Network Intrusion Detection and Prevention – CompTIA Security+ SY0-401: 1.1


IDS and IPS technology can watch for a wide variety of attacks by examining the traffic as it passes through the network in real-time. In this video, you’ll learn about IDS/IPS technology and the identification technologies that they use.



It’s nice to be able to look at every packet that goes through the network and see the details of exactly what’s going by. But there’s a lot of traffic going through our enterprise networks, and there’s no possible way a human being could analyze all of it and find the bad stuff within it. That’s why we have technologies called intrusion detection systems (IDS) and intrusion prevention systems (IPS). These systems are designed to do that for us, to watch the traffic as it goes by.

If it sees something suspicious in those flows, it will flag it as an exploit attempt or some other type of malicious traffic. In the case of an IPS, the device is designed to actually stop that traffic. So it’s looking through everything going by to identify known exploits against our operating systems and applications, things like buffer overflows or cross-site scripting. These are very well-known attacks that people use to gain access to your systems through means they should not have.

When we have these devices on the network, we call them an IDS or an IPS based on what they can do when they find a problem. An IDS, an intrusion detection system, is designed to alarm or alert when it sees something bad on the network. It usually sits out of band, watching a copy of the traffic from a tap or a mirror port, so generally an IDS can’t stop anything on its own.

And obviously, if something bad is going across your network, you may want the option to stop that traffic. That’s where an IPS steps in. An intrusion prevention system sits inline in the traffic path, and whenever it sees something bad, it stops it right there. The traffic never gets inside your network and never makes it to the end user, which makes your network a little bit better from a security perspective.

One of the challenges you have with an IDS or an IPS, then, is identifying things properly. If you have an IPS in place, you’re providing that prevention and you’re dropping packets, so you need to be very, very sure you’re not dropping legitimate traffic. A false positive on an IDS is an alert somebody has to look at; a false positive on an inline IPS is an outage. That’s why many deployments run new rules in alert-only mode for a while before turning on blocking. It’s a balancing act we as security professionals face all the time: we want to stop the bad stuff, we want to allow the good stuff, and we have to find a happy medium in between that makes everybody happy.

A fundamental technology used in an IPS or IDS is the signature-based match. We want to look at the exact bytes going over the network, and if we see a particular sequence, we’re going to stop that traffic. Some of these signatures can be very, very detailed.

This is one for a worm, Conficker.A. This is the shellcode, and I pulled this right from an open source IDS/IPS called Snort. And you can see one of the signatures that’s used to gather that information. Pretty complex, very, very detailed. In this case, all in hexadecimal. We’re looking for some very specific kinds of data going through.
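The following is an added example, not code from the video or from the Snort project. It shows what the signature-based matching described above boils down to: a Snort-style `content:"..."` string, with literal text and `|hex|` byte groups, is compiled to raw bytes and searched for as an exact substring in each packet payload. The two rules and the packet payloads are constructed for illustration (they are not the real Conficker.A rule), and the `inspect` function takes an `ids`/`ips` mode so the same match either alerts only or drops. The last sample shows the caveat a practitioner cares about: an exact byte match is all-or-nothing, so a trivially altered payload slips past unless the rule accounts for it.

```python
import re

# Constructed, Snort-style content signatures (hypothetical rules, not the
# real Conficker.A rule from the Snort ruleset). Each content string is a mix
# of literal text and |hex| byte groups, as in Snort's rule language.
SIGNATURES = {
    "CONSTRUCTED-SHELLCODE-NOP-SLED": 'content:"|90 90 90 90 90 90 90 90|"',
    "CONSTRUCTED-XSS-SCRIPT-TAG": 'content:"<script>"',
}


def parse_content(rule):
    """Turn a Snort-style content:"..." string into the raw bytes to search for.

    Text outside |...| is taken literally; text inside |...| is hex bytes.
    (Escaped pipes inside literal text are not handled; this is a teaching
    parser, not a full Snort rule parser.)
    """
    m = re.search(r'content:"(.*)"', rule)
    if not m:
        raise ValueError("no content: keyword in rule")
    out = bytearray()
    # Splitting on "|" alternates literal text (even index) and hex (odd index).
    for i, part in enumerate(m.group(1).split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


# Compile every rule once; the sensor does this at rule load, not per packet.
COMPILED = {name: parse_content(rule) for name, rule in SIGNATURES.items()}


def inspect(payload, mode="ids"):
    """Return (action, matched_signature_names) for one packet payload.

    mode="ids": alert only, the action is always "pass".
    mode="ips": the action is "drop" on any exact byte match, else "pass".
    The match is an exact, case-sensitive substring search, like Snort's
    content keyword without the nocase modifier.
    """
    hits = [name for name, sig in COMPILED.items() if sig in payload]
    if hits and mode == "ips":
        return "drop", hits
    return "pass", hits


if __name__ == "__main__":
    # Constructed sample payloads.
    samples = {
        "nop sled": b"A" * 20 + b"\x90" * 8 + b"\xcc",
        "xss probe": b"GET /?q=<script>alert(1)</script> HTTP/1.1",
        "xss probe, mixed case": b"GET /?q=<ScRiPt>alert(1)</ScRiPt> HTTP/1.1",
        "benign": b"GET /index.html HTTP/1.1",
    }
    for label, payload in samples.items():
        print(f"{label:24s} ids={inspect(payload, 'ids')}  ips={inspect(payload, 'ips')}")
```

The mixed-case sample is the point of the exercise: exact-match signatures give a clean yes/no, but only for the bytes the rule author anticipated, which is why real rulesets pair content matches with modifiers and protocol decoding rather than relying on a single byte string.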

But once we have these particular signatures in place, we’re just looking for an exact match. If we see anything exactly matching that data going across the network, we’ll stop it right there. Another type of detection is anomaly-based detection. Here we have a probe or device on the network looking at what is normal, and it builds a baseline of what it thinks normal traffic looks like.

If the network, or certain metrics on it, go well above that normal range, that’s an anomaly: something you wouldn’t usually see on the network, and the system can raise an alarm to let you know this particular thing just happened. Maybe suddenly a lot more people than normal tried to log into the network. Maybe we had huge bandwidth spikes on our network connection, well beyond what we’d normally see. So it gives you, the security professional, a little more information, a few more metrics you can use to understand whether something is wrong out there and whether you should do something about it.
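As an added example of the anomaly-based approach just described (not code from the video or from any product), the block below learns a baseline for two of the metrics the text mentions, logins per minute and outbound bandwidth, and alerts when a live sample is more than three standard deviations above the learned mean. All of the numbers are constructed: twelve quiet minutes for the baseline, then three live minutes containing a normal blip, a login storm and a bandwidth spike.

```python
import statistics
from collections import namedtuple

Sample = namedtuple("Sample", "minute logins_per_min mbps_out")

# Constructed training data: twelve quiet minutes of made-up probe readings.
BASELINE_SAMPLES = [
    Sample(m, logins, mbps)
    for m, (logins, mbps) in enumerate([
        (4, 11.2), (6, 12.0), (5, 10.8), (3, 11.5), (7, 12.4), (5, 11.0),
        (4, 10.9), (6, 12.2), (5, 11.7), (4, 11.1), (6, 12.6), (5, 11.3),
    ])
]

# Constructed live data: minute 12 is a small blip that should stay quiet,
# minute 13 is a login storm, minute 14 is a bandwidth spike.
LIVE_SAMPLES = [
    Sample(12, 8, 13.0),
    Sample(13, 61, 11.9),
    Sample(14, 5, 88.5),
]


class Baseline:
    """Per-metric mean and standard deviation learned from quiet traffic.

    The learning window must itself be clean: if an attack is present while
    the baseline is built, that attack becomes 'normal'.
    """

    def __init__(self, samples, metrics=("logins_per_min", "mbps_out")):
        self.stats = {}
        for metric in metrics:
            values = [getattr(s, metric) for s in samples]
            self.stats[metric] = (statistics.mean(values), statistics.stdev(values))

    def zscores(self, sample):
        """How many standard deviations each metric sits from its mean."""
        return {
            metric: (getattr(sample, metric) - mean) / stdev
            for metric, (mean, stdev) in self.stats.items()
        }


def detect_anomalies(baseline, samples, threshold=3.0):
    """Return (minute, metric, value, z) for every metric above threshold sigma.

    Only upward deviations alert, matching the text's examples (login storms,
    bandwidth spikes). The threshold is the false-positive knob: lower it and
    the minute-12 blip starts alerting too.
    """
    alerts = []
    for s in samples:
        for metric, z in baseline.zscores(s).items():
            if z > threshold:
                alerts.append((s.minute, metric, getattr(s, metric), round(z, 1)))
    return alerts


if __name__ == "__main__":
    baseline = Baseline(BASELINE_SAMPLES)
    for metric, (mean, stdev) in baseline.stats.items():
        print(f"baseline {metric}: mean={mean:.2f} stdev={stdev:.2f}")
    for alert in detect_anomalies(baseline, LIVE_SAMPLES):
        print("ANOMALY", alert)
```

Note what the example does not tell you: that 61 logins in a minute is an attack. It only says the number is far outside what this network has done before, which is exactly the extra metric the text describes, and it is up to the analyst to decide whether it matters.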

Another, much more specific method of watching is behavior-based detection, where we’re looking at the sequence of things someone does rather than the bytes in a single packet. Did someone log into a server? Once they logged in, did they run a certain command? After that command, did they try to run another particular command?
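Here is an added example of that login-then-command chain (not code from the video or from any product). It runs a small per-user state machine over a constructed host audit log: a login, followed within ten minutes by an account-enumeration command, followed by an account-creation or sudo change, raises an alert. The event format, the rule steps and the window are all hypothetical choices for illustration. The log includes an admin who logs in and looks at /etc/passwd but does nothing else, a chain that completes, a command run without the preceding steps, and a chain that goes stale before its last step, so the reader can see which of those the rule fires on.

```python
import re
from datetime import datetime, timedelta

# Constructed host audit events (made-up layout, not a real auditd/syslog format):
# (timestamp, host, user, event_type, detail)
EVENTS = [
    ("2024-05-01T09:00:00", "web01", "alice", "ssh-login", "from 10.0.0.5"),
    ("2024-05-01T09:00:30", "web01", "alice", "exec", "cat /etc/passwd"),
    ("2024-05-01T09:01:00", "web01", "alice", "exec", "tail -f /var/log/nginx/access.log"),
    ("2024-05-01T09:05:00", "web01", "svc-backup", "ssh-login", "from 10.0.0.9"),
    ("2024-05-01T09:05:20", "web01", "svc-backup", "exec", "getent passwd"),
    ("2024-05-01T09:06:10", "web01", "svc-backup", "exec", "useradd -m -G sudo helper"),
    ("2024-05-01T09:15:00", "web01", "alice", "exec", "useradd -m intern"),  # chain stale
    ("2024-05-01T10:00:00", "db01", "bob", "exec", "useradd -m deploy"),     # no login/recon
]

# Hypothetical behaviour rule: each step is (name, event_type, regex on detail).
# The steps must occur in this order, by the same user on the same host.
STEPS = [
    ("login", "ssh-login", re.compile(r".*")),
    ("recon", "exec", re.compile(r"cat /etc/passwd|getent passwd")),
    ("persist", "exec", re.compile(r"useradd|usermod .* sudo|visudo")),
]
WINDOW = timedelta(minutes=10)  # the whole chain must complete within this


def detect_sequences(events, steps=STEPS, window=WINDOW):
    """Return (host, user, timestamp, step_names) for each completed chain.

    State is kept per (host, user): the index of the next expected step and
    when the chain started. Events that match no expected step are ignored,
    and a chain older than the window is discarded, so unrelated commands
    hours apart never add up to an alert.
    """
    progress = {}  # (host, user) -> (next_step_index, chain_start_time)
    alerts = []
    for ts_s, host, user, etype, detail in events:
        ts = datetime.fromisoformat(ts_s)
        key = (host, user)
        idx, started = progress.get(key, (0, None))
        if started is not None and ts - started > window:
            idx, started = 0, None  # chain went stale; start over
        _, want_type, pattern = steps[idx]
        if etype == want_type and pattern.search(detail):
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(steps):
                alerts.append((host, user, ts_s, [s[0] for s in steps]))
                idx, started = 0, None
        progress[key] = (idx, started)
    return alerts


if __name__ == "__main__":
    for alert in detect_sequences(EVENTS):
        print("BEHAVIOUR ALERT", alert)
```

Only svc-backup trips the rule. alice's initial look at /etc/passwd leaves her chain one step short, her later useradd falls outside the window, and bob's useradd has no login or enumeration in front of it. That is the strength and the cost of behavior-based detection: it reasons about what a person did, so the rule author has to decide in advance which ordering and which time window count as suspicious.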

If we see these things happen one after another and they add up to a recognizable pattern of what someone is doing, we’d like an alert so we can find out why somebody logged into that machine and ran those particular commands. Probably the most common form of detection beyond signatures is heuristics. It’s a technology we’ve had for a number of years, and we continue to make it better and better.

Heuristics applies a bit of artificial intelligence to the problem. We see a type of traffic flow come into the network, we watch it for a little bit to see how it changes, and we look at different aspects of how that flow behaves. Based on what we see, the engine gives you more information about whether this particular flow looks like it contains good data or bad data.

Heuristics is constantly evolving, and we’re getting better and better at it. But occasionally a heuristics engine gives you the wrong answer too, in both directions: it can flag legitimate traffic and it can miss an attack. It really depends on how good that particular engine is.

So with heuristics you can see widely different quality across products, which is very different from a signature. With a signature match, you know yes or no: it absolutely matches or it doesn’t. With heuristics, there’s a lot more gray in between; it’s not really a black-and-white situation.