Intrusion detection and prevention systems play an extremely important role in the defense of networks against hackers and other security threats. They sit on the network and monitor traffic, searching for signs of potentially malicious traffic. Learn the use of network intrusion detection and prevention systems as well as the modeling techniques used by IDS/IPS: behavior, signature, anomaly and heuristic.
- [Narrator] Intrusion detection and prevention systems play an extremely important role in the defense of networks against hackers and other security threats. Intrusion detection systems sit on the network and monitor traffic, searching for signs of potentially malicious activity. For example, an intrusion detection system might notice that a request bound for a web server contains a SQL injection attack, that a malformed packet is attempting to create a denial of service, that a user's login attempt seems unusual based upon the time of day and prior patterns of activity, or that a system on the internal network is attempting to contact a botnet command and control server.
All of these situations are examples of security issues that administrators would obviously want to know about. Intrusion detection systems identify these situations, and then alert administrators to any issues for further investigation. In many cases, administrators are not available to immediately review alerts and take action, or are simply overwhelmed by the sheer volume of alerts generated by an intrusion detection system. That's where intrusion prevention comes into play.
Intrusion prevention systems are just like intrusion detection systems, but with a twist. They can take immediate corrective action in response to a detected threat. In most cases, this means blocking the potentially malicious traffic from entering the network. Intrusion detection and prevention systems use two different techniques to identify suspicious traffic. The most common, and most effective, method is called signature detection. This approach works in a manner similar to antivirus software.
Signature-based systems contain very large databases with patterns of data, or signatures, known to be associated with malicious activity. When the system spots network traffic matching one of those signatures, it triggers an intrusion alert. The downside to this approach is that a signature-based system cannot detect a previously unknown attack. If you're one of the first victims of a new attack, that attack might sneak right past a signature detection system. The upside is that if the signatures are well designed, these systems work very well with a low false positive rate.
Signature detection is a reliable, time-tested technology. The second method used by intrusion detection systems is known as anomaly detection. This model takes a completely different approach to the intrusion detection problem. Instead of trying to develop signatures for all possible malicious activity, the anomaly detection system tries to develop a model of normal activity, and then reports deviations from that model as suspicious. For example, an anomaly detection system might notice that a user who normally connects to the VPN from home during the early evening hours is suddenly connecting from Asia in the middle of the night.
The system can then either alert administrators, or proactively block the connection, depending upon the policy configuration. The models developed by these intrusion detection and intrusion prevention systems are often application aware, and understand how to dissect the layer seven protocols in use during a communication. Anomaly detection does have the potential to notice new attack types, but it has a high false positive error rate, and is not widely used by security administrators.
This technology has several different names. When you take the Security+ exam, know that anomaly detection, behavior detection, and heuristic approaches are the same thing.
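The two techniques the narrator contrasts, as a small added example in Python that is not part of the course or its materials: a signature detector that matches a constructed rule database against sample events, beside an anomaly detector that learns one user's normal login country and time of day and flags deviations from that model. All patterns, users, hostnames and log lines are constructed; the C2 hostname is a placeholder, not a real indicator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Signature detection: a constructed rule set of patterns known to accompany attacks
# (a production IDS ships thousands of these). The C2 hostname is a placeholder.
SIGNATURES = {
    "sql-injection": re.compile(r"(%27|')(\s|%20)*(or|union)\b", re.IGNORECASE),
    "known-c2-domain": re.compile(r"\bc2-placeholder\.example\b"),
}

def signature_alerts(event):
    """Return the names of every signature that matches this event string."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(event)]

class LoginBaseline:
    """Anomaly detection: learn each user's normal (country, time-of-day) logins
    and flag a login that falls outside that model. Unknown users are flagged too."""
    def __init__(self):
        self.seen = defaultdict(set)

    @staticmethod
    def _bucket(ts):
        return ts.hour // 6          # four six-hour time-of-day buckets

    def train(self, user, country, ts):
        self.seen[user].add((country, self._bucket(ts)))

    def is_anomalous(self, user, country, ts):
        # Legitimate travel lands here too: the false-positive cost the narrator describes.
        return (country, self._bucket(ts)) not in self.seen.get(user, set())

def run_demo():
    """Run both detectors over constructed sample events; return their alerts."""
    events = [
        "HTTP GET /search?q=shoes",
        "HTTP GET /login?user=admin'%20OR%201=1",
        "DNS query A c2-placeholder.example",
    ]
    sig = {e: signature_alerts(e) for e in events}
    baseline = LoginBaseline()
    for day in range(1, 11):      # ten evening logins from the US form the baseline
        baseline.train("alice", "US", datetime(2024, 1, day, 19, 30))
    logins = [
        ("alice", "US", datetime(2024, 1, 12, 18, 5)),   # matches the learned model
        ("alice", "SG", datetime(2024, 1, 13, 2, 40)),   # new country, middle of night
    ]
    anomalies = [(u, c) for u, c, t in logins if baseline.is_anomalous(u, c, t)]
    return sig, anomalies
```

Note that the signature detector says nothing about the unusual login and the anomaly detector says nothing about the injection attempt, which is why the narrator's two models are complementary rather than interchangeable.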
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security