Hi and welcome to Cybrary. My name's Anthony and I'm a local subject matter expert for Network+. Today we're going to be talking about basic network security appliances. So let's take a look at some of the different security appliances that could be in place on our network. Now, two of our most common security appliances are going to be an IPS or an IDS.

IPS stands for intrusion prevention system, and IDS stands for intrusion detection system.

An IPS is an active system that sits on our network, intercepts network traffic, analyzes it, and stops traffic that it deems malicious or harmful.

An IDS, on the other hand, is a passive system. An IDS doesn't stop network traffic. It sets alerts and sends us messages that let us know something occurred, but an IDS is not going to stop something that's in progress. It's a reactive, passive scanning system. We're going to have to go in later and check whether we can fix what it alerted us to.

An IPS, however, is something that is actively in session and actively functioning on our network. So, as an example, an IPS would need to sit on our network and intercept traffic much like a firewall does: it has to be in between point A and point B, and traffic has to be directed through it for it to stop anything.

An IDS, by contrast, can sit anywhere on our network and receive mirrored copies of traffic. All it has to do is sit somewhere on our network, maybe on a mirror port or a SPAN port, and receive copies of the data that has already gone from point A to point B; then it analyzes that data and gives us the results.
Depending on our situation and our security posture, we may use an IPS if we absolutely need to make sure we stop it before it happens. But if we don't have that luxury, if we need to value our network traffic and throughput more than we can with an IPS, then we might say, OK, it's sending too many false positives, it's dropping too much traffic. Let's just set up an IDS and let the IDS see the traffic. Then we'll go through the logs as we can and address issues as we can, but we need that traffic to get through. So we'll have the IDS be passive rather than having an active IPS.

So an IPS or an IDS can detect malicious traffic, and detect issues with our different traffic, based on a couple of different scanning mechanisms. Our two main scanning mechanisms are going to be behavior based or signature based.
Now, when we're talking about behavior-based scanning, we're talking about scanning of traffic, or of files and folders, that is heuristic, which means it's based on activity, based on some sort of rule. So if we're scanning traffic and we have an IDS or IPS, it's scanning some network traffic and it says, hey, wait a second, I recognize this sequence of packets as a port scan, a typical port scan. Or I recognize this sequence of packets as someone trying to establish a malicious connection, because this packet is going to a commonly used port for malicious software, such as port 4444. That's a commonly used port for Metasploit; well, the default port for Metasploit, not necessarily the most commonly used port, but the default port for Metasploit. So we tag that and say, hey, this may be malicious, you might want to take a look at it, based on some behavior, based on some rules of thumb.

If it sees a file and wants to take a look at that file, a behavior-based file scan would be one that says, OK, what does this file want to do? Does it want to change the registry? Does it want to make a pop-up come up? Does it want to open or delete a file? What is it trying to do, and if what it's trying to do seems suspicious, then we flag it, delete it, or move it to quarantine. So that's behavior based: we're basing it on what something does, on its activity or suspicious actions.
Signature based is actually based on a hash, a pre-established hash of malicious code. Signatures are developed by the company that issues the IPS or IDS to us. They say, we've identified all of this malware. We found this malware in the wild, samples were sent to us, and we took a section of the critical code the malware needs in order to work, put it through an algorithm, and created a hash for it, sort of like a fingerprint for the malware. All of these different fingerprints, our signatures, are put in our IPS's or IDS's dictionary, and as it scans our files, it puts them through the same algorithm. If any of those files have the same fingerprint as one in our dictionary, it flags them as malicious.

So our signature-based scanning is based off of fingerprints, and our behavior-based, heuristic scanning is based on actions. Sometimes our behavior-based heuristic scanning won't catch things that our signature-based scanning would, and sometimes our signature-based scanning won't catch things that our behavior-based scanning would, because malware can be very easily changed or modified; the code can be rewritten. And if it's something that has never been seen before, then a signature-based scan is not going to catch it, because there's no fingerprint available for it. It's as if it's the first time someone's been arrested, the first time someone's been caught doing something: they don't have fingerprints in the system. They have to get fingerprinted before they'll be in the system. But the malware that we have signatures for has already been arrested, has already been caught once, so we have fingerprints for it.
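The two detection mechanisms just described, together with the passive-versus-inline distinction from the start of the lesson, as an added Python example that is not part of the original video; the file contents, addresses, the "Trojan.Constructed.A" name and the threshold are constructed for illustration:

```python
import hashlib
from collections import defaultdict

# Constructed file contents standing in for malware samples (not real malware).
KNOWN_MALWARE = b"evil-payload-v1"
MODIFIED_MALWARE = b"evil-payload-v1-recompiled"  # same behavior, rewritten bytes
BENIGN_FILE = b"quarterly-report.txt contents"


def fingerprint(data):
    """Hash a sample the same way the vendor did when it built the signature."""
    return hashlib.sha256(data).hexdigest()


# The vendor's dictionary: fingerprints of malware that has been 'caught' before.
SIGNATURE_DB = {fingerprint(KNOWN_MALWARE): "Trojan.Constructed.A"}


def signature_scan(data):
    """Signature-based: flag only if the fingerprint is already in the dictionary."""
    return SIGNATURE_DB.get(fingerprint(data))


# Constructed connection records (src, dst, dst_port) as a sensor would see them.
PACKETS = [("10.0.0.5", "10.0.0.9", p) for p in range(20, 40)]  # one host sweeping 20 ports
PACKETS += [("10.0.0.7", "10.0.0.9", 4444), ("10.0.0.8", "10.0.0.9", 443)]


def behavior_scan(packets, scan_threshold=10):
    """Heuristic rules: a port sweep from one source, or a hit on Metasploit's default port."""
    alerts = []
    ports_by_src = defaultdict(set)
    for src, dst, port in packets:
        ports_by_src[src].add(port)
        if port == 4444:
            alerts.append(f"{src} -> {dst}:4444 (default Metasploit listener port)")
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            alerts.append(f"{src} probed {len(ports)} distinct ports (port scan)")
    return alerts


def dispose(packet, mode):
    """IPS sits inline and drops a flagged packet; IDS only alerts on a mirrored copy."""
    flagged = packet[2] == 4444
    if not flagged:
        return "forward"
    return "drop" if mode == "ips" else "alert"
```

The rewritten sample slips past the signature dictionary while the behavior rules still fire on the traffic it generates, which is the gap the lesson describes.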
Now, the other distinction between our IDS and IPS is whether the IDS or IPS is network based or host based.

A network-based IDS or IPS is going to watch network traffic. This is going to be a device that sits on our network, maybe a single device that does nothing but sit on our network and act as an IDS, or maybe a role that we install on a server or another computer, which sits on our network and watches the network traffic. It looks for specific activity that is going around on our network. We may establish what our network normally looks like, and then if it notices an increase in a certain type of traffic, or a sudden oddity in the way traffic is being sent and received on our network, it's going to start flagging this and start sending alerts.

Host-based IDSs and IPSs are installed on the device that we think may be targeted. This is something such as antivirus or anti-malware. They sit on the device that we think will be targeted, and they scan for malicious activity on that device. They aren't looking at our network; they aren't looking at what's going on amongst our other computers. They're looking at what's going on with our computer: our file system, the incoming and outgoing connections. But they're not really concerned about other people's network traffic.

So host-based IDSs and IPSs will be on the individual devices, and our network-based IPSs and IDSs will be on our actual network. It's great to have a combination of both, because we can't just rely on one or the other. We may have malware on our computer that our host-based system can't catch, because it's not really doing much on our computer, but instead it's causing our computer to send out a lot of odd network traffic, which a network-based IDS would catch. Or we may have a particular type of malware or malicious activity that's only affecting our file system: it's modifying our files, changing our registry, popping up ads and fake antivirus, and it's not really sending anything malicious or suspicious over our network. Well, then a network-based IDS would be less likely to catch that than a host-based IDS would. So it's great to have a combination of both on your network: host-based IDSs or IPSs on the device, and network-based ones watching our network.