Intrusion detection system
An intrusion detection system (IDS) is a passive monitoring system that inspects incoming and outgoing network traffic for suspicious attacker activity. An IDS can raise alerts to other network devices, but it cannot stop an attack on its own. Because it can only send alerts and not block traffic, an IDS is generally configured in promiscuous mode, receiving a copy of the traffic rather than sitting inline.
One major question you may have is how an IPS differs from a firewall that can also perform deep-packet inspection. The answer is that an IPS can identify traffic patterns that might match an attack, whereas a firewall inspects on a per-packet basis and is therefore not intelligent enough to recognize an attack pattern. So, in any secure network, an IPS complements a firewall.
The different IPS and IDS identification methods are discussed here:
- Signature-based: The IPS compares the traffic pattern against a database of well-known attacks, referred to as signatures. If a particular traffic pattern matches a signature, that signature triggers.
- Policy-based: In this method, the IPS treats any traffic outside the defined policy as malicious and blocks it.
- Anomaly-based: This method depends on a traffic baseline built from observations made over a certain period of time; traffic that deviates from that baseline is flagged.
- Reputation-based: This method correlates the different attacks seen across the globe and checks the traffic pattern against that correlated database.
- HIPS: A host-based IPS runs on an individual machine instead of protecting the entire network. It may look equivalent to an antivirus, but it can analyze attacks with a higher capability than an antivirus can. It is, of course, operating-system dependent.
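The following toy detector, added here as an example and not taken from the book or any IDS product, applies the signature-based, policy-based and anomaly-based methods from the list above to a handful of constructed packets. It also illustrates the earlier point about an IPS versus a per-packet firewall: the signature is deliberately split across two packets, so only the flow-reassembling check sees it. The packet records, the `EvilBot/1.0` beacon signature, the allowed-port policy and the baseline figures are all constructed assumptions for this example.

```python
"""Toy IDS: signature, policy and anomaly checks over constructed traffic.

Added example, not part of the original text. All traffic, signatures,
policy values and baseline numbers below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (not captured from a real network).
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /login HTTP/1.1\r\n"),
    # A known beacon User-Agent split across two packets: a per-packet
    # inspector sees neither half, a flow-aware detector sees the whole string.
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET / HTTP/1.1\r\nUser-Ag"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"ent: EvilBot/1.0\r\n"),
    # Telnet is outside the defined policy for this segment.
    Packet("10.0.0.7", "10.0.0.22", 23, b"\xff\xfb\x01"),
    # One host touching many ports: far above the learned baseline.
    *[Packet("10.0.0.11", "10.0.0.80", p, b"") for p in range(1000, 1040)],
]

# Signature-based: byte patterns known to indicate an attack (constructed).
SIGNATURES: Dict[str, bytes] = {"known-beacon-ua": b"User-Agent: EvilBot/1.0"}

# Policy-based: only these destination ports are permitted on the segment.
ALLOWED_PORTS = {80, 443}

# Anomaly-based: distinct destination ports per source host, as learned
# during an earlier observation window (constructed baseline).
BASELINE_DISTINCT_PORTS = {"mean": 2.0, "stddev": 1.0}
ANOMALY_THRESHOLD_SIGMA = 3.0

Flow = Tuple[str, str, int]


def reassemble_flows(packets: List[Packet]) -> Dict[Flow, bytes]:
    """Concatenate payloads per (src, dst, dport) so patterns spanning packets are visible."""
    flows: Dict[Flow, bytes] = defaultdict(bytes)
    for p in packets:
        flows[(p.src, p.dst, p.dport)] += p.payload
    return flows


def signature_alerts(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Signature-based detection over reassembled flows: (signature name, source)."""
    alerts = []
    for flow, data in reassemble_flows(packets).items():
        for name, pattern in SIGNATURES.items():
            if pattern in data:
                alerts.append((name, flow[0]))
    return alerts


def per_packet_matches(packets: List[Packet]) -> List[Tuple[str, str]]:
    """What a per-packet inspector sees with the same signatures and no reassembly."""
    return [(name, p.src) for p in packets
            for name, pattern in SIGNATURES.items() if pattern in p.payload]


def policy_alerts(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """Policy-based detection: any destination port outside the allowed set."""
    return sorted({("port-not-allowed", p.src, p.dport)
                   for p in packets if p.dport not in ALLOWED_PORTS})


def anomaly_alerts(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """Anomaly-based detection: distinct-port count per source beyond baseline + k*sigma."""
    ports_by_src: Dict[str, set] = defaultdict(set)
    for p in packets:
        ports_by_src[p.src].add(p.dport)
    limit = (BASELINE_DISTINCT_PORTS["mean"]
             + ANOMALY_THRESHOLD_SIGMA * BASELINE_DISTINCT_PORTS["stddev"])
    return [("port-scan-like", src, len(ports))
            for src, ports in sorted(ports_by_src.items()) if len(ports) > limit]


def run_ids(packets: List[Packet]) -> Dict[str, list]:
    """Run all three methods and return their alerts keyed by method."""
    return {
        "signature": signature_alerts(packets),
        "policy": policy_alerts(packets),
        "anomaly": anomaly_alerts(packets),
    }


if __name__ == "__main__":
    for method, alerts in run_ids(SAMPLE_TRAFFIC).items():
        print(f"{method}: {alerts}")
    print("per-packet view of the same signatures:", per_packet_matches(SAMPLE_TRAFFIC))
```

Running the script shows the signature check firing once on the reassembled flow from `10.0.0.9`, while the per-packet view of the very same signature finds nothing; that gap is the difference the text draws between an IPS and a per-packet firewall. The policy check flags the Telnet session and every out-of-policy port, and the anomaly check flags only the host whose distinct-port count exceeds the baseline by more than three standard deviations. Real sensors do stream reassembly, normalization and far richer baselining than this, but the three decision steps are the same.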