IDS (Intrusion Detection System)
A passive security appliance that performs real-time analysis of network traffic or system logs, configured with signature patterns to raise an alert when malicious activity is matched.
Signature-Based Detection
Matches activity against known patterns of malicious activity (like antivirus software). Requires constant signature updates, so it cannot detect attacks for which no signature exists yet.
Anomaly-Based Detection
Defines a baseline of normal traffic and alerts on anything that falls outside that baseline. Its main drawback is a high rate of false positives.
IDS Sensor Placement (Defense in Depth)
Typically positioned behind a firewall to monitor traffic entering and exiting a security zone, detecting suspicious activity the firewall missed.
Passive IDS Sensor Characteristic
Uses a sniffer (from a mirrored port/TAP), does not slow down traffic, and is undetectable by the attacker (no IP address on the monitored segment).
IPS (Intrusion Prevention System)
An active security appliance that provides an automatic response to network threats it matches (compared to the passive logging/alerting of an IDS).
Two Common IPS Preventive Measures
Ending the session (e.g., sending a TCP reset) or shunning (applying a temporary filter to block the attacker's IP address on the firewall).
Network Placement of an IPS-enabled Firewall
It is inline with the network, meaning all traffic passes through it, which makes it a potential single point of failure.
Host-Based IDS/IPS
Software agents that run on end systems to monitor application processes, data files, and log files for suspicious activity.