Intrusion Detection and Prevention Systems – CompTIA Network+ N10-006 – 1.1

Securing a network requires vigilance on the network and on each host. In this video, you’ll learn about network-based and host-based intrusion detection and intrusion prevention systems.

<< Previous Video: Common Network DevicesNext Video: Content Filters >>

When you’re trying to protect your network, it’s nice to have devices that can watch all of the traffic that’s going in and out of your network. In this video I’m going to give you an overview on network intrusion detection and network-based intrusion prevention devices.

When we’re discussing network-based intrusion detection or intrusion prevention, we’re talking about systems that we commonly call NIDS or NIPS. It’s common to hear these referred to as an IDS or an IPS system where we just assume the network piece is at the beginning of that.

These go beyond what you would find with a firewall. An intrusion detection or intrusion prevention system is designed to look into the data itself. They could stop operating system exploits. They can look at application vulnerabilities. They can stop buffer overflows or identify cross-site scripting. These are designed to get into the details of what’s going on in the network communication, and allow or deny based on particular rules.

Although the functionality is similar between an intrusion detection system and an intrusion prevention system, the ultimate goal is different. And intrusion detection system can identify these vulnerabilities and buffer overflows and database injections that might be coming through our network. But it can only identify them and alarm or alert you that’s occurred.

An intrusion prevention system can not only see that this particular vulnerability is passing through the network, but it can actually stop it before it traverses the network. That’s the difference between a detection and a prevention, is that a detection can see it. But a prevention can actually stop it.

As you can imagine, a device that’s on your network and looking at all the traffic going by and only taking out the bad traffic, has got to use a number of different techniques to identify the good from the bad.

One of these techniques is a signature type of technique, where the device is looking for a very specific flow of traffic in a very specific data stream. And if it sees this very specific type of data going by, it identifies that as a known signature, and can then act on that information. You’re looking for a perfect match of data going by. So this is a very precise and very specific signature.

Another type of identification technology is one based on an anomaly. These devices can watch what’s normal over time. And then if anything changes, it can then identify that change, and then allow or block based on the rules you’ve associated with something associated with that anomaly.

Another common way to identify this is based on a behavior. If somebody is accessing a particular share on the network, you may identify that particular behavior as something bad and choose to allow or disallow that communication.

And, perhaps, one of the more advanced functions for identification would be heuristics, where artificial intelligence is used to identify something that might be bad. There might not be a specific signature. There might have never been something in the past that we can compare this with. But the intrusion prevention system is designed to look for things that are very unusual. And if it finds something unusual, it will then stop it based on these heuristics.

There are a number of ways to implement an IDS or an IPS. One of the easiest ways is through software. There’s open source software, like Snort, that you can load onto a computer, and have that perform the intrusion detection capabilities. Or even add multiple interface cards to the computer and have intrusion prevention functionality as well. There’s also live CDs available so you can literally download a Snort machine, install it onto your device, and be up and running very, very quickly.

When you get into larger environments, you need more speed. And that speed comes in the form of hardware. You would have these specialized appliances that are designed to be intrusion detection or intrusion prevention systems. And they are usually designed around an enterprise. Where there’s high availability, you could have multiple devices, you could have them participate on the network so that if you lose one intrusion prevention system, the other one is able to take over. And they can even send all of their logs and information to a centralized syslog consolidation device.

We’ve also taken this network-based intrusion prevention and brought it down to our desktop through something we call host-based intrusion prevention. This is something that we used to run as individual applications. These days it’s very common to see it integrated into an anti-virus or an anti-spyware application that’s running right on your desktop.

These generally protect you based on signatures. So you have to make sure that you’re downloading and updating these signatures so that the application knows exactly what all the latest threats and vulnerabilities might be.

But these can also protect you based on certain activities. Since it’s running on your desktop, it can look to see what’s happening in your operating system. And if certain files are being touched or changed, it can tell you, and identify them, and stop that particular function from infecting your machine.