14. IDS/IPS Systems

ND545 C02 L02 A12 IDS IPS

IDS/IPS Notes

Recap:

  • Intrusion detection is a critical layer in an organization's security program.
  • An IDS can be deployed as a hardware appliance or as a virtual machine.
  • It can sit at the edge of the network to inspect incoming traffic, or inside the network to monitor internal (east-west) traffic.
  • An IDS is generally passive: it only reports alerts to the SysAdmin.
  • An IPS works the same way but adds an active response to the alert (for example, dropping the packet or resetting the connection); to do that it must sit inline in the traffic path.
  • An IDS combines signature-based (rule) matching with behavior/heuristic (anomaly) monitoring; when a rule or signature matches, it fires an alert.

What is an IDS? Intrusion Detection System

Additional Thoughts:

  • Many other products, for example next-generation firewalls (NGFW) and wireless controllers, now integrate IDS functionality.
  • IDS rules come from three sources: built-in (shipped with the product), subscription (vendor or community rule feeds), and manually written.
  • An IDS can be challenging to manage: a high false-positive rate is not uncommon, so rules must be tuned to the environment they monitor.
  • We didn't get into using Snort directly in this course because a junior analyst would not normally have the privileges to use Snort; that is covered in another course.

Anatomy of an IDS Rule
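As an added illustration of what a rule looks like and of the tuning point in the notes above (a noisy rule firing on benign traffic beside a tuned one), here is a toy Snort-style rule parser and matcher. This is example code written for these notes; it is not part of the course, nor Snort's own code, and it supports only a small subset of the rule language (header fields, msg, sid, and content options, with no nocase or pcre). The rules, IP ranges and "packets" are constructed sample data.

```python
"""Toy Snort-style rule parser/matcher (added example, not Snort itself).
Rule anatomy:
  <action> <proto> <src_ip> <src_port> <direction> <dst_ip> <dst_port> (<options>)
Header fields decide *which traffic* is in scope; options decide *what to look
for* (content) and *how to label it* (msg, sid, rev)."""
import ipaddress
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # every content: must match (AND)

def parse_rule(text):
    """Split a one-line rule into its header fields and the options we support."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a valid rule header: " + text)
    r = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    # Options are ';'-separated key:value pairs (toy: a ';' inside quotes is not handled).
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            r.msg = val
        elif key == "sid":
            r.sid = int(val)
        elif key == "content":
            r.contents.append(val.encode())  # matched as raw bytes, case-sensitive
    return r

def ip_matches(spec, ip):
    """'any', a host, or a CIDR block; a leading '!' negates the block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate

def port_matches(spec, port):
    """'any', a single port, or a 'lo:hi' range with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (ip_matches(rule.src, pkt["src"]) and ip_matches(rule.dst, pkt["dst"])):
        return False
    if not (port_matches(rule.sport, pkt["sport"]) and port_matches(rule.dport, pkt["dport"])):
        return False
    return all(c in pkt["payload"] for c in rule.contents)

def run_ids(rules, packets):
    """Passive IDS behaviour: return (sid, msg, src) alerts, never block anything."""
    return [(r.sid, r.msg, p["src"]) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]

# Constructed sample rules: the first is deliberately too broad, the second is tuned
# (external source only, a more specific pattern, and a bumped rev).
NOISY_RULE = 'alert tcp any any -> any 80 (msg:"Possible SQLi"; content:"SELECT"; sid:1000001; rev:1;)'
TUNED_RULE = ('alert tcp !10.0.0.0/8 any -> 10.0.0.0/8 80 (msg:"SQLi UNION SELECT in HTTP request"; '
              'content:"GET"; content:"UNION SELECT"; sid:1000002; rev:2;)')

# Constructed sample "packets" (hypothetical addresses; 10.0.0.0/8 is assumed to be internal).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.1.5", "sport": 51000, "dst": "10.0.2.7", "dport": 80,
     "payload": b"GET /search?q=SELECT+tutorial HTTP/1.1"},          # benign internal search
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40222, "dst": "10.0.2.7", "dport": 80,
     "payload": b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1"},  # attack
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40223, "dst": "10.0.2.7", "dport": 443,
     "payload": b"\x16\x03\x01SELECT"},                               # wrong port, out of scope
    {"proto": "tcp", "src": "198.51.100.4", "sport": 40300, "dst": "10.0.2.7", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1"},                        # benign external
]

if __name__ == "__main__":
    for text in (NOISY_RULE, TUNED_RULE):
        rule = parse_rule(text)
        print(f"sid {rule.sid} ({rule.msg!r}):")
        for sid, msg, src in run_ids([rule], SAMPLE_PACKETS):
            print(f"  alert from {src}")
```

Running the block shows sid 1000001 firing on both the internal tutorial search and the real attack (one false positive out of two alerts), while sid 1000002 fires only on the attack. The tuning used here is the kind the notes call for: narrow the header so internal sources are excluded, and make the content pattern specific enough to describe the attack rather than a common word.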

ND545 C02 L02 A13 IDS IPS Walkthrough