Detection vs. Prevention – CompTIA Security+ SY0-401: 3.6

Should you detect, or should you prevent? In this video, you’ll learn the advantages and disadvantages for implementing these security techniques.

<< Previous Video: ReportingNext: Vulnerability Scanning Overview >>


When we think about protecting our assets, we’re often in a position where we need to consider adding a technology solution and a non-technology-based solution. And a good example of detection versus prevention comes in to play when you’re trying to protect a certain area of your organization. A good example is when you’re trying to decide, do I put a camera here, or do I put a physical guard a physical person in place?

Obviously, a camera is very easy to install. It’s relatively inexpensive to do this. But it is very difficult to proactively prevent somebody from doing something. A camera isn’t going to stop someone from walking down the hallway. And occasionally, you don’t even recognize the camera’s there. You don’t even think that there may be a camera in place watching what we’re doing. So it’s not a very good deterrent of keeping people out of a certain area. It is extremely valuable, of course, after the event. You’ll be able to see exactly what happened in a room, in a hallway. All of that is saved for later.

If you have a guard in place, that’s a completely different posture. It is now a physical person who can interact with the people walking down a hallway, going into a room. And it allows you to proactively prevent certain things from occurring. And obviously, there are disadvantages to this as well. It’s a lot of cost to have a person in place. You have to pay a salary. You have to make sure that person is there. You have to staff, perhaps 24 hours a day, seven days a week. But it does have a personal impact. And when you’re trying to decide, do I allow people through and simply detect that they’re there, or do I actively prevent people from doing something? We now have a better idea of which solution to have there.

In many cases we may have both. We may need an immediate, proactive, stop people from going in a room. But we might also want a way to go back over time to last week, to last month, to last year, and see who went in and out of that room. And who did we sign in, who did we sign out, to back up perhaps what a guard was there being able to do themselves. You’ve now got decisions to make, not from just a person perspective, but there are also a number of technology solutions that we should consider also, when it comes to detecting versus preventing.

A very common technology solution when you’re trying to detect the bad guys coming in to your network, is an intrusion detection system. We’ve talked about these before. You have people out on the internet that are using resources in your environment. You’ve also got your end users in your environment that are accessing resources on the internet. And the traffic is flowing back and forth through your routers and your switches in your environment. And a lot of information is passing. We have multi-megabit, in some cases gigabit connections, out to the internet.

There certainly is a lot of information flowing through the very fast networks we have today on the inside of our network. Intrusion detection systems were built to be able to watch all of that. These are usually devices that are put off to the side. Information is copied off to the intrusion detection system. Usually it’s done through a built-in system, inside of the switch, that allows us to send a copy off to a separate port. Sometimes it’s a physical tap, where you are connecting right in to the middle of a connection and simply sending a copy of that data to the intrusion detection system.

One of the challenges, of course, though, with intrusion detection is that is only detecting and alerting on these things. There are some intrusion detection systems that have some limited capabilities in actually stopping that traffic. But because we’re getting a copy, or a mirror of the traffic, that is a very anemic way to try to control information. It really is just there to alert you.

And the idea is the intrusion detection system would see someone communicating to a server. And someone from the internet is trying to take advantage of a known vulnerability on that server. Maybe it’s something that is not patched through the Microsoft operating system. Maybe it’s a vulnerability in the database, someone trying to do database injection. The intrusion detection system would see that. Because it’s seeing all of the traffic going back and forth. And then the intrusion detection system can then inform you and let you know that at this date and time, I logged in event that occurred, that this particular IP address from the internet was accessing this particular web server, and they perform this particular vulnerability attack. They went after the database injection. They went after a known vulnerability in that Microsoft operating system. And having that in place can at least give you a list of what has occurred over time back and forth over your network.

These days, our threats are happening much more rapidly. We have a lot of traffic going back and forth. And we want to be able to stop these problems as they are occurring. Instead of having an intrusion detection system, we have mostly moved these days to intrusion prevention systems. These prevention systems go directly in-line. So all of the traffic flowing in and out of the network, or even inside of the network, has to go through and IPS.

The IPS is now responsible for identifying any of these problems when they might occur. If someone from the internet is trying to take advantage of a known Microsoft operating system vulnerability, the IPS will see it, and because it’s in-line, it will stop it. So even though the bad guy sends the traffic through, the IPS identifies that traffic and right then, drops the packets. They never continue through the network. Someone can try to do a database injection. The IPS recognizes database injections, is able to stop it right there.

Obviously being in-line is a very critical piece. There’s usually redundancy and fault tolerance associated with the IPS implementation. And IPS systems must be able to keep up with the speeds and still understand all of the different vulnerabilities and signatures that it needs to be able to stop the traffic.

But now you’ve got options. You have the ability to simply report on what’s going on with intrusion detection. Or you’ve got the ability to go actively in-line and stop these vulnerabilities from going through our network with intrusion prevention systems.