If you’re planning to take the SY0-601 version of the Security+ exam, you should understand how to implement secure network designs. This includes using advanced security devices to secure networks.
For example, can you answer this practice test question?
Q. Lenny noticed a significant number of logon failures for administrator accounts on the organization’s public website. After investigating it further, he notices that most of these attempts are from IP addresses assigned to foreign countries. He wants to implement a solution that will detect and prevent similar attacks. Which of the following is the BEST choice?
A. Implement a passive NIDS.
B. Block all traffic from foreign countries.
C. Implement an inline NIPS.
D. Disable the administrator accounts.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
IPS Versus IDS—Inline Versus Passive
Intrusion prevention systems (IPSs) are an extension of IDSs. Just as you can have both a HIDS and a NIDS, you can also have a HIPS and a NIPS, but a network-based IPS (NIPS) is more common. There are some primary distinctions of an IPS when compared with an IDS:
- An IPS can detect, react to, and prevent attacks.
- In contrast, an IDS monitors and will respond after detecting an attack, but it doesn’t prevent attacks.
- An IPS is inline with the traffic. In other words, all traffic passes through the IPS, and the IPS can block malicious traffic.
- In contrast, an IDS is out-of-band. It monitors the network traffic, but the traffic doesn’t go through the IDS.
- Because an IPS is inline with the traffic, it is sometimes referred to as active. In contrast, an IDS is referred to as passive because it is not inline with the traffic. Instead, it is out-of-band with the network traffic.
Most IDSs will only respond by raising alerts. For example, an IDS will log the attack and send a notification. The notification can come in many forms, including an email to a group of administrators, a text message, a pop-up window, or a notification on a central monitor.
Some IDSs have additional capabilities allowing them to change the environment in addition to sending a notification. For example, an IDS might be able to modify access control lists (ACLs) on firewalls to block offending traffic, close processes on a system that were caused by the attack, or divert the attack to a safe environment, such as a honeypot or honeynet.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Both IDSs and IPSs have protocol analyzer capabilities. This allows them to monitor data streams looking for malicious behavior. An IPS can inspect packets within these data streams and block malicious packets before they enter the network.
In contrast, a NIDS has sensors or data collectors that monitor and report the traffic. An active NIDS can take steps to block an attack, but only after the attack has started. The inline configuration of the IPS allows an IPS to prevent attacks from reaching the internal network. As an example, the figure shows the location of two network-based IPSs (NIPS 1 and NIPS 2). All Internet traffic flows through NIPS 1, giving it an opportunity to inspect incoming traffic. NIPS 1 protects the internal network by detecting malicious traffic and preventing attacks from reaching the internal network.
NIPS used to detect and prevent attacks
NIPS 2 is protecting an internal private network. As an example, imagine that Homer needs to manage some equipment within a supervisory control and data acquisition (SCADA) network in the nuclear power plant. The SCADA equipment is in the private network. The firewall next to NIPS 2 can have rules that allow traffic from Homer’s computer into the network, but block all other traffic. NIPS 2 will then inspect all the incoming traffic and block malicious traffic.
This might seem like overkill, but many advanced persistent threats (APTs) have successfully installed remote access Trojans (RATs) onto internal systems through phishing or malware attacks. Once the RAT is installed, attackers can now attack from within. If an attacker began launching attacks on the private network from Homer’s system, the firewall wouldn’t block it. However, the NIPS will prevent this attack from reaching the private network. Notice that each IPS is placed on the edge of the protected network. NIPS 1 is placed on the edge of the network between the Internet and the screened subnet. NIPS 2 is on the edge of the SCADA network between it and the intranet. This placement ensures that the NIPS can inspect all traffic going into the network.
Q. Lenny noticed a significant number of logon failures for administrator accounts on the organization’s public website. After investigating it further, he notices that most of these attempts are from IP addresses assigned to foreign countries. He wants to implement a solution that will detect and prevent similar attacks. Which of the following is the BEST choice?
A. Implement a passive NIDS.
B. Block all traffic from foreign countries.
C. Implement an inline NIPS.
D. Disable the administrator accounts.
Answer is C. An inline network-based intrusion prevention system (NIPS) can dynamically detect, react to, and prevent attacks. An inline system is placed inline with the traffic, and in this scenario, it can be configured to detect the logon attempts and block the traffic from the offending IP addresses before it reaches the internal network.
A passive network-based intrusion detection system (NIDS) is not placed inline with the traffic and can only detect the traffic after it has reached the internal network, so it cannot prevent the attack.
If you block all traffic from foreign countries, you will likely block legitimate traffic.
You should disable administrator accounts if they’re not needed. However, if you disable all administrator accounts, administrators won’t be able to do required work.
See Chapter 4 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on securing network.
