Network Intrusion Detection and Prevention 2.1

Question 1

NIDS (Network-based Intrusion Detection System)

Answer 1

Designed to detect, log, respond. Works in real time and after the fact. Alerts against exploits against the OS, applications, etc. Detects if there is a buffer overflow, cross site scripting and vulnerabilities. Only provides alerts/alarms. These are software systems but in large systems, requires dedicated hardware.

Question 2

NIPS (Network-based Intrusion Prevention System)

Answer 2

Stops intrusions before they get into the network. Overflows, x-site scripting, vulnerabilities, etc. Can receive a copy of your network traffic to tell you if bad traffic has come through. “Can automatically respond to certain events”, via a defined set of rules.

Question 3

Out-of-Band Response

Answer 3

If the IPS recognizes malicious traffic, it will send a message to the switch telling it to reset the connection with the malicious traffic. This is after the fact however because the traffic was already allowed through. It can not reset UDP connections.

Question 4

Inline Monitoring/In-Band Response

Answer 4

IPS/IDS sit in line between the firewall and the core network switch. If it identifies malicious traffic, the connection is dropped at the IPS. This causes an In-Band Response.

Internet || Firewall || IPS || Core Switch

Question 5

Identification Technologies

Answer 5

Signature based technology. It looks for a perfect match of known malicious code. It also can detect anomaly’s or certain behaviors of code. Additionally it can use artificial intelligence to identify potential malicious code. This is subject to creating false positives/negatives however.

Question 6

IPS rules

Answer 6

You determine block/allow/send alerts etc.