From the course: CompTIA Security+ (SY0-701) Cert Prep

Network intrusion detection and prevention

- [Instructor] Intrusion detection and prevention systems play an extremely important role in defending networks against hackers and other security threats. Intrusion detection systems sit on the network and monitor traffic, searching for signs of potentially malicious traffic. For example, an intrusion detection system might notice that a request bound for a web server contains a SQL injection attack, a malformed packet is attempting to create a denial of service, a user's login attempt seems unusual based upon the time of day and prior patterns, or that a system on the internal network is attempting to contact a botnet command and control server. All of these situations are examples of security issues that administrators would obviously want to know about. Intrusion detection systems identify this type of situation and then alert administrators to the issue for further investigation.

In many cases, administrators are not available to immediately review alerts and take action, or they're simply overwhelmed by the sheer volume of alerts generated by an intrusion detection system. That's where intrusion prevention comes into play. Intrusion prevention systems are just like intrusion detection systems, but with a twist. An intrusion prevention system can take immediate corrective action in response to a detected threat. In most cases, this means blocking the potentially malicious traffic from entering the network.

And intrusion detection systems can make mistakes. There are two different types of errors caused by these systems, and monitoring those errors is an important part of security analytics. False positive errors occur when the system alerts administrators to an attack, but the attack does not actually exist. This is an annoyance to the administrator who wastes time investigating the alert, and it may lead to administrators ignoring future alerts. False negative errors occur when an attack actually takes place, but the intrusion detection system doesn't notice it.

Intrusion detection and prevention systems use two different technologies to identify suspicious traffic. The most common and most effective method is called signature detection. This approach works in a manner similar to antivirus software. Signature-based systems contain very large databases with patterns of data, or signatures, that are known to be associated with malicious activity. When the system spots traffic matching one of those signatures, it triggers an intrusion alert. This approach is known as rule-based detection. The downside to this approach is that a signature-based system cannot detect a previously unknown attack. If you are one of the first victims of a new attack, it will sneak right past a signature detection system. The upside is that if the signatures are well-designed, these systems work very well with a low false positive rate. Signature detection is reliable, time-tested technology.

The second method is known as anomaly detection. This model takes a completely different approach to the intrusion detection problem. Instead of trying to develop signatures for all possible malicious activity, the anomaly detection system tries to develop a model of the trend of normal activity and then report deviations from those trends as suspicious. For example, an anomaly detection system might notice that a user who normally connects to the VPN from home during the early evening hours is suddenly connecting from Asia in the middle of the night. The system can then either alert administrators or block the connection depending upon the policy that's set. The models developed by these intrusion detection and prevention systems are often application aware and understand how to dissect the layer 7 protocols in use during a communication. Anomaly detection does have the potential to notice new attack types, but it has a high false positive error rate, and therefore it's not widely used by security administrators. This technology has several different names. When you take the exam, know that anomaly detection, behavior detection, and heuristic approaches are the same thing.

There are also differences in the way that intrusion prevention systems are set up and configured on the network. Let's talk about two different approaches, inline and out-of-band. In an inline deployment, the intrusion prevention system sits directly on the network path and all communications must pass through it on the way to their final destination. In this approach, the IPS can block suspicious traffic from reaching its final destination. While this approach allows an active response, it also adds the risk that an issue with the IPS can disrupt all network communications because the inline IPS is a single point of failure. In an out-of-band deployment, the IPS is not in the network path, but it sits outside the flow of network traffic where it can still monitor traffic. It's connected to a SPAN or tap port on a switch, which allows it to receive copies of all traffic sent through the network to scan, but it can't disrupt the flow of traffic. This approach is also known as passive mode because the IPS can still react by sending commands to block future traffic from offending systems, but it cannot stop the initial attack from entering the network because it only learns about that traffic after it has been sent.
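The two detection models and the two error types described above, as an added example that is not part of the course: a tiny signature matcher for web requests and a baseline-driven anomaly check for VPN logins, each scored for false positives and false negatives against constructed, labelled sample data. The signature patterns, user names, countries and request strings are all made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed signature set (illustrative patterns, not a real IDS ruleset).
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "c2-beacon": re.compile(r"\bc2\.example\.invalid\b", re.I),
}

def signature_detect(event):
    """Rule-based detection: names of the signatures matching the event payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["data"])]

def build_baseline(history):
    """Learn each user's normal (country, 6-hour bucket) pairs from past logins."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev["user"]].add((ev["country"], ev["hour"] // 6))
    return baseline

def anomaly_detect(event, baseline):
    """Flag a login whose (country, time bucket) was never seen for that user."""
    return (event["country"], event["hour"] // 6) not in baseline.get(event["user"], set())

def score(verdicts, labels):
    """Count false positives and false negatives against ground-truth labels."""
    fp = sum(1 for v, truth in zip(verdicts, labels) if v and not truth)
    fn = sum(1 for v, truth in zip(verdicts, labels) if not v and truth)
    return {"false_positive": fp, "false_negative": fn}

# Constructed sample data: alice normally logs in from the US in the evening.
HISTORY = [{"user": "alice", "country": "US", "hour": h} for h in (18, 19, 20, 21)]
LOGINS = [
    {"user": "alice", "country": "US", "hour": 19},  # normal
    {"user": "alice", "country": "SG", "hour": 3},   # the "from Asia at night" case
    {"user": "alice", "country": "US", "hour": 9},   # legitimate but unusual hour
]
LOGIN_LABELS = [False, True, False]  # truth: only the second login is an attack
WEB = [
    {"data": "GET /search?q=shoes"},
    {"data": "GET /login?user=admin' OR '1'='1"},
    {"data": "GET /item?id=5 UNION SELECT password FROM users"},
    {"data": "GET /api?x=unknown_zero_day_payload"},  # novel attack, no signature yet
]
WEB_LABELS = [False, True, True, True]

def run():
    """Anomaly detection trades a false positive for catching the unseen; signatures miss it."""
    baseline = build_baseline(HISTORY)
    anom = score([anomaly_detect(e, baseline) for e in LOGINS], LOGIN_LABELS)
    sig = score([bool(signature_detect(e)) for e in WEB], WEB_LABELS)
    return {"anomaly": anom, "signature": sig}
```

Running `run()` shows the trade-off the lecture describes: the anomaly model catches the night-time login from Asia but also raises a false positive on a legitimate morning login, while the signature matcher produces no false positives but misses the request it has no rule for.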