Intrusion Detection and Prevention

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
We've looked at auditing, we've conducted vulnerability assessments to look for weaknesses. We conducted pen tests to determine if those weaknesses could be exploited. We've reviewed our logs to look for abnormal activity. Let's now move into talking about intrusion detection systems that will provide real-time monitoring so that we can detect malicious activity as it happens.

In this section we're going to look at intrusion detection, and I'll add, we'll also look at intrusion prevention systems, IDS and IPS. We'll talk about the various types of intrusion detection, and then we'll talk about some of the components that make it work.

Intrusion detection systems do just that: they monitor the network, looking for suspicious activity. IDSs are passive devices. They do not terminate an attack. They simply document that an attack has happened. They can be configured to alert an administrator or log an entry in a file, but they just detect.

The reality of an IDS is it really is just a glorified sniffer. What does a sniffer do? Well, it captures traffic on the network, and it's able to do so because it has a network card that's in promiscuous mode. Remember, promiscuous mode allows the interface to collect all traffic regardless of who the traffic is addressed to. If you take that sniffer and add an analysis engine, now you have an intrusion detection system. The sniffer collects the traffic. The analysis engine provides an evaluation of the traffic, either being good, bad, or indifferent, and that becomes an intrusion detection system.

A mention as far as configuration goes, and we talked about this back in the networking chapter, but don't forget that when you plug a sniffer or an IDS into a port on a switch, by default, no traffic is likely coming out that port. If you're doing this as an administrator, there's a mode that you can implement on the port called port span, also could be called port mirroring. That's going to allow you to view all traffic passing through the switch, as opposed to just the traffic coming through a particular port.

Now our two main categories of intrusion detection, or intrusion prevention, I feel like I have to mention that, are HIDS, which are host based, and NIDS, which are network based. You could also have HIPS, your host based intrusion prevention systems, and NIPS, network based intrusion prevention systems. The big difference is your IPS systems can terminate the attack. They could send a TCP reset to the host that has originated the attack, or they could communicate with the firewall and have the firewall close specific ports. An IPS is an active system, whereas an IDS is going to be reactive. The reality is today, most of the systems you buy provide both functions. Why buy an IDS if I can have one that prevents the attack or at least terminates the attack? But on the exam, if they specifically say IDS, think detection, and a lot of times they'll use IDS/IPS. That'll tell you it has both active and passive features.

My two types, host based and network based. The host based systems just specifically examine what's going on on a particular host. This is simply software that you install on a particular host. It can monitor things like registry access, local login. It can monitor how much traffic is coming to its own network interface, but it's just examining the single computer on which it's installed.

Now, a network based IDS is usually what we're talking about when we say IDS; that's the one that acts like a sniffer with an analysis engine, because that's able to capture traffic for an entire segment of the network, evaluate it, and then the analysis engine is going to provide the decision on whether or not the traffic is good or bad. In order for this traffic to be collected on a network segment, you've got to have that interface. That interface is going to be where your sensor is. This is what's going to collect the traffic. It's called the data collector also, if you will. Now, for your network device, you may have multiple sensors on the network, you may have a single one. If you have a host system, your sensor or your data collector is going to be your local network interface.

Again, you have an analysis engine. We'll have to talk about the different types of analysis engines. Basically we have pattern matching or profile matching. Many of these systems do use pattern matching, which is often referred to as a signature based system. We'll talk about that in a minute. Other components: there's going to be some user interface where we can manipulate what's collected and we can analyze the data. You can see just a little image here on the next page that we have this system; this is a network based system that has multiple sensors collecting traffic from the network. It goes through an analysis process of comparing the traffic up against known signatures. Then of course, there's the user interface that allows me to evaluate and examine the configurations.

To discuss intrusion detection systems, we looked at host based versus network based. Then we talked about some of the components like the sensor and the analysis engine, the user interface, and those different pieces that make an intrusion detection system or intrusion prevention system work on a network.