:
capture all traffic sent through the switch and
send it to the IDS.
The decision on where you want to place the sensors depends on:
what you want to measure.
If you want to see all attacks on your network, put a sensor on:
the Internet side